N.Y. Comp. Codes R. & Regs. tit. 10, § 350.3
(b) Upon reasonable assurance that subdivision (a) of this section has been satisfied, the department may release data in the following manner:
(c) Data users shall adhere to security, confidentiality, and privacy guidelines established by the department to prevent breaches or unauthorized disclosures of personal information resulting from any data analysis or re-disclosure. Data users bear full responsibility for breaches or unauthorized disclosures of personal information resulting from use of APD data.
(2) Data users who wish to request APD data that includes identifying data elements shall submit an application for a proposed project in a form established by the department, which shall include an explicit plan for preventing breaches or unauthorized disclosures of identifying data elements of any individual who is a subject of the information. The department’s review of the proposed project shall include, but not be limited to:
(d)