These jurisdiction checklists are practical scoping aids for privacy, DPO, DSAR, transfer, incident, and vendor governance decisions. Confirm obligations against your facts before relying on any checklist as advice.
New York
NYS Personal Privacy Protection Act Compliance Checklist
Key Provisions & Questions
Section 93 - Powers and Duties of the Committee
Does your agency submit accurate system of records information, privacy impact statements, and annual reports to the committee as required under § 93?
Agencies must maintain complete and accurate details of all systems of records and submit required documentation to the committee on time.
Section 94 - Agency Obligations
Does your agency ensure that all personal information collected and maintained in its systems of records is accurate, relevant, timely, secure, and collected directly from the data subject wherever practicable, with proper notice and safeguards?
Agencies must implement comprehensive data quality, security, and collection practices that protect individual privacy rights while maintaining operational effectiveness.
Section 95 - Access to Records
Does your agency provide data subjects timely access to their records, allow corrections or amendments, and inform them of their rights to appeal or file disagreements as required under § 95?
Data subjects have the right to access their personal information, request corrections, and challenge agency decisions through established appeal processes.
Section 96 - Disclosure of Records
Does your agency disclose personal records only in accordance with the permitted exceptions under § 96, such as consent of the data subject, statutory authorization, law enforcement needs, or health/safety emergencies?
Personal information may only be disclosed under specific circumstances defined by law, ensuring that privacy is protected while allowing necessary information sharing.
Section 96-a - Prohibited Conduct
Does your agency prevent the public display, improper transmission, or unauthorized use of Social Security Numbers, ensuring compliance with § 96-a prohibitions?
Social Security Numbers require special protection and may only be used for specific statutory purposes, with strict controls to prevent unauthorized disclosure or display.
Compliance Recommendations
Powers and Duties of the Committee (§ 93)
If Yes:
- Continue submitting privacy impact statements and annual reports on time
- Maintain complete and accurate details of all systems of records
If No:
- Implement procedures to ensure timely submission of required records, privacy impact statements, and reports
- Establish internal compliance checks aligned with § 93 obligations
Agency Obligations (§ 94)
If Yes:
- Maintain written policies and apply clear retention rules
- Implement technical and organizational safeguards
- Conduct regular audits to ensure ongoing adherence
If No:
- Adopt procedures to notify data subjects
- Collect only necessary data
- Establish accuracy and security safeguards
- Introduce periodic training for staff to oversee compliance with § 94
Access to Records (§ 95)
If Yes:
- Continue ensuring records are provided within statutory deadlines
- Maintain procedures for correction, amendment, appeals, and disagreement statements
If No:
- Implement processes to grant or deny access within statutory timeframes
- Establish correction and appeal procedures
- Notify data subjects of their rights
Disclosure of Records (§ 96)
If Yes:
- Maintain clear disclosure logs
- Ensure disclosures align strictly with permitted exceptions
If No:
- Establish strict disclosure procedures
- Limit disclosures to permitted exceptions
- Implement staff training
- Create monitoring systems to prevent unauthorized release of records
Prohibited Conduct (§ 96-a)
If Yes:
- Continue enforcing strict safeguards for Social Security Numbers
- Limit use to statutory purposes
- Periodically review systems to prevent inadvertent disclosures
If No:
- Immediately implement controls to prohibit public display or transmission of SSNs
- Adopt redaction practices
- Strengthen authentication methods