New York State Department of Environmental Conservation
Issuing Authority: Denise M. Sheehan, Acting Commissioner
Date Issued: 8/27/2004
Latest Date Revised: 3/27/2005
For purposes of this Policy, "user" means any individual or business who visits any part of the Department's website.
For purposes of this Policy, "personal information" means any information concerning an individual (i.e. a natural person) which, because of name, number, symbol, mark, or other identifier, can be used to identify that individual. The Department shall not use its website to collect any personal information about a user unless that information is provided by sending an e-mail or by initiating an online transaction, such as a survey, registration or order form.
For purposes of this Policy, "Department" includes any of the Department's contractors or subcontractors that collect personal information from users of the Department's website as described in this policy.
Information Collected Automatically On Website Users
When a user visits the Department's website, the following information will be automatically collected:
(1) The Internet Protocol Address and domain name used, but not the e-mail address. The Internet Protocol Address is a numerical identifier assigned either to an internet service provider or directly to a computer;
(2) The type of browser and operating system used;
(3) The date and time the website was visited;
(4) The web pages or services accessed at the website, and any files downloaded;
(5) The website visited prior to coming to the website, if a user arrived at the Department's site by following link from that site.
None of the foregoing information is deemed to constitute personal information.
The information that is collected automatically shall be used to improve the Department's website content and to help the Department understand how users interact with the website. This information shall be collected for statistical analysis, to determine what information is of most and least interest to website users, and to improve the utility of the content available on the website. The information shall not be collected for commercial marketing purposes and shall not be sold or otherwise disclosed for such purposes.
The Department uses two types of cookies on its website, Session cookies and Persistent cookies.
Session cookies - These are temporary and are automatically erased when the user closes their browser at the end of a session. The next time the user visits the website, the site will not recognize the user and the user will be treated as a completely new visitor. The Department uses session cookies to enhance or customize the visits to its website by remembering what pages have been visited previously during that same one continuous session. Session cookies do not collect information from the user's computer, do not collect personal information, and do not compromise the user's privacy or security.
Persistent cookies - These remain on the user's computer until they are erased by the user or they expire. Persistent cookies are created when a user enters certain information on the Department's site, such as an identification or log in sequence. They are only used in cases where the user has affirmatively requested that the site recognize the user each time that they return to the site, and that information on the site be tailored to the user based upon the user's expressed needs, interests and request. The Department shall only use persistent cookies with the user's permission.
The software and hardware utilized by the user to access the website will allow the user to refuse new cookies or delete existing cookies. Refusing or deleting these cookies may limit the user's ability to take advantage of some features of the website, but this is the user's prerogative.
Information Collected When A User E-mails The Website Or Initiates An Online Transaction
If a user sends an e-mail to the Department, the e-mail address and the contents of the message shall be collected. The information collected shall not be limited to text characters and may include audio, video, and graphic information formats included in the message. The e-mail address and the information included in the message may be used to respond, to address issues identified, to improve the website, or to forward the message to another State agency for appropriate action. The e-mail address shall not be collected for commercial purposes and shall not be sold or otherwise disclosed for such purposes.
If a user initiates a transaction on the Department's website, such as a survey, registration, license application or order form, the information volunteered by the user shall be used by the Department in processing and recording that transaction and for those purposes that may be reasonably ascertained from the nature and terms of the transaction for which the information was submitted.
Pursuant to the Children's Online Privacy Protection Act (COPPA), the Department shall not knowingly collect unnecessary personal information from children or create profiles of children through its website. However, the collection of personal information submitted in an e-mail or in an appropriate online transaction shall be treated as though it was submitted by an adult, and may, unless exempted from access by federal or state law, be subject to public access.
Information And Choice
The Department shall not collect any personal information about an individual user during a visit to its website unless that information is provided voluntarily by sending an e-mail or initiating an online transaction such as a survey, registration, license application or order form. A user may choose not to send the department an e-mail, respond to a survey, apply for a license, or complete an order form through the website. While the choice to not participate in these activities may limit the ability to receive specific services or products through the website, it shall not prevent a user from requesting services or products from the Department by other means and will not normally have an impact on the ability to take advantage of other features of the website, including browsing or downloading publicly available information.
Disclosure Of Information Collected Through The Website
The disclosure of information, including personal information, collected through the website is both prohibited by the Personal Privacy Protection Law and exempted from disclosure by the Freedom of Information Law. The Department's full compliance with these two statutes serves as a further protection of the user's personal information.
The collection of information through the website and the disclosure of that information are also subject to the provisions of the Internet Security and Privacy Act. Under these provisions the Department shall only collect personal information through its website or disclose personal information collected through its website if the user has consented to the collection or disclosure of such personal information. The voluntary disclosure of personal information to the Department by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of the information by the Department for the purposes for which the user disclosed the information to the Department, as shall be reasonably ascertainable from the nature and terms of the disclosure.
However, the Department may collect or disclose personal information without user consent if the collection or disclosure is:
(1) necessary to perform the statutory duties of the Department, or necessary for the Department to operate a program authorized by law, or authorized by state or federal statute or regulation;
(2) made pursuant to a court order or by law;
(3) for the purpose of validating the identity of the user; or
(4) of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.
The Department may disclose personal information to federal or state law enforcement authorities to enforce the Department's rights against unauthorized access or attempted unauthorized access to the Department's information technology assets.
Retention Of Information Collected Through The Website
The information collected through its website shall be retained by the Department in accordance with the records retention and disposition requirements of the New York State Arts & Cultural Affairs Law.
In general, the Internet services logs of the Department, comprising electronic files or automated logs created to monitor access and use of Agency services provided through the website, shall be retained for an indeterminate period of time. Information, including personal information, that is submitted in an e-mail or when a user initiates an online transaction such as a survey, registration form, or order form shall be retained in accordance with the records retention and disposition schedule established for the records of the program unit to which the user submitted the information.
Access To And Correction Of Personal Information Collected Through The Website
Any user may submit a request to the Department's Privacy Compliance Officer to determine whether personal information pertaining to that user has been collected through the website. Any such request shall be made in writing and must be accompanied by reasonable proof of identity of the user. Reasonable proof of identity may include verification of a signature, inclusion of an identifier generally known only to the user, or similar appropriate identification.
The Privacy Compliance Officer shall, within five (5) business days of the date of the receipt of a proper request:
(1) provide access to the personal information;
(2) deny access in writing, explaining the reasons therefore; or
(3) acknowledge the receipt of the request in writing, stating the approximate date when the request will be granted or denied, which date shall not be more than thirty (30) days from the date of the acknowledgment.
In the event that the Department has collected personal information pertaining to a user through the state agency website and that information is to be provided to the user pursuant to the user's request, the Privacy Compliance Officer shall inform the user of his or her right to request that the personal information be amended or corrected under the procedures set forth in section 95 of the Public Officers Law.
Confidentiality And Integrity Of Personal Information Collected Through The Website
The Department is committed to protecting personal information collected through its website against unauthorized access, use, or disclosure. Consequently, the Department shall limit access to personal information collected through its website to only those employees who need access to the information in the performance of their official duties. Employees who have access to this information shall be required to follow appropriate procedures in connection with any disclosures of personal information.
In addition, the Department shall implement procedures to safeguard the integrity of its information technology assets, including, but not limited to, authentication, monitoring, auditing, and encryption. These security procedures shall be integrated into the design, implementation, and day-to-day operations of the website as part of a continuing commitment to the security of electronic content as well as the electronic transmission of information.
III. Purpose and Background:
Users of the Department's website need to know what kind of information the Web site collects, to whom it gives that information, and how it uses the information. Personal information that can be used to identify or contact the user, such as name, e-mail address, home or work address, or telephone number should not be collected without the user's permission. The Department's Web site only has access to such personal information that the user knowingly provides. For example, the Web site cannot determine a user's e-mail address unless the user provides it.
The Department's Privacy Compliance Officer is responsible for creating and updating this Policy, for responding to inquires related to this Policy, and ensuring that a statement of this Policy is posted on the Department's website.
The Department's Division of Information Services, and each Department division, office, contractor, subcontractor and trusted partner that collects personal information from users as described in this Policy, is responsible for developing the appropriate procedures necessary to implement this Policy.
The procedures required for the implementation of this Policy are to be developed by the divisions, office, contractor, subcontractor and trusted partner affected by the Policy.
VI. Related References:
Chapter 57-A of the Consolidated Laws, State Technology Law - Article II Internet Security and Privacy Act, Sections 201-207
Chapter 47 of the Consolidated Laws, Public Officers Law - Article 6-A, Personal Privacy Protection Law Sections 91-99
15 USC 6501 - Children's Online Privacy Protection