Can I ignore my obligations as a service provider with access to personal information in New York? What are the requirements?
Based on the documents provided, as a service provider with access to personal information in New York, you cannot ignore your obligations. The Personal Privacy Protection Law and its regulations require that you designate a privacy compliance officer responsible for ensuring compliance with the law and regulations, coordinating responses to requests for records or amendment of records, and maintaining a current list of department records that contain personal information retrievable by use of a data subject’s name or other identifier [1.1][2.1][4.1][5.1][6.1].
If a request for records or amendment or correction of a record or personal information is denied, the denial must be in writing, explaining the reasons therefor, and identifying the person to whom an appeal may be directed [3.1].
Certain records are exempt from access by data subjects, including records specifically prohibited by statute from disclosure, records concerning mental disability or medical records where access is not otherwise required by law, personal information pertaining to the incarceration of an inmate at a State correctional facility which is evaluative in nature or could endanger the life or safety of any person, attorney’s work product or material prepared for litigation, public safety records, records containing information compiled for law enforcement purposes which if disclosed would interfere with law enforcement investigations or judicial proceedings, deprive a person of a right to a fair trial or impartial adjudication, identify a confidential source or disclose confidential information relating to a criminal investigation, or reveal criminal investigative techniques or procedures, except routine techniques and procedures, and records whose disclosure would constitute an unwarranted invasion of personal privacy [2.2][1.2].
As a service provider with access to personal information in New York, you must also comply with requirements for requests for records and information, including that all requests must be made in writing and accompanied by a reasonable proof of identity, that a request must reasonably describe the record to which access is sought or about which information is desired, and that within five business days of the receipt of a proper request, you must provide access to the record, deny access in writing explaining the reasons therefor, or acknowledge the receipt of a request in writing, stating the approximate date when the request will be granted or denied; that date shall not exceed 30 days from the date of acknowledgment [6.2].
In summary, you cannot ignore your obligations as a service provider with access to personal information in New York. You must designate a privacy compliance officer, comply with requirements for requests for records and information, and ensure that certain records are exempt from access by data subjects.
Source(s):
- [1.1] Personal privacy compliance officer.
- [2.1] Personal privacy compliance officer.
- [3.1] Denial of request for record or amendment or correction of record or personal information.
- [4.1] Personal privacy compliance officer.
- [5.1] Designation of privacy compliance officer and location of records.
- [2.2] Records exempt from access by data subjects.
- [1.2] Records which are exempt from access by data subjects.
- [6.1] Designation of privacy compliance officer.
- [6.2] Requests for records and information.
Jurisdiction
New York