PART 315
ACCESS TO PERSONAL INFORMATION MAINTAINED BY STATE UNIVERSITY OF NEW YORK
|
Denial of request for a record or for amendment or correction of a record or personal information | |
§ 315.1 Purpose and scope.
(a) It is the responsibility and the intent of State University of New York to comply fully with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law.
(b) The university shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the university that is required to be accomplished by statute or executive order, or to implement a program specifically authorized by law.
(c) Personal information will be collected, whenever practicable, directly from the person to whom the information pertains.
(d) The university will seek to ensure that all records pertaining to or used with respect to individuals are accurate, relevant, timely and complete.
(e) These regulations provide information regarding the procedures by which members of the public may assert rights granted by the Personal Privacy Protection Law.
§ 315.2 Designation of privacy compliance officer.
(a) The chancellor, for the central administration of the university, and the chief administrative officer of each State-operated institution are responsible for ensuring compliance with the regulations herein. For the purposes of central administration of the university, the Executive Director, Central Administration Services, or designee, State University Plaza, Albany, NY 12246, shall serve as privacy compliance officer. A privacy compliance officer shall be designated by the chief administrative officer of each State- operated campus. The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus.
(b) Privacy compliance officers are responsible for ensuring appropriate responses to requests for access to and for amendment or correction of records in accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past been authorized to make records available or to amend or correct such records from continuing to do so. Privacy compliance offices shall ensure that personnel:
(1) assist a data subject in identifying and requesting personal information, if necessary;
(2) describe the contents of systems of records orally or in writing in order to enable a data subject to learn if a system of records includes a record or personal information identifiable to the data subject;
(3) take one of the following actions upon locating the record sought:
(i) make the record available for inspection, in a printed form without codes or symbols, unless an accompanying document explaining such codes or symbols is also provided;
(ii) permit the data subject to copy the record; or
(iii) deny access to the record in whole or in part and explain in writing the reasons therefor;
(4) upon request for copies of records, make a copy available upon payment of 25 cents per page;
(5) upon request, certify that a copy of a record is a true copy; or
(6) upon request, certify that:
(i) the university or campus does not have possession of the record sought;
(ii) the university or campus cannot locate the record sought after having made a diligent search; or
(iii) the information sought cannot be retrieved by use of the description thereof, or by use of the name or other identifier of the data subject without extraordinary search methods being employed by the university or campus
§ 315.3 Proof of identity.
(a) When a request is made in person, or when records are made available in person following a request made by mail, the university or campus may require appropriate identification, such as a driver's license, an identifier assigned to the data subject by the university or campus, a photograph or similar information that confirms that the record sought pertains to the data subject.
(b) When a request is made by mail, the university or campus may require verification of a signature or inclusion of an identifier generally known only by a data subject, or similar appropriate identification.
(c) Proof of identity shall not be required regarding a request for a record accessible to the public pursuant to the Freedom of Information Law.
§ 315.4 Location.
Records shall be made available at the office of the privacy compliance officer or at the location at which they are maintained. Whenever practicable, records shall be made available at an office near the residence of the data subject.
§ 315.5 Hours for public inspection and copying.
The university or campus shall accept requests for records and produce records during all regular business hours.
§ 315.6 Requests for records.
(a) All requests shall be made in writing, except that the privacy compliance officer may make records available upon an oral request made in person after the applicant had demonstrated proof of identity.
(b) A request shall reasonably describe the record or records sought. Whenever possible, the data subject should supply identifying information that will assist in locating the records sought.
(c) Within five business days of the receipt of a request, the privacy compliance officer shall provide access to the record, deny access in writing explaining the reasons therefor, or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not exceed 30 days from the date of the acknowledgement.
§ 315.7 Amendment of records.
Within 30 business days of a request from a data subject for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the privacy compliance officer shall:
(a) make the amendment or correction in whole or in part and inform the data subject that, on request, such correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l); or
(b) inform the data subject in writing of his or her refusal to correct or amend the record, including the reasons therefor.
§ 315.8 Denial of request for a record or for amendment or correction or a record of personal information.
(a) Denial of a request for records or for amendment or correction of a record or personal information shall be in writing, explaining the reasons therefor, and shall identify the person to whom an appeal may be directed.
(b) A failure to grant or deny access to records or to respond to a request for amendment or correction of a record within the time periods specified in sections 315.6 and 315.7 of this Part, shall be construed as a denial which may be appealed.
§ 315.9 Appeal.
(a) Any person denied access to a record or denied a request to amend or correct a record or personal information pursuant to section 315.8 of this Part may, within 30 business days of such denial, appeal to: Vice Chancellor for Governmental and University Relations, or designee, State University of New York, State University Plaza, Albany, NY 12246, Telephone: (518) 443-5148.
(b) The time for deciding an appeal shall commence upon receipt of a written appeal identifying:
(1) the date and location of the request for a record or for amendment or correction of a record or personal information;
(c) Within seven business days of an appeal of a denial of access, or within 30 business days of an appeal concerning a denial of a request for correction or amendment, the person designated to determine appeals shall:
(1) provide access to or correct or amend the record or personal information; or
(2) fully explain in writing the factual and statutory reasons for further denial and inform the data subject of the right to seek judicial review of such determination pursuant to article 78 of the Civil Practice Law and Rules.
(d) If, on appeal, a record or personal information is corrected or amended, the data subject shall be informed that, on request, the correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l).
(e) The person designated to determine appeals shall immediately forward to the Committee on Open Government a copy of any appeal made pursuant to this Part, the determination thereof, and the reasons therefor.
§ 315.10 Statement of disagreement by data subject.
(a) If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the person designated to determine appeals shall inform the data subject of the right to:
(1) file with the university a statement of reasonable length setting forth the data subject's reasons for disagreement with the determination;
(2) request that such a statement of disagreement be provided to any person or governmental unit to which the record has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l).
(b) Upon receipt of a statement of disagreement by a data subject, the university shall clearly note any portions of the record that are disputed and attach the data subject's statement as part of the record.
(c) When providing a data subject's statement of disagreement to a person or governmental unit in conjunction with a disclosure made pursuant to Public Officers Law, section 96(1)(d),(i) or (l), the university may also include a concise statement of its reasons for not making the requested amendment or correction.
§ 315.11 Fees.
(a) Unless otherwise prescribed by statute, there shall be no fee charged for:
(b) Unless otherwise prescribed by statute, copies of records shall be provided:
(1) upon payment of 25 cents per page; or
(2) upon payment of the actual cost of reproduction, if the record or personal information cannot be photocopied.
§ 315.12 Severability.
If any provision of this Part or the application thereof to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other persons and circumstances.