Int. No. 2459-A
By Council Members Feliz, Kallos and D. Diaz (by request of the Mayor)
A Local Law to amend the New York city charter, in relation to establishing an office of information privacy
Be it enacted by the Council as follows:
Section 1. Subdivision h of section 8 of the New York city charter, as added by local law number 245 for the year 2017, is amended to read as follows:
h. The mayor shall [designate the head of] establish an office of information privacy. Such office may be established within the executive office of the mayor or as a separate office or within any [of such] other agency or office headed by a mayoral appointee as the mayor may determine. [to act as] Such office shall be headed by the city's chief privacy officer, who shall be appointed by the mayor or by the head of such other agency or office. All city agencies shall cooperate with the office so as to ensure the efficient performance of its duties. For the purposes of this subdivision, identifying information has the same meaning as set forth in section 23-1201 of the administrative code. Consistent with the provisions of subdivision g of this section, [such] the chief privacy officer shall have the power and duty to:
1. promulgate, after receiving the recommendations of the committee established pursuant to section 23-1204 of the administrative code, policies and protocols regarding the collection, retention, and disclosure of identifying information by agencies, contractors, and subcontractors, provided that particular policies and protocols may apply to all agencies, contractors, and subcontractors or to a subset thereof;
2. provide guidance and information to the city and every agency thereof on federal, state, and local laws, policies, and protocols related to the collection, retention, and disclosure of identifying information and direct agencies to make any changes necessary to achieve or maintain such compliance;
3. review, in collaboration with the committee established pursuant to section 23-1204 of the administrative code, agency identifying information reports submitted pursuant to section 23-1205 of the administrative code;
4. specify types of information, in addition to identifying information as defined in section 23-1201 of the administrative code, that shall be subject to protection by agencies, as required by such officer, based on the nature of such information and the circumstances of its collection or potential disclosure;
5. advise the mayor and senior city officials and provide guidance to city agencies on issues related to privacy, and on strategies, legislative proposals, and city and agency policies and best practices for advancing privacy protections;
6. establish citywide privacy policies, standards, and requirements, and modify or expand them as necessary to meet the evolving privacy protection needs of the city and its agencies;
7. issue guidance to support agency compliance with privacy laws, policies, and privacy best practice standards and requirements;
8. advise agencies on the privacy aspects of suspected and known incidents involving the unauthorized collection, access, acquisition, use, or disclosure of identifying information, working together with the office of cyber command and the department of information technology and telecommunications and other city officials responsible for managing the technical aspects of the city’s incident investigation, response, and recovery processes;
9. in collaboration with the office of cyber command, department of information technology and telecommunications, the law department, relevant agency counsel, and other city agencies and officials as needed, advise on any necessary actions regarding identifying information in response to such actual and suspected incidents;
10. train or cause to be trained city employees and contractors on privacy laws, policies, and best practices;
11. advise city agencies on privacy strategies and required or appropriate privacy provisions for data sharing initiatives, and assist in the development of privacy policies and contract terms for data sharing agreements, in coordination with relevant agencies and the law department as appropriate; and
12. promulgate rules as necessary to carry out the powers and duties of the office.
§ 2. This local law takes effect immediately.