N.Y. Comp. Codes R. & Regs. tit. 2, § 111.4
(a) The privacy officer is responsible for:
(3) insuring that appropriate procedures are developed and implemented so that one of the following actions is taken upon locating the record sought:
(6) certifying, upon request, that:
(c) The privacy officer shall coordinate with the privacy committee, as designated by the Comptroller, to develop and, from time to time, to update internal policies, procedures and guidance on the collection, use, safeguarding, disclosure and disposal of personal information. Those policies, procedures and guidance shall include, but not be limited to, addressing the following objectives: