ACCESS TO PERSONAL INFORMATION MAINTAINED BY STATE UNIVERSITY OF NEW YORK
§ 315.1 Purpose and scope.
(b) The university shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the university that is required to be accomplished by statute or executive order, or to implement a program specifically authorized by law.
§ 315.2 Designation of privacy compliance officer.
(a) The chancellor, for the central administration of the university, and the chief administrative officer of each State-operated institution are responsible for ensuring compliance with the regulations herein. For the purposes of central administration of the university, the Executive Director, Central Administration Services, or designee, State University Plaza, Albany, NY 12246, shall serve as privacy compliance officer. A privacy compliance officer shall be designated by the chief administrative officer of each State- operated campus. The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus.
(b) Privacy compliance officers are responsible for ensuring appropriate responses to requests for access to and for amendment or correction of records in accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past been authorized to make records available or to amend or correct such records from continuing to do so. Privacy compliance offices shall ensure that personnel:
(2) describe the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to the data subject;
(iii) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the university or campus
§ 315.3 Proof of identity.
(a) When a request is made in person, or when records are made available in person following a request made by mail, the university or campus may require appropriate identification, such as a driver's license, an identifier assigned to the data subject by the university or campus, a photograph or similar information that confirms that the record sought pertains to the data subject.
(b) When a request is made by mail, the university or campus may require verification of a signature or inclusion of an identifier generally known only by a data subject, or similar appropriate identification.
§ 315.4 Location.
Records shall be made available at the office of the privacy compliance officer or at the location at which they are maintained. Whenever practicable, records shall be made available at an office near the residence of the data subject.
§ 315.5 Hours for public inspection and copying.
§ 315.6 Requests for records.
(a) All requests shall be made in writing, except that the privacy compliance officer may make records available upon an oral request made in person after the applicant had demonstrated proof of identity.
(c) Within five business days of the receipt of a request, the privacy compliance officer shall provide access to the record, deny access in writing explaining the reasons therefor, or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not exceed 30 days from the date of the acknowledgement.
§ 315.7 Amendment of records.
Within 30 business days of a request from a data subject for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the privacy compliance officer shall:
(a) make the amendment or correction in whole or in part and inform the data subject that, on request, such correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l); or
§ 315.8 Denial of request for a record or for amendment or correction or a record of personal information.
(a) Denial of a request for records or for amendment or correction of a record or personal information shall be in writing, explaining the reasons therefor, and shall identify the person to whom an appeal may be directed.
(b) A failure to grant or deny access to records or to respond to a request for amendment or correction of a record within the time periods specified in sections 315.6 and 315.7 of this Part, shall be construed as a denial which may be appealed.
§ 315.9 Appeal.
(a) Any person denied access to a record or denied a request to amend or correct a record or personal information pursuant to section 315.8 of this Part may, within 30 business days of such denial, appeal to: Vice Chancellor for Governmental and University Relations, or designee, State University of New York, State University Plaza, Albany, NY 12246, Telephone: (518) 443-5148.
(c) Within seven business days of an appeal of a denial of access, or within 30 business days of an appeal concerning a denial of a request for correction or amendment, the person designated to determine appeals shall:
(2) fully explain in writing the factual and statutory reasons for further denial and inform the data subject of the right to seek judicial review of such determination pursuant to article 78 of the Civil Practice Law and Rules.
(d) If, on appeal, a record or personal information is corrected or amended, the data subject shall be informed that, on request, the correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l).
(e) The person designated to determine appeals shall immediately forward to the Committee on Open Government a copy of any appeal made pursuant to this Part, the determination thereof, and the reasons therefor.
§ 315.10 Statement of disagreement by data subject.
(2) request that such a statement of disagreement be provided to any person or governmental unit to which the record has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l).
(b) Upon receipt of a statement of disagreement by a data subject, the university shall clearly note any portions of the record that are disputed and attach the data subject's statement as part of the record.
(c) When providing a data subject's statement of disagreement to a person or governmental unit in conjunction with a disclosure made pursuant to Public Officers Law, section 96(1)(d),(i) or (l), the university may also include a concise statement of its reasons for not making the requested amendment or correction.
§ 315.11 Fees.
§ 315.12 Severability.
If any provision of this Part or the application thereof to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other persons and circumstances.