Int. No. 1557-A
By The Speaker (Council Member Mark-Viverito) and Council Members Levin, Dromm, Menchaca, Chin, Gibson, Kallos, Rosenthal, Constantinides and Vacca
A Local Law to amend the New York city charter and the administrative code of the city of New York, in relation to establishing a chief privacy officer and policies and protocols relating to the handling of identifying information
Be it enacted by the Council as follows:
Section 1. Section 8 of the New York city charter is amended by adding a new subdivision h to read as follows:
h. The mayor shall designate the head of an office of the mayor, or of such other agency headed by a mayoral appointee as the mayor may determine, to act as the city’s chief privacy officer. For the purposes of this subdivision, identifying information has the same meaning as set forth in section 23-1201 of the administrative code. Consistent with the provisions of subdivision g of this section, such officer shall have the power and duty to:
1. promulgate, after receiving the recommendations of the committee established pursuant to section 23-1204 of the administrative code, policies, and protocols regarding the collection, retention, and disclosure of identifying information by agencies, contractors, and subcontractors, provided that particular policies and protocols may apply to all agencies, contractors, and subcontractors or to a subset thereof;
2. provide guidance and information to the city and every agency thereof on federal, state, and local laws, policies, and protocols related to the collection, retention, and disclosure of identifying information and direct agencies to make any changes necessary to achieve or maintain such compliance;
3. review, in collaboration with the committee established pursuant to section 23-1204 of the administrative code, agency identifying information reports submitted pursuant to section 23-1205 of the administrative code;
4. specify types of information, in addition to identifying information as defined in section 23-1201 of the administrative code, that shall be subject to protection by agencies, as required by such officer, based on the nature of such information and the circumstances of its collection or potential disclosure.
§ 2. Chapter 12 of title 23 of the administrative code of the city of New York is amended by adding new sections 23-1203, 23-1204, and 23-1205 to read as follows:
§ 23-1203 Policies and protocols of the chief privacy officer. The policies and protocols promulgated by the chief privacy officer pursuant to subdivision h of section 8 of the charter shall, at a minimum:
1. require that identifying information is anonymized where appropriate in accordance with the purpose or mission of a city agency;
2. require the privacy officer of each city agency to issue guidance to city agency employees, contractors and subcontractors regarding such agency’s collection, retention, and disclosure of identifying information;
3. require any city agency disclosing identifying information to a third party when such a disclosure is not classified as routine pursuant to section 23-1202 to enter into an agreement ensuring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter unless: (i) such disclosure is made under exigent circumstances, or (ii) such an agreement would not further the purposes of this chapter due to the absence of circumstances in which such disclosure would unduly compromise an important privacy interest.
4. describe disclosures of identifying information to third parties when such a disclosure is classified as routine pursuant to section 23-1202 for which, because of the nature or extent of such disclosures or because of the nature of the relationship between the city agency and third party, such disclosing agency is required to enter into an agreement with such third party requiring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter;
5. describe disclosures of identifying information that are not to be treated as routine pursuant to section 23-1202, as determined by the nature and extent of such disclosures, and require an additional level of review and approval by the privacy officer of such agency or the contractor or subcontractor before such disclosures are made;
6. describe circumstances when disclosure of an individual’s identifying information to third parties in violation of this chapter would, in light of the nature, extent, and foreseeable adverse consequences of such disclosure, require the disclosing city agency, contractor, or subcontractor to make reasonable efforts to notify the affected individual as soon as practicable;
7. establish standard contract provisions, or required elements of such provisions, related to the protection of identifying information;
8. require the privacy officer of each city agency to arrange for dissemination of information to agency employees, contractors, and subcontractors and develop a plan for compliance with this chapter and any policies and protocols developed under this chapter; and
9. establish a mechanism for accepting and investigating complaints for violations of this chapter.
§ 23-1204 Committee. a. There is hereby established in the office of the mayor, or such other city agency headed by a mayoral appointee as the mayor may determine, an identifying information protection committee.
1. Such committee shall consist of:
(a) the corporation counsel or a designee of the corporation counsel;
(b) the director of the mayor’s office of operations or such director’s designee;
(c) the coordinator of criminal justice or such coordinator’s designee;
(d) any deputy mayors who may be designated by the mayor to serve on such committee or their designees; and
(e) the commissioners of the following agencies or such commissioners’ designees:
(1) the administration for children’s services;
(2) the department of social services;
(3) the police department;
(4) the department of correction;
(5) the department of probation;
(6) the department of health and mental hygiene;
(7) the department of information technology and telecommunications;
(8) the fire department; and
(9) representatives of such other agencies as the mayor may designate having relevant duties or expertise with respect to federal, state, and local laws and policies relating to protecting identifying information.
2. Unless otherwise determined by the mayor, the chair of such committee shall be the director of the mayor’s office of operations or such director’s designee. Staff services for such committee shall be provided by the participating agencies.
b. The committee, in collaboration with the chief privacy officer, shall review city agency reports provided pursuant to section 23-1205 and recommend policies and procedures regarding the collection, retention and disclosure of identifying information while taking into consideration each city agency’s unique mission, subject matter expertise, and legal obligations.
c. No later than October 30, 2018, the committee shall communicate its final recommendations pursuant to subdivision b of this section along with the city agency reports required pursuant to section 23-1205 to the applicable city agencies, the mayor, the speaker of the council, and the chief privacy officer. Beginning July 31, 2020 and every two years thereafter, the committee shall review such agency reports and any policies and protocols adopted pursuant to this chapter.
d. Within 90 days of receiving any final recommendations of the committee, the chief privacy officer shall adopt policies and protocols, in accordance with sections 23-1202 and 23-1203, as necessary or appropriate in furtherance of this chapter.
e. No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
§ 23-1205 City agency policies. a. No later than July 31, 2018, and every two years thereafter by July 31, each city agency shall provide a report regarding the collection, retention, and disclosure of identifying information by such agency and any contractors or subcontractors utilized by such agency. Each such report shall include:
1. information concerning identifying information collected, retained, and disclosed, including:
(a) the types of identifying information collected, retained, and disclosed, including, but not limited to, where practicable, those types enumerated in the definition of identifying information;
(b) the types of collections and disclosures classified as routine and any collections or disclosures approved by the chief privacy officer;
(c) current policies regarding collection, retention, and disclosure, including:
(1) policies regarding requests for disclosures from other city agencies, local public authorities or local public benefit corporations, and third parties;
(2) policies regarding proposals for disclosures to other city agencies, local public authorities or local public benefit corporations, and third parties;
(3) policies regarding the classification of disclosures as necessitated by the existence of exigent circumstances or as routine; and
(4) which divisions and categories of employees within an agency make disclosures of identifying information following the approval of the privacy officer;
(d) use of agreements regarding the anticipated use and any potential future use of identifying information disclosed;
(e) types of entities requesting the disclosure of identifying information or proposals for disclosures of identifying information, the reasons why an agency discloses identifying information in response to requests or proposes the disclosure of identifying information, and why any such disclosures furthers the purpose or mission of such agency; and
(f) the reasons why any collection and retention of identifying information furthers the purposes or mission of such agency;
2. the impact of any privacy policies and protocols issued by the chief privacy officer, any guidance issued by the privacy officer of such agency or the committee, the provisions of this chapter, and other applicable law on the agency’s collection, retention, and disclosure of identifying information;
3. consideration and implementation, where applicable, of alternative policies that minimize the collection, retention, and disclosure of identifying information to the greatest extent possible while furthering the purpose or mission of such agency; and
4. policies on access to identifying information by employees, contractors, and subcontractors, including consideration of the necessity of access to such information for the performance of their duties and implementation of policies that minimize such access to the greatest extent possible while furthering the purpose or mission of an agency.
b. Each city agency shall submit the report prepared pursuant to subdivision a of this section to the mayor, the speaker of the council, the chief privacy officer, and the committee.
c. No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
§ 3. This local law takes effect on the same date and in the same manner that a local law for the year 2017 amending the administrative code of the city of New York relating to identifying information, as proposed in introduction number 1588-A, takes effect, provided that where the provisions of sections 23-1203, 23-1204, and 23-1205 of the administrative code of the city of New York, as added by section two of this local law, cannot be applied consistently with currently applicable contracts, such provisions shall only apply with respect to contracts entered into or renewed after the effective date of this local law.
11/8/17 4:33PM
LS #9355