§ 7. Section 165 of the state finance law is amended by adding two new
 subdivisions 9 and 10 to read as follows:
   9. AUTOMATED DECISION SYSTEM IMPACT ASSESSMENTS.
   A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
 THE FOLLOWING MEANINGS:
   (I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY  SOFTWARE,  SYSTEM,  OR
 PROCESS  THAT  IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
 TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES,  PREDIC-
 TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
 USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
   (II)  "AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT" SHALL MEAN A STUDY
 EVALUATING AN AUTOMATED  DECISION  SYSTEM  AND  THE  AUTOMATED  DECISION
 SYSTEM'S  DEVELOPMENT  PROCESSES, INCLUDING THE DESIGN AND TRAINING DATA
 OF THE AUTOMATED DECISION SYSTEM, FOR  STATISTICAL  IMPACTS  ON  CLASSES
 PROTECTED  UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, AS
 WELL AS FOR IMPACTS ON PRIVACY, AND SECURITY THAT INCLUDES AT A MINIMUM:
   (A) A DETAILED DESCRIPTION  OF  THE  AUTOMATED  DECISION  SYSTEM,  ITS
 DESIGN, ITS TRAINING, ITS DATA, AND ITS PURPOSE;
   (B)  AN ASSESSMENT OF THE RELATIVE BENEFITS AND COSTS OF THE AUTOMATED
 DECISION SYSTEM IN LIGHT OF ITS PURPOSE, TAKING  INTO  ACCOUNT  RELEVANT
 FACTORS,  INCLUDING  DATA MINIMIZATION PRACTICES, THE DURATION FOR WHICH
 PERSONAL INFORMATION AND THE RESULTS OF THE  AUTOMATED  DECISION  SYSTEM
 ARE  STORED,  WHAT  INFORMATION  ABOUT THE AUTOMATED DECISION SYSTEM ARE
 AVAILABLE TO THE PUBLIC, AND THE RECIPIENTS OF THE RESULTS OF THE  AUTO-
 MATED DECISION SYSTEM;
   (C)  AN ASSESSMENT OF THE RISK OF HARM POSED BY THE AUTOMATED DECISION
 SYSTEM AND THE RISK THAT SUCH AUTOMATED DECISION SYSTEM MAY RESULT IN OR
 CONTRIBUTE TO INACCURATE, UNFAIR, BIASED,  OR  DISCRIMINATORY  DECISIONS
 IMPACTING INDIVIDUALS; AND
   (D)  THE  MEASURES  THE STATE AGENCY WILL EMPLOY TO MINIMIZE THE RISKS
 DESCRIBED IN ITEM (C) OF THIS SUBPARAGRAPH, INCLUDING TECHNOLOGICAL  AND
 PHYSICAL SAFEGUARDS.
   (III)  "HARM" SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
 AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
   (A) DIRECT OR INDIRECT FINANCIAL HARM.
   (B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
 LIMITED TO BIAS-RELATED  CRIMES  AND  THREATS,  HARASSMENT,  AND  SEXUAL
 HARASSMENT.
   (C)  DISCRIMINATION  IN  GOODS,  SERVICES,  OR  ECONOMIC  OPPORTUNITY,
 INCLUDING BUT NOT LIMITED TO  HOUSING,  EMPLOYMENT,  CREDIT,  INSURANCE,
 EDUCATION,  OR  HEALTH  CARE  ON  THE BASIS OF AN INDIVIDUAL OR CLASS OF
 INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
   ORIENTATION,  GENDER  IDENTITY,  MARITAL  STATUS,  DISABILITY,  MILITARY
 STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
   (D)  INTERFERENCE  WITH  OR  SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
 ACTIVITIES BY STATE ACTORS.
   (E) INTERFERENCE WITH  THE  RIGHT  TO  VOTE  OR  WITH  FREE  AND  FAIR
 ELECTIONS.
   (F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
   (G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
 AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
   (H)  THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
 AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
 OF SECLUSION OR ACCESS CONTROL.
   (I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
 ABLE TO, CONTEMPLATED BY, OR EXPECTED BY  THE  INDIVIDUAL  TO  WHOM  THE
 PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
 BLE,  CONTEMPLATED  BY,  OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
 LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
   (IV) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON WHOM  A  COVERED  ENTITY
 KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
   (V)  "PERSONAL  INFORMATION"  SHALL  MEAN INFORMATION THAT DIRECTLY OR
 INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING  ASSO-
 CIATED  WITH,  OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
 HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN  INDIVID-
 UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
 WITH  OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
 OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY  AN  INDIVID-
 UAL, HOUSEHOLD, OR DEVICE.
   (VI) "PROXY" OR "PROXIES" SHALL MEAN INFORMATION THAT, BY ITSELF OR IN
 COMBINATION WITH OTHER INFORMATION, IS USED BY A COVERED ENTITY IN A WAY
 THAT DISCRIMINATES BASED ON ACTUAL OR PERCEIVED PERSONAL CHARACTERISTICS
 OR  CLASSES PROTECTED UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECU-
 TIVE LAW.
   (VII) "TRAINING DATA" SHALL MEAN THE DATASETS USED TO TRAIN  AN  AUTO-
 MATED  DECISION  SYSTEM,  MACHINE  LEARNING  ALGORITHM, OR CLASSIFIER TO
 CREATE AND DERIVE PATTERNS FROM A PREDICTION MODEL.B. THE STATE AND ANY GOVERNMENTAL  AGENCY,  POLITICAL  SUBDIVISION  OR
 PUBLIC  BENEFIT  CORPORATION  OF  THE  STATE SHALL NOT PURCHASE, OBTAIN,
 PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR  ACCESS  INFORMATION  FROM  AN
 AUTOMATED  DECISION SYSTEM UNLESS IT FIRST ENGAGES A NEUTRAL THIRD PARTY
 TO CONDUCT AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT AND  PUBLISHES
 ON ITS PUBLIC WEBSITE THAT AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT:
   (I)  OF  EXISTING  AUTOMATED  DECISION  SYSTEM  WITHIN ONE YEAR OF THE
 EFFECTIVE DATE OF THIS SUBDIVISION AND EVERY TWO YEARS THEREAFTER.
   (II) OF NEW AUTOMATED DECISION SYSTEMS PRIOR TO ACQUISITION AND  EVERY
 TWO YEARS THEREAFTER.C. UPON PUBLICATION OF AN AUTOMATED DECISION SYSTEM IMPACT ASSESSMENT,
 THE PUBLIC SHALL HAVE FORTY-FIVE DAYS TO SUBMIT COMMENTS ON SUCH ASSESS-
 MENT  TO THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC BENEFIT CORPORATION. THE STATE AND ANY GOVERNMENTAL AGENCY, POLI-
 TICAL SUBDIVISION OR PUBLIC  BENEFIT  CORPORATION  SHALL  CONSIDER  SUCH
 PUBLIC  COMMENTS  WHEN DETERMINING WHETHER TO PURCHASE, OBTAIN, PROCURE,
 ACQUIRE, EMPLOY, USE, DEPLOY, OR ACCESS INFORMATION  FROM  AN  AUTOMATED
 DECISION  SYSTEM AND SHALL POST RESPONSES TO SUCH PUBLIC COMMENTS TO ITS
 WEBSITE WITHIN FORTY-FIVE DAYS AFTER THE CLOSE  OF  THE  PUBLIC  COMMENT
 PERIOD.D.  THE  STATE  PROCUREMENT  COUNCIL  SHALL,  IN CONSULTATION WITH THE
 OFFICE OF INFORMATION TECHNOLOGY SERVICES, THE DIVISION OF HUMAN  RIGHTS
 AND  EXPERTS  AND  REPRESENTATIVES  FROM  THE  COMMUNITIES  THAT WILL BE
 DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS,  PROMULGATE  RULES  AND
 REGULATIONS  TO SET THE MINIMUM STANDARD ENTITIES SHALL MEET TO SERVE AS
 NEUTRAL  THIRD  PARTIES  CONDUCTING  AUTOMATED  DECISION  SYSTEM  IMPACT
 ASSESSMENTS.
   E.  THE  STATE PROCUREMENT COUNCIL SHALL MAINTAIN A PUBLICLY AVAILABLE
 LIST OF NEUTRAL THIRD PARTIES THAT MEET THE QUALIFICATIONS  OUTLINED  IN
 PARAGRAPH D OF THIS SUBDIVISION.F.  WITHIN  TWO  YEARS  OF THE EFFECTIVE DATE OF THIS SUBDIVISION, THE
 OFFICE OF INFORMATION TECHNOLOGY  SERVICES,  IN  CONSULTATION  WITH  THE
 DIVISION OF HUMAN RIGHTS AND EXPERTS AND REPRESENTATIVES FROM THE COMMU-
 NITIES  THAT  WILL  BE  DIRECTLY AFFECTED BY AUTOMATED DECISION SYSTEMS,
 SHALL COMPLETE AND PUBLISH ON ITS WEBSITE A COMPREHENSIVE STUDY  OF  THE
 STATISTICAL  IMPACTS  OF AUTOMATED DECISION SYSTEMS ON CLASSES PROTECTED
 UNDER SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW, INCLUDING BUT
 NOT LIMITED TO, EVALUATING THE USE OF PROXIES AND THE TYPES OF DATA USED
 IN TRAINING DATA SETS AND THE RISKS ASSOCIATED WITH PARTICULAR TYPES  OF
 TRAINING DATA.
   (I)  AS  PART  OF  SUCH  STUDY,  THE  OFFICE OF INFORMATION TECHNOLOGY
 SERVICES SHALL REVIEW THE AUTOMATED DECISION SYSTEM  IMPACT  ASSESSMENTS
 THAT  HAVE  BEEN  PUBLISHED PRIOR TO COMPLETION OF THE STUDY, AS WELL AS
 THE PUBLIC COMMENTS SUBMITTED IN RESPONSE  TO  SUCH  AUTOMATED  DECISION
 IMPACT ASSESSMENTS.
   (II) THE OFFICE MAY REQUEST DATA AND INFORMATION FROM: STATE AGENCIES;
 CONSUMER  PROTECTION,  CIVIL  RIGHTS, AND PRIVACY ADVOCATES; RESEARCHERS
 AND ACADEMICS; PRIVATE ENTITIES THAT DEVELOP OR DEPLOY  AUTOMATED  DECI-
 SION  SYSTEMS;  AND  OTHER  RELEVANT SOURCES TO MEET THE PURPOSE OF SUCH
 STUDY. THE OFFICE SHALL RECEIVE, UPON REQUEST,  DATA  FROM  OTHER  STATE
 AGENCIES.10.  AUTOMATED  DECISION  SYSTEM USE POLICIES; NOTICE AND HUMAN REVIEW
 REQUIREMENTS.
   A. FOR THE PURPOSE OF THIS SUBDIVISION, THE FOLLOWING TERMS SHALL HAVE
 THE FOLLOWING MEANINGS:
   (I) "AUTOMATED DECISION SYSTEM" SHALL MEAN ANY  SOFTWARE,  SYSTEM,  OR
 PROCESS  THAT  IS DESIGNED TO AID OR REPLACE HUMAN DECISION MAKING. SUCH
 TERM MAY INCLUDE ANALYZING COMPLEX DATASETS TO GENERATE SCORES,  PREDIC-
 TIONS, CLASSIFICATIONS, OR SOME RECOMMENDED ACTION OR ACTIONS, WHICH ARE
 USED BY AGENCIES TO MAKE DECISIONS THAT IMPACT HUMAN WELFARE.
   (II) "AUTOMATED DECISION SYSTEM USE POLICY" SHALL MEAN:
   (A)  A  DESCRIPTION  OF  THE  CAPABILITIES  OF  THE AUTOMATED DECISION
 SYSTEM, ANY DECISIONS THAT SUCH SYSTEM IS USED  TO  MAKE  OR  ASSIST  IN
 MAKING  AND  ANY  SPECIFIC  TYPES  OR  GROUPS OF PERSONS PROTECTED UNDER
 SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE LAW WHO ARE LIKELY TO BE
 AFFECTED BY SUCH DECISIONS;
   (B) RULES, PROCESSES, AND GUIDELINES ISSUED BY THE STATE AGENCY  REGU-
 LATING  ACCESS  TO  OR USE OF SUCH AUTOMATED DECISION SYSTEM, AS WELL AS
 ANY PROHIBITIONS OR RESTRICTIONS ON USE;
   (C) SAFEGUARDS OR SECURITY MEASURES DESIGNED  TO  PROTECT  INFORMATION
 COLLECTED  BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, INCLUDING
 BUT NOT LIMITED TO, THE EXISTENCE OF ENCRYPTION AND ACCESS CONTROL MECH-
 ANISMS;
   (D) POLICIES AND PRACTICES RELATING TO THE RETENTION, ACCESS, AND  USE
 OF DATA COLLECTED BY OR INPUTTED INTO SUCH AUTOMATED DECISION SYSTEM, AS
 WELL AS THE DECISIONS RENDERED BY SUCH AUTOMATED DECISION SYSTEM;
     (E) WHETHER OTHER ENTITIES OUTSIDE THE STATE AGENCY HAVE ACCESS TO THE
 INFORMATION  AND  DATA  USED  BY OR INPUTTED INTO THE AUTOMATED DECISION
 SYSTEM OR THE DECISIONS  RENDERED  BY  THE  AUTOMATED  DECISION  SYSTEM,
 INCLUDING  WHETHER  THE  OUTSIDE  ENTITY  IS  LOCAL,  STATE, FEDERAL, OR
 PRIVATE, THE TYPE OF INFORMATION AND DATA THAT MAY BE DISCLOSED, AND ANY
 SAFEGUARDS  OR  RESTRICTIONS IMPOSED BY THE AGENCY ON THE OUTSIDE ENTITY
 REGARDING THE USE OR DISSEMINATION OF THE INFORMATION,  DATA,  OR  DECI-
 SION;
   (F)  WHETHER ANY TRAINING IS REQUIRED BY THE STATE AGENCY FOR AN INDI-
 VIDUAL TO USE SUCH  AUTOMATED  DECISION  SYSTEM  OR  ACCESS  INFORMATION
 COLLECTED  BY  OR  INPUTTED  INTO  SUCH AUTOMATED DECISION SYSTEM OR THE
 DECISIONS RENDERED BY THE AUTOMATED DECISION SYSTEM;
   (G) A DESCRIPTION OF THE INTERNAL AND  EXTERNAL  AUDIT  AND  OVERSIGHT
 MECHANISMS,  INCLUDING  THE  MECHANISM  FOR  HUMAN REVIEW REQUIRED UNDER
 PARAGRAPH G OF THIS SUBDIVISION, TO ENSURE COMPLIANCE WITH THE AUTOMATED
 DECISION USE POLICY AND THAT THE  AUTOMATED  DECISION  SYSTEM  DOES  NOT
 RESULT IN HARM TO AN INDIVIDUAL;
   (H)  RELEVANT  TECHNICAL  INFORMATION  ABOUT  THE  AUTOMATED  DECISION
 SYSTEM, INCLUDING THE SYSTEM'S NAME, VENDOR, AND VERSION, AS WELL  AS  A
 DESCRIPTION  OF  THE  AUTOMATED  DECISION SYSTEM'S GENERAL CAPABILITIES,
 INCLUDING REASONABLY FORESEEABLE CAPABILITIES OUTSIDE THE SCOPE  OF  THE
 AGENCY'S PROPOSED USE;
   (I)  THE  TYPE  OR  TYPES  OF  DATA INPUTS THAT THE AUTOMATED DECISION
 SYSTEM USES, HOW THAT DATA IS GENERATED, COLLECTED, AND  PROCESSED,  AND
 THE TYPES OF DATA THE SYSTEM IS REASONABLY LIKELY TO GENERATE;
   (J)  HOW  AND  WHEN  THE AUTOMATED DECISION SYSTEM WILL BE DEPLOYED OR
 USED AND BY WHOM, INCLUDING BUT NOT LIMITED TO, THE FACTORS THAT WILL BE
 USED TO DETERMINE WHERE, WHEN, AND HOW THE TECHNOLOGY IS DEPLOYED;
   (K) A DESCRIPTION OF ANY PUBLIC OR COMMUNITY ENGAGEMENT HELD  AND  ANY
 FUTURE PUBLIC OR COMMUNITY ENGAGEMENT PLANS IN CONNECTION WITH THE AUTO-
 MATED DECISION SYSTEM; AND
   (L)  A  DESCRIPTION  OF  THE  FISCAL  IMPACT OF THE AUTOMATED DECISION
 SYSTEM, INCLUDING INITIAL ACQUISITION COSTS,  ONGOING  OPERATING  COSTS,
 SUCH  AS MAINTENANCE, LICENSING, PERSONNEL, LEGAL COMPLIANCE, USE AUDIT-
 ING, DATA RETENTION, AND SECURITY COSTS, AND ANY  CURRENT  OR  POTENTIAL
 SOURCES  OF FUNDING, INCLUDING ANY SUBSIDIES OR FREE PRODUCTS OFFERED BY
 VENDORS OR GOVERNMENTAL ENTITIES.
   (III) "DE-IDENTIFIED INFORMATION" SHALL MEAN INFORMATION  THAT  CANNOT
 REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED
 WITH,  OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR INDIVIDUAL;
 PROVIDED THAT A COVERED ENTITY THAT USES DE-IDENTIFIED INFORMATION:
   (A) HAS IMPLEMENTED TECHNICAL SAFEGUARDS THAT  PROHIBIT  REIDENTIFICA-
 TION OF THE INDIVIDUAL TO WHOM SUCH INFORMATION MAY PERTAIN;
   (B)  HAS  IMPLEMENTED  BUSINESS  PROCESSES  THAT SPECIFICALLY PROHIBIT
 REIDENTIFICATION OF SUCH INFORMATION;
   (C)  HAS  IMPLEMENTED  BUSINESS  PROCESSES  THAT  PREVENT  INADVERTENT
 RELEASE OF SUCH DE-IDENTIFIED INFORMATION; AND
   (D) MAKES NO ATTEMPT TO REIDENTIFY SUCH INFORMATION.
   (IV)  "HARM"  SHALL MEAN POTENTIAL OR REALIZED ADVERSE CONSEQUENCES TO
 AN INDIVIDUAL OR TO SOCIETY, INCLUDING BUT NOT LIMITED TO:
   (A) DIRECT OR INDIRECT FINANCIAL HARM.
   (B) PHYSICAL HARM OR THREATS TO PERSONS OR PROPERTY, INCLUDING BUT NOT
 LIMITED TO BIAS-RELATED  CRIMES  AND  THREATS,  HARASSMENT,  AND  SEXUAL
 HARASSMENT.
   (C)  DISCRIMINATION  IN  GOODS,  SERVICES,  OR  ECONOMIC  OPPORTUNITY,
 INCLUDING BUT NOT LIMITED TO  HOUSING,  EMPLOYMENT,  CREDIT,  INSURANCE,
   EDUCATION,  OR  HEALTH  CARE  ON  THE BASIS OF AN INDIVIDUAL OR CLASS OF
 INDIVIDUALS' ACTUAL OR PERCEIVED AGE, RACE, NATIONAL ORIGIN, SEX, SEXUAL
 ORIENTATION,  GENDER  IDENTITY,  MARITAL  STATUS,  DISABILITY,  MILITARY
 STATUS, AND/OR MEMBERSHIP IN ANOTHER PROTECTED CLASS.
   (D)  INTERFERENCE  WITH  OR  SURVEILLANCE OF FIRST AMENDMENT-PROTECTED
 ACTIVITIES BY STATE ACTORS.
   (E) INTERFERENCE WITH  THE  RIGHT  TO  VOTE  OR  WITH  FREE  AND  FAIR
 ELECTIONS.
   (F) INTERFERENCE WITH DUE PROCESS OR EQUAL PROTECTION UNDER LAW.
   (G) LOSS OF INDIVIDUAL CONTROL OVER PERSONAL INFORMATION, NONCONSENSU-
 AL SHARING OF PRIVATE INFORMATION, AND DATA BREACH.
   (H)  THE NONCONSENSUAL CAPTURE OF INFORMATION OR COMMUNICATIONS WITHIN
 AN INDIVIDUAL'S HOME OR WHERE AN INDIVIDUAL HAS A REASONABLE EXPECTATION
 OF SECLUSION OR ACCESS CONTROL.
   (I) OTHER EFFECTS ON AN INDIVIDUAL THAT MAY NOT BE REASONABLY FORESEE-
 ABLE TO, CONTEMPLATED BY, OR EXPECTED BY  THE  INDIVIDUAL  TO  WHOM  THE
 PERSONAL INFORMATION RELATES, THAT ARE NEVERTHELESS REASONABLY FORESEEA-
 BLE,  CONTEMPLATED  BY,  OR EXPECTED BY THE COVERED ENTITY THAT ALTER OR
 LIMIT SUCH INDIVIDUAL'S CHOICES OR PREDETERMINE RESULTS.
   (V) "INDIVIDUAL" SHALL MEAN A NATURAL PERSON  WHOM  A  COVERED  ENTITY
 KNOWS OR HAS REASON TO KNOW IS LOCATED WITHIN NEW YORK STATE.
   (VI)  "PERSONAL  INFORMATION"  SHALL MEAN INFORMATION THAT DIRECTLY OR
 INDIRECTLY IDENTIFIES, RELATES TO, DESCRIBES, IS CAPABLE OF BEING  ASSO-
 CIATED  WITH,  OR COULD REASONABLY BE LINKED TO A PARTICULAR INDIVIDUAL,
 HOUSEHOLD, OR DEVICE. INFORMATION IS REASONABLY LINKABLE TO AN  INDIVID-
 UAL, HOUSEHOLD, OR DEVICE IF IT CAN BE USED ON ITS OWN OR IN COMBINATION
 WITH  OTHER REASONABLY AVAILABLE INFORMATION, REGARDLESS OF WHETHER SUCH
 OTHER INFORMATION IS HELD BY THE STATE AGENCY, TO IDENTIFY  AN  INDIVID-
 UAL, HOUSEHOLD, OR DEVICE.
   (VII)  "RELEVANT  TECHNICAL  INFORMATION"  SHALL  INCLUDE,  BUT NOT BE
 LIMITED TO, SOURCE CODE, MODELS, DOCUMENTATION ON THE  ALGORITHMS  USED,
 DESIGN  DOCUMENTATION  AND  INFORMATION  ABOUT  TECHNICAL  ARCHITECTURE,
 TRAINING DATA, DATA PROVENANCE INFORMATION, JUSTIFICATION FOR THE VALID-
 ITY OF THE MODEL, ANY  RECORDS  OF  BIAS,  AND  ANY  VALIDATION  TESTING
 PERFORMED ON THE SYSTEM.B.  THE  STATE  AND  ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC  BENEFIT  CORPORATION  OF  THE  STATE  THAT  PURCHASES,  OBTAINS,
 PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
 AN AUTOMATED DECISION SYSTEM SHALL PUBLISH ON ITS WEBSITE AT LEAST NINE-
 TY  DAYS  PRIOR TO THE PURCHASE, OBTAINING, USE, ACQUISITION, OR DEPLOY-
 MENT OF NEW AUTOMATED DECISION SYSTEMS AND, FOR EXISTING AUTOMATED DECI-
 SION SYSTEMS, WITHIN ONE HUNDRED EIGHTY DAYS OF THE  EFFECTIVE  DATE  OF
 THIS SUBDIVISION, AN AUTOMATED DECISION SYSTEM USE POLICY.
   (I)  WHEN THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION
 OR PUBLIC BENEFIT CORPORATION OF THE STATE SEEKS TO CHANGE OR CHANGES AN
 AUTOMATED DECISION SYSTEM IN A WAY THAT AFFECTS THE RESULTS OR  OUTCOMES
 OF  THE AUTOMATED DECISION SYSTEM OR USES SUCH AUTOMATED DECISION SYSTEM
 FOR A PURPOSE OR MANNER NOT PREVIOUSLY DISCLOSED  THROUGH  AN  AUTOMATED
 DECISION SYSTEM USE POLICY, IT SHALL PROVIDE AN ADDENDUM TO THE EXISTING
 AUTOMATED  DECISION  SYSTEM  USE  POLICY DESCRIBING SUCH CHANGE OR ADDI-
 TIONAL USE AND RETAIN AN ARCHIVED COPY OF THE PREVIOUS  AUTOMATED  DECI-
 SION  SYSTEM  SO THAT DECISIONS MADE UNDER THE OLD SYSTEM USE POLICY MAY
 BE CHALLENGED UNDER PARAGRAPH G OF THIS SUBDIVISION.
   (II) UPON PUBLICATION OF, OR ADDENDUM TO, ANY PROPOSED AUTOMATED DECI-
 SION SYSTEM POLICY, THE PUBLIC SHALL  HAVE  FORTY-FIVE  DAYS  TO  SUBMIT
   COMMENTS  ON  SUCH  POLICY  TO  THE STATE AND ANY GOVERNMENTAL AGENCY OR
 POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION.
   (III)  THE STATE AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC BENEFIT CORPORATION SHALL CONSIDER PUBLIC  COMMENTS  AND  PROVIDE
 THE FINAL AUTOMATED DECISION SYSTEM USE POLICY TO THE OFFICE OF INFORMA-
 TION  TECHNOLOGY  SERVICES,  THE  COMMITTEE  ON OPEN GOVERNMENT, AND THE
 STATE PROCUREMENT COUNCIL, AND SHALL POST SUCH DECISION TO  ITS  WEBSITE
 NO  LATER  THAN  FORTY-FIVE  DAYS  AFTER THE CLOSE OF THE PUBLIC COMMENT
 PERIOD.C. THE STATE AND ANY GOVERNMENTAL  AGENCY,  POLITICAL  SUBDIVISION  OR
 PUBLIC BENEFIT CORPORATION SHALL OBTAIN APPROVAL FROM THE CITY OR COUNTY
 COUNCIL  WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE, FOLLOW-
 ING THE PUBLIC COMMENT PERIOD REQUIRED IN PARAGRAPH B OF  THIS  SUBDIVI-
 SION,  AND  A  PROPERLY-NOTICED,  GERMANE,  PUBLIC  HEARING AT WHICH THE
 PUBLIC IS AFFORDED A FAIR AND ADEQUATE OPPORTUNITY  TO  PROVIDE  ONLINE,
 WRITTEN, AND ORAL TESTIMONY, PRIOR TO:
   (I)  SEEKING  FUNDS  FOR  AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR
 CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,  OR
 SERVICES FOR AN INDIVIDUAL, INCLUDING BUT NOT LIMITED TO, APPLYING FOR A
 GRANT,  OR  SOLICITING OR ACCEPTING STATE OR FEDERAL FUNDS OR IN-KIND OR
 OTHER DONATIONS;
   (II) ACQUIRING OR BORROWING AN AUTOMATED DECISION SYSTEM THAT  ASSIGNS
 OR  CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES,
 OR SERVICES FOR AN INDIVIDUAL, WHETHER OR NOT SUCH ACQUISITION  IS  MADE
 THROUGH THE EXCHANGE OF MONIES OR OTHER CONSIDERATION;
   (III)  USING  A NEW OR EXISTING AUTOMATED DECISION SYSTEM THAT ASSIGNS
 OR CONTRIBUTES TO THE DETERMINATION OF RIGHTS, BENEFITS,  OPPORTUNITIES,
 OR  SERVICES FOR AN INDIVIDUAL, OR DATA DERIVED THEREFROM, FOR A PURPOSE
 OR IN A MANNER NOT PREVIOUSLY APPROVED BY THE  CITY  OR  COUNTY  COUNCIL
 WITH APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE; OR
   (IV)  SOLICITING  PROPOSALS FOR OR ENTERING INTO AN AGREEMENT WITH ANY
 OTHER PERSON OR ENTITY TO ACQUIRE, SHARE, OR OTHERWISE USE AN  AUTOMATED
 DECISION  SYSTEM  THAT  ASSIGNS  OR  CONTRIBUTES TO THE DETERMINATION OF
 RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL OR  AUTO-
 MATED DECISION SYSTEM DATA.D.  THE  COMMITTEE  ON  OPEN GOVERNMENT SHALL CONDUCT ANNUAL AUDITS OF
 AUTOMATED DECISION SYSTEM USE POLICIES THAT SHALL:
   (I)  ASSESS  WHETHER  EACH  STATE  AGENCY  THAT  PURCHASES,   OBTAINS,
 PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
 AN  AUTOMATED  DECISION  SYSTEM COMPLIES WITH THE TERMS OF THE AUTOMATED
 DECISION SYSTEM USE POLICY;
   (II) DESCRIBES ANY KNOWN OR REASONABLY  SUSPECTED  VIOLATIONS  OF  ANY
 AUTOMATED DECISION SYSTEM USE POLICIES; AND
   (III)  PUBLISH  RECOMMENDATIONS,  IF  ANY, RELATING TO REVISION OF THE
 RELEVANT AUTOMATED DECISION SYSTEM USE POLICIES.E. THE STATE AND ANY GOVERNMENTAL  AGENCY,  POLITICAL  SUBDIVISION  OR
 PUBLIC  BENEFIT  CORPORATION  OF  THE  STATE SHALL NOT PURCHASE, OBTAIN,
 PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR  ACCESS  INFORMATION  FROM  AN
 AUTOMATED  DECISION  SYSTEM  THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
 NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
 UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
 CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY  THE
 AUTOMATED DECISION SYSTEM AND WHOM THE AUTOMATED DECISION SYSTEM'S DECI-
 SION  AFFECTS OF THE FACT THAT SUCH SYSTEM IS IN USE, THE SYSTEM'S NAME,
 VENDOR, AND VERSION, WHAT DECISION OR DECISIONS WILL BE USED TO MAKE  OR
 SUPPORT; AND WHAT POLICIES AND GUIDELINES APPLY TO ITS DEPLOYMENT.
     F.  THE  STATE  AND  ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC BENEFIT CORPORATION OF THE  STATE  SHALL  NOT  PURCHASE,  OBTAIN,
 PROCURE,  ACQUIRE,  EMPLOY,  USE,  DEPLOY, OR ACCESS INFORMATION FROM AN
 AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES  TO  THE  DETERMI-
 NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
 UNLESS IT FIRST IMPLEMENTS A PROCESS TO PROVIDE A PLAIN-LANGUAGE NOTIFI-
 CATION TO ANY INDIVIDUAL WHOSE PERSONAL INFORMATION IS PROCESSED BY SUCH
 AUTOMATED  DECISION  SYSTEM  AND  WHOM  SUCH AUTOMATED DECISION SYSTEM'S
 DECISION AFFECTS, OF THE INVOLVEMENT OF AN AUTOMATED DECISION SYSTEM  IN
 MAKING THE DECISION, THE DEGREE OF HUMAN INTERVENTION IN THE SYSTEM, HOW
 THE  AUTOMATED  DECISION SYSTEM MADE THE DECISION, THE JUSTIFICATION FOR
 THE DECISION, THE VARIABLES CONSIDERED IN RENDERING THE DECISION, WHETH-
 ER AND HOW THE DECISION DEVIATED FROM THE AUTOMATED DECISION'S  SYSTEM'S
 RECOMMENDATION,  HOW THE INDIVIDUAL MAY CONTEST THE DECISION PURSUANT TO
 PARAGRAPH G OF THIS SUBDIVISION, AND THE PROCESS  FOR  REQUESTING  HUMAN
 REVIEW OF THE DECISION PURSUANT TO PARAGRAPH G OF THIS SUBDIVISION.
   (I)  THE  STATE  AND ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC BENEFIT CORPORATION OF THE STATE SHALL ENSURE THAT IT CAN EXPLAIN
 THE BASIS FOR ITS DECISION TO ANY IMPACTED INDIVIDUAL  IN  TERMS  UNDER-
 STANDABLE TO A LAYPERSON INCLUDING, WITHOUT LIMITATION, BY REQUIRING THE
 VENDOR TO CREATE SUCH EXPLANATION.
   (II)  THE COMMITTEE ON OPEN GOVERNMENT, IN CONSULTATION WITH THE DIVI-
 SION OF HUMAN RIGHTS, THE OFFICE OF INFORMATION TECHNOLOGY SERVICES, AND
 EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL  BE  DIRECTLY
 AFFECTED  BY  AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
 LATIONS SPECIFYING THE REQUIREMENTS FOR SUCH NOTICE.G. THE STATE AND ANY GOVERNMENTAL  AGENCY,  POLITICAL  SUBDIVISION  OR
 PUBLIC  BENEFIT  CORPORATION  OF  THE  STATE SHALL NOT PURCHASE, OBTAIN,
 PROCURE, ACQUIRE, EMPLOY, USE, DEPLOY, OR  ACCESS  INFORMATION  FROM  AN
 AUTOMATED  DECISION  SYSTEM  THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
 NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
 UNLESS IT FIRST DEVELOPS A PROCESS FOR HUMAN REVIEW.
   (I) THE OFFICE OF INFORMATION  TECHNOLOGY  SERVICES,  IN  CONSULTATION
 WITH  THE DIVISION OF HUMAN RIGHTS, THE COMMITTEE ON OPEN GOVERNMENT AND
 EXPERTS AND REPRESENTATIVES FROM THE COMMUNITIES THAT WILL  BE  DIRECTLY
 AFFECTED  BY  AUTOMATED DECISION SYSTEMS, MAY PROMULGATE RULES AND REGU-
 LATIONS SPECIFYING  THE  REQUIREMENTS  FOR  HUMAN  REVIEW  OF  DECISIONS
 RENDERED BY AUTOMATED DECISION SYSTEMS.
   (II) AN INDIVIDUAL WHO WAS DENIED OR ASSIGNED A RIGHT, BENEFIT, OPPOR-
 TUNITY  OR SERVICE, MAY REQUEST HUMAN REVIEW OF THE DECISION RENDERED BY
 THE AUTOMATED DECISION SYSTEM.
   (III) WHERE THE HUMAN REVIEW OVERTURNS A DECISION RENDERED BY AN AUTO-
 MATED DECISION SYSTEM, THE AFFECTED INDIVIDUAL  EXPERIENCES  HARM  AS  A
 RESULT  OF  THE  OVERTURNED  DECISION, AND THE STATE OR ANY GOVERNMENTAL
 AGENCY, POLITICAL SUBDIVISION OR PUBLIC BENEFIT CORPORATION OF THE STATE
 CANNOT OR WILL NOT PROVIDE A REMEDY, OR WHERE THE HUMAN REVIEW DOES  NOT
 OVERTURN  A  DECISION  RENDERED  BY  AN  AUTOMATED  DECISION SYSTEM, THE
 AFFECTED INDIVIDUAL, OR THEIR HEIRS, ASSIGNS, ESTATE, OR  SUCCESSORS  IN
 INTEREST,  MAY  BRING  IN  ANY COURT OF COMPETENT JURISDICTION AN ACTION
 ALLEGING A VIOLATION OF THIS SUBDIVISION.
   (IV) THE COURT SHALL AWARD TO THE PREVAILING PLAINTIFF IN SUCH ACTION,
 THE FOLLOWING RELIEF:
   (A) ANY INJUNCTIVE OR OTHER EQUITABLE RELIEF THE COURT DEEMS APPROPRI-
 ATE;
     (B) ANY ACTUAL DAMAGES RESULTING FROM ANY VIOLATION OF  THIS  SUBDIVI-
 SION, OR TEN THOUSAND DOLLARS IN DAMAGES FOR EACH SUCH VIOLATION, WHICH-
 EVER IS GREATER;
   (C) REASONABLE ATTORNEY'S FEES AND COSTS; AND
   (D) ANY OTHER RELIEF THE COURT DEEMS APPROPRIATE.H.  THE  STATE  AND  ANY GOVERNMENTAL AGENCY, POLITICAL SUBDIVISION OR
 PUBLIC  BENEFIT  CORPORATION  OF  THE  STATE  THAT  PURCHASES,  OBTAINS,
 PROCURES, ACQUIRES, EMPLOYS, USES, DEPLOYS, OR ACCESSES INFORMATION FROM
 AN AUTOMATED DECISION SYSTEM THAT ASSIGNS OR CONTRIBUTES TO THE DETERMI-
 NATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN INDIVIDUAL
 SHALL  ANNUALLY PUBLISH PUBLICLY ON ITS WEBSITE METRICS ON THE NUMBER OF
 REQUESTS FOR HUMAN REVIEW OF A DECISION RENDERED BY THE AUTOMATED  DECI-
 SION  SYSTEM  IT  RECEIVED  AND  THE  OUTCOME  OF SUCH HUMAN REVIEW. THE
 METRICS MAY INCLUDE DE-IDENTIFIED INFORMATION IN THE AGGREGATE BUT SHALL
 NOT INCLUDE ANY PERSONAL INFORMATION.§ 8. Section 8 of the state finance law is amended  by  adding  a  new
 subdivision 21 to read as follows:
   21.  NOTWITHSTANDING  ANY  INCONSISTENT  PROVISION  OF LAW, NO PAYMENT
 SHALL BE MADE FOR AN AUTOMATED DECISION SYSTEM, AS  DEFINED  IN  SECTION
 ONE  HUNDRED  SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR CONTRIBUTES TO
 THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
 INDIVIDUAL UNLESS THE AUTOMATED DECISION SYSTEM USES  ONLY  OPEN  SOURCE
 SOFTWARE  AND THE ACQUIRING AGENCY HAS COMPLIED WITH THE AUTOMATED DECI-
 SION SYSTEM IMPACT ASSESSMENT AND AUTOMATED DECISION SYSTEM  USE  POLICY
 REQUIREMENTS  IN SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER. FOR THE
 PURPOSES OF THIS SUBDIVISION, "OPEN SOURCE SOFTWARE" SHALL MEAN SOFTWARE
 FOR WHICH THE HUMAN-READABLE SOURCE CODE IS AVAILABLE  FOR  USE,  STUDY,
 MODIFICATION, AND ENHANCEMENT BY THE USERS OF THAT SOFTWARE.§  9. Section 8 of the state finance law is amended by adding four new
 subdivisions 22, 23, 24 and 25 to read as follows:
   22. NOTWITHSTANDING ANY INCONSISTENT  PROVISION  OF  LAW,  NO  PAYMENT
 SHALL  BE  MADE  FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
 ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, THAT ASSIGNS OR  CONTRIBUTES  TO
 THE DETERMINATION OF RIGHTS, BENEFITS, OPPORTUNITIES, OR SERVICES FOR AN
 INDIVIDUAL,  PRIOR  TO THE APPROVAL FROM THE CITY OR COUNTY COUNCIL WITH
 APPROPRIATE JURISDICTION OR THE STATE LEGISLATURE AS REQUIRED IN SECTION
 ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
   23. NOTWITHSTANDING ANY INCONSISTENT  PROVISION  OF  LAW,  NO  PAYMENT
 SHALL  BE  MADE  FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
 ONE HUNDRED  SIXTY-FIVE  OF  THIS  CHAPTER,  IF  THE  VENDOR'S  CONTRACT
 CONTAINS  NONDISCLOSURE  OR OTHER PROVISIONS THAT PROHIBIT OR IMPAIR THE
 STATE AND ANY GOVERNMENTAL AGENCY OR  POLITICAL  SUBDIVISION  OR  PUBLIC
 BENEFIT  CORPORATION  OF THE STATE'S OBLIGATIONS UNDER SUBDIVISIONS NINE
 AND TEN OF SECTION ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER.
   24. NOTWITHSTANDING ANY INCONSISTENT  PROVISION  OF  LAW,  NO  PAYMENT
 SHALL  BE  MADE  FOR AN AUTOMATED DECISION SYSTEM, AS DEFINED IN SECTION
 ONE HUNDRED SIXTY-FIVE OF THIS CHAPTER, IF THE AUTOMATED DECISION SYSTEM
 DISCRIMINATES AGAINST AN INDIVIDUAL, OR TREATS AN INDIVIDUAL LESS FAVOR-
 ABLY THAN ANOTHER, IN WHOLE OR IN PART, ON THE  BASIS  OF  ONE  OR  MORE
 FACTORS  ENUMERATED  IN  SECTION TWO HUNDRED NINETY-SIX OF THE EXECUTIVE
 LAW.
   25. NOTWITHSTANDING ANY INCONSISTENT  PROVISION  OF  LAW,  NO  PAYMENT
 SHALL  BE  MADE  FOR AN AUTOMATED DECISION SYSTEM THAT MAKES FINAL DECI-
 SIONS, JUDGMENTS, OR CONCLUSIONS WITHOUT HUMAN INTERVENTION THAT  IMPACT
 THE  CONSTITUTIONAL  OR LEGAL RIGHTS, DUTIES, OR PRIVILEGES OF ANY INDI-
   VIDUAL IN NEW YORK STATE OR  FOR  ANY  AUTOMATED  DECISION  SYSTEM  THAT
 DEPLOYS OR TRIGGERS ANY WEAPON.