Statutes, codes, and regulations
New York Codes, Rules and Regulations
Title 8 - EDUCATION DEPARTMENTChapter XX - Higher Education Services CorporationSubchapter A - Administration
Part 2002 - Public Access To Records
Section 2002.5 - Personal privacy protection

N.Y. Comp. Codes R. & Regs. tit. 8 § 2002.5

Download
PDF
Current through Register Vol. 46, No. 25, June 18, 2024
Section 2002.5 - Personal privacy protection
(a)General provisions.

The corporation shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the corporation required by statute or executive order, or to implement a program specifically authorized by law. Personal information will be collected, whenever practicable, directly from the person to whom the information pertains, and the corporation shall seek to ensure that all records pertaining to individuals are accurate, relevant and complete.

(b)Definitions.

As used in this section, the following terms shall have the following meanings, unless otherwise specified:

(1)Data subject shall mean any natural person about whom personal information has been collected by an agency.
(2)Personal information means any information concerning a data subject which, because of name, number, symbol mark or other identifier can be used to identify that data subject.
(3)Record means any item collection or grouping of personal information about a data subject which is maintained and is retrievable by use of the name or other identifier of the data subject. The term record shall not include personal information which is not used to make any determination about the data subject if it is:
(i) any compilation of information containing names and addresses only which is used exclusively for the purpose of mailing agency information;
(ii) personal information required by law to be maintained, and required by law to be used, only for statistical research or reporting purposes;
(iii) information requested by the agency which is necessary for the agency to answer unsolicited requests by the data subject for information; or
(iv) correspondence files.
(4) System of records.

The term system of records means any group of records under the actual or constructive control of any agency pertaining to one or more data subjects from which personal information is retrievable by use of the name or other identifier of a data subject.

(c)Designation and duties of personal privacy protection law compliance officer.
(1) The records access officer designated under section 2002.1(b) of this Part is hereby designated as the personal privacy law compliance officer.
(2) The privacy compliance officer is responsible for:
(i) assisting a data subject in identifying and requesting personal information, if necessary;
(ii) describing the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to a data subject requesting such record or personal information;
(iii) taking one of the following actions upon locating the record sought:
(a) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided;
(b) permit the data subject to copy the record; or
(c) deny access to the record in whole or in part and explain in writing the reasons therefor;
(iv) making a copy available, upon request, upon payment of or offer to pay established fees, if any, or permitting the data subject to copy the records;
(v) upon request, certifying that a copy of a record is a true copy; or
(vi) certifying upon request, that:
(a) the corporation does not have possession of the record sought;
(b) the corporation cannot locate the record sought after having made a diligent search; or
(c) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the agency.
(d)Compliance procedures.
(1) Request for records.
(i) All requests for records shall be made in writing, except that the corporation may make records available upon an oral request made in person, provided that applicant has demonstrated proof of identity.
(ii) A request shall reasonably describe the record sought. Whenever possible the request should include identifying information that assist the corporation in locating the records sought.
(iii) Requests based upon categories of information described in a notice of system of records or a privacy impact statement shall be deemed to reasonably describe the record sought.
(iv) Proof of identity.
(a) When a request is made in person, or when records are made available in person following a request made by mail, the agency may require appropriate identification, such as a driver's license, an identifier assigned to the data subject by the agency, a photograph or similar information that confirms that the record sought pertains to the data subject.
(b) When a request is made by mail, the agency may require verification of a signature of inclusion of an identifier generally known only by a data subject, or similar appropriate identification.
(c) Proof of identity shall not be required regarding a request for a record accessible to the public pursuant to article 6 of the Public Officers Law.
(v) Location. Records shall be made available at the main office of the agency, which is located at: One Commerce Plaza, Albany, NY 12210.
(vi) Hours for public inspection and copying. The agency shall accept requests for records and produce records during regular business hours, which are 9 a.m. to 5 p.m.
(vii) Within five business days of the receipt of a request, the corporation shall provide access to the record, deny access in writing explaining the reasons therefor, or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied.
(2) Amendment of records. Within 30 business days of a request from a data subject for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the agency shall:
(i) make the amendment or correction in whole or in part and inform the data subject that, on request, such correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to paragraph (d), (i) or (l) of subdivision 1 of section 96 of the Public Officers Law; or
(ii) inform the data subject in writing of this refusal to correct or amend the record, including the reasons therefor.
(3) Denial of request for a record or amendment or correction of record or personal information.
(i) Denial of a request for records or amendment or correction of a record or personal information:
(a) shall be in writing, explaining the reasons therefor; and
(b) identifying the person to whom an appeal may be directed.
(ii) A failure to grant or deny access to records within five business days of the receipt of a request or within 30 days of an acknowledgment or the receipt of a request, or a failure to respond to a request for amendment or correction of a record within 30 business days of receipt of such a request, shall be construed as a denial that may be appealed.
(iii) Any such denial may be appealed to: Executive Vice President, New York State Higher Education Services Corporation, One Commerce Plaza, Albany, NY 12255.
(4) Appeal.
(i) Any person denied access to a record or denied a request to amend or correct a record or personal information pursuant to paragraph (e)(1) of this section may, within 30 days of such denial, appeal to the corporation's executive vice-president.
(ii) The time for deciding an appeal shall commence upon receipt of an appeal that identifies:
(a) the date and location of a request for a record or amendment or correction of a record or personal information;
(b) the record that is the subject of the appeal; and
(c) the name and return address of the appellant.
(iii) Within seven business days of an appeal of a denial of access, or within 30 days of an appeal concerning a denial of a request for correction or amendment, the person determining such appeals shall:
(a) provide access to or correct or amend the record or personal information; or
(b) fully explain in writing the factual and statutory reasons for further denial and inform the data subject of the right to seek judicial review of such determination pursuant to article 78 of the Civil Practice Law and Rules.
(iv) If, on appeal, a record or personal information is corrected or amended, the data subject shall be informed that, on request, the correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to paragraph (d), (i) or (l) of subdivision 1 of section 96 of the Public Officers Law.
(v) The corporation shall immediately forward to the Committee on Open Government a copy of any appeal made pursuant to this Part upon receipt, the determination thereof and the reasons thereof at the time of such determination.
(5) Statement of disagreement by data subject.
(i) If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the determination rendered pursuant to the appeal shall inform the data subject of the right to:
(a) file with the corporation a statement of reasonable length setting forth the data subject's reasons for disagreement with the determination;
(b) request that such a statement of disagreement be provided to any person or governmental unit to which the record has been or is disclosed pursuant to paragraph (d), (i) or (l) of subdivision 1 of section 96 of the Public Officers Law.
(ii) Upon receipt of a statement of disagreement by a data subject, the agency shall:
(a) clearly note any portions of the record that are disputed; and
(b) attach the data subject's statement as part of the record.
(iii) When providing a data subject's statement of disagreement to a person or governmental unit in conjunction with a disclosure made pursuant to paragraph (d), (i) or (l) of subdivision 1 of section 96 of the Public Officers Law, the corporation may also include a concise statement of its reasons for not making the requested amendment or correction.
(6) Fees.
(i) Unless otherwise prescribed by statute, there shall be no fee charged for:
(a) inspection of records;
(b) search for records; or
(c) any certification pursuant to this Part.
(ii) Unless otherwise prescribed by statute, copies of records shall be provided:
(a) at a rate of 25 cents per photocopy up to 9 ×- 14 inches; or
(b) upon payment of the actual cost of reproduction if the record or personal information cannot be photocopied.
(iii) The actual cost of reproduction shall be based upon the average unit cost for copying a record, excluding fixed costs of the agency, such as operator salaries and overhead.
(e)Severability.

If any provision of this Part or the application thereof to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other persons and circumstances.

N.Y. Comp. Codes R. & Regs. Tit. 8 § 2002.5