Full text
- This is an unofficial copy. The document has been archived and reformatted in plaintext for AGORA. Footnotes, tables, and similar material may be omitted. For the official text, visit the original source.
- Thematic tags for this document are awaiting validation (peer review by a second AGORA editor).
- This text may be out of date. According to the latest data in AGORA, this document has been proposed, but is not yet enacted or otherwise finalized. This text was collected 2024-04-23 and may have been revised in the meantime. Visit the official source for authoritative text.
§ 7. Section 165 of the state finance law is amended by adding two new
subdivisions 9 and 10 to read as follows:
9. AUTOMATED DECISION SYSTEM IMPACT ASSESSMENTS.
A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
THE FOLLOWING MEANINGS:
(I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY SOFTWARE, SYSTEM, OR
PROCESS THAT IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES, PREDIC-
TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
(II) "AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT" SHALL MEAN A STUDY
EVALUATING AN AUTOMATED DECISION SYSTEM AND THE AUTOMATED DECISION
SYSTEM'S DEVELOPMENT PROCESSES, INCLUDING THE DESIGN AND TRAINING DATA
OF THE AUTOMATED DECISION SYSTEM, FOR STATISTICAL IMPACTS ON CLASSES
PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, AS
WELL AS FOR IMPACTS ON PRIVACY, AND SECURITY THAT INCLUDES AT A MINIMUM:
(A) A DETAILED DESCRIPTION OF THE AUTOMATED DECISION SYSTEM, ITS
DESIGN, ITS TRAINING, ITS DATA, AND ITS PURPOSE;
(B) AN ASSESSMENT OF THE RELATIVE BENEFITS AND COSTS OF THE AUTOMATED
DECISION SYSTEM IN LIGHT OF ITS PURPOSE, TAKING INTO ACCOUNT RELEVANT
FACTORS, INCLUDING DATA MINIMIZATION PRACTICES, THE DURATION FOR WHICH
PERSONAL INFORMATION AND THE RESULTS OF THE AUTOMATED DECISION SYSTEM
ARE STORED, WHAT INFORMATION ABOUT THE AUTOMATED DECISION SYSTEM ARE
AVAILABLE TO THE PUBLIC, AND THE RECIPIENTS OF THE RESULTS OF THE AUTO-
MATED DECISION SYSTEM;
(C) AN ASSESSMENT OF THE RISK OF HARM POSED BY THE AUTOMATED DECISION
SYSTEM AND THE RISK THAT SUCH AUTOMATED DECISION SYSTEM MAY RESULT IN OR
CONTRIBUTE TO INACCURATE, UNFAIR, BIASED, OR DISCRIMINATORY DECISIONS
IMPACTING INDIVIDUALS; AND
(D) THE MEASURES THE STATE AGENCY WILL EMPLOY TO MINIMIZE THE RISKS
DESCRIBED IN ITEM (C) OF THIS SUBPARAGRAPH, INCLUDING TECHNOLOGICAL AND
PHYSICAL SAFEGUARDS.
(III) "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL HARM.
(B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
LIMITED TO BIAS-RELATED CRIMES AND THREATS, HARASSMENT, AND SEXUAL
HARASSMENT.
(C) DISCRIMINATION IN GOODS, SERVICES, OR ECONOMIC OPPORTUNITY,
INCLUDING BUT NOT LIMITED TO HOUSING, EMPLOYMENT, CREDIT, INSURANCE,
EDUCATION, OR HEALTH CARE ON THE BASIS OF AN INDIVIDUAL OR CLASS OF
INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
ORIENTATION, GENDER IDENTITY, MARITAL STATUS, DISABILITY, MILITARY
STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
(D) INTERFERENCE WITH OR SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
ACTIVITIES BY STATE ACTORS.
(E) INTERFERENCE WITH THE RIGHT TO VOTE OR WITH FREE AND FAIR
ELECTIONS.
(F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
(G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
(H) THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
OF SECLUSION OR ACCESS CONTROL.
(I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
ABLE TO, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE
PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
BLE, CONTEMPLATED BY, OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
(IV) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
(V) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT DIRECTLY OR
INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSO-
CIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE.
(VI) "PROXY" OR "PROXIES" SHALL MEAN INFORMATION THAT, BY ITSELF OR IN
COMBINATION WITH OTHER INFORMATION, IS USED BY A COVERED ENTITY IN A WAY
THAT DISCRIMINATES BASED ON ACTUAL OR PERCEIVED PERSONAL CHARACTERISTICS
OR CLASSES PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECU-
TIVE LAW.
(VII) "TRAINING DATA" SHALL MEAN THE DATASETS USED TO TRAIN AN AUTO-
MATED DECISION SYSTEM, MACHINE LEARNING ALGORITHM, OR CLASSIFIER TO
CREATE AND DERIVE PATTERNS FROM A PREDICTION MODEL.
B. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM UNLESS IT FIRST ENGAGES A NEUTRAL THIRD PARTY
TO CONDUCT AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT AND PUBLISHES
ON ITS PUBLIC WEBSITE THAT AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT:
(I) OF EXISTING AUTOMATED DECISION SYSTEM WITHIN ONE YEAR OF THE
EFFECTIVE DATE OF THIS SUBDIVISION AND EVERY TWO YEARS THEREAFTER.
(II) OF NEW AUTOMATED DECISION SYSTEMS PRIOR TO ACQUISITION AND EVERY
TWO YEARS THEREAFTER.
C. UPON PUBLICATION OF AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT,
THE PUBLIC SHALL HAVE FORTY-FIVE DAYS TO SUBMIT COMMENTS ON SUCH ASSESS-
MENT TO THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION. THE STATE AND ANY GOVERNMENTAL AGENCY, POLI-
TICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION SHALL CONSIDER SUCH
PUBLIC COMMENTS WHEN DETERMINING WHETHER TO PURCHASE, OBTAIN, PROCURE,
ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN AUTOMATED
DECISION SYSTEM AND SHALL POST RESPONSES TO SUCH PUBLIC COMMENTS TO ITS
WEBSITE WITHIN FORTY-FIVE DAYS AFTER THE CLOSE OF THE PUBLIC COMMENT
PERIOD.
D. THE STATE PROCUREMENT COUNCIL SHALL, IN CONSULTATION WITH THE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, THE DIVISION OF HUMAN RIGHTS
AND EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE
DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS, PROMULGATE RULES AND
REGULATIONS TO SET THE MINIMUM STANDARD ENTITIES SHALL MEET TO SERVE AS
NEUTRAL THIRD PARTIES CONDUCTING AUTOMATED DECISION SYSTEM IMPACT
ASSESSMENTS.
E. THE STATE PROCUREMENT COUNCIL SHALL MAINTAIN A PUBLICLY AVAILABLE
LIST OF NEUTRAL THIRD PARTIES THAT MEET THE QUALIFICATIONS OUTLINED IN
PARAGRAPH D OF THIS SUBDIVISION.
F. WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS SUBDIVISION, THE
OFFICE OF INFORMATION TECHNOLOGY SERVICES, IN CONSULTATION WITH THE
DIVISION OF HUMAN RIGHTS AND EXPERTS AND REPRESENTATIVES FROM THE COMMU-
NITIES THAT WILL BE DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS,
SHALL COMPLETE AND PUBLISH ON ITS WEBSITE A COMPREHENSIVE STUDY OF THE
STATISTICAL IMPACTS OF AUTOMATED DECISION SYSTEMS ON CLASSES PROTECTED
UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, INCLUDING BUT
NOT LIMITED TO, EVALUATING THE USE OF PROXIES AND THE TYPES OF DATA USED
IN TRAINING DATA SETS AND THE RISKS ASSOCIATED WITH PARTICULAR TYPES OF
TRAINING DATA.
(I) AS PART OF SUCH STUDY, THE OFFICE OF INFORMATION TECHNOLOGY
SERVICES SHALL REVIEW THE AUTOMATED DECISION SYSTEM IMPACT ASSESSMENTS
THAT HAVE BEEN PUBLISHED PRIOR TO COMPLETION OF THE STUDY, AS WELL AS
THE PUBLIC COMMENTS SUBMITTED IN RESPONSE TO SUCH AUTOMATED DECISION
IMPACT ASSESSMENTS.
(II) THE OFFICE MAY REQUEST DATA AND INFORMATION FROM: STATE AGENCIES;
CONSUMER PROTECTION, CIVIL RIGHTS, AND PRIVACY ADVOCATES; RESEARCHERS
AND ACADEMICS; PRIVATE ENTITIES THAT DEVELOP OR DEPLOY AUTOMATED DECI-
SION SYSTEMS; AND OTHER RELEVANT SOURCES TO MEET THE PURPOSE OF SUCH
STUDY. THE OFFICE SHALL RECEIVE, UPON REQUEST, DATA FROM OTHER STATE
AGENCIES.
10. AUTOMATED DECISION SYSTEM USE POLICIES; NOTICE AND HUMAN REVIEW
REQUIREMENTS.
A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
THE FOLLOWING MEANINGS:
(I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY SOFTWARE, SYSTEM, OR
PROCESS THAT IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES, PREDIC-
TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
(II) "AUTOMATED DECISION SYSTEM USE POLICY" SHALL MEAN:
(A) A DESCRIPTION OF THE CAPABILITIES OF THE AUTOMATED DECISION
SYSTEM, ANY DECISIONS THAT SUCH SYSTEM IS USED TO MAKE OR ASSIST IN
MAKING AND ANY SPECIFIC TYPES OR GROUPS OF PERSONS PROTECTED UNDER
SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW WHO ARE LIKELY TO BE
AFFECTED BY SUCH DECISIONS;
(B) RULES, PROCESSES, AND GUIDELINES ISSUED BY THE STATE AGENCY REGU-
LATING ACCESS TO OR USE OF SUCH AUTOMATED DECISION SYSTEM, AS WELL AS
ANY PROHIBITIONS OR RESTRICTIONS ON USE;
(C) SAFEGUARDS OR SECURITY MEASURES DESIGNED TO PROTECT INFORMATION
COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, INCLUDING
BUT NOT LIMITED TO, THE EXISTENCE OF ENCRYPTION AND ACCESS CONTROL MECH-
ANISMS;
(D) POLICIES AND PRACTICES RELATING TO THE RETENTION, ACCESS, AND USE
OF DATA COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, AS
WELL AS THE DECISIONS RENDERED BY SUCH AUTOMATED DECISION SYSTEM;
(E) WHETHER OTHER ENTITIES OUTSIDE THE STATE AGENCY HAVE ACCESS TO THE
INFORMATION AND DATA USED BY OR INPUTTED INTO THE AUTOMATED DECISION
SYSTEM OR THE DECISIONS RENDERED BY THE AUTOMATED DECISION SYSTEM,
INCLUDING WHETHER THE OUTSIDE ENTITY IS LOCAL, STATE, FEDERAL, OR
PRIVATE, THE TYPE OF INFORMATION AND DATA THAT MAY BE DISCLOSED, AND ANY
SAFEGUARDS OR RESTRICTIONS IMPOSED BY THE AGENCY ON THE OUTSIDE ENTITY
REGARDING THE USE OR DISSEMINATION OF THE INFORMATION, DATA, OR DECI-
SION;
(F) WHETHER ANY TRAINING IS REQUIRED BY THE STATE AGENCY FOR AN INDI-
VIDUAL TO USE SUCH AUTOMATED DECISION SYSTEM OR ACCESS INFORMATION
COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM OR THE
DECISIONS RENDERED BY THE AUTOMATED DECISION SYSTEM;
(G) A DESCRIPTION OF THE INTERNAL AND EXTERNAL AUDIT AND OVERSIGHT
MECHANISMS, INCLUDING THE MECHANISM FOR HUMAN REVIEW REQUIRED UNDER
PARAGRAPH G OF THIS SUBDIVISION, TO ENSURE COMPLIANCE WITH THE AUTOMATED
DECISION USE POLICY AND THAT THE AUTOMATED DECISION SYSTEM DOES NOT
RESULT IN HARM TO AN INDIVIDUAL;
(H) RELEVANT TECHNICAL INFORMATION ABOUT THE AUTOMATED DECISION
SYSTEM, INCLUDING THE SYSTEM'S NAME, VENDOR, AND VERSION, AS WELL AS A
DESCRIPTION OF THE AUTOMATED DECISION SYSTEM'S GENERAL CAPABILITIES,
INCLUDING REASONABLY FORESEEABLE CAPABILITIES OUTSIDE THE SCOPE OF THE
AGENCY'S PROPOSED USE;
(I) THE TYPE OR TYPES OF DATA INPUTS THAT THE AUTOMATED DECISION
SYSTEM USES, HOW THAT DATA IS GENERATED, COLLECTED, AND PROCESSED, AND
THE TYPES OF DATA THE SYSTEM IS REASONABLY LIKELY TO GENERATE;
(J) HOW AND WHEN THE AUTOMATED DECISION SYSTEM WILL BE DEPLOYED OR
USED AND BY WHOM, INCLUDING BUT NOT LIMITED TO, THE FACTORS THAT WILL BE
USED TO DETERMINE WHERE, WHEN, AND HOW THE TECHNOLOGY IS DEPLOYED;
(K) A DESCRIPTION OF ANY PUBLIC OR COMMUNITY ENGAGEMENT HELD AND ANY
FUTURE PUBLIC OR COMMUNITY ENGAGEMENT PLANS IN CONNECTION WITH THE AUTO-
MATED DECISION SYSTEM; AND
(L) A DESCRIPTION OF THE FISCAL IMPACT OF THE AUTOMATED DECISION
SYSTEM, INCLUDING INITIAL ACQUISITION COSTS, ONGOING OPERATING COSTS,
SUCH AS MAINTENANCE, LICENSING, PERSONNEL, LEGAL COMPLIANCE, USE AUDIT-
ING, DATA RETENTION, AND SECURITY COSTS, AND ANY CURRENT OR POTENTIAL
SOURCES OF FUNDING, INCLUDING ANY SUBSIDIES OR FREE PRODUCTS OFFERED BY
VENDORS OR GOVERNMENTAL ENTITIES.
(III) "DE-IDENTIFIED INFORMATION" SHALL MEAN INFORMATION THAT CANNOT
REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED
WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR INDIVIDUAL;
PROVIDED THAT A COVERED ENTITY THAT USES DE-IDENTIFIED INFORMATION:
(A) HAS IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT REIDENTIFICA-
TION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
(B) HAS IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT
REIDENTIFICATION OF SUCH INFORMATION;
(C) HAS IMPLEMENTED BUSINESS PROCESSES THAT PREVENT INADVERTENT
RELEASE OF SUCH DE-IDENTIFIED INFORMATION; AND
(D) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
(IV) "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
(A) DIRECT OR INDIRECT FINANCIAL HARM.
(B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
LIMITED TO BIAS-RELATED CRIMES AND THREATS, HARASSMENT, AND SEXUAL
HARASSMENT.
(C) DISCRIMINATION IN GOODS, SERVICES, OR ECONOMIC OPPORTUNITY,
INCLUDING BUT NOT LIMITED TO HOUSING, EMPLOYMENT, CREDIT, INSURANCE,
EDUCATION, OR HEALTH CARE ON THE BASIS OF AN INDIVIDUAL OR CLASS OF
INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
ORIENTATION, GENDER IDENTITY, MARITAL STATUS, DISABILITY, MILITARY
STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
(D) INTERFERENCE WITH OR SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
ACTIVITIES BY STATE ACTORS.
(E) INTERFERENCE WITH THE RIGHT TO VOTE OR WITH FREE AND FAIR
ELECTIONS.
(F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
(G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
(H) THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
OF SECLUSION OR ACCESS CONTROL.
(I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
ABLE TO, CONTEMPLATED BY, OR EXPECTED BY THE INDIVIDUAL TO WHOM THE
PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
BLE, CONTEMPLATED BY, OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
(V) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM A COVERED ENTITY
KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
(VI) "PERSONAL INFORMATION" SHALL MEAN INFORMATION THAT DIRECTLY OR
INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING ASSO-
CIATED WITH, OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
WITH OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY AN INDIVID-
UAL, HOUSEHOLD, OR DEVICE.
(VII) "RELEVANT TECHNICAL INFORMATION" SHALL INCLUDE, BUT NOT BE
LIMITED TO, SOURCE CODE, MODELS, DOCUMENTATION ON THE ALGORITHMS USED,
DESIGN DOCUMENTATION AND INFORMATION ABOUT TECHNICAL ARCHITECTURE,
TRAINING DATA, DATA PROVENANCE INFORMATION, JUSTIFICATION FOR THE VALID-
ITY OF THE MODEL, ANY RECORDS OF BIAS, AND ANY VALIDATION TESTING
PERFORMED ON THE SYSTEM.
B. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM SHALL PUBLISH ON ITS WEBSITE AT LEAST NINE-
TY DAYS PRIOR TO THE PURCHASE, OBTAINING, USE, ACQUISITION, OR DEPLOY-
MENT OF NEW AUTOMATED DECISION SYSTEMS AND, FOR EXISTING AUTOMATED DECI-
SION SYSTEMS, WITHIN ONE HUNDRED EIGHTY DAYS OF THE EFFECTIVE DATE OF
THIS SUBDIVISION, AN AUTOMATED DECISION SYSTEM USE POLICY.
(I) WHEN THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION
OR PUBLIC BENEFIT CORPORATION OF THE STATE SEEKS TO CHANGE OR CHANGES AN
AUTOMATED DECISION SYSTEM IN A WAY THAT AFFECTS THE RESULTS OR OUTCOMES
OF THE AUTOMATED DECISION SYSTEM OR USES SUCH AUTOMATED DECISION SYSTEM
FOR A PURPOSE OR MANNER NOT PREVIOUSLY DISCLOSED THROUGH AN AUTOMATED
DECISION SYSTEM USE POLICY, IT SHALL PROVIDE AN ADDENDUM TO THE EXISTING
AUTOMATED DECISION SYSTEM USE POLICY DESCRIBING SUCH CHANGE OR ADDI-
TIONAL USE AND RETAIN AN ARCHIVED COPY OF THE PREVIOUS AUTOMATED DECI-
SION SYSTEM SO THAT DECISIONS MADE UNDER THE OLD SYSTEM USE POLICY MAY
BE CHALLENGED UNDER PARAGRAPH G OF THIS SUBDIVISION.
(II) UPON PUBLICATION OF, OR ADDENDUM TO, ANY PROPOSED AUTOMATED DECI-
SION SYSTEM POLICY, THE PUBLIC SHALL HAVE FORTY-FIVE DAYS TO SUBMIT
COMMENTS ON SUCH POLICY TO THE STATE AND ANY GOVERNMENTAL AGENCY OR
POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION.
(III) THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION SHALL CONSIDER PUBLIC COMMENTS AND PROVIDE
THE FINAL AUTOMATED DECISION SYSTEM USE POLICY TO THE OFFICE OF INFORMA-
TION TECHNOLOGY SERVICES, THE COMMITTEE ON OPEN GOVERNMENT, AND THE
STATE PROCUREMENT COUNCIL, AND SHALL POST SUCH DECISION TO ITS WEBSITE
NO LATER THAN FORTY-FIVE DAYS AFTER THE CLOSE OF THE PUBLIC COMMENT
PERIOD.
C. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION SHALL OBTAIN APPROVAL FROM THE CITY OR COUNTY
COUNCIL WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE, FOLLOW-
ING THE PUBLIC COMMENT PERIOD REQUIRED IN PARAGRAPH B OF THIS SUBDIVI-
SION, AND A PROPERLY-NOTICED, GERMANE, PUBLIC HEARING AT WHICH THE
PUBLIC IS AFFORDED A FAIR AND ADEQUATE OPPORTUNITY TO PROVIDE ONLINE,
WRITTEN, AND ORAL TESTIMONY, PRIOR TO:
(I) SEEKING FUNDS FOR AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR
CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR
SERVICES FOR AN INDIVIDUAL, INCLUDING BUT NOT LIMITED TO, APPLYING FOR A
GRANT, OR SOLICITING OR ACCEPTING STATE OR FEDERAL FUNDS OR IN-KIND OR
OTHER DONATIONS;
(II) ACQUIRING OR BORROWING AN AUTOMATED DECISION SYSTEM THAT ASSIGNS
OR CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,
OR SERVICES FOR AN INDIVIDUAL, WHETHER OR NOT SUCH ACQUISITION IS MADE
THROUGH THE EXCHANGE OF MONIES OR OTHER CONSIDERATION;
(III) USING A NEW OR EXISTING AUTOMATED DECISION SYSTEM THAT ASSIGNS
OR CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,
OR SERVICES FOR AN INDIVIDUAL, OR DATA DERIVED THEREFROM, FOR A PURPOSE
OR IN A MANNER NOT PREVIOUSLY APPROVED BY THE CITY OR COUNTY COUNCIL
WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE; OR
(IV) SOLICITING PROPOSALS FOR OR ENTERING INTO AN AGREEMENT WITH ANY
OTHER PERSON OR ENTITY TO ACQUIRE, SHARE, OR OTHERWISE USE AN AUTOMATED
DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMINATION OF
RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL OR AUTO-
MATED DECISION SYSTEM DATA.
D. THE COMMITTEE ON OPEN GOVERNMENT SHALL CONDUCT ANNUAL AUDITS OF
AUTOMATED DECISION SYSTEM USE POLICIES THAT SHALL:
(I) ASSESS WHETHER EACH STATE AGENCY THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM COMPLIES WITH THE TERMS OF THE AUTOMATED
DECISION SYSTEM USE POLICY;
(II) DESCRIBES ANY KNOWN OR REASONABLY SUSPECTED VIOLATIONS OF ANY
AUTOMATED DECISION SYSTEM USE POLICIES; AND
(III) PUBLISH RECOMMENDATIONS, IF ANY, RELATING TO REVISION OF THE
RELEVANT AUTOMATED DECISION SYSTEM USE POLICIES.
E. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY THE
AUTOMATED DECISION SYSTEM AND WHOM THE AUTOMATED DECISION SYSTEM'S DECI-
SION AFFECTS OF THE FACT THAT SUCH SYSTEM IS IN USE, THE SYSTEM'S NAME,
VENDOR, AND VERSION, WHAT DECISION OR DECISIONS WILL BE USED TO MAKE OR
SUPPORT; AND WHAT POLICIES AND GUIDELINES APPLY TO ITS DEPLOYMENT.
F. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY SUCH
AUTOMATED DECISION SYSTEM AND WHOM SUCH AUTOMATED DECISION SYSTEM'S
DECISION AFFECTS, OF THE INVOLVEMENT OF AN AUTOMATED DECISION SYSTEM IN
MAKING THE DECISION, THE DEGREE OF HUMAN INTERVENTION IN THE SYSTEM, HOW
THE AUTOMATED DECISION SYSTEM MADE THE DECISION, THE JUSTIFICATION FOR
THE DECISION, THE VARIABLES CONSIDERED IN RENDERING THE DECISION, WHETH-
ER AND HOW THE DECISION DEVIATED FROM THE AUTOMATED DECISION'S SYSTEM'S
RECOMMENDATION, HOW THE INDIVIDUAL MAY CONTEST THE DECISION PURSUANT TO
PARAGRAPH G OF THIS SUBDIVISION, AND THE PROCESS FOR REQUESTING HUMAN
REVIEW OF THE DECISION PURSUANT TO PARAGRAPH G OF THIS SUBDIVISION.
(I) THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL ENSURE THAT IT CAN EXPLAIN
THE BASIS FOR ITS DECISION TO ANY IMPACTED INDIVIDUAL IN TERMS UNDER-
STANDABLE TO A LAYPERSON INCLUDING, WITHOUT LIMITATION, BY REQUIRING THE
VENDOR TO CREATE SUCH EXPLANATION.
(II) THE COMMITTEE ON OPEN GOVERNMENT, IN CONSULTATION WITH THE DIVI-
SION OF HUMAN RIGHTS, THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND
EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE DIRECTLY
AFFECTED BY AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
LATIONS SPECIFYING THE REQUIREMENTS FOR SUCH NOTICE.
G. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE SHALL NOT PURCHASE, OBTAIN,
PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION FROM AN
AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
UNLESS IT FIRST DEVELOPS A PROCESS FOR HUMAN REVIEW.
(I) THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, IN CONSULTATION
WITH THE DIVISION OF HUMAN RIGHTS, THE COMMITTEE ON OPEN GOVERNMENT AND
EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL BE DIRECTLY
AFFECTED BY AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
LATIONS SPECIFYING THE REQUIREMENTS FOR HUMAN REVIEW OF DECISIONS
RENDERED BY AUTOMATED DECISION SYSTEMS.
(II) AN INDIVIDUAL WHO WAS DENIED OR ASSIGNED A RIGHT, BENEFIT, OPPOR-
TUNITY OR SERVICE, MAY REQUEST HUMAN REVIEW OF THE DECISION RENDERED BY
THE AUTOMATED DECISION SYSTEM.
(III) WHERE THE HUMAN REVIEW OVERTURNS A DECISION RENDERED BY AN AUTO-
MATED DECISION SYSTEM, THE AFFECTED INDIVIDUAL EXPERIENCES HARM AS A
RESULT OF THE OVERTURNED DECISION, AND THE STATE OR ANY GOVERNMENTAL
AGENCY, POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION OF THE STATE
CANNOT OR WILL NOT PROVIDE A REMEDY, OR WHERE THE HUMAN REVIEW DOES NOT
OVERTURN A DECISION RENDERED BY AN AUTOMATED DECISION SYSTEM, THE
AFFECTED INDIVIDUAL, OR THEIR HEIRS, ASSIGNS, ESTATE, OR SUCCESSORS IN
INTEREST, MAY BRING IN ANY COURT OF COMPETENT JURISDICTION AN ACTION
ALLEGING A VIOLATION OF THIS SUBDIVISION.
(IV) THE COURT SHALL AWARD TO THE PREVAILING PLAINTIFF IN SUCH ACTION,
THE FOLLOWING RELIEF:
(A) ANY INJUNCTIVE OR OTHER EQUITABLE RELIEF THE COURT DEEMS APPROPRI-
ATE;
(B) ANY ACTUAL DAMAGES RESULTING FROM ANY VIOLATION OF THIS SUBDIVI-
SION, OR TEN THOUSAND DOLLARS IN DAMAGES FOR EACH SUCH VIOLATION, WHICH-
EVER IS GREATER;
(C) REASONABLE ATTORNEY'S FEES AND COSTS; AND
(D) ANY OTHER RELIEF THE COURT DEEMS APPROPRIATE.
H. THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
PUBLIC BENEFIT CORPORATION OF THE STATE THAT PURCHASES, OBTAINS,
PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
SHALL ANNUALLY PUBLISH PUBLICLY ON ITS WEBSITE METRICS ON THE NUMBER OF
REQUESTS FOR HUMAN REVIEW OF A DECISION RENDERED BY THE AUTOMATED DECI-
SION SYSTEM IT RECEIVED AND THE OUTCOME OF SUCH HUMAN REVIEW. THE
METRICS MAY INCLUDE DE-IDENTIFIED INFORMATION IN THE AGGREGATE BUT SHALL
NOT INCLUDE ANY PERSONAL INFORMATION.
§ 8. Section 8 of the state finance law is amended by adding a new
subdivision 21 to read as follows:
21. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR CONTRIBUTES TO
THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
INDIVIDUAL UNLESS THE AUTOMATED DECISION SYSTEM USES ONLY OPEN SOURCE
SOFTWARE AND THE ACQUIRING AGENCY HAS COMPLIED WITH THE AUTOMATED DECI-
SION SYSTEM IMPACT ASSESSMENT AND AUTOMATED DECISION SYSTEM USE POLICY
REQUIREMENTS IN SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER. FOR THE
PURPOSES OF THIS SUBDIVISION, "OPEN SOURCE SOFTWARE" SHALL MEAN SOFTWARE
FOR WHICH THE HUMAN-READABLE SOURCE CODE IS AVAILABLE FOR USE, STUDY,
MODIFICATION, AND ENHANCEMENT BY THE USERS OF THAT SOFTWARE.
§ 9. Section 8 of the state finance law is amended by adding four new
subdivisions 22, 23, 24 and 25 to read as follows:
22. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR CONTRIBUTES TO
THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
INDIVIDUAL, PRIOR TO THE APPROVAL FROM THE CITY OR COUNTY COUNCIL WITH
APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE AS REQUIRED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
23. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, IF THE VENDOR'S CONTRACT
CONTAINS NONDISCLOSURE OR OTHER PROVISIONS THAT PROHIBIT OR IMPAIR THE
STATE AND ANY GOVERNMENTAL AGENCY OR POLITICAL SUBDIVISION OR PUBLIC
BENEFIT CORPORATION OF THE STATE'S OBLIGATIONS UNDER SUBDIVISIONS NINE
AND TEN OF SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
24. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, IF THE AUTOMATED DECISION SYSTEM
DISCRIMINATES AGAINST AN INDIVIDUAL, OR TREATS AN INDIVIDUAL LESS FAVOR-
ABLY THAN ANOTHER, IN WHOLE OR IN PART, ON THE BASIS OF ONE OR MORE
FACTORS ENUMERATED IN SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE
LAW.
25. NOTWITHSTANDING ANY INCONSISTENT PROVISION OF LAW, NO PAYMENT
SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM THAT MAKES FINAL DECI-
SIONS, JUDGMENTS, OR CONCLUSIONS WITHOUT HUMAN INTERVENTION THAT IMPACT
THE CONSTITUTIONAL OR LEGAL RIGHTS, DUTIES, OR PRIVILEGES OF ANY INDI-
VIDUAL IN NEW YORK STATE OR FOR ANY AUTOMATED DECISION SYSTEM THAT
DEPLOYS OR TRIGGERS ANY WEAPON.