The PPPL (and related laws and regulations) mandates that certain information about persons may not be disclosed, including under FOIL or by municipalities generally, even if the information may otherwise be public or obtainable. Thus, for example, even though a person's name and address can be obtained from an official public tax roll, it is still improper and a potential or actual violation of law for the Town to disclose the name and address of any person in reply to a FOIL request (though there are exceptions as well). Therefore, to inform the public and provide guidance to the RAO and others concerning the PPPL and personal privacy laws, the following protection and redaction rules are implemented as part of this chapter:
A. For purposes of this policy, "personal information" means any information concerning a natural person, as opposed, for instance, to a corporate entity, which, because of name, number, symbol, mark, or other identifier, can be used to identify that natural person. To prevent an unwarranted invasion of personal privacy the RAO and all Town officers and employees shall observe guidelines for the nondisclosure or redaction of identifying details from specified records according to rules promulgated by the New York State Committee on Open Government, or as otherwise required by law.
B. In the absence of specific guidelines for a particular situation, personal information and identifying details shall not be disclosed, or shall be redacted and made unreadable and nonrecoverable, whenever such disclosure may constitute an unwarranted invasion of personal privacy. In addition to FOIL exemptions, this shall include the following:
(1) Disclosure of employment, medical or credit histories or personal references of employees and applicants for employment.
(2) Any person's social security number or any significant portion thereof.
(3) Disclosure of items involving the medical or personal records of any person or employee, including any medical facility records or medically related records, including, without limitations, workers' compensation records, disability records, records pertaining to disability accommodations, and other medical records protected by HIPAA (the Health Insurance Portability and Accountability Act of 1996, as now codified or hereafter amended).
(4) Disclosure of lists of names and addresses if such lists would be used for commercial or fund-raising purposes.
(5) Disclosure of information of a personal nature when disclosure would result in economic or personal hardship to the subject person and such information is not relevant to the work of the agency or person requesting or maintaining such records.
(6) Disclosure of information of a personal nature reported in confidence to an agency and not relevant to the ordinary work of such agency.
C. The nondisclosure or redaction rules stated above shall not apply when the records are actually redacted, when the person to whom a record pertains consents, in writing, to disclosure, or when a person, upon presenting reasonable proof of identify, seeks their own records, or when otherwise required by law.
D. Voice mail, e-mail, computers, computer networks, digital media and storage and transfer devices, computer files, software programs, and all communications created on, received by, stored on or transmitted through those systems are the sole and exclusive property of the Town. Records, data, files, software, and all electronic communications contained in these systems likewise are the property of the Town. These systems and their contents are subject to inspection, examination and monitoring by authorized Town officers and personnel (or authorized third-party contractors) at any time and without notice. The authorized personnel are the Town Supervisor, the in-house IT, the Town Clerk and Deputy Town Clerk, and any of their designees as indicated by a written document bearing their original signature(s). No organic data or metadata shall be supplied in any native format unless it is cleared of any personal information.
E. Town officers and employees are advised that the computers, computer networks, e-mail systems, telephone systems (including voice mail), and other electronic communications systems (and all communications created on, received by, stored on or transmitted through those systems) are the sole and exclusive property of the Town and that there is and should not be any expectation of privacy regarding any such documents, records, or communications. Passwords are only intended to prevent unauthorized access to e-mail, computer files, or voice mail, but the Town reserves the right to allow authorized persons to access messages and files on the Town-owned systems or telephones at any time, and all employees must supply their current passwords to the Town Supervisor, who shall keep the same secured from third-party review or capture.
F. The collection of information through Town websites, servers, and telephones, and similar devices used by the public and by the Town, are further subject to the provisions of the Internet Security and Privacy Act. Participation in an online transaction resulting in the disclosure of personal information to the Town by the user, whether solicited or unsolicited, constitutes consent to the collection and disclosure of such information by the Town for the purposes reasonably ascertainable from the nature and terms of the transaction. Nonetheless, if any such personal information is the subject of a FOIL request, the above-noted rules of nondisclosure or redaction shall apply unless such disclosure is:
(1) Necessary to perform the statutory duties of the Town, or necessary for the Town to operate a program authorized by law, or authorized by state or federal statute or regulation.
(2) Made pursuant to a court order or otherwise compelled by law.
(3) For the purpose of validating the identity of the user.
(4) Of information to be used solely for statistical purposes that is in a form that cannot be used to identify any particular person.
G. While Town officers and employees are prohibited from misusing or improperly disclosing personal information, these policies shall not provide any claim or cause of action should improper disclosure occur, and the information provided in this privacy policy should not be construed as giving business, legal, or other advice, or warranting that the Town's systems are fail-proof, or that all information provided through the Town's website or hosted on any Town servers or media are not subject to being improperly accessed by any person. Town officers and employees and the public are warned that the Town utilizes telephonic and facsimile transmissions and e-mail and web-based correspondences in the provision of municipal services, and these are each and all digital forms of communication that carry unique risks, including, but not limited to, the accidental, unlawful, or improper interception thereof by unintended recipients and the transmission of viruses, malware, and other deleterious codes.