WHAT YOU SHOULD KNOW - NYS Personal Privacy Protection Law (PPPL)


Introduction

The Committee

Robert J. Freeman, Executive Director  
   
   
   

New York State enacted the Personal Privacy Protection Law (Public Officers Law, Article 6-A, sections 91-99) in 1984 to recognize public concern about privacy and the relationship between government and the people.

The law is intended to protect your privacy by regulating the manner in which the state collects, maintains and disseminates personal information about you. Generally, the law:

  • grants rights of access to you for records about you that are maintained by state agencies;
  • permits you to correct or amend information if you believe that it is inaccurate or irrelevant;
  • prohibits an agency from collecting personal information, unless it is "relevant and necessary" to a purpose of the agency that must be accomplished by law;
  • requires an agency, when it seeks personal information from you, to tell you why the information is being collected, where it will be kept, how it will be used, and what penalties, if any, may be imposed if you fail to provide the information;
  • protects you against disclosures of personal information without your consent, except in circumstances specified in the law; and forbids state agencies from maintaining "secret" data banks containing personal information.
The Committee on Open Government, a unit of the Department of State, provides advice to any person under the Freedom of Information and Open Meetings Laws. It is also authorized to advise individuals regarding rights of access to records subject to the provisions of the Personal Privacy Protection Law. The committee must maintain and make available a directory of all systems of records containing personal information kept by state agencies.


Explanation of Terms

This guide references various words and phrases used in the Personal Privacy Protection Law. To ensure clarity, please note the following explanation of commonly used terms:

An "agency" is a governmental entity that performs a governmental function for the state; the term does not include the courts, the State Legislature or any unit of local government.

"Personal information" means any information concerning an individual which, because of name number, symbol, mark or other identifier can be used to identify that person.

"Routine use," for the purpose of disclosing personal information, means any use of personal information relevant to the purpose for which it was collected, and which use is necessary to the legal duties of the agency that collected or obtained personal information, or necessary for that agency to operate a program specifically authorized by law.

A "system of records" is any group of records under the control of an agency pertaining to one or more people from which personal information is retrievable by use of the name or other identifier of a person.

A "public safety agency record" generally is a record of an agency or component of an agency whose primary function is the enforcement of civil or criminal laws, if the record pertains to investigation, law enforcement, confinement of persons in correctional facilities, or supervisor of persons pursuant to a criminal conviction or court order.

The "committee" is the Committee on Open Government.


State Agencies' Responsibilities

When you seek a service from government, often a form or questionnaire must be completed. To obtain the service, you complete the form even though many items of highly personal information may be requested.

A focal point of the Personal Privacy Protection Law is a requirement that an agency may "maintain in its records only such personal information which is relevant and necessary to accomplish a purpose of the agency" required to be accomplished by law. If records are used to make a determination about you, the records should be accurate, relevant, timely and complete. Further, to ensure the accuracy of personal information, agencies are generally required to collect information directly from you "whenever practicable."

When personal information is collected from you, you must be told:

  • the name of the agency and the subdivision within the agency that is collecting personal information;
  • the title of the system of records in which the information is maintained;
  • the title, business address and telephone number of the agency official responsible for the system of records;
  • the authority granted by law for the collection and maintenance of the information;
  • the penalty, if any, for refusal to provide any aspect of the information sought;
  • the purpose for which the information is collected; and
  • the "routine uses" made of the information the regular disclosures made within the agency and to other agencies or third parties.
The notification requirements described above do not apply to personal information collected for inclusion in a public safety agency record, regarding the grant or review of license, or concerning the receipt of services at a treatment facility; i.e., a hospital or mental health facility. In addition, each state agency is required to notify the committee of each "system of records" that it maintains. In 1980, agencies sent to the committee approximately 1,800 notices of systems of records. Since 1984, a "privacy impact statement" must be submitted by agencies to the committee in relation to new systems of records or existing systems of records that are substantially modified.

Information contained in notices of systems of records and privacy impact statements comprise a directory that is available to the public. The directory identifies every system of personal records maintained by every state agency.


How to Obtain Your Records

The Personal Privacy Protection Law seeks to ensure that you have the right to inspect or copy records pertaining to you. As a general matter, records pertaining to you are available to you. The exception to that rule permits an agency to withhold records compiled for law enforcement purposes that would, if disclosed:

  • interfere with law enforcement investigations or judicial proceedings;
  • deprive a person of a right to a fair trial or impartial adjudication;
  • identify a confidential source or disclose confidential information relating to a criminal investigation; or
  • reveal criminal investigative techniques or procedures, except routine techniques and procedures.
In addition, you have no right under the Personal Privacy Protection Law to:
  • personal information to which you are specifically prohibited by statute from gaining access;
  • patient records concerning mental disability or medical records where access is not required by some other provision of law;
  • personal information pertaining to inmates at state correctional facilities that are evaluative in nature, or when disclosure could endanger the life or safety of any person; attorneys' work product or material prepared for litigation; or
  • public safety agency records.
The Personal Privacy Protection Law applies only to records about you. But it is possible that rights of access to related records might exist under the Freedom of Information Law, which applies to all records of an agency and includes local government.

When requesting records, you must submit a request in writing that "reasonably describes" the record sought. The request should be made in accordance with regulations that must be adopted by each agency concerning the procedural aspects of the law. The regulations must include the designation of a "privacy compliance officer" to whom a request may be directed.

On receipt of a request, the agency has five business days to respond. The agency may make the record available to the individual, deny the request in whole or in part and provide reason for the denial in writing, or furnish a written acknowledgment of the receipt of the request and a statement of the approximate date when the request will be granted or denied. That date cannot exceed 30 days from the date of acknowledgment.

If a request for a record is denied, an appeal may be directed to the head or governing body of the agency or to the person designated to determine appeals within 30 days of the denial.

If no response to a request is made within 5 business days of its receipt by the agency or within 30 days of an acknowledgment of its receipt, the request may be considered to have been denied. As such, the denial may be appealed.

An appeal should contain the date and location of a request for a record, reference to the record that was denied, and your name and return address.

A determination on appeal regarding a denial of access must be rendered within seven business days of its receipt. In its determination, the agency may grant access to the record or fully explain in writing the reasons for further denial. A denial on appeal must also inform you of the right to seek judicial review of the determination under Article 78 of the Civil Practice Law and Rules.


Your Right to Correct or Amend Your Record

In addition to granting access to records to you about yourself, the Personal Privacy Protection Law enables you to attempt to amend or correct a record when you believe that the record is inaccurate, irrelevant, untimely or incomplete.

When a request to amend a record is made, the agency must, within 30 business days of such a request, amend the record or inform you of the reasons for refusal to do so. A denial of request to amend or correct a record may be appealed within 30 days of the denial. The appeals person or body must within 30 business days of receipt of an appeal amend or correct the record, or fully explain in writing the reasons for refusal to do so and inform you of the right to seek judicial review of the determination.

If, on appeal, an agency denies access to a record or refuses to amend or correct a record, a judicial proceeding may be initiated under Article 78 of the Civil Practice Law and Rules. In such a proceeding, the agency has the burden of proof. Moreover, if you "substantially prevail" in court and if the agency lacked a reasonable basis for its action, the court may award reasonable attorneys' fees to you.


Your Right to Disagree

If a request to correct or amend a record is denied on appeal, the determination must inform you of the right to file with the agency a "statement of disagreement" of reasonable length setting forth the reasons for disagreement with the agency's determination. Upon receipt of a statement of disagreement, the agency must clearly note portions of the record that are disputed and attach your statement as a part of the record.


Fees

Copies of accessible records pertaining to you must be available to you on request. Except when a different fee is prescribed by statute, an agency may not charge for inspection or search for records, or charge in excess of 25 cents per photocopy for records up to 9 by 14 inches. Fees for copies of other records may be based upon the actual cost of reproduction, such as computer time.

It is noted, too, that the law requires that a record shall be made available in printed form without any codes or symbols, unless accompanied by a document fully explaining codes or symbols.


Protection of Privacy

State agencies may not disclose personal information about you, except:

  • pursuant to your written request or consent, if
  • the request or consent limits and specifically describes:
  • the personal information to be disclosed;
  • the person or entity who will receive it; and
  • the use that will be made of the information;
  • to an official, employee or contractor of the agency for whom the information is necessary for the performance of his or her official duties pursuant to a purpose of the agency required to be accomplished by statute or executive order or necessary to implement a program specifically authorized by law;
  • pursuant to the Freedom of Information Law;*
  • to other government agencies, if each category of information disclosed is necessary for the receiving agency to operate a program specifically authorized by statute;
  • for a "routine use," which is a disclosure relevant to the purpose for which the information was collected and necessary to the statutory duties of the agency that collected the record, or necessary for that agency to implement a program specifically authorized by law;
  • when specifically authorized by statute, or federal rule or regulation;
  • to the U.S. Census Bureau;
  • solely for statistical research purposes, but only if the record is transferred in a form that is not individually identifiable; pursuant to a showing of compelling circumstances affecting the health or safety of a person;
  • to the state archives;
  • in response to compulsory legal process, such as a subpoena;
  • for inclusion in law enforcement records, provided that the information is to be used solely for law enforcement function;
  • pursuant to a search warrant; or
  • pursuant to an executive order, but only if such records are to be used solely for research purposes.

Notice of Disclosures to Others About You

Under certain circumstances when information about you is disclosed, the fact of that disclosure must be included as part of the record. An "accounting of disclosures" must include the date, nature, purpose and recipient of personal information. The notation of the disclosure must be retained for five years, or the life of the record, whichever is longer.

An accounting of a disclosure must be made if the information is disclosed:

  • for a use that is irrelevant to the purpose for which it is collected, when the information is necessary
  • for the receiving agency to operate a program specifically authorized by statute;
  • due to compelling circumstances affecting the health or safety of a person;
  • for law enforcement purposes. In such a case, the agency disclosing the information must notify the receiving agency that an accounting is being made.
You have the right to obtain a record accounting for disclosures, unless the information is disclosed for inclusion in a public safety agency record and disclosure to you would impede a criminal investigation.

You may also request that an agency that prepares an accounting inform the recipient of the information of any correction of the record or statement of disagreement regarding the content of information in dispute.


Other Laws That Protect Privacy

The Personal Privacy Protection Law is one among many laws that ensure that privacy is protected. Examples of other statutes that require confidentiality or prohibit disclosure to the public deal with:

  • personal income tax 
  • applicants for or recipients of public assistance 
  • medical records 
  • mental health records 
  • education records pertaining to students 
  • police records concerning juveniles 
  • claims for unemployment insurance benefits drug abuse 
  • rent control 
  • vocational rehabilitation 
  • applicants for or tenants in public housing 
  • child abuse 
  • adoption 
  • arrest records on persons against whom charges have been dismissed 
  • victims of sex offenses under the age of 18 years 
  • grand jury proceedings 
  • care and protection of children in receipt of social services 
  • autopsy reports
* It is noted that the Freedom of Information Law prohibits release of information by a state agency if the release would constitute an unwarranted invasion of privacy.

Requesting Records



Name (if known) or Privacy Compliance Officer
Name of Agency
Address of Agency
City, NY, ZIP code

Dear _____ :

Under the provisions of the Personal Privacy Protection Law, Article 6-A of the Public Officers Law, I hereby request a copy of (or: access to) _____ (describe as accurately and specifically as possible the record or records you want, and provide all the relevant information you have concerning them).

If there are any fees for copying the records I am requesting, please inform me before you fill the request. (or: .... please supply the records without informing me if the fees do not exceed $ _____).

If all or any part of this request is denied, please cite the reason(s) which you think justifies your refusal to release the information. As you know, the Personal Privacy Protection Law requires that an agency respond to a request within five business days of its receipt. Also, please inform me of your agency's appeal procedure.

In order to expedite consideration of my request, I am enclosing a copy of _____ (some document of identification).

Thank you for your prompt attention to this matter.

Sincerely,

Signature

Name
Address
City, State, ZIP code


Appealing a Denial of Access to Records

Agency Head or Appeals Officer
Name of Agency
Agency Address
City, NY, ZIP code

Dear _____ :

On _____ (date), I received a letter from _____ (individual's name) of your agency denying my request for access to _____ (description of information sought).

As required by the Personal Privacy Protection Law, the head or governing body of the agency, or whomever is designated to determine appeals, is required to respond within seven business days of the receipt of an appeal. If the records are denied on appeal, please explain the reasons for the denial fully in writing as required by law.

In addition, please be advised that the Personal Privacy Protection Law directs that appeals be sent to the Committee on Open Government, NYS Department of State, 41 State Street, Albany, NY 12231.

Thank you for your prompt attention.

Sincerely,

Signature
Name
Address
City, State, ZIP code


Requesting to Amend Records

Name (if known) or Privacy Compliance Officer
Name of Agency
Agency Address
City, NY, ZIP code

Dear _____ : By letter dated _____ , I requested access to (use same description as in request letter). In viewing the information forwarded to me, I found that it was (inaccurate) (incomplete) (outdated) (not relevant). Therefore, pursuant to the Personal Privacy Protection Law, Article 6-A of the Public Officers Law, I hereby request that you amend my record in the following manner: (Describe errors, new information, irrelevance, etc.)

In accordance with the law, I look forward to a response to this request within 30 business days of its receipt. If the correction or amendment is made, please inform me of the correction. If my request is denied, please indicate the reasons in writing and provide the name and address of the person to whom an appeal may be sent. Thank you for your assistance in this matter.

Sincerely,

Signature
Name
Address
City, State, ZIP code


Appealing a Refusal to Amend Records

Agency Head or Designated Appeals Officer
Name of Agency
Agency Address
City, NY, ZIP code

Dear _____ :

By letter dated _____ to _____ (official to whom you addressed your amendment request), I requested that information held by your agency concerning me be amended. This request was denied, and I am hereby appealing that denial. For your information, I am enclosing a copy of my request letter along with a copy of Mr/Ms _____ 's reply. (If you have any additional relevant information, send it too.)

I hope that upon consideration of my reasons for seeking the desired changes, you will grant my request to amend the disputed material. However, in the event you refuse this request, please advise me of the agency procedures for filing a statement of disagreement. As required by law, please inform me of your determination within 30 business days of receipt of this appeal.

Thank you for your prompt attention to this matter.

Sincerely,

Signature
Name
Address
City, State, ZIP code