STATE OF NEW YORK
________________________________________________________________________
2642--A
2013-2014 Regular Sessions
IN SENATE
January 23, 2013
___________
Introduced by Sen. PARKER -- read twice and ordered printed, and when
printed to be committed to the Committee on Finance -- recommitted to
the Committee on Finance in accordance with Senate Rule 6, sec. 8 --
committee discharged, bill amended, ordered reprinted as amended and
recommitted to said committee
AN ACT to amend the executive law, in relation to oversight of intelli-
gence data centers
The People of the State of New York, represented in Senate and Assem-bly, do enact as follows:
1 Section 1. The executive law is amended by adding a new article 11-A
2 to read as follows:
3 ARTICLE 11-A
4 OFFICE OF DATA PROTECTION AND PRIVACY OVERSIGHT FOR NEW YORK STATE
5 FUSION CENTERS AND OTHER INTELLIGENCE DATA CENTERS
6 Section 232. Definitions.
7 233. Establishment.
8 § 232. Definitions. As used in this article, the following words shall
9 have the following meanings:
10 1. "Office" shall mean the office of data protection and privacy over-
11 sight for New York state intelligence data centers.
12 2. "Intelligence data center" shall mean any entity whose mission
13 includes collecting, analyzing, and sharing intelligence data and other
14 data for law enforcement or homeland security purposes.
15 3. "Personally identifiable information" shall mean all personal data
16 and any data element or combination of data elements that identifies or
17 could be used to identify any individual, including, but not limited to,
18 by any of the following:
19 (a) name of person;
20 (b) date of birth;
21 (c) address of residence;
22 (d) electronic password;
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD07097-02-4
S. 2642--A 2
1 (e) unique account number;
2 (f) phone number;
3 (g) biometric identifiers including signature, DNA, fingerprints, iris
4 or retinal scans, palm telemetry, photograph, facial recognition meas-
5 urements or any other biometric measurement;
6 (h) e-mail address;
7 (i) internet protocol address;
8 (j) web address; or
9 (k) any other unique identifier.
10 § 233. Establishment. 1. There is hereby established the office of
11 data protection and privacy oversight for intelligence data centers
12 operating in New York state.
13 2. The office shall be under the direction of a commissioner, who
14 shall devote full time to his or her duties.
15 3. The commissioner shall be appointed by the governor, and confirmed
16 by the senate, and shall serve for a term of three years.
17 4. (a) The person so appointed shall be selected without regard to
18 party affiliation and solely on the basis of integrity and demonstrated
19 ability in data management, privacy protection, public administration,
20 law, management analysis, or the administration of justice.
21 (b) In case of a vacancy in the position of the commissioner, his or
22 her successor shall be appointed in the same manner for the unexpired
23 term. No person shall be appointed for more than two three-year terms.
24 (c) The person so appointed may be removed from office, for cause, by
25 the governor. Such cause may include substantial neglect of duty, gross
26 misconduct or conviction of a crime. The reasons for removal of the
27 commissioner shall be stated in writing and shall include the basis for
28 such removal. Such writing shall be sent to the legislature, the gover-
29 nor, and the secretary of state at the time of the removal and shall be
30 deemed to be a public document.
31 5. (a) The commissioner may, subject to appropriation, appoint such
32 other personnel as may be deemed necessary to perform the duties of the
33 office.
34 (b) The commissioner shall be authorized to apply for, and accept on
35 behalf of the state, federal, local or private grants, bequests, gifts
36 or contributions for the purpose of carrying out the functions of the
37 office.
38 (c) The commissioner shall develop procedures for the office appropri-
39 ate to the effective performance of its duties.
40 6. The commissioner or his or her designees shall have access at any
41 and all reasonable times to any facility, program, or portion thereof
42 that is operated by intelligence data centers in the state, and to all
43 records, reports, materials, and employees in order to carry out the
44 responsibilities of the office.
45 7. The commissioner may request the attendance and testimony of
46 witnesses and the production of documents, papers, books, records,
47 reports, reviews, recommendations, correspondence, data and other infor-
48 mation that the commissioner reasonably believes is relevant to the
49 oversight and reporting responsibilities of the office. If a request is
50 denied, the commissioner shall have the power to issue a subpoena for
51 witnesses and the production of documents and any other data, in whatev-
52 er form, including electronic, that the commissioner reasonably believes
53 is relevant. If any person to whom a subpoena is issued fails to appear,
54 or having appeared, refuses to give testimony or fails to produce
55 evidence required, the commissioner may apply to the superior court to
56 issue an order to compel the testimony and production of documents of
S. 2642--A 3
1 any such witnesses. A failure to obey the order may be punished as
2 contempt. Any person or office or custodian of records to whom such a
3 request or subpoena is directed may seek injunctive relief in the supe-
4 rior court to defer a subpoena issued by the commissioner.
5 8. The office shall:
6 (a) examine, on a system-wide basis, the entire scope of the intelli-
7 gence and other operations of intelligence data centers in New York
8 state.
9 (b) investigate, evaluate, and analyze the particular procedures, both
10 as written and in practice, employed by intelligence data centers in
11 collecting data, including personally identifiable information, and in
12 protecting the privacy and security of such information;
13 (c) investigate, evaluate, and analyze the particular procedures, both
14 written and in practice, employed by intelligence data centers to ensure
15 that the activities of such centers do not infringe on the rights to
16 freedom of assembly, association, and expression guaranteed by the
17 United States constitution and the New York state constitution;
18 (d) investigate, evaluate, and analyze the impact of any military
19 involvement in intelligence data center activities;
20 (e) investigate, evaluate, and analyze the impact of any private
21 sector involvement in intelligence data center activities on the privacy
22 and security of personally identifiable information;
23 (f) investigate, evaluate, and analyze the quality, timeliness,
24 completeness, accuracy and efficiency of intelligence data centers'
25 responses to individuals' requests;
26 (g) issue semi-annual written reports, which shall be public records,
27 and shall be filed with the legislature, and submitted to the governor,
28 the chairs of the assembly ways and means and senate finance committees,
29 the chairs of the senate and assembly judiciary committees, the senate
30 veterans, homeland security and military affairs committee, the senate
31 consumer protection committee and the assembly consumer affairs and
32 protection committee and the assembly economic development, job
33 creation, commerce and industry committee. The first report shall be
34 filed on or before January thirtieth, two thousand sixteen;
35 (h) assist and cooperate with the members of the several relevant
36 committees, as noted, in convening and participating in annual public
37 hearings concerning the operations of intelligence data centers in the
38 state;
39 (i) provide independent oversight of data and privacy protection func-
40 tions at intelligence data centers, with regard to the collection, main-
41 tenance and storage, and any disclosure, transfer, or dissemination of
42 personally identifiable information or intelligence data;
43 (j) advise the public and public officials in all branches and at all
44 levels of state government about the data and privacy protection oper-
45 ations of the intelligence data centers; and
46 (k) make annual findings and recommendations concerning the operations
47 of intelligence data centers and submit appropriate legislation to
48 address identified issues.
49 § 2. The executive law is amended by adding a new section 225-b to
50 read as follows:
51 § 225-b. Prohibition on collecting certain information. 1. No state
52 or local law enforcement agency, prosecutorial office, or police or
53 peace officer shall collect or maintain information about the political,
54 religious or social views, associations or activities of any individual,
55 group, association, organization, corporation, business or partnership
56 or other entity unless such information directly relates to an investi-
S. 2642--A 4
1 gation of criminal activities, and there are reasonable grounds to
2 suspect the subject of the information is involved in criminal conduct.
3 2. Any information collected or maintained under subdivision one of
4 this section shall be referred to hereinafter as "protected informa-
5 tion". No intelligence data center, as defined in section two hundred
6 thirty-two of this chapter, or state or local law enforcement agency in
7 receipt of information from an intelligence data center, shall collect,
8 maintain, or disseminate such information except in accordance with the
9 provisions of this section.
10 (a) No information shall be knowingly received, maintained, or dissem-
11 inated that has been obtained in violation of any applicable federal,
12 state, or local law, ordinance, or regulation.
13 (b) All protected information shall be evaluated for the reliability
14 of its source and the accuracy of its content prior to being recorded in
15 any investigation file.
16 (c) Protected information shall be disseminated only to law enforce-
17 ment agencies, contingent upon review and prior written authorization by
18 the head of the originating law enforcement agency or intelligence data
19 center. A record of any such written authorization shall be maintained
20 for a minimum of five years.
21 (d) All investigations undertaken on the basis of any protected infor-
22 mation shall first be authorized in writing by the head of the investi-
23 gating law enforcement agency or intelligence data center. A record of
24 any such written authorization shall be maintained in the corresponding
25 investigation file for a minimum of five years.
26 (e) All information recorded in any investigation file shall be
27 reviewed at least once every five years, and any information that is not
28 reliable, accurate, relevant, and timely, shall be destroyed, provided
29 however, that any documents related to the authorization for and termi-
30 nation of investigations based in whole or in part on protected informa-
31 tion collected under subdivision one of this section, and any authori-
32 zation to disseminate such protected information, shall be retained.
33 § 3. This act shall take effect on the one hundred eightieth day after
34 it shall have become a law; provided, however, that effective immediate-
35 ly, the addition, amendment and/or repeal of any rule or regulation
36 necessary for the implementation of this act on its effective date is
37 authorized and directed to be made and completed on or before such
38 effective date.