State Capitol P.O. Box 2062
Albany, NY 12220-0062
www.its.ny.gov
New York State
Information Technology Guideline
No: NYS-G02-001
IT Guideline: Internet Privacy Policies
Updated: 4/13/2023
Issued By: NYS Office of Information Technology Services
Owner: Division of Legal Affairs
1.0 Purpose and Benefits
This guideline is designed to provide guidance in drafting Internet privacy policies for
state agency websites as required by Article II of the State Technology Law (“STL”),
known as the Internet Security and Privacy Act (“ISPA”). This guideline also includes a
Model Internet Privacy Policy in accordance with section 203 of the STL.
2.0 Authority
Section 103(10) of the State Technology Law provides the Office of Information
Technology Services (ITS) with the authority to establish statewide technology policies,
including technology and security standards. Section 2 of Executive Order No. 117 [1]
provides the State Chief Information Officer with the authority to oversee, direct and
coordinate the establishment of information technology policies, protocols and
standards for State government, including hardware, software, security and business
re-engineering. Details regarding this authority can be found in NYS ITS Policy,
NYS-P08-002 Authority to Establish Enterprise Information Technology (IT) Policies,
Standards and Guidelines.
[1] All references to Executive Order 117 refer to that which was originally issued by Governor George E. Pataki on
January 28, 2002 and continued by Executive Order 5 issued by Governor Eliot Spitzer on January 1, 2007, Executive
Order 9 issued by Governor David A. Paterson on June 18, 2008, Executive Order 2 issued by Governor Andrew M.
Cuomo on January 1, 2011, and Executive Order 6 issued by Governor Kathy Hochul on October 8, 2021.
3.0 Scope
This guideline applies to all “State Entities” (SE), defined as “State Government” entities
as defined in Executive Order 117, established January 2002, or “State Agencies” as
defined in Section 101 of the State Technology Law. This includes employees and all
third parties (such as local governments, consultants, vendors, and contractors) that
use or access any IT resource for which the SE has administrative responsibility,
including systems managed or hosted by third parties on behalf of the SE. While an SE
may adopt a different guideline, it must include the requirements set forth in this one.
NYS-G02-001 Page 2 of 18
For purposes of this guideline, “State Entities” shall include state agencies as defined
in the Internet Security and Privacy Act, which is taken from the Personal Privacy
Protection Law (“PPPL”).
The term 'state agency website' refers to an internet website operated by or for a state
agency, including those websites operated on behalf of a state agency by other public
or private entities, but does not include any portions of the internet outside of the control
of the state agency.
4.0 Information Statement
4.1 Introduction
The ISPA requires each SE that maintains a website to adopt and post an Internet
privacy policy. This requirement reflects the recognition that citizens and businesses
must be confident that their privacy is protected when they visit State Agency Websites.
Pursuant to section 203(1) of the STL, ITS has specified a model Internet privacy policy
for use by SEs.
This guideline highlights a number of considerations that should be taken into account
in drafting an Internet privacy policy and provides an outline for the contents of an
Internet privacy policy. This guideline may be used by each SE, in conjunction with the
ISPA and ITS' model policy, to draft Internet privacy policies that accurately describe
the practices and procedures relating to the information they collect about users
through the State Agency Website and to the SE's retention and disclosure of that
information.
The attached model Internet privacy policy was drafted using this guideline. This model
is not intended to reflect the actual practices and procedures of any particular SE and
should not be adopted by any SE without an analysis of whether the example accurately
describes the SE's practices and procedures.
4.2 Basic Requirements for an Internet Privacy Policy
Section 203(1) of the STL requires that each Internet privacy policy include, but not be
limited to, the following elements:
(a) a statement of the information, including personal information, the
State Agency Website will collect with respect to the user and the
purposes for which the information will be used;
(b) the circumstances under which information, including personal
information, collected may be disclosed;
(c) whether any information collected will be retained by the SE, and, if so,
the period of time that such information will be retained;
(d) the procedures by which a user may gain access to the collected
information pertaining to that user;
(e) the means by which information is collected and whether such collection
occurs actively or passively;
(f) whether the collection of information is voluntary or required, and the
consequences, if any, of a refusal to provide the required information;
and
(g) the steps being taken by the SE to protect the confidentiality and
integrity of the information.
The elements may be addressed in any form and in any order deemed appropriate by
the SE. Likewise, disclosure of the information required by a particular element may be
combined with the information required by other elements. However, regardless of how
the elements are organized, the information should be presented in a clear and logical
manner.
Section 203(2) of the STL requires that the Internet privacy policy be posted on the State
Agency Website, and that such posting "include a conspicuous and direct link to such
privacy policy." ITS suggests that the required "conspicuous and direct link" is one that
is identifiable, prominently displayed, easy to find, and used in a location or manner on
the webpage that differs from the majority of the rest of the webpage's content by using
a different font, color, background, formatting, or type size.
In connection with complying with this posting requirement, SEs should also evaluate
the manner in which users access the various portions of the State Agency Website. In
the event that users can directly access portions of the State Agency Website, such as
surveys, registrations, order forms, or sign-in screens, which may collect information
relating to the user without first visiting the State Agency's Website, the SE should
consider placing links to its Internet privacy policy on those portions of the State
Agency Website with such links being "conspicuous and direct" as described in the
preceding paragraph.
4.3 Initial Steps
An SE should first determine what practices and procedures are currently in use with
regard to: (1) the collection of information, including personal information, with respect
to a user at its website; (2) the retention and disclosure of any information collected; and
(3) the consequence of any breach of these practices and procedures (e.g., breach
notification policy). Any of these current practices and procedures that involve personal
information must comply with the requirements of the PPPL (Public Officers Law, Article
6-A). The PPPL specifies when an SE is authorized to maintain and disclose personal
information concerning individuals.
The SE should evaluate whether all of its current practices and procedures regarding
the collection of information through its website serve agency purposes. If unnecessary
information is being collected through the website, the SE should revise its practices
and procedures to eliminate the collection of that information.
Because the term State Agency Website includes websites operated on behalf of SEs by other
public or private entities, it would be appropriate for the SE to evaluate, in the manner
described in the preceding paragraphs of this section, the practices and procedures of
any entities with which it contracts for the operation of all, or a portion, of the SE's
website. Existing contracts with other entities to operate websites on behalf of the SE
may include language requiring compliance with all applicable laws, and the SE should
inform those entities of the requirements of the ISPA. New contracts for the operation
of a website on behalf of an SE should specifically require compliance with the
provisions of the ISPA.
4.4 Drafting or Revising an Internet Privacy Policy
Drafting or revising an Internet privacy policy should involve ITS, including those
professionals responsible for the security of the SE’s information technology assets,
those program staff responsible for the content of the website, the respective SE's
counsel's office, the officers or employees responsible for the SE's compliance with the
Freedom of Information Law (“FOIL”) and the PPPL, and the SE's officers and
employees charged with overseeing the retention and disposition of records. The
involvement of these groups will increase the likelihood that the policy will be responsive
to all the statutory requirements.
To draft or revise the Internet privacy policy, it may be helpful to begin by answering the
eight questions listed below. Answers to one or more of these questions may contain
information that adequately addresses other required elements of the policy.
Accordingly, as noted above, ITS believes that disclosure of the information required by
section 203(1) of the STL need not rigidly follow the order in which the elements are
presented in that section. When the technology behind a website changes, or new
functionality is added to the website, the Internet privacy policy should be reviewed and
revised as necessary. For example, when an SE creates a mobile version of its website,
the Internet privacy policy should be reviewed for any changes needing to be specified
as applicable to the mobile version.
4.4.1 What type of information is collected by the SE?
Identify the type of information collected about users through the State Agency
Website. Such information may include, but is not limited to, the following:
a. Information collected automatically in the normal operation of the website, such
as:
(i) User client hostname. The hostname or Internet Protocol address of the
user requesting access to a State Agency Website.
(ii) HTTP header, "user agent." The user agent information includes the
type of browser, its version, and the operating system on which the
browser is running.
(iii) HTTP header, "referrer." The referrer specifies the web page from which
the user accessed the current web page.
(iv) System date. The date and time of the user's request.
(v) Full request. The exact request the user made.
(vi) Status. The status code the server returned to the user.
(vii) Content length. The content length, in bytes, of the document sent to
the user.
(viii) Method. The request method used.
(ix) Universal Resource Identifier (URI). The location of a resource on the
server.
(x) Query string of the URI. Anything after the question mark in a URI.
(xi) Protocol. The transport protocol and the version used.
b. Any personal information relating to the user. For purposes of an Internet
privacy policy, the types of information identified in paragraph (a), above,
should not be considered personal information.
c. Any private information collected. Private Information consists of any
personal information combined with any one or more of the data elements
specified in section 208 of the STL including, but not limited to a social security
number, a driver’s license number, an account number, a credit card number,
and biometric information or a username or e-mail address in combination with
a password or security question and answer that would permit access to an
online account.
d. Any other information collected by the SE with respect to the user that does not
fall within paragraphs (a), (b) and (c), above.
4.4.2 How will the SE use the information it collects?
Identify the manner in which the SE will use information collected at the State
Agency Website, including, at a minimum, the following:
a. A statement indicating whether and how information collected will be used for
the technical support of the State Agency Website, including securing and
maintaining the website. For example:
"Information, including IP addresses and domain names, is
automatically logged to provide technical support for the website and its
associated computer systems, to diagnose system performance or
problem areas, and to detect attempts to damage or gain unauthorized
access to the website and its associated computer systems."
b. A statement indicating whether and how information collected will be used for
analytical and statistical purposes, including the improvement of the quality of
the website. For example:
"When visiting this website, the Agency automatically collects and stores
the following information about your visit:
1. The Internet Protocol address and domain name of your
Internet service provider. The Internet Protocol address is a
numerical identifier assigned either to your Internet service
provider or directly to your computer, which can be used to direct
Internet traffic to you;
2. The type of browser and operating system you used;
3. The date and time you visited this site;
4. The web pages or services you accessed at this site; and
5. The URL or web site address of the web site you visited prior to
coming to this website and from which any web page on this site
was linked.
This information is used to help the Agency understand how people are
using this website and to improve its content. Statistical analysis may
be undertaken to determine which portions of the website are visited
most frequently. The information is not collected for commercial
purposes and the Agency does not sell or otherwise distribute the
information collected from the website for commercial purposes."
c. A statement concerning the use of information submitted voluntarily to the State
Agency Website in an electronic mail message. For example:
"If during your visit to this website you send an electronic mail message
to the Agency, your electronic mail address and the contents of your
message will be collected. The information collected is not limited to
text characters and may include audio, video, and graphic information
formats included in the message. Your electronic mail address and the
information included in your message will be used to respond to you, to
address issues you identify, to improve this website, or to forward your
message to another agency for appropriate action. Your electronic mail
address is not collected for commercial purposes and the Agency does
not sell or otherwise distribute your electronic mail address for
commercial purposes."
d. A statement concerning the use of information submitted voluntarily to the SE
when the user completes a transaction such as a survey, registration, or order
form. If appropriate, the SE should provide a general description of the program
for which the information is being collected. For example:
"If during your visit to this website you complete a transaction such as a
survey, registration, or order form, the information, including personal
information, volunteered by you is used by the Agency to operate
Agency programs, which include the provision of goods, services, and
information. This information is collected by the Agency and may be
disclosed by the Agency for those purposes that may be reasonably
ascertained from the nature and terms of the survey, registration, or
order form in which the information was submitted."
-or-
"If during your visit to this website you place an order for a copy of a
map, the Agency will request information from you on our order form.
You must provide contact information, including your name and shipping
address, and financial information, including your credit card number
and its expiration date. This information is used to fill your order and for
billing purposes. If there are difficulties in filling your order, the contact
information may be used to get in touch with you."
-or-
"The Agency uses a third party to ship orders, and a credit card
processing company to bill users for goods and services. [Specified
personal information] is shared with these entities in order to complete
the transaction. These entities are not permitted to use the personal
information for any other purposes."
4.4.3 Under what circumstances will the information collected be
disclosed?
Identify the circumstances under which information, including personal
information, collected will be disclosed. For example:
"Collection of information through this website and the disclosure of that
information are subject to the provisions of the Internet Security and
Privacy Act. The Agency will not collect personal information through this
website or disclose such information to any person, firm, partnership,
corporation, limited liability company or other entity, including internal staff
who do not need the information to perform their official duties, unless the
user has consented to the collection or disclosure of such personal
information. Voluntary disclosure of personal information to the Agency
by the user constitutes consent to the collection and disclosure of the
information by the Agency for the purposes for which the user disclosed
the information to the Agency, as was reasonably ascertainable from the
nature and terms of the disclosure.
However, the Agency may collect or disclose personal information without
the consent of the user if the collection or disclosure is: (1) necessary to
perform the statutory duties of the Agency, or necessary for the Agency
to operate a program authorized by law, or authorized by state or federal
statute or regulation; (2) made pursuant to a court order or by law; (3) for
the purpose of validating the identity of the user; or (4) of information to
be used solely for statistical purposes that is in a form that cannot be used
to identify any particular person.
Disclosure of information, including personal information, collected
through this website is subject to the provisions of the New York State
Freedom of Information Law and the New York State Personal Privacy
Protection Law.
The Agency may disclose personal information to federal or state law
enforcement authorities to enforce its rights against unauthorized access
or attempted unauthorized access to the Agency's information technology
assets or against other inappropriate use of this website."
4.4.4 How long will the information collected be retained?
Indicate what types of information collected through the State Agency Website will
be retained by the SE and describe, in general terms, the retention periods for
those types of information. The statement should indicate whether the SE has
established any records retention and disposition schedules for information
collected through the website which vary from the General Retention and
Disposition Schedule for New York State Government Records issued by the State
Archives and Records Administration pursuant to the Arts and Cultural Affairs Law.
For example:
"The information collected through this website is retained by the Agency
in accordance with the records retention and disposition requirements of
the New York State Arts & Cultural Affairs Law. Additional information on
the requirements of the Arts & Cultural Affairs Law may be found at
http://www.archives.nysed.gov/records/retention-schedules or by calling
the New York State Archives at (518) 474-6926. In general, the Internet
services logs of the Agency, comprising electronic files or automated logs
created to monitor access and use of Agency services provided through
this website, are retained for _______ [state the period that is the
equivalent of three backup cycles] and then destroyed. Information,
including personal information, that you submit in an electronic mail
message or when you engage in a transaction such as completing a
survey, registration form, or order form is retained in accordance with the
records retention and disposition schedule established for the records of
the program unit to which you submitted the information. Information
concerning these records retention and disposition schedules may be
obtained through the Internet privacy policy contact listed in this policy or
by writing to the Agency at: ______________________________."
4.4.5 How are users provided access to personal information collected by
the state agency through its website?
Under section 205 of the STL, the SE must also provide the user with the
opportunity to request the correction or amendment of the personal information
pertaining to such user. If the SE collects personal information pertaining to users
through its State Agency Website, describe the manner in which a user may obtain
access to such personal information. Access to personal information and the
opportunity to request correction or amendment of such personal information is to
be provided in the same manner as provided for access to and correction or
amendment of personal information under section 95 of the Public Officers Law.
For example:
"Any user may submit a request to the Agency privacy compliance officer
to determine whether personal information pertaining to that user has
been collected through this website. Any such request shall be made in
writing and must be accompanied by reasonable proof of identity of the
user. Reasonable proof of identity shall include, but not be limited to,
verification of a signature or inclusion of an identifier generally known only
to the user. The address of the privacy compliance officer is:
_________________________
________________________
_________________________
Within five business days of the receipt of a proper request, the privacy
compliance officer shall: (a) provide access to the personal information;
(b) deny access to the personal information in writing, with an explanation
of why the request is being denied; or (c) acknowledge the receipt of the
request in writing, stating the approximate date when the request will be
granted or denied, provided that the date specified shall not be more than
30 days from the date of the acknowledgment.
In the event that the Agency determines that it has collected personal
information pertaining to a user through the state agency website and that
information is to be provided to the user pursuant to the user's request,
the privacy compliance officer shall inform the user of his or her right to
request that the personal information be amended or corrected under the
procedures set forth in section 95 of the Public Officers Law."
4.4.6 What methods are used to collect information from users?
Describe all passive information collection processes, including cookies, log files,
clear gifs, and other programming, in use at the State Agency Website. If the
website employs active information collection processes, the SE should describe
those processes, including, but not limited to, click-throughs, surveys, registration
forms, order forms, or other types of online transactions.
4.4.7 Is the disclosure of information by a user voluntary or required?
State whether the collection of information through the State Agency Website is
voluntary or required and describe the consequences, if any, of a refusal to provide
required information. For example:
"The Agency does not collect personal information about you unless you
provide it voluntarily by sending an e-mail, responding to a survey, or
completing an online transaction. You may choose not to send us an e-mail,
respond to a survey, or complete an online transaction. Your choice
not to participate in these activities may limit your ability to receive specific
services or products through this website, but it will not have an impact on
your ability to take advantage of certain other features of the website,
including browsing or downloading information."
-or-
"You may configure your web browser to refuse or delete the cookies used
at this website. Refusing or deleting cookies may limit your ability to take
advantage of some features of this website."
4.4.8 How does the SE protect the confidentiality and integrity of
information it collects through the website?
Describe, in general terms, the manner in which the SE protects the confidentiality
and integrity of information collected through its website. The SE's description
should not, however, disclose information that would jeopardize its ability to
maintain the security of its information technology assets. For example:
"The Agency recognizes the need to protect personal information and
private information collected through this website against unauthorized
access, use, or disclosure. The Agency limits employee access to
personal information and private information collected through this
website to those employees who need access to the information to
perform their official duties. Employees with access to such information
are made aware of the need to follow appropriate procedures in
connection with any disclosure of that information, and the state agency
must adhere to applicable State information security policies available at
https://its.ny.gov/policies
The Agency has implemented procedures to safeguard the integrity of its
information technology assets, including, but not limited to, authenticating,
monitoring, auditing, and encrypting. Security procedures have been
integrated into the design, implementation, and day-to-day operations of
this website as part of our continuing commitment to the security of
electronic content as well as the electronic transmission of information.
For website security purposes and to maintain the availability of the
website for all users, the Agency employs software to monitor traffic to
identify unauthorized attempts to upload or change information or
otherwise damage this website.
It should be noted that the information provided in this privacy policy
should not be construed as giving business, legal, or other advice, or
warranting as fail proof, the security of information provided through this
website."
4.4.9 Other Considerations
a. Each SE's Internet privacy policy should also discuss how the SE addresses
the collection of information from children. For example:
"The Agency does not knowingly collect personal information from
children or create profiles of children through this website. Users are
cautioned, however, that the collection of personal information submitted
in electronic mail will be treated as though it was submitted by an adult,
and may, unless exempted from access by federal or State law, be subject
to public access. The Agency strongly encourages parents and teachers
to be involved in children's Internet activities and to provide guidance
whenever children are asked to provide personal information online."
If the State Agency Website includes an area specifically intended for use by
children or if any of the transactions offered on the website are available to
children, the SE should be conscious of the rules adopted by the Federal Trade
Commission (FTC) pursuant to the Children's Online Privacy Protection Act
(COPPA). While COPPA generally applies only to commercial websites, the
FTC encourages others to post policies and provide protections that comply
with COPPA if children provide personal information at their sites. Information
concerning COPPA and the FTC rules is available at
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/children's-privacy
b. The SE may also wish to include contact information in the event that users
have questions about the policy. At the SE's discretion, the contact for
questions about the Internet privacy policy may be the employee designated to
be responsible for compliance with the PPPL pursuant to section 94(1)(j) of the
Public Officers Law.
c. It may also be advisable for the Internet privacy policy to clearly state that
websites to which the user may be linked from the State Agency Website are
not subject to that policy, and that information provided to obtain NYS
authentication services is subject to the privacy policies of such authentication
service. For example:
"In order to provide users with certain information, this website provides
links to the websites of local, State, and federal government agencies, and
to the websites of certain other organizations. A link provided on this
website does not constitute an endorsement of the content, viewpoint,
accuracy, opinions, policies, products, services, or accessibility of that
website. Once you link to another website from this website, including
one maintained by the State, you are subject to the terms and conditions
of that website, including, but not limited to, its Internet privacy policy,
which has precedence for information collected by that site. Information
provided to obtain authentication services such as an NY.gov ID from the
https://my.ny.gov/ site used to access accounts and services of this
agency is subject to the policies of such authentication service."
d. The actual practices and procedures of SEs should conform to the practices
and procedures described in their Internet privacy policies. Accordingly, each
SE should establish procedures to monitor and evaluate compliance with its
Internet privacy policy. Such monitoring and evaluation should include, among
other things, the following:
(i) whether the posted Internet privacy policy accurately reflects the online
services provided and the transactions conducted on the State Agency
Website;
(ii) whether the posted Internet privacy policy accurately reflects the
information collected through the State Agency Website and how that
information is used;
(iii) whether the security practices and procedures implemented in
connection with the State Agency Website are adequate and effective;
and
(iv) whether the Internet privacy policy posted on the State Agency Website
conforms to the provisions of the ISPA, the FOIL, and the PPPL, and all
other relevant laws, regulations, or policies.
4.5 Model Internet Privacy Policy
Please note that the Internet Privacy Policy set forth below is intended to be a model of
a policy drafted using this best practice guideline distributed by ITS. This model is not
intended to reflect the actual practices and procedures of any particular SE and should
not be adopted by any SE without an analysis of whether the model accurately
describes the SE's practices and procedures.
INTERNET PRIVACY POLICY
Introduction
Thank you for visiting the Generic State Agency (GSA) website. This
website is designed to make it easier and more efficient for individuals and
businesses to interact with the GSA. The GSA recognizes that it is critical
for individuals and businesses to be confident that their privacy is protected
when they visit the GSA's website.
Consistent with the provisions of New York State’s Internet Security and
Privacy Act, the Freedom of Information Law, and the Personal Privacy
Protection Law, this policy describes the GSA's privacy practices regarding
information collected from users of this website. This policy describes what
information is collected and how that information is used. Because this
privacy policy only applies to this website, you should examine the privacy
policy of any website, including other state agency websites, that you
access using this website.
For purposes of this policy, "personal information" means any information
concerning a natural person, as opposed to a corporate entity, which,
because of name, number, symbol, personal mark, or other identifier, can
be used to identify that natural person. The GSA only collects personal
information about you when you provide that information voluntarily by
sending an e-mail or by initiating an online transaction, such as a survey,
registration, or order form.
Information Collected Automatically When You Visit this Website
When visiting this website, the GSA automatically collects and stores the
following information about your visit:
(i) The Internet Protocol Address and domain name used, but
not the e-mail address. The Internet Protocol Address is a
numerical identifier assigned either to your Internet service
provider or directly to your computer;
(ii) The type of browser and operating system you used;
(iii) The date and time you visited this site;
(iv) The web pages or services you accessed at this site;
(v) The web site you visited prior to coming to this web site;
(vi) The web site you visit as you leave this web site; and
(vii) If you downloaded a form, the form that was downloaded.
None of the foregoing information is deemed to constitute personal
information.
The information that is collected automatically is used to improve this
website's content and to help the GSA understand how users are interacting
with the website. This information is collected for statistical analysis, to
determine what information is of most and least interest to our users, and
to improve the utility of the material available on the website. The
information is not collected for commercial marketing purposes and the
GSA is not authorized to sell or otherwise disclose the information collected
from the website for commercial marketing purposes.
Cookies
Cookies are simple text files stored on your web browser to provide a means
of distinguishing among users of this website. The use of cookies is a
standard practice among Internet websites. To better serve you, we use
"session cookies" to enhance or customize your visit to this website.
Session cookies can be created automatically on the device you use to
access this website. These session cookies do not contain personal
information and do not compromise your privacy or security. We may use
the cookie feature to store a randomly generated identifying tag on the
device you use to access this website. A session cookie is erased during
operation of your browser or when your browser is closed.
If you wish, you may complete a registration to personalize this website and
permit a "persistent cookie" to be stored on your computer's hard drive. This
persistent cookie will allow the website to recognize you when you visit
again and tailor the information presented to you based on your needs and
interests. The GSA uses persistent cookies only with your permission.
The software and hardware you use to access the website allows you to
refuse new cookies or delete existing cookies. Refusing or deleting these
cookies may limit your ability to take advantage of some features of this
website.
Information Collected When You E-mail this Website
or Initiate an Online Transaction
During your visit to this website you may send an e-mail to the GSA. Your
e-mail address and the contents of your message will be collected. The
information collected is not limited to text characters and may include audio,
video, and graphic information formats included in the message. Your e-mail
address and the information included in your message will be used to
respond to you, to address issues you identify, to improve this website, or
to forward your message to another State agency for appropriate action.
Your e-mail address is not collected for commercial purposes and the GSA
is not authorized to sell or otherwise disclose your e-mail address for
commercial purposes.
During your visit to this website you may initiate a transaction such as a
survey, registration, or order form. The information, including personal
information, volunteered by you in initiating the transaction is used by the
GSA to operate GSA programs, which include the provision of goods,
services, and information. The information collected by the GSA may be
disclosed by the GSA for those purposes that may be reasonably
ascertained from the nature and terms of the transaction in connection with
which the information was submitted.
The GSA does not knowingly collect personal information from children or
create profiles of children through this website. Users are cautioned,
however, that the collection of personal information submitted in an e-mail
or through an online transaction will be treated as though it was submitted
by an adult, and may, unless exempted from access by federal or State law,
be subject to public access. The GSA strongly encourages parents and
teachers to be involved in children's Internet activities and to provide
guidance whenever children are asked to provide personal information
online.
Information and Choice
As noted above, the GSA does not collect any personal information about
you during your visit to this website unless you provide that information
voluntarily by sending an e-mail or initiating an online transaction such as a
survey, registration, or order form. You may choose not to send us an e-mail,
respond to a survey, or complete an order form. While your choice
not to participate in these activities may limit your ability to receive specific
services or products through this website, it will not prevent you from
requesting services or products from GSA by other means and will not
normally have an impact on your ability to take advantage of other features
of the website, including browsing or downloading most publicly available
information.
Disclosure of Information Collected Through This Website
The collection of information through this website and the disclosure of that
information are subject to the provisions of the Internet Security and Privacy
Act. The GSA will only collect personal information through this website or
disclose personal information collected through this website if the user has
consented to the collection or disclosure of such personal information.
Participation in an online transaction resulting in the disclosure of personal
information to the GSA by the user, whether solicited or unsolicited,
constitutes consent to the collection and disclosure of the information by the
GSA for the purposes reasonably ascertainable from the nature and terms
of the transaction.
However, the GSA may collect or disclose personal information without user
consent if the collection or disclosure is: (1) necessary to perform the
statutory duties of the GSA, or necessary for the GSA to operate a program
authorized by law, or authorized by state or federal statute or regulation; (2)
made pursuant to a court order or by law; (3) for the purpose of validating
the identity of the user; or (4) of information to be used solely for statistical
purposes that is in a form that cannot be used to identify any particular
person.
Further, the disclosure of information, including personal information,
collected through this website is subject to the provisions of the Freedom of
Information Law and the Personal Privacy Protection Law.
The GSA may disclose personal information to federal or state law
enforcement authorities to enforce the GSA's rights against unauthorized
access or attempted unauthorized access to the GSA's information
technology assets or against other inappropriate use of this website.
Retention of Information Collected Through this Website
The information collected through this website is retained by the GSA in
accordance with the records retention and disposition requirements of the
New York State Arts & Cultural Affairs Law. Information on the
requirements of the Arts & Cultural Affairs Law may be found at
http://www.archives.nysed.gov/records/retention-schedules
In general, the Internet services logs of the GSA, comprising electronic files
or automated logs created to monitor access and use of Agency services
provided through this website, are retained for _______ [state the period
that is the equivalent of three backup cycles] and then destroyed.
Information, including personal information, that you submit in an e-mail or
when you initiate an online transaction such as a survey, registration form,
or order form is retained in accordance with the records retention and
disposition schedule established for the records of the program unit to which
you submitted the information. Information concerning these records
retention and disposition schedules may be obtained through the Internet
privacy policy contact listed in this policy.
Access to and Correction of Personal Information
Collected Through this Website
Any user may submit a request to the GSA privacy compliance officer to
determine whether personal information pertaining to that user has been
collected through this website. Any such request shall be made in writing
to the address below and must be accompanied by reasonable proof of
identity of the user. Reasonable proof of identity may include verification of
a signature, inclusion of an identifier generally known only to the user, or
similar appropriate identification. The address of the privacy compliance
officer is:
_________________________
_________________________
_________________________
The privacy compliance officer shall, within five (5) business days of the
date of the receipt of a proper request: (i) provide access to the personal
information; (ii) deny access in writing, explaining the reasons therefor; or
(iii) acknowledge the receipt of the request in writing, stating the
approximate date when the request will be granted or denied, which date
shall not be more than thirty (30) days from the date of the acknowledgment.
In the event that the GSA has collected personal information pertaining to
a user through the state agency website and that information is to be
provided to the user pursuant to the user's request, the privacy compliance
officer shall inform the user of his or her right to request that the personal
information be amended or corrected under the procedures set forth in
section 95 of the Public Officers Law.
Confidentiality and Integrity of Personal Information
Collected Through this Website
The GSA is strongly committed to protecting personal information collected
through this website against unauthorized access, use, or disclosure.
Consequently, the GSA limits employee access to personal information
collected through this website to only those employees who need access to
the information in the performance of their official duties. Employees who
have access to this information are required to follow appropriate
procedures in connection with any disclosures of personal information.
In addition, the GSA has implemented procedures to safeguard the integrity
of its information technology assets, including, but not limited to, [state
actual practices or procedures such as authentication, monitoring, auditing,
and encryption.] These security procedures have been integrated into the
design, implementation, and day-to-day operations of this website as part
of our continuing commitment to the security of electronic content as well
as the electronic transmission of information.
For website security purposes and to maintain the availability of the website
for all users, the GSA employs software to monitor traffic to identify
unauthorized attempts to upload or change information or otherwise
damage this website.
Disclaimer
The information provided in this privacy policy should not be construed as
giving business, legal, or other advice, or warranting as fail proof, the
security of information provided through this website.
Links
In order to provide users with certain information, the GSA provides links to
the websites of local, State, and federal government agencies, and to the
websites of other organizations. A link does not constitute an endorsement
of the content, viewpoint, accuracy, opinions, policies, products, services,
or accessibility of that website. Once you link to another website from this
website, including one maintained by the State, you are subject to the terms
and conditions of that website, including, but not limited to, its Internet
privacy policy, which has precedence for information collected by that site.
Information provided to obtain authentication services such as an NY.gov
ID from the https://my.ny.gov/ site used to access accounts and services of
this agency is subject to the policies of such authentication service.
Contact Information
For questions regarding this Internet privacy policy, please contact:
(via e-mail) _____________________________________
(via regular mail) _________________________________
_________________________________
5.0 Compliance
This guideline shall take effect upon publication. Compliance with enterprise guidelines
is non-compulsory, but strongly suggested. ITS may amend its guidelines at any time.
6.0 Definitions of Key Terms
All terms shall have the meanings found in http://www.its.ny.gov/glossary.
7.0 Contact Information
Submit all inquiries and requests for future enhancements to the guideline owner at:
Division of Legal Affairs
Reference: NYS-G02-001
NYS Office of Information Technology Services
State Capitol, PO Box 2062
Albany, NY 12220-0062
Telephone: (518) 473-5115
Email: its.sm.dla@its.ny.gov
Statewide technology policies, standards, and guidelines may be found at the
following website: https://its.ny.gov/policies
8.0 Revision History
This policy should be reviewed consistent with the requirements set forth in
NYS-P09-003 Process for Establishing Information Technology Policies, Standards and
Guidelines.
Date        Description of Change
06/17/2002  Issued guideline.
03/09/2004  Revised to update a reference link.
10/09/2009  Branding update.
03/21/2017  Revised to update links, add information, and update branding.
10/02/2020  Scheduled review. Definitions updated.
05/24/2021  Updated Scope Language.
4/13/2023   Links fixed, and language clarified.
9.0 Related Documents
New York State Technology Law
NYS-P03-002 Information Security Policy