Loading...
The policies and protocols promulgated by the chief privacy officer pursuant to subdivision h of section 8 of the charter shall, at a minimum:
1. require that identifying information is anonymized where appropriate in accordance with the purpose or mission of a city agency;
2. require the privacy officer of each city agency to issue guidance to city agency employees, contractors and subcontractors regarding such agency's collection, retention, and disclosure of identifying information;
3. require any city agency disclosing identifying information to a third party when such a disclosure is not classified as routine pursuant to section 23-1202 to enter into an agreement ensuring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter unless: (i) such disclosure is made under exigent circumstances, or (ii) such an agreement would not further the purposes of this chapter due to the absence of circumstances in which such disclosure would unduly compromise an important privacy interest.
4. describe disclosures of identifying information to third parties when such a disclosure is classified as routine pursuant to section 23-1202 for which, because of the nature or extent of such disclosures or because of the nature of the relationship between the city agency and third party, such disclosing agency is required to enter into an agreement with such third party requiring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter;
5. describe disclosures of identifying information that are not to be treated as routine pursuant to section 23-1202, as determined by the nature and extent of such disclosures, and require an additional level of review and approval by the privacy officer of such agency or the contractor or subcontractor before such disclosures are made;
6. describe circumstances when disclosure of an individual's identifying information to third parties in violation of this chapter would, in light of the nature, extent, and foreseeable adverse consequences of such disclosure, require the disclosing city agency, contractor, or subcontractor to make reasonable efforts to notify the affected individual as soon as practicable;
7. establish standard contract provisions, or required elements of such provisions, related to the protection of identifying information;
8. require the privacy officer of each city agency to arrange for dissemination of information to agency employees, contractors, and subcontractors and develop a plan for compliance with this chapter and any policies and protocols developed under this chapter; and
9. establish a mechanism for accepting and investigating complaints for violations of this chapter.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.
a. There is hereby established in the office of the mayor, or such other city agency headed by a mayoral appointee as the mayor may determine, an identifying information protection committee.
1. Such committee shall consist of:
(a) the corporation counsel or a designee of the corporation counsel;
(b) the director of the mayor's office of operations or such director's designee;
(c) the coordinator of criminal justice or such coordinator's designee;
(d) any deputy mayors who may be designated by the mayor to serve on such committee or their designees; and
(e) the commissioners of the following agencies or such commissioners' designees:
(1) the administration for children's services;
(2) the department of social services;
(3) the police department;
(4) the department of correction;
(5) the department of probation;
(6) the department of health and mental hygiene;
(7) the department of information technology and telecommunications;
(8) the fire department; and
(9) representatives of such other agencies as the mayor may designate having relevant duties or expertise with respect to federal, state, and local laws and policies relating to protecting identifying information.
2. Unless otherwise determined by the mayor, the chair of such committee shall be the director of the mayor's office of operations or such director's designee. Staff services for such committee shall be provided by the participating agencies.
b. The committee, in collaboration with the chief privacy officer, shall review city agency reports provided pursuant to section 23-1205 and recommend policies and procedures regarding the collection, retention and disclosure of identifying information while taking into consideration each city agency's unique mission, subject matter expertise, and legal obligations.
c. No later than October 30, 2018, the committee shall communicate its final recommendations pursuant to subdivision b of this section along with the city agency reports required pursuant to section 23-1205 to the applicable city agencies, the mayor, the speaker of the council, and the chief privacy officer. Beginning July 31, 2020 and every two years thereafter, the committee shall review such agency reports and any policies and protocols adopted pursuant to this chapter.
e. No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.
a. No later than July 31, 2018, and every two years thereafter by July 31, each city agency shall provide a report regarding the collection, retention, and disclosure of identifying information by such agency and any contractors or subcontractors utilized by such agency. Each such report shall include:
1. information concerning identifying information collected, retained, and disclosed, including:
(a) the types of identifying information collected, retained, and disclosed, including, but not limited to, where practicable, those types enumerated in the definition of identifying information;
(b) the types of collections and disclosures classified as routine and any collections or disclosures approved by the chief privacy officer;
(c) current policies regarding collection, retention, and disclosure, including:
(1) policies regarding requests for disclosures from other city agencies, local public authorities or local public benefit corporations, and third parties;
(2) policies regarding proposals for disclosures to other city agencies, local public authorities or local public benefit corporations, and third parties;
(3) policies regarding the classification of disclosures as necessitated by the existence of exigent circumstances or as routine; and
(4) which divisions and categories of employees within an agency make disclosures of identifying information following the approval of the privacy officer;
(d) use of agreements regarding the anticipated use and any potential future use of identifying information disclosed;
(e) types of entities requesting the disclosure of identifying information or proposals for disclosures of identifying information, the reasons why an agency discloses identifying information in response to requests or proposes the disclosure of identifying information, and why any such disclosures furthers the purpose or mission of such agency; and
(f) the reasons why any collection and retention of identifying information furthers the purposes or mission of such agency;
2. the impact of any privacy policies and protocols issued by the chief privacy officer, any guidance issued by the privacy officer of such agency or the committee, the provisions of this chapter, and other applicable law on the agency's collection, retention, and disclosure of identifying information;
3. consideration and implementation, where applicable, of alternative policies that minimize the collection, retention, and disclosure of identifying information to the greatest extent possible while furthering the purpose or mission of such agency; and
4. policies on access to identifying information by employees, contractors, and subcontractors, including consideration of the necessity of access to such information for the performance of their duties and implementation of policies that minimize such access to the greatest extent possible while furthering the purpose or mission of an agency.
b. Each city agency shall submit the report prepared pursuant to subdivision a of this section to the mayor, the speaker of the council, the chief privacy officer, and the committee.
c. No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.