Skip to code content (skip section selection)
Compare to:
New York City Overview
The New York City Charter
NEW YORK CITY CHARTER
The New York City Administrative Code
NEW YORK CITY ADMINISTRATIVE CODE
Title 1: General Provisions
Title 2: City of New York
Title 3: Elected officials
Title 4: Property of the City
Title 5: Budget; Capital Projects
Title 6: Contracts, Purchases and Franchises
Title 7: Legal Affairs
Title 8: Civil Rights
Title 9: Criminal Justice
Title 10: Public Safety
Title 11: Taxation and Finance
Title 12: Personnel and Labor
Title 13: Retirement and Pensions
Title 14: Police
Title 15: Fire Prevention and Control
Title 16: Sanitation
Title 16-A: [Commercial Waste Removal]
Title 16-B: Commercial Waste Zones
Title 17: Health
Title 18: Parks
Title 19: Transportation
Title 20: Consumer and Worker Protection
Title 20-A: [Shipboard Gambling]
Title 21: Social Services
Title 21-A: Education
Title 22: Economic Affairs
Title 23: Communications
Chapter 1: The City Record
Chapter 2: Public Records
Chapter 3: Non-Emergency City Services
Chapter 4: [Public Pay Telephones]
Chapter 5: Accessibility To Public Data Sets
Chapter 6: City Issued Permits, Licenses, and Registrations
Chapter 7: Department of Health and Mental Hygiene
Chapter 8: City Websites
Chapter 10: Nondiscriminatory Access to Services
Chapter 11: Language Access
Chapter 12: Identifying Information
§ 23-1201 Definitions.
§ 23-1202 Collection, retention and disclosure of identifying information.
§ 23-1203 Policies and protocols of the chief privacy officer.
§ 23-1204 Committee.
§ 23-1205 City agency policies.
Title 24: Environmental Protection and Utilities
Title 25: Land Use
Title 26: Housing and Buildings
Title 27: Construction and Maintenance
Title 28: New York City Construction Codes
Title 29: New York City Fire Code
Title 30: Emergency Management
Title 31: Department of Veterans' Services
Title 32: Labor and Employment
Title 33: Investigations
Title 34: Racial Equity
Appendix A: Unconsolidated Local Laws
The Rules of the City of New York
THE RULES OF THE CITY OF NEW YORK
Title 1: Department of Buildings
Title 2: Board of Standards and Appeals
Title 3: Fire Department
Title 6: Department of Consumer and Worker Protection
Title 9: Procurement Policy Board Rules
Title 12: Franchise and Concession Review Committee
Title 15: Department of Environmental Protection
Title 16: Department of Sanitation
Title 17: Business Integrity Commission
Title 19: Department of Finance
Title 20: Tax Appeals Tribunal
Title 21: Tax Commission
Title 22: Banking Commission
Title 24: Department of Health and Mental Hygiene
Title 25: Department of Mental Health and Retardation [Repealed]
Title 28: Housing Preservation and Development
Title 29: Loft Board
Title 30: Rent Guidelines Board
Title 31: Mayor's Office of Homelessness and Single Room Occupancy
Title 34: Department of Transportation
Title 35: Taxi and Limousine Commission
Title 38: Police Department
Title 38-A: Civilian Complaint Review Board
Title 39: Department of Correction
Title 40: Board of Correction
Title 41: Department of Juvenile Justice
Title 42: Department of Probation
Title 43: Mayor
Title 44: Comptroller
Title 45: Borough Presidents
Title 46: Law Department
Title 47: Commission on Human Rights
Title 48: Office of Administrative Trials and Hearings (OATH)
Title 49: Department of Records and Information Services
Title 50: Community Assistance Unit
Title 51: City Clerk
Title 52: Campaign Finance Board*
Title 53: Conflicts of Interest Board
Title 55: Department of Citywide Administrative Services
Title 56: Department of Parks and Recreation
Title 57: Art Commission
Title 58: Department of Cultural Affairs
Title 60: Civil Service Commission
Title 61: Office of Collective Bargaining
Title 62: City Planning
Title 63: Landmarks Preservation Commission
Title 66: Department of Small Business Services
Title 67: Department of Information Technology and Telecommunications
Title 68: Human Resources Administration
Title 69: Department of Aging
Title 70: In Rem Foreclosure Release Board
Title 71: Voter Assistance Commission
Title 72: Office of Emergency Management
Title 73: Civic Engagement Commission
Title 74: Community Hiring
§ 23-1201 Definitions.
As used in this chapter, the following terms have the following meanings:
   Chief privacy officer. The term "chief privacy officer" means the person designated by the mayor pursuant to subdivision h of section 8 of the charter to act as the city's chief privacy officer, or their designee.
   Contracting agency. The term "contracting agency" means a city, county, borough, or other office, position, administration, department, division, bureau, board or commission, or a corporation, institution, or agency of government, the expenses of which are paid in whole or in part from the city treasury.
   Contractor. The term "contractor" means a person who is a party to a contract with a contracting agency to provide human services, or other services designated in policies and protocols of the chief privacy officer.
   Employee. The term "employee" means any officer or other person whose salary or wages are paid by a city agency.
   Human services. The term "human services" has the meaning set forth in subdivision c of section 6-129.
   Identifying information. The term "identifying information" means any information obtained by or on behalf of the city that may be used on its own or with other information to identify or locate an individual, including, but not limited to: name, sexual orientation, gender identity, race, marital or partnership status, status as a victim of domestic violence or sexual assault, status as a crime victim or witness, citizenship or immigration status, eligibility for or receipt of public assistance or city services, all information obtained from an individual's income tax records, information obtained from any surveillance system operated by, for the benefit of, or at the direction of the police department, motor vehicle information or license plate number, biometrics such as fingerprints and photographs, height, weight, languages spoken, religion, nationality, country of origin, place of birth, arrest record or criminal conviction, employment status, employer information, current and previous home and work addresses, contact information such as phone number and email address, information concerning social media accounts, date and/or time of release from the custody of the administration for children's services, the department of correction, or the police department, any scheduled court appearances, or any scheduled appointments with any employee, contractor, or subcontractor.
   Privacy officer. The term "privacy officer" means the person designated by the head of each city agency to act as such agency's privacy officer. Where a disclosure of identifying information is in response to a request pursuant to the state freedom of information law, city agencies' freedom of information law officers may perform the functions otherwise performed by the privacy officer with respect to such request.
   Routine collection or disclosure. The term "routine collection or disclosure" means the collection or disclosure of identifying information that is made during the normal course of city agency business and furthers the purpose or mission of such agency. Routine collection or disclosure also includes the collection or disclosure of identifying information that occurs between agencies of the city when the privacy officers of the collecting agency and the disclosing agency agree that the collection or disclosure furthers the purpose or mission of their respective agencies.
   Subcontractor. The term "subcontractor" means a person who is a party to a contract with a contractor to provide human services, or other services designated in policies and protocols of the chief privacy officer.
   Third party. The term "third party" means any person other than: (i) personnel of the city, the department of education, or a local public benefit corporation or local public authority, or (ii) personnel of a contractor or subcontractor where such contractor or subcontractor is authorized to possess the relevant identifying information.
(L.L. 2017/247, 12/17/2017, eff. 6/15/2018; Am. L.L. 2023/061, 5/26/2023, eff. 11/22/2023)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/247.
§ 23-1202 Collection, retention and disclosure of identifying information.
   a.   Employees, contractors, and subcontractors shall collect, retain, and disclose identifying information only in accordance with this chapter.
   b.   Collection. 
      1.   Absent exigent circumstances, no employee shall collect identifying information without the written approval of the privacy officer of such employee's agency. In addition, such collection shall not be allowed unless it:
         (a)   furthers the purpose or mission of such city agency; or
         (b)   is required by law or treaty.
      2.   Notwithstanding the provisions of paragraph 1 of this subdivision:
         (a)   the privacy officer of an employee's agency may approve in advance certain routine collections of identifying information;
         (b)   the chief privacy officer may approve in advance a collection of identifying information not otherwise authorized by paragraph 1 of this subdivision upon the determination that such collection is in the best interests of the city; and
         (c)   the provisions of paragraph 1 of this subdivision do not apply:
            (1)   to any collection of identifying information by or to the police department in connection with an investigation of a crime that has been committed or credible information about an attempted or impending crime, or
            (2)   where the collection is in connection with an open investigation by a city agency concerning the welfare of a minor or an individual who is otherwise not legally competent.
         Any such collections shall not require any additional approval by the privacy officer or chief privacy officer.
   c.   Disclosure. 
      1.   Absent exigent circumstances, no employee shall disclose identifying information to any party outside such employee's agency, including an employee of another city agency, without the written approval of the privacy officer of such agency. In addition, such disclosure shall not be allowed unless it:
         (a)   has been authorized in writing by the individual to whom such information pertains or, if such individual is a minor or is otherwise not legally competent, by such individual's parent, legal guardian, or other person with legal authority to consent on behalf of the individual;
         (b)   furthers the purpose or mission of such city agency; or
         (c)   is required by law or treaty.
      2.   Notwithstanding the provisions of this subdivision:
         (a)   the privacy officer of an employee's agency may approve in advance certain routine disclosures of identifying information;
         (b)   the chief privacy officer may approve in advance a disclosure to another city agency or agencies not otherwise authorized by paragraph 1 of this subdivision upon the determination that such disclosure is in the best interests of the city; and
         (c)   the provisions of paragraph 1 of this subdivision do not apply:
            (1)   to any disclosure of identifying information by or to the police department in connection with an investigation of a crime that has been committed or credible information about an attempted or impending crime, or
            (2)   where the disclosure is in connection with an open investigation by a city agency concerning the welfare of a minor or an individual who is otherwise not legally competent.
         Any such disclosure shall not require any additional approval by the privacy officer or chief privacy officer.
      3.   Any request for identifying information or a proposal for the unsolicited disclosure of identifying information by an employee that does not concern a routine disclosure shall be sent to the privacy officer of such employee's agency as soon as practicable.
      4.   If an individual's identifying information is disclosed in violation of this chapter, the privacy officer of such employee's agency that becomes aware of such disclosure shall notify the chief privacy officer as soon as practicable and, if such disclosure is one described in policies and protocols issued pursuant to subdivision 6 of section 23-1203, the agency responsible for the disclosure shall make reasonable efforts to notify such individual in writing of the identifying information disclosed and to whom it was disclosed as soon as practicable; provided, however, that this paragraph shall not require any notification that would violate the provisions of subdivision e of section 23-1204. The chief privacy officer shall submit a quarterly report containing an anonymized compilation or summary of such disclosures to the speaker of the council and shall make such report available online. Such report may be combined with the report required by subdivision d of this section.
   d.   Exigent circumstances. 
      1.   In the event identifying information is collected or disclosed under exigent circumstances, information about such collection or request and disclosure, along with an explanation of why such exigent circumstances existed, shall be sent to the chief privacy officer as soon as practicable after such collection or disclosure. This subdivision shall not require any such notification where:
         (a)   the collection or disclosure is by or to the police department in connection with an open investigation of criminal activity;
         (b)   the collection or disclosure is in connection with an open investigation concerning the welfare of a minor or an individual who is otherwise not legally competent; or
         (c)   the collection or disclosure is by or to an employee acting in furtherance of law enforcement or public health or safety powers of such employee's agency under exigent circumstances and such collections or disclosures occur during the normal course of such agency's business.
      2.   The chief privacy officer shall submit a quarterly report containing an anonymized compilation or summary of such disclosures to the speaker of the council and make such report available online.
   e.   Retention. A city agency shall retain identifying information where required by law. In addition, a city agency may retain identifying information to further the purpose or mission of such city agency, or when retention is in the interest of the city and is not contrary to the purpose or mission of such agency. This subdivision shall not prohibit a city agency from retaining aggregate demographic information that is anonymized.
   f.   Agency policies and protocols. Each city agency, acting in accordance with the policies and protocols of the chief privacy officer, may issue additional agency-specific guidance in furtherance of this chapter, including the policies and protocols promulgated pursuant to section 23-1203.
   g.   Contractors and subcontractors. Each city agency shall require contractors that obtain identifying information, whether directly or through subcontractors, to apply the requirements of subdivisions b, c, d, and e of this section and any applicable policies and protocols adopted pursuant to this chapter; provided, however, that the duties of the privacy officer may be exercised by such contractors and subcontractors by designation of the agency.
   h.   Private right of action. Nothing in this chapter shall be construed to create a private right of action to enforce any provision of such chapter.
   i.   Construction. Nothing in this chapter shall prohibit city officers and employees from performing their duties in accordance with federal, state, and local law.
(L.L. 2017/247, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/247.
§ 23-1203 Policies and protocols of the chief privacy officer.
The policies and protocols promulgated by the chief privacy officer pursuant to subdivision h of section 8 of the charter shall, at a minimum:
   1.   require that identifying information is anonymized where appropriate in accordance with the purpose or mission of a city agency;
   2.   require the privacy officer of each city agency to issue guidance to city agency employees, contractors and subcontractors regarding such agency's collection, retention, and disclosure of identifying information;
   3.   require any city agency disclosing identifying information to a third party when such a disclosure is not classified as routine pursuant to section 23-1202 to enter into an agreement ensuring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter unless: (i) such disclosure is made under exigent circumstances, or (ii) such an agreement would not further the purposes of this chapter due to the absence of circumstances in which such disclosure would unduly compromise an important privacy interest.
   4.   describe disclosures of identifying information to third parties when such a disclosure is classified as routine pursuant to section 23-1202 for which, because of the nature or extent of such disclosures or because of the nature of the relationship between the city agency and third party, such disclosing agency is required to enter into an agreement with such third party requiring that the anticipated use and any potential future use of such information by such third party occurs only in a manner consistent with this chapter;
   5.   describe disclosures of identifying information that are not to be treated as routine pursuant to section 23-1202, as determined by the nature and extent of such disclosures, and require an additional level of review and approval by the privacy officer of such agency or the contractor or subcontractor before such disclosures are made;
   6.   describe circumstances when disclosure of an individual's identifying information to third parties in violation of this chapter would, in light of the nature, extent, and foreseeable adverse consequences of such disclosure, require the disclosing city agency, contractor, or subcontractor to make reasonable efforts to notify the affected individual as soon as practicable;
   7.   establish standard contract provisions, or required elements of such provisions, related to the protection of identifying information;
   8.   require the privacy officer of each city agency to arrange for dissemination of information to agency employees, contractors, and subcontractors and develop a plan for compliance with this chapter and any policies and protocols developed under this chapter; and
   9.   establish a mechanism for accepting and investigating complaints for violations of this chapter.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.
§ 23-1204 Committee.
   a.   There is hereby established in the office of the mayor, or such other city agency headed by a mayoral appointee as the mayor may determine, an identifying information protection committee.
      1.   Such committee shall consist of:
         (a)   the corporation counsel or a designee of the corporation counsel;
         (b)   the director of the mayor's office of operations or such director's designee;
         (c)   the coordinator of criminal justice or such coordinator's designee;
         (d)   any deputy mayors who may be designated by the mayor to serve on such committee or their designees; and
         (e)   the commissioners of the following agencies or such commissioners' designees:
            (1)   the administration for children's services;
            (2)   the department of social services;
            (3)   the police department;
            (4)   the department of correction;
            (5)   the department of probation;
            (6)   the department of health and mental hygiene;
            (7)   the department of information technology and telecommunications;
            (8)   the fire department; and
            (9)   representatives of such other agencies as the mayor may designate having relevant duties or expertise with respect to federal, state, and local laws and policies relating to protecting identifying information.
      2.   Unless otherwise determined by the mayor, the chair of such committee shall be the director of the mayor's office of operations or such director's designee. Staff services for such committee shall be provided by the participating agencies.
   b.   The committee, in collaboration with the chief privacy officer, shall review city agency reports provided pursuant to section 23-1205 and recommend policies and procedures regarding the collection, retention and disclosure of identifying information while taking into consideration each city agency's unique mission, subject matter expertise, and legal obligations.
   c.   No later than October 30, 2018, the committee shall communicate its final recommendations pursuant to subdivision b of this section along with the city agency reports required pursuant to section 23-1205 to the applicable city agencies, the mayor, the speaker of the council, and the chief privacy officer. Beginning July 31, 2020 and every two years thereafter, the committee shall review such agency reports and any policies and protocols adopted pursuant to this chapter.
   d.   Within 90 days of receiving any final recommendations of the committee, the chief privacy officer shall adopt policies and protocols, in accordance with sections 23-1202 and 23-1203, as necessary or appropriate in furtherance of this chapter.
   e.   No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.
§ 23-1205 City agency policies.
   a.   No later than July 31, 2018, and every two years thereafter by July 31, each city agency shall provide a report regarding the collection, retention, and disclosure of identifying information by such agency and any contractors or subcontractors utilized by such agency. Each such report shall include:
      1.   information concerning identifying information collected, retained, and disclosed, including:
         (a)   the types of identifying information collected, retained, and disclosed, including, but not limited to, where practicable, those types enumerated in the definition of identifying information;
         (b)   the types of collections and disclosures classified as routine and any collections or disclosures approved by the chief privacy officer;
         (c)   current policies regarding collection, retention, and disclosure, including:
            (1)   policies regarding requests for disclosures from other city agencies, local public authorities or local public benefit corporations, and third parties;
            (2)   policies regarding proposals for disclosures to other city agencies, local public authorities or local public benefit corporations, and third parties;
            (3)   policies regarding the classification of disclosures as necessitated by the existence of exigent circumstances or as routine; and
            (4)   which divisions and categories of employees within an agency make disclosures of identifying information following the approval of the privacy officer;
         (d)   use of agreements regarding the anticipated use and any potential future use of identifying information disclosed;
         (e)   types of entities requesting the disclosure of identifying information or proposals for disclosures of identifying information, the reasons why an agency discloses identifying information in response to requests or proposes the disclosure of identifying information, and why any such disclosures furthers the purpose or mission of such agency; and
         (f)   the reasons why any collection and retention of identifying information furthers the purposes or mission of such agency;
      2.   the impact of any privacy policies and protocols issued by the chief privacy officer, any guidance issued by the privacy officer of such agency or the committee, the provisions of this chapter, and other applicable law on the agency's collection, retention, and disclosure of identifying information;
      3.   consideration and implementation, where applicable, of alternative policies that minimize the collection, retention, and disclosure of identifying information to the greatest extent possible while furthering the purpose or mission of such agency; and
      4.   policies on access to identifying information by employees, contractors, and subcontractors, including consideration of the necessity of access to such information for the performance of their duties and implementation of policies that minimize such access to the greatest extent possible while furthering the purpose or mission of an agency.
   b.   Each city agency shall submit the report prepared pursuant to subdivision a of this section to the mayor, the speaker of the council, the chief privacy officer, and the committee.
   c.   No information that is otherwise required to be reported or disclosed pursuant to this section shall be reported or disclosed in a manner that would violate any applicable provision of federal, state, or local law relating to the privacy of information or that would interfere with a law enforcement investigation or other investigative activity by an agency or would compromise public safety.
(L.L. 2017/245, 12/17/2017, eff. 6/15/2018)
Editor's note: For related unconsolidated provisions, see Appendix A at L.L. 2017/245.

Disclaimer: The Codes and other documents that appear on this site may not yet reflect the most current legislation or rules adopted by the City. In addition, certain textual errors and omissions may temporarily exist, resulting from problems in the source database provided to American Legal and from which this website was created. Although these errors and omissions are being corrected, any user discovering any such error is invited to please contact the publisher at NYC.editor@amlegal.com or at 800-445-5588 and/or the New York City Law Department at NYCCodeRulesCharter@law.nyc.gov.

Hosted by: American Legal Publishing

Back to Code Library
Previous Doc
Next Doc