Title: Section 339.2 - Privacy compliance officer; personal information procedures.

339.2 Privacy compliance officer; personal information procedures. (a) The director of Public Information and Communications is hereby designated privacy compliance officer and is responsible for ensuring that the department complies with the provisions of the Personal Privacy Protection Law and the regulations

herein and for coordinating the department's response to requests for records or amendment of records.

(b) The address and telephone number of the privacy compliance officer is: Department of Social Services, 40 North Pearl Street, Albany, NY 12243, (518) 474-9516.

(c) The privacy compliance officer is responsible for overseeing department procedures, by which a data subject can learn if a system of records contains any information pertaining to the data subject, including:

(1) assisting a data subject in identifying and requesting personal information, if necessary;

(2) describing the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to a data subject requesting such record or personal information;

(3) taking one of the following actions upon locating the record sought:

(i) except as prohibited by subdivision (d) of this section, make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided;

(ii) permit the data subject to copy information from the record; or

(iii) deny access to the record in whole or in part and explain in writing the reasons therefor;

(4) upon payment of established fees, unless such fees are exempted by section 339.11(c) of this Part, making a photocopy of the record or permitting the data subject to make a photocopy of the record;

(5) upon request, certifying that a copy of a record is a true copy; or

(6) upon request, certifying that:

(i) the department does not have possession of the record sought;

(ii) the department cannot locate the record sought after having made a diligent search; or

(iii) the information sought cannot be retrieved by use of the data subject's description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the department.

(d) The privacy compliance officer shall deny access to:

(1) personal information to which a data subject is otherwise prohibited by law from gaining access;

(2) attorney's work product or material prepared for litigation before a judicial, quasi-judicial or administrative tribunal unless disclosure is mandated by a statute, a grand jury subpoena, a subpoena issued in the course of a criminal action or proceeding, a court-ordered subpoena, a search warrant or a court order.

Volume

VOLUME A (Title 18)

up