Data Privacy

In today's globally connected world, the Internet makes it easier than ever to share data and files. Often people do not recognize the potential privacy risks and consequences associated with their online activities.

However, everything you post on social media, as well as the information organizations collect about you, leaves a digital footprint. By actively managing who sees the things you post online and with whom you share information, will allow you to protect your privacy and your personal information.  

Privacy focuses on how personal information is used, collected and shared.

Information security, or cybersecurity, refers to the processes and methods used to protect print, electronic, and other forms of information or data.

You have a right to control the collection, use, and disclosure of your personal information.  In New York, the Personal Privacy Protection Law (PPPL) regulates how state agencies collect, maintain, and share personal information.

In addition to the PPPL, the Internet Security and Privacy Act establishes data collection rules for state agencies. It limits the data that agencies can collect and ensures that only the necessary data is collected. This bill also allows ITS to adopt rules and regulations related to privacy and draft a model Privacy Policy which can be used by state agencies.

The ITS Guideline on Internet Privacy Policies provides guidance to State Agencies drafting internet privacy statements.

What is PPPL?

You have a right to control the collection, use, and sharing of your personal information. The New York State Personal Privacy Protection Law (PPPL) regulates how NYS state agencies collect, maintain, and share personal information.

The PPPL:

• Protects you from the random collection of personal information by state agencies.
• Allows you to access and correct this personal information.
• Regulates the disclosure of personal information for official use.

Only personal information maintained by ITS is available from ITS under the PPPL.

What records can be accessed?

You can only request information collected and maintained by ITS, which only includes information that contains a number, symbol, mark or other identifier that can be used to identify a person. Personal information that is exempt from disclosure and/or correction by statute or law is not available. For more information, see the Personal Privacy Protection Law.

How to make a request

Requests for access or correction of these records must include enough information to allow a search. In addition to a name or other identifiers, the request should include the following information (if known):

• ITS program or purpose for which the information was collected.
• Form number.
• Approximate dates involved.
• The event or location where the information was collected or submitted.

Proof of identity

Proof of identity (e.g., a notarized signature, your driver’s license, your passport or another official picture ID) may be required to confirm that the person making the request for the personal information is the person that is identified in that information. ITS will notify you if proof of identity is required.

How to submit a request

A request for access and/or correction of personal privacy record may be sent by e-mail to [email protected] or by postal mail to:

Privacy Officer
Office of Information Technology Services
State Capitol Empire State Plaza
PO Box 2062
Albany, New York 12220-0062

Once received, the Privacy Officer will acknowledge all requests for access, search for the information, determine if the information is sharable, and either transmit the information or deny access, as appropriate. If your request is denied, your rights to an appeal will also be provided.

Appeal

If your request has been denied by the Privacy Office, you will be notified in writing. You have a right to appeal, but you must do so within 30 days. For more information, see the Personal Privacy Protection Law.

Cost

ITS provides certain records free of charge as required by law, but some records may require payment. The fee schedule can be found in section  87 of the Public Officers Law. 

Originally celebrated annually on January 28, Data Privacy Day (DPD) was expanded into Data Privacy Week and is a national effort to empower people to protect their privacy, control their digital footprint and escalate the protection of privacy and data as everyone's priority.

Data Privacy Week's goals are to:

• Increase awareness about the many ways personal information is collected, stored, used and shared.
• Provide education about privacy practices that will allow individuals to protect their personal information.

Learn More About Data Privacy Week

• Personal Privacy Protection Law
• State Technology Law
• ITS Glossary (Additional term definitions)
• Federal Trade Commission: Consumer Privacy
• Federal Trade Commission: Consumer Information: Privacy, Identity & Online Security

If you have questions for the ITS Privacy Office, email [email protected].