No state agency, or any entity acting on behalf of such agency, which utilizes or applies any automated decision-making system, directly or indirectly, in performing any function that: (a) is related to the delivery of any public assistance benefit; (b) will have a material impact on the rights, civil liberties, safety or welfare of any individual within the state; or (c) affects any statutorily or constitutionally provided right of an individual, shall utilize such automated decision-making system, unless such automated decision-making system is subject to continued and operational meaningful human review.

No state agency shall authorize any procurement, purchase or acquisition of any service or system utilizing, or relying on, automated decision-making systems in performing any function that is: (a) related to the delivery of any public assistance benefit; (b) will have a material impact on the rights, civil liberties, safety or welfare of any individual within the state; or (c) affects any statutorily or constitutionally provided right of an individual unless such automated decision-making system is subject to continued and operational meaningful human review.

The use of an automated decision-making system shall not affect (a) the existing rights of employees pursuant to an existing collective bargaining agreement, or (b) the existing representational relationships among employee organizations or the bargaining relationships between the employer and an employee organization. The use of an automated decision-making system shall not result in the: (1) discharge, displacement or loss of position, including partial displacement such as a reduction in the hours of non-overtime work, wages, or employment benefits, or result in the impairment of existing collective bargaining agreements; (2) transfer of existing duties and functions currently performed by employees of the state or any agency or public authority thereof to an automated decision-making system; or (3) transfer of future duties and functions ordinarily performed by employees of the state or any agency or public authority. The use of an automated decision-making system shall not alter the rights or benefits, and privileges, including but not limited to terms and conditions of employment, civil service status, and collective bargaining unit membership status of all existing employees of the state or any agency or public authority thereof shall be preserved and protected.

State agencies seeking to utilize or apply an automated decision-making system permitted under section four hundred two of this article with continued and operational meaningful human review shall conduct or have conducted an impact assessment substantially completed and bearing the signature of one or more individuals responsible for meaningful human review for the lawful application and use of such automated decision-making system. Following the first impact assessment, an impact assessment shall be conducted in accordance with this section at least once every two years. An impact assessment shall be conducted prior to any material change to the automated decision-making system that may change the outcome or effect of such system. Such impact assessments shall include: (a) a description of the objectives of the automated decision-making system; (b) an evaluation of the ability of the automated decision-making system to achieve its stated objectives; (c) a description and evaluation of the objectives and development of the automated decision-making including: (i) a summary of the underlying algorithms, computational modes, and artificial intelligence tools that are used within the automated decision-making system; and (ii) the design and training data used to develop the automated decision-making system process; (d) testing for: (i) accuracy, fairness, bias and discrimination, and an assessment of whether the use of the automated decision-making system produces discriminatory results on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability and outlines mitigations for any identified performance differences in outcomes across relevant groups impacted by such use; (ii) any cybersecurity vulnerabilities and privacy risks resulting from the deployment and use of the automated decision-making system, and the development or existence of safeguards to mitigate the risks; (iii) any public health or safety risks resulting from the deployment and use of the automated decision-making system; (iv) any reasonably foreseeable misuse of the automated decision-making system and the development or existence of safeguards against such misuse; (e) the extent to which the deployment and use of the automated decision-making system requires input of sensitive and personal data, how that data is used and stored, and any control users may have over their data; and (f) the notification mechanism or procedure, if any, by which individuals impacted by the utilization of the automated decision-making system may be notified of the use of such automated decision-making system and of the individual's personal data, and informed of their rights and options relating to such use.

Notwithstanding the provisions of this article or any other law, if an impact assessment finds that the automated decision-making system produces discriminatory or biased outcomes, the state agency shall cease any utilization, application, or function of such automated decision-making system, and of any information produced using such system.

Each impact assessment conducted pursuant to this article shall be submitted to the governor, the temporary president of the senate, and the speaker of the assembly at least thirty days prior to the implementation of the automated decision-making system that is the subject of such assessment.

(a) The impact assessment of an automated decision-making system shall be published on the website of the relevant state agency. (b) If the state agency makes a determination that the disclosure of any information required in the impact assessment would result in a substantial negative impact on health or safety of the public, infringe upon the privacy rights of individuals, or significantly impair the state agency's ability to protect its information technology or operational assets, such state agency may redact such information, provided that an explanatory statement on the process by which the state agency made such determination is published along with the redacted impact assessment. (c) If the impact assessment covers any automated decision-making system that includes technology that is used to prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or other illegal activity, preserve the integrity or security of systems, or to investigate, report or prosecute those responsible for any such malicious or deceptive action, such state agency may redact such information for the purposes of this subdivision, provided that an explanatory statement on the process by which the state agency made such determination is published along with the redacted impact assessment.

Any state agency, that directly or indirectly, utilizes an automated decision-making system, as defined in section 401 of the state technology law, shall submit to the legislature a disclosure on the use of such system, no later than one year after the effective date of this section. Such disclosure shall include: (a) a description of the automated decision-making system utilized by such agency; (b) a list of any software vendors related to such automated decision-making system; (c) the date that the use of such system began; (d) a summary of the purpose and use of such system, including a description of human decision-making and discretion supported or replaced by the automated decision-making system; (e) whether any impact assessments for the automated decision-making system were conducted and the dates and summaries of the results of such assessments where applicable; and (f) any other information deemed relevant by the agency.