SUNY PP Home Page   Print Page   Close Page   Convert current file into a PDF document   Convert current file into a DOC document


The materials below consist of regulations of the State University of New York Board of Trustees. However, it is not the Official Compilation of the Codes, Rules, and Regulations of the State of New York. Readers are advised to refer to the Official Compilation ( 8 NYCRR Part et seq )in case of questions.

PART 315

ACCESS TO PERSONAL INFORMATION MAINTAINED BY STATE UNIVERSITY OF NEW YORK

Sec.

315.1

Purpose and scope

315.2

Designation of privacy compliance officer

315.3

Proof of identity

315.4

Location

315.5

Hours for public inspection and copying

315.6

Requests for records

315.7

Amendment of records

315.8

Denial of request for a record or for amendment or correction of a record or personal information

315.9

Appeal

315.10

Statement of disagreement by data subject

315.11

Fees

315.12

Severability

§ 315.1 Purpose and scope.

(a) It is the responsibility and the intent of State University of New York to comply fully with the provisions of article 6-A of the Public Officers Law, the Personal Privacy Protection Law.

(b) The university shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the university that is required to be accomplished by statute or executive order, or to implement a program specifically authorized by law.

(c) Personal information will be collected, whenever practicable, directly from the person to whom the information pertains.

(d) The university will seek to ensure that all records pertaining to or used with respect to individuals are accurate, relevant, timely and complete.

(e) These regulations provide information regarding the procedures by which members of the public may assert rights granted by the Personal Privacy Protection Law.

§ 315.2 Designation of privacy compliance officer.

(a) The chancellor, for the central administration of the university, and the chief administrative officer of each State-operated institution are responsible for ensuring compliance with the regulations herein. For the purposes of central administration of the university, the Executive Director, Central Administration Services, or designee, State University Plaza, Albany, NY 12246, shall serve as privacy compliance officer. A privacy compliance officer shall be designated by the chief administrative officer of each State- operated campus. The name, title and business address of the campus privacy compliance officer may be obtained from the office of the chief administrative officer of each campus.

(b) Privacy compliance officers are responsible for ensuring appropriate responses to requests for access to and for amendment or correction of records in accordance with the Personal Privacy Protection Law. The designation of privacy compliance officers shall not be construed to prohibit officials who have in the past been authorized to make records available or to amend or correct such records from continuing to do so. Privacy compliance offices shall ensure that personnel:

§ 315.3 Proof of identity.

(a) When a request is made in person, or when records are made available in person following a request made by mail, the university or campus may require appropriate identification, such as a driver's license, an identifier assigned to the data subject by the university or campus, a photograph or similar information that confirms that the record sought pertains to the data subject.

(b) When a request is made by mail, the university or campus may require verification of a signature or inclusion of an identifier generally known only by a data subject, or similar appropriate identification.

(c) Proof of identity shall not be required regarding a request for a record accessible to the public pursuant to the Freedom of Information Law.

§ 315.4 Location.

Records shall be made available at the office of the privacy compliance officer or at the location at which they are maintained. Whenever practicable, records shall be made available at an office near the residence of the data subject.

§ 315.5 Hours for public inspection and copying.

The university or campus shall accept requests for records and produce records during all regular business hours.

§ 315.6 Requests for records.

(a) All requests shall be made in writing, except that the privacy compliance officer may make records available upon an oral request made in person after the applicant had demonstrated proof of identity.

(b) A request shall reasonably describe the record or records sought. Whenever possible, the data subject should supply identifying information that will assist in locating the records sought.

(c) Within five business days of the receipt of a request, the privacy compliance officer shall provide access to the record, deny access in writing explaining the reasons therefor, or acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not exceed 30 days from the date of the acknowledgement.

§ 315.7 Amendment of records.

Within 30 business days of a request from a data subject for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the privacy compliance officer shall:

(a) make the amendment or correction in whole or in part and inform the data subject that, on request, such correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l); or

(b) inform the data subject in writing of his or her refusal to correct or amend the record, including the reasons therefor.

§ 315.8 Denial of request for a record or for amendment or correction or a record of personal information.

(a) Denial of a request for records or for amendment or correction of a record or personal information shall be in writing, explaining the reasons therefor, and shall identify the person to whom an appeal may be directed.

(b) A failure to grant or deny access to records or to respond to a request for amendment or correction of a record within the time periods specified in sections 315.6 and 315.7 of this Part, shall be construed as a denial which may be appealed.

§ 315.9 Appeal.

(a) Any person denied access to a record or denied a request to amend or correct a record or personal information pursuant to section 315.8 of this Part may, within 30 business days of such denial, appeal to: Vice Chancellor for Governmental and University Relations, or designee, State University of New York, State University Plaza, Albany, NY 12246, Telephone: (518) 443-5148.

(b) The time for deciding an appeal shall commence upon receipt of a written appeal identifying:

(c) Within seven business days of an appeal of a denial of access, or within 30 business days of an appeal concerning a denial of a request for correction or amendment, the person designated to determine appeals shall:

(d) If, on appeal, a record or personal information is corrected or amended, the data subject shall be informed that, on request, the correction or amendment will be provided to any person or governmental unit to which the record or personal information has been or is disclosed pursuant to Public Officers Law, section 96(1)(d),(i) or (l).

(e) The person designated to determine appeals shall immediately forward to the Committee on Open Government a copy of any appeal made pursuant to this Part, the determination thereof, and the reasons therefor.

§ 315.10 Statement of disagreement by data subject.

(a) If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the person designated to determine appeals shall inform the data subject of the right to:

(b) Upon receipt of a statement of disagreement by a data subject, the university shall clearly note any portions of the record that are disputed and attach the data subject's statement as part of the record.

(c) When providing a data subject's statement of disagreement to a person or governmental unit in conjunction with a disclosure made pursuant to Public Officers Law, section 96(1)(d),(i) or (l), the university may also include a concise statement of its reasons for not making the requested amendment or correction.

§ 315.11 Fees.

(a) Unless otherwise prescribed by statute, there shall be no fee charged for:

(b) Unless otherwise prescribed by statute, copies of records shall be provided:

§ 315.12 Severability.

If any provision of this Part or the application thereof to any person or circumstances is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other persons and circumstances.