The State University of New York (University) is subject to the provisions of the “Personal Privacy Protection Law” (Public Officers Law §§91-99) and the University’s implementing regulations under 8 NYCRR § 315 (Access to Personal Information Maintained by State University of New York). The Personal Privacy Protection Law and regulations (PPPL) require the University to take certain steps to protect the privacy rights of individuals to whom state agency records pertain and to provide individuals with an opportunity to review and correct such records.

Under the PPPL: a) the University shall maintain in its records only such personal information that is relevant and necessary to accomplish a purpose of the University that is required to be accomplished by statute or executive order, or to implement a program specifically authorized by law; b) personal information will be collected, whenever practicable, directly from the person to whom the information pertains; and c) the University will seek to ensure that all records pertaining to or used with respect to individuals are accurate, relevant, timely and complete.

Furthermore, under the PPPL: a) subject to certain exceptions, the University shall, within five business days of a written request from an individual for a reasonably described record pertaining to that individual, provide access to the record, deny access in writing, stating the reasons for denial, or acknowledge receipt of the request in writing, stating the approximate date when the request will be granted or denied; b) within 30 business days of a request from an individual for correction or amendment of a record or personal information that is reasonably described and that pertains to the data subject, the University shall either make the amendment or correction in whole or in part or inform the data subject in writing of the refusal to amend or correct the information, including the reason for refusing to make the amendment or correction; and c) no record containing personal information will be disclosed to third parties without the consent of the data subject unless the disclosure is made to individuals or entities as specified in the “Disclosure of Records” in the Procedures section below or pursuant to a subpoena or other compulsory legal process.

A. OBLIGATIONS OF THE UNIVERSITY

1. The University shall:

(a)   except when a data subject provides the University with unsolicited personal information, maintain in its records only such personal information which is relevant and necessary to accomplish a purpose of the University required to be accomplished by statute or executive order, or to implement a program specifically authorized by law;

(b)   maintain all records used by the University to make any determination about any data subject with accuracy, relevance, timeliness and completeness provided however, that personal information or records received by the University from another governmental unit for inclusion in public safety agency records shall be presumed to be accurate;

(c)   collect personal information directly from the data subject whenever practicable, except when collected for the purpose of making quasi-judicial determinations;

(d)   provide each data subject whom it requests to supply information to be maintained in a record, at the time of the initial request, with notification as provided in this paragraph. Where such notification has been provided, subsequent requests for information from the data subject to be maintained in the same record need not be accompanied by notification unless the initial notification is not applicable to the subsequent request. Notification shall include:

(i)    the name of the University and any subdivision within the University that is requesting the personal information and the name or title of the system of records in which such information will be maintained;

(ii)    the title, business address and telephone number of the University official who is responsible for the system of records;

(iii)    the authority granted by law, which authorizes the collection and maintenance of the information;

(iv)    the effects on such data subject, if any, of not providing all or any part of the requested information;

(v)     the principal purpose or purposes for which the information is to be collected; and

(vi)     the uses which may be made of the information.

(e)   ensure that no record pertaining to a data subject shall be modified or destroyed to avoid the provisions of the PPPL;

(f)    cause the requirements of the PPPL to be applied to any contract it executes for the operation of a system of records, or for research, evaluation or reporting, by the University or on its behalf;

(g)   establish written policies in accordance with law governing the responsibilities of persons pertaining to their involvement in the design, development, operation or maintenance of any system of records, and instruct each such person with respect to such policies and the requirements of the PPPL, including any other rules and regulations and procedures adopted pursuant to the PPPL and the penalties for noncompliance;

(h)   establish appropriate administrative, technical and physical safeguards to ensure the security of records;

(i)    establish rules governing retention and timely disposal of records in accordance with law;

(j)    designate a University employee who shall be responsible for ensuring that the agency complies with all of the provisions of the PPPL (the Privacy Compliance Officer);

(k)   whenever a data subject is entitled to gain access to a record, disclose such record at a location near the residence of the data subject whenever reasonable, or by mail;

(l)    upon denial of a request, inform the data subject of the University’s procedures for review of initial determinations and the name and business address of the reviewing officials.

2.   The University shall, except for disclosures made for inclusion in public safety agency records when such record is requested for the purpose of obtaining information required for the investigation of a violation of civil or criminal statutes within the disclosing agency:

(a)   keep an accurate accounting of the date, nature and purpose of each disclosure of a record or personal information, and the name and address of the person or governmental unit to whom the disclosure is made;

(b)   retain the accounting made as part of said record for at least five years after the disclosure for which the accounting is made, or for the life of the record disclosed, whichever is longer;

(c)   at the request of the data subject, inform any person or other governmental unit to which a disclosure has been or is made of any correction, amendment, or notation of dispute made by the University, provided that an accounting of the prior disclosure was made or that the data subject to whom the record pertains provides the name of such person or governmental unit;

(d)   with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, notify the receiving governmental unit that an accounting of such disclosure is being made pursuant to this subdivision and that such accounting will be accessible to the data subject upon his or her request unless otherwise specified by the receiving governmental unit pursuant to paragraph (e) of this subdivision;

(e)   with respect to a disclosure made for inclusion in a public safety agency record or to a governmental unit or component thereof whose primary function is the enforcement of civil or criminal statutes, if in its request for the record the receiving governmental unit states that it has determined that access by the data subject to the accounting of such disclosure would impede criminal investigations and specifies the approximate date on which such determination will no longer be applicable, refuse the data subject access to such accounting or information that such accounting has been made, except upon court ordered subpoena, during the applicable time period. Upon the expiration of said time period the University shall inquire of the receiving governmental unit as to the continued relevancy of the initial determination and, unless requested in writing by the receiving governmental unit to extend the determination for a specified period of time, shall make available to the data subject an accounting of said disclosure; and

(f)    in making a disclosure pursuant to subdivision one of section ninety-six of the Public Officer’s Law, the University shall make such disclosure pursuant to paragraph (d), (i) or (l) of said subdivision only when such disclosure cannot be made pursuant to any other paragraph of said subdivision.

3.    The provisions of paragraphs (c) and (d) of subdivision one of this section shall not apply to the following:

(a)   personal information that is collected for inclusion in a public safety University record;

(b)   personal information that is maintained by a licensing or franchise-approving agency or component thereof for the purpose of determining whether administrative or criminal action should be taken to restrain or prosecute purported violations of law, or to grant, deny, suspend, or revoke a professional, vocational, or occupational license, certification or registration, or to deny or approve a franchise;

(c)   personal information solicited from a data subject receiving services at a treatment facility, provided that each such data subject shall, as soon as practicable, be provided a notification describing systems of records concerning the data subject maintained by the treatment facility.

4.    The provisions of subdivisions two of this section shall not apply to University public safety records.

5.    Nothing in these rules shall abrogate in any way any obligation regarding the maintenance of records otherwise imposed on the University at law or in equity.

6.    Each University record which is transferred to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state shall be considered to be maintained by the state archives and shall be exempt from these requirements, except as otherwise provided, and except that such record shall continue to be subject to inspection and correction by the data subject by application to the University.

B. ACCESS TO RECORDS

1.    All requests shall be made in writing, except that the privacy compliance officer may make records available upon an oral request made in person after the applicant has demonstrated proof of identity.

2.    A request shall reasonably describe the record or records sought. Whenever possible, the data subject should supply identifying information that will assist in locating the records sought.

3.    The University shall, within five business days of the receipt of a request from a data subject, make such record available to the data subject, deny such request in whole or in part and provide the reasons therefore in writing, or furnish a written acknowledgement of the receipt of such request and a statement of the approximate date when such request will be granted or denied, which date shall not exceed thirty days from the date of the acknowledgement.

4.    The University shall not be required to provide a data subject with access to a record pursuant to this section if:

(a)   the University does not have possession of such record;

(b)   such record cannot be retrieved by use of the data subject’s description thereof, or by use of the name or other identifier of the data subject, without extraordinary search methods being employed by the University; or

(c)   access to such record is not required to be provided pursuant to subdivision nine, ten or eleven of this section.

5.    Upon payment of, or offer to pay, the fee (set forth below), the University shall provide a copy of the record requested and certify to the correctness of such copy if so requested. The record shall be made available in a printed form without any codes or symbols, unless accompanied by a document fully explaining such codes or symbols. Upon a data subject’s voluntary request the University shall permit a person of the data subject’s choosing to accompany the data subject when reviewing and obtaining a copy of a record, provided that the University may require the data subject to furnish a written statement authorizing discussion of the record in the accompanying person’s presence.

6.    The University shall, within thirty business days of receipt of a written request from a data subject for correction or amendment of a record or personal information, reasonably described, pertaining to that data subject, which he or she believes is not accurate, relevant, timely or complete, either:

(a)   make the correction or amendment in whole or in part, and inform the data subject that upon his or her request such correction or amendment will be provided to any or all persons or governmental units to which the record or personal information has been or is disclosed, pursuant to paragraph (c) of subdivision two of the section “Obligations of the University” of these procedures; or

(b)   inform the data subject of its refusal to correct or amend the record and its reasons therefore.

7.    Any data subject whose request under subdivision one or two of this section is denied in whole or in part may, within thirty business days, appeal such denial in writing to the privacy compliance officer. Such official shall within seven business days of the receipt of an appeal concerning denial of access, or within thirty business days of the receipt of an appeal concerning denial of correction or amendment, either provide access to or correction or amendment of the record sought and inform the data subject that, upon his or her request, such correction or amendment will be provided to any or all persons or governmental units to which the record or personal information has been or is disclosed, pursuant to paragraph(c) of subdivision two of the section “Obligations of the University”, or fully explain in writing to the data subject the factual and statutory reasons for further denial and inform the data subject of his or her right to thereupon seek judicial review of the University’s determination. The University shall immediately forward to the committee on open government a copy of such appeal, the determination thereof and the reasons therefore.

8.    If correction or amendment of a record or personal information is denied in whole or in part upon appeal, the University shall inform the data subject of the right to file with the University a statement of reasonable length setting forth the reasons for disagreement with the University’s determination and that, upon request, his or her statement of disagreement will be provided to any or all persons or governmental units to which the record has been or is disclosed, pursuant to paragraph (c) of subdivision two of the section “Obligations of the University”. With respect to any personal information about which a data subject has filed a statement of disagreement, the University shall clearly note any portions of the record which are disputed, and attach the data subject’s statement of disagreement as part of the record. When providing the data subject’s statement of disagreement to other persons or governmental units in conjunction with a disclosure made pursuant to paragraph (c) of subdivision two of the section “Obligations of the University”, the University may also include in the record a concise statement of its reasons for not making the requested amendment.

9.    Any agency which may not otherwise exempt personal information from the operation of this section may do so, unless access by the data subject is otherwise authorized or required by law, if such information is compiled for law enforcement purposes and would, if disclosed:

(a) interfere with law enforcement investigations or judicial proceedings;

(b) deprive a person of a right to a fair trial or impartial adjudication;

(c) identify a confidential source or disclose confidential information relating to a criminal investigation; or

(d) reveal criminal investigative techniques or procedures, except routine techniques and procedures.

10.  When providing the data subject with access to information described in paragraph (b) of subdivision three of the section “Obligations of the University”, the University may withhold the identity of a source who furnished said information under an express promise that his or her identity would be held in confidence.

11.  Nothing in this section shall require the University to provide a data subject with access to:

(a)   personal information to which he or she is specifically prohibited by statute from gaining access;

(b)   patient records concerning mental disability or medical records where such access is not otherwise required by law;

(c)   personal information pertaining to the incarceration of an inmate at a state correctional facility which is evaluative in nature or which, if such access was provided, could endanger the life or safety of any person, unless such access is otherwise permitted by law or by court order;

(d)   attorney’s work product or material prepared for litigation before judicial, quasi-judicial or administrative tribunals, except pursuant to statute, subpoena issued in the course of a criminal action or proceeding, court ordered or grand jury subpoena, search warrant or other court ordered disclosure.

12.  This section shall not apply to public safety agency records.

13.  Nothing in this section shall limit, restrict, abrogate or deny any right a person may otherwise have including rights granted pursuant to the state or federal constitution, law or court order.

C. DISCLOSURE OF RECORDS

1.   The University may not disclose any record or personal information unless such disclosure is:

(a)   pursuant to a written request by or the voluntary written consent of the data subject, provided that such request or consent by its terms limits and specifically describes:

(i)    the personal information which is requested to be disclosed;

(ii)    the person or entity to whom such personal information is requested to be disclosed; and

(iii)   the uses which will be made of such personal information by the person or entity receiving it; or

(b)   to those officers and employees of, and to those who contract with, the University that maintains the record if such disclosure is necessary to the performance of their official duties pursuant to a purpose of the University required to be accomplished by statute or executive order or necessary to operate a program specifically authorized by law; or

(c)   subject to disclosure under New York’s Freedom of Information Law, unless disclosure of such information would constitute an unwarranted invasion of personal privacy as defined at New York Public Officer’s Law Section 89(2)(b); or

(d)   to officers or employees of another governmental unit if each category of information sought to be disclosed is necessary for the receiving governmental unit to operate a program specifically authorized by statute and if the use for which the information is requested is not relevant to the purpose for which it was collected; or

(e)   for a routine use, see Definitions.

(f)    specifically authorized by statute or federal rule or regulation; or

(g)   to the bureau of the census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title XIII of the United States Code; or

(h)   to a person who has provided the University with advance written assurance that the record will be used solely for the purpose of statistical research or reporting, but only if it is to be transferred in a form that does not reveal the identity of any data subject; or

(i)    pursuant to a showing of compelling circumstances affecting the health or safety of a data subject, if upon such disclosure notification is transmitted to the data subject at his or her last known address; or

(j)    to the state archives as a record which has sufficient historical or other value to warrant its continued preservation by the state or for evaluation by the state archivist or his or her designee to determine whether the record has such value; or

(k)   to any person pursuant to a court ordered subpoena or other compulsory legal process; or

(l)    for inclusion in a public safety agency record or to any governmental unit or component thereof which performs as one of its principal functions any activity pertaining to the enforcement of criminal laws, provided that, such record is reasonably described and is requested solely for a law enforcement function; or

(m)  pursuant to a search warrant; or

(n)   to officers or employees of another agency if the record sought to be disclosed is necessary for the receiving agency to comply with the mandate of an executive order, but only if such records are to be used only for statistical research, evaluation or reporting and are not used in making any determination about a data subject.

2.   Nothing in this section shall require disclosure of:

(a)  personal information which is otherwise prohibited by law from being disclosed;

(b)   patient records concerning mental disability or medical records where such disclosure is not otherwise required by law;

(c)   personal information pertaining to the incarceration of an inmate at a state correctional facility which is evaluative in nature or which, if disclosed, could endanger the life or safety of any person, unless such disclosure is otherwise permitted by law;

(d)   attorney’s work product or material prepared for litigation before judicial, quasi-judicial or administrative tribunals, except pursuant to statute, subpoena issued in the course of a criminal action or proceeding, court ordered or grand jury subpoena, search warrant or other court ordered disclosure.

3.    Fees

(a)   Unless otherwise prescribed by statute, there shall be no fee charged for:

(i)    inspection of records;

(ii)   search for records; or

(iii)   any certification pursuant to this Part.

(b)   Unless otherwise prescribed by statute, copies of records shall be provided:

(i)    upon payment of 25 cents per page; or

(ii)   upon payment of the actual cost of reproduction, if the record or personal information cannot be photocopied.

Committee - the committee on open government.

Data subject - Any natural person about whom personal information has been collected.

Disclose - To reveal, release, transfer, disseminate or otherwise communicate personal information or records orally, in writing or by electronic or any other means other than to the data subject.

Governmental unit - Any governmental entity performing a governmental or proprietary function for the federal government or for any state or any municipality thereof.

Personal information - Any information concerning a data subject which, because of name, number, symbol, mark or other identifier, can be used to identify that data subject.

Privacy Compliance Officer - The chancellor, for the system administration of the University and the president or designee of each campus.

Public safety agency record - A record of the University or any component thereof whose primary function is the enforcement of civil or criminal statutes if such record pertains to investigation, law enforcement, confinement of persons in correctional facilities or supervision of persons pursuant to criminal conviction or court order.

Record - Any item, collection or grouping of personal information about a data subject which is maintained and is retrievable by use of the name or other identifier of the data subject irrespective of the physical form or technology used to maintain such personal information. The term "record" shall not include personal information which is not used to make any determination about the data subject if it is:

(1) a telephone book or directory which is used exclusively for telephone and directory information;

(2) any card catalog, book or other resource material in any library;

(3) any compilation of information containing names and addresses only which is used exclusively for the purpose of mailing agency information;

(4) personal information required by law to be maintained, and required by law to be used, only for statistical research or reporting purposes;

(5) information requested by the University which is necessary for the University to answer unsolicited requests by the data subject for information; or

(6) correspondence files.

Routine use - With respect to the disclosure of a record or personal information, any use of such record or personal information relevant to the purpose for which it was collected, and which use is necessary to the statutory duties of the University or necessary for the University to operate a program specifically authorized by law.

System of records - Any group of records under the actual or constructive control of the University pertaining to one or more data subjects from which personal information is retrievable by use of the name or other identifier of a data subject.

There is no related procedures relevant to this requirement.

There are no forms relevant to this requirement.

The following link to FindLaw's New York State Laws is provided for users' convenience; it is not the official site for the State of New York laws. 
Article 6 of NYS Public Officers Law (Freedom of Information Law)

In case of questions, readers are advised to refer to the New York State Legislature site for the menu of New York State Consolidated.

Access to Personal Information Maintained by SUNY (8 NYCRR Part 315)

New York Department of State’s Committee on Open Government

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated January 10, 1989.

State University of New York Board of Trustees Resolution 88-280, adopted December 14, 1988

Memorandum to presidents from the office of the vice chancellor for employee relations and educational services, dated January 3, 1985.

State University of New York Board of Trustees Resolution 84-293, adopted December 18, 1984

State University of New York Board of Trustees Resolution 84-279, adopted November 28, 1984.

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated July 30, 1984.

State University of New York Board of Trustees Resolution 84-155, adopted June 27, 1984.

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated July 15, 1983.

State University of New York Board of Trustees Resolution 83-95, adopted May 25, 1983

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated February 22, 1979.

State University of New York Board of Trustees Resolution 78-306, adopted November 28, 1978

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated March 9, 1978.

Memorandum to presidents from the office of the office of the provost, dated January 6, 1978.

State University of New York Board of Trustees Resolution 78-40, adopted February 22, 1978

Memorandum to presidents from the office of the University counsel and vice chancellor for legal affairs, dated November 16, 1977.

There are no appendicies relevant to this requirement.