Part 339 - ACCESS TO PERSONAL INFORMATION UNDER PERSONAL PRIVACY PROTECTION LAW

Doc Status: 
Complete
Statutory Authority: 
Social Services Law, Sections 20, 34; Public Officers Law, art. 6-A

Section 339.1 - Purpose and scope.

Section 339.1 Purpose and scope. (a) It is the responsibility and the intent of the State Department of Social Services (hereinafter "department") to fully comply with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law.

(b) The department shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the department that is required to be accomplished by statute or executive order, or to implement a program specifically authorized by law.

(c) Record, as used herein, means any item, collection or grouping of personal information about a data subject which is maintained and is retrievable by use of the name or other identifier of the data subject. The term record shall not include personal information which is not used to make any determination about the data subject if it is:

(1) a telephone book or directory used exclusively for telephone and directory information;

(2) any card catalog, book or other resource in any library;

(3) any compilation of information containing only names and addresses which is used as a mailing list;

(4) personal information required by law to be maintained and required by law to be used only for statistical research or reporting purposes;

(5) information requested by the agency which is necessary for the agency to answer unsolicited requests by the data subject for information; or

(6) correspondence files.

(d) The word record, as used herein, shall not include any item, collection or grouping of personal information consisting of Social Security Administration case materials used for the adjudication of social security disability claims under titles II and XVI of the Social Security Act which are temporarily in the custody of the department as agent of the Federal government.

(e) Personal information, as used herein, means any information concerning a data subject which, because of a name, number, symbol, mark or other identifier, can be used to identify that data subject.

(f) Personal information will be collected, whenever practicable, directly from the person to whom the information pertains (referred to herein as "data subject").

(g) The department seeks to ensure that all records pertaining to or used with respect to individuals are accurate, relevant, timely and complete.

(h) These regulations provide information regarding the procedures by which members of the public may assert rights granted by the Personal Privacy Protection Law.

Doc Status: 
Complete

Section 339.2 - Privacy compliance officer; personal information procedures.

339.2 Privacy compliance officer; personal information procedures. (a) The director of Public Information and Communications is hereby designated privacy compliance officer and is responsible for ensuring that the department complies with the provisions of the Personal Privacy Protection Law and the regulations

herein and for coordinating the department's response to requests for records or amendment of records.

(b) The address and telephone number of the privacy compliance officer is: Department of Social Services, 40 North Pearl Street, Albany, NY 12243, (518) 474-9516.

(c) The privacy compliance officer is responsible for overseeing department procedures, by which a data subject can learn if a system of records contains any information pertaining to the data subject, including:

(1) assisting a data subject in identifying and requesting personal information, if necessary;

(2) describing the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to a data subject requesting such record or personal information;

(3) taking one of the following actions upon locating the record sought:

(i) except as prohibited by subdivision (d) of this section, make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided;

(ii) permit the data subject to copy information from the record; or

(iii) deny access to the record in whole or in part and explain in writing the reasons therefor;

(4) upon payment of established fees, unless such fees are exempted by section 339.11(c) of this Part, making a photocopy of the record or permitting the data subject to make a photocopy of the record;

(5) upon request, certifying that a copy of a record is a true copy; or

(6) upon request, certifying that:

(i) the department does not have possession of the record sought;

(ii) the department cannot locate the record sought after having made a diligent search; or

(iii) the information sought cannot be retrieved by use of the data subject's description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the department.

(d) The privacy compliance officer shall deny access to:

(1) personal information to which a data subject is otherwise prohibited by law from gaining access;

(2) attorney's work product or material prepared for litigation before a judicial, quasi-judicial or administrative tribunal unless disclosure is mandated by a statute, a grand jury subpoena, a subpoena issued in the course of a criminal action or proceeding, a court-ordered subpoena, a search warrant or a court order.

Doc Status: 
Complete

Section 339.3 - Proof of identity.

339.3 Proof of identity. (a) When a request is made in person, subject to the provisions of section 339.6(a) of this Part, or when records are made available in person following a request made by mail, the department shall require appropriate identification such as a driver's license, an identifier assigned to the data subject by the department, a photograph identification or similar information that confirms that the record sought pertains to the data subject.

(b) When a request is made by mail, the department shall require verification of a signature or inclusion of an identifier generally known only by a data subject or other appropriate identification.

(c) Proof of identity shall not be required regarding a request for a record accessible to the public pursuant to article 6 of the Public Officers Law.

Doc Status: 
Complete

Section 339.4 - Availability of records.

339.4 Availability of records. In addition to being available by mail, records shall also be made available by appointment at the main office of the department, which is located at: 40 North Pearl Street, Albany, NY 12243.

Doc Status: 
Complete

Section 339.5 - Hours for public inspection and copying.

339.5 Hours for public inspection and copying. The department shall accept requests for records and produce records by appointment during regular business hours.

Doc Status: 
Complete

Section 339.6 - Requests for records.

339.6 Requests for records. (a) All requests shall be made in writing.

(b) A request shall reasonably describe the record sought. Whenever possible, the data subject should supply identifying information that assists the department in locating the record sought.

(c) Requests based upon categories of information described in a notice of a system of records or a privacy impact statement shall be deemed to reasonably describe the record sought.

(d) Within five business days of the receipt of a written request, the department shall provide access to the record; deny access in writing explaining the reasons therefor; or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not exceed 30 days from the date of the acknowledgment.

Doc Status: 
Complete

Section 339.7 - Amendment of records.

339.7 Amendment of records. Within 30 business days of a written request from a data subject for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the agency shall:

(a) make the amendment or correction in whole or in part and inform the data subject that, on request, such correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to paragraphs

(d), (i) or (1) of subdivision 1 of section 96 of the Public Officers Law; or

(b) inform the data subject in writing of its refusal to correct or amend the record, including the reasons therefor.

Doc Status: 
Complete

Section 339.8 - Denial of request for a record or amendment or correction.

339.8 Denial of request for a record or amendment or correction. (a) Denial of a request for records or for amendment or correction of a record or personal information shall:

(1) be in writing, explaining the reasons therefor;

(2) identify the person to whom an appeal may be directed; and

(3) explain the procedure for pursuing such appeal.

(b) A failure to grant or deny access to records within five business days of the receipt of a request or within 30 days of an acknowledgment of the receipt of a request, or a failure to respond to a request for amendment or correction of a record within 30 business days of receipt of such a request, shall be construed as a denial that may be appealed.

(c) Any such denial may be appealed in writing to the privacy compliance appeals officer who shall be the general counsel or one designated by him to act on his behalf. Appeals shall be directed to: General Counsel, Department of Social Services, 40 North Pearl Street, Albany, NY 12243.

Doc Status: 
Complete

Section 339.9 - Appeal of denial.

339.9 Appeal of denial. (a) Any person denied access to a record or denied a request to amend or correct a record or personal information, may within 30 business days of such denial appeal such denial in writing to the privacy compliance appeals officer designated in section 339.8 of this Part.

(b) The time for deciding an appeal shall commence upon receipt of an appeal

that identifies:

(1) the date and location of a request for a record or amendment or correction of a record or personal information;

(2) the record that is the subject of the appeal; and

(3) the name and return address of the appellant.

(c) Within seven business days of an appeal of a denial of access, or within 30 business days of an appeal concerning a denial of a request for correction or amendment, the person determining such appeal shall:

(1) provide access to or correct or amend the record or personal information or cause such to be done; or

(2) fully explain in writing the factual and/or statutory reasons for further denial and inform the data subject of the right to seek judicial review of such determination pursuant to article 78 of the Civil Practice Law and Rules by authority of section 97 of the Public Officers Law.

(d) If, on appeal, a record or personal information is corrected or amended, the data subject shall be informed that, on request, the correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to paragraph (d), (i), or (1) of subdivision 1 of section 96 of the Public Officers Law.

(e) The department shall immediately forward to the Committee on Open Government a copy of any appeal made pursuant to this Part, upon receipt, the determination thereof and the reasons therefor at the time of such determination.

Doc Status: 
Complete

Section 339.10 - Statement of disagreement by data subject.

339.10 Statement of disagreement by data subject. (a) If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the determination rendered pursuant to the appeal shall inform the data subject of the right to:

(1) file with the department a statement of reasonable length setting forth the data subject's reasons for disagreement with the determination;

(2) request that such a statement of disagreement be provided to any person or governmental unit to which the record has been or is disclosed pursuant to paragraph (d), (i), or (1) of subdivision 1 of section 96 of the Public Officers Law.

(b) Upon receipt of a statement of disagreement from a data subject, the department shall:

(1) clearly note any portions of the record that are disputed; and

(2) attach the data subject's statement as part of the record.

(c) When providing a data subject's statement of disagreement to a person or governmental unit in conjunction with a disclosure made pursuant to paragraph (d), (i) or (1) of subdivision 1 of section 96 of the Public Officers Law, the department may also include a concise statement of its reasons for not making the requested amendment or correction.

Doc Status: 
Complete

Section 339.11 - Fees.

339.11 Fees. (a) Unless otherwise prescribed by statute, there shall be no fee charged for:

(1) inspection of records;

(2) search for records; or

(3) any certification pursuant to this Part.

(b) Unless otherwise prescribed by statute or subdivision (c) of this section, copies of records shall be provided:

(1) at a rate of 25 cents per photocopy up to 9 x 14 inches; or

(2) upon payment of the actual cost of reproduction, if the record or personal information cannot be photocopied. The actual cost of reproduction shall be based upon the average unit cost for copying a record, excluding fixed costs of the department, such as operator salaries and overhead.

(c) There shall be no fee for providing copies of records when the data subject is a person applying for or receiving public assistance or care or food stamp assistance.

Doc Status: 
Complete