This bill would require, to facilitate City Council oversight, the creation of an application program interface (API) for any integrated data infrastructure that automates combinations of agency data sources for the purposes of oversight, analysis or monitoring by a Mayoral office or agency. It would also require the establishment of a data clean room, for the purposes of analyzing public and non-public data in an environment that protects confidentiality and privacy.
- Laid Over in Committee
Int. No. 1094
By The Speaker (Council Member Johnson) and Council Members Holden, Kallos and Constantinides
A Local Law to amend the administrative code of the city of New York, in relation to oversight access to agency data
Be it enacted by the Council as follows:
Section 1. Chapter 8 of title 23 of the administrative code of the city of New York is amended to add a new section 23-803, to read as follows:
§ 23-803. Oversight access to agency data. a. For the purposes of this section, the following terms have the following meanings:
Approved data product. The term “approved data product” means an electronic file, in any format or structure, whether narrative, non-narrative, table, graph, chart or some combination thereof, produced by an approved person in a data clean room using covered data and approved by the chief privacy officer, as defined in section 23-1201, or a designated representative, for removal from the data clean room. The chief privacy officer shall review the proposed data product and approve it if it does not contain any personal identifying information, as defined in section 10-501, identifying information, as defined in section 23-1201, or information prohibited from public disclosure pursuant to federal or state law.
Approved person. The term “approved person” means an employee or member of the city council who has successfully completed trainings or certifications for all relevant federal or state privacy laws.
Covered data. The term “covered data” means both public and non-public mayoral agency data either in a format as maintained by such agency or in a cleaned format as maintained by an office or agency that routinely cleans such data for the purposes of its own analysis. Such data shall include personal identifying information, as defined in section 10-501, and identifying information, as defined in section 23-1201.
Data clean room. The term “data clean room” means a physical location where an approved person shall have electronic access to covered data, as well as software for the analysis and manipulation of such covered data. Such data clean room shall prohibit the printing or transmission of such covered data, except for the creation of an approved data product.
b. For any integrated data infrastructure that automates combinations of agency data sources for the purposes of oversight, analysis, or monitoring by the office of operations, or any other mayoral office or agency similarly responsible for the oversight, analysis or monitoring of agency operations, including but not limited to the data infrastructure known as databridge, or any successor data infrastructure, the department of information technology and telecommunications shall make available to the city council either i) a web application program interface with relevant key; or ii) a system for querying such data infrastructure. Such application program interface or query system shall not include access to any information prohibited from being disclosed under federal law and shall not include access to personal identifying information, as defined in section 10-501, or identifying information, as defined in section 23-1201, provided that such restriction of access shall be achieved in a manner that requires the least restriction of access to other data.
c. The department of information technology and telecommunications shall establish no less than one data clean room for the purposes of permitting approved persons electronic access to covered data, provided that:
1. an approved person must submit a request for access to covered data no less than 15 days in advance to the department of information technology and telecommunications. Such request shall include a description of the covered data for which access is sought and a description of any software necessary for analysis of such covered data;
2. access to covered data in a data clean room shall be available to such approved person, after timely submission of such request, during normal business hours, for the duration of each such request;
3. prior to accessing covered data, such approved person must sign a non-disclosure agreement relevant to such request, prohibiting the disclosure of any covered data to any third party, except for an approved data product;
4. such approved person may not remove any covered data from the data clean room, except for an approved data product; and
5. after the production of one or more approved data products, or a statement by such approved person that no approved data products will be produced, such request shall be considered complete.
§ 2. This local law takes effect six months after it becomes law.