Section 18-81-20 - Personal data(a)Definitions.(1) Definitions of terms set forth in the Personal Data Act, Connecticut General Statutes, Chapter 55, shall apply to this section.(2) As used in this section, unless the context otherwise requires:(A) "Category of Personal Data" means the classifications of personal information set forth in the Personal Data Act, Connecticut General Statutes, Section 4-190(9).(B) "Agency" means the Department of Correction.(C) "Other Data" means any information, which because of name, identifying number, mark or description can be readily associated with a particular person.(D) "Employee" means a current or past employee of the Department of Correction.(E) "Inmate" means a person who is currently or was previously in the custody of the Commissioner of Correction, or confined in an institution or facility of the Department of Correction.(b)General Nature and Purpose of the Personal Data System. The Agency maintains the following personal data system:
(1) Personnel records. (A) Personnel records are maintained in both automated and manual form.(B) All personnel records are maintained at the Department of Correction's central office.(C) Personnel records are maintained for the purpose of retaining payroll, benefit, discipline and related personnel information concerning employees.(D) Personnel records are the responsibility of the Director of Human Resources of the Department of Correction, 24 Wolcott Hill Road, Wethersfield, CT 06109. All requests for disclosure or amendment of these records should be addressed directly to the Director of Human Resources.(E) Routine sources for information retained in personnel records include the employee, previous employers of the employee, references provided by applicants, the employee's supervisor, the Comptroller's Office, the Department of Administrative Services, and the Office of Policy and Management, Office of Labor Relations.(F) Personal data in personnel records is collected, maintained and used under the authority of the State Personnel Act, Connecticut General Statutes, Section 5-193et seq.(2) Inmate Master File Records.(A) Inmate master file records are maintained in both automated and manual form.(B) Manual inmate master file records are maintained at the correctional facility or field service office responsible for the supervision of the inmate. Automated inmate master file records are maintained by the Research and Management Information System Unit of the Department of Correction.(C) Inmate master file records are maintained for the purpose of retaining a wide variety of criminal and personal background information on inmates.(D) Inmate master file records are the responsibility of the Director of Offender Classification and Population Management of the Department of Correction, 1153 East Street South, Suffield, CT 06080. All requests for disclosure or amendment of these records should be addressed directly to the Unit Administrator of the facility having custody of the inmate and master file.(E) Routine sources for information retained in inmate master file records include the inmate, departmental documents relating to risk and needs assessment, disciplinary history and institutional adjustment, and arrest and conviction records.(F) Personal data in inmate master files records are collected, maintained and used under the authority of Connecticut General Statutes, Section 18-81.(3) Inmate Medical Records. (A) Inmate medical records are maintained in manual form.(B) Manual inmate medical records are maintained at the correctional facility or field service office responsible for the supervision of the inmate.(C) Inmate medical file records are maintained for the purpose of retaining medical and mental health information in order to comply with the agency's legal obligation to provide medical care to inmates.(D) Inmate medical records are the responsibility of the Director of Health, Mental Health and Addiction Services, 24 Wolcott Hill Road, Wethersfield, CT 06109. All requests for disclosure or amendment of these records should be addressed directly to the Unit Administrator of the facility having custody of the inmate and medical file.(E) Routine sources of information retained in the inmate medical record include the inmate, results of clinical tests, treatment histories and evaluations conducted by licensed department and contracted health and mental health professionals.(F) Personal data in inmate health records are collected, maintained and used under the authority of Connecticut General Statutes, Section 18-81.(c)Categories of Personal Data. (1) Personnel Records of current and past employees.(A) The following categories of personal data are maintained in personnel records: (ii) Medical or emotional condition or history.(iii) Employment records.(iv) Demographic information. (vi) Financial information.(vii) Insurance information.(viii) Benefit and retirement records.(B) Categories of other data may be maintained in personnel records as follows: (iii) Social security number.(2) Inmate Master File Records of current and prior inmates.(A) The following categories of personal data are maintained in inmate master file records: (i) Legal custody documents.(ii) Identification documentation.(iii) Criminal history documentation.(iv) Classification history.(v) Program participation documentation.(vi) Sentence Calculation.(3) Inmate Medical Records of current and prior inmates.(A) The following categories of personal data are maintained in inmate medical records: (i) Medical intake evaluation.(iii) Medications prescribed.(iv) Mental health assessments.(d)Maintenance of Personal Data - General. (1) The Department of Correction shall maintain relevant and necessary personal data in order to accomplish the lawful purposes of the agency. Where the agency finds irrelevant or unnecessary public records in its possession, the agency shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Connecticut General Statutes, Section 11-8a, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Connecticut General Statutes, Section 11-8a.(2) The agency shall collect and maintain all records with accurateness and completeness.(3) Insofar as it is consistent with the needs and mission of the agency, the agency, wherever practical, shall collect personal data directly from the persons to whom a record pertains,(4) Employees of the Department of Correction involved in the operations of the agency's personal data systems shall be informed of the provisions of:(A) the Personal Data Act,(B) the agency's regulation adopted pursuant to Connecticut General Statutes, Section 4-196,(C) the Freedom of Information Act, and(D) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the agency.(5) All employees of the Department of Correction shall take reasonable precautions to protect personal data under their custody from danger of fire, theft, flood, natural disaster and other physical threats.(6) The Department of Correction shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the agency or on its behalf.(7) An agency requesting personal data from any other state agency shall have an independent obligation to insure that the personal data is properly maintained.(8) Only Department of Correction employees who have a specific need to review personal data records for lawful purposes of the agency shall be entitled to access such records under the Personal Data Act.(9) The Department of Correction shall keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.(10) The Department of Correction shall insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential".(11) The Department of Correction shall insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.(e)Maintenance of Personal Data - Automated Systems.(1) The Department of Correction shall, to the greatest extent practical, locate automated equipment and records in a limited access area.(2) To the greatest extent practical, the Department of Correction shall require visitors to such an area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.(3) The Department of Correction, to the greatest extent practical, shall insure that regular access to automated equipment is limited to operations personnel.(4) The Department of Correction shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.(f)Maintenance of Personal Data - Disclosure.(1) Within four business days of receipt of a written request therefor, the Department of Correction shall mail or deliver to the requesting individual a written response, in plain language, informing the requestor as to whether the agency maintains personal data on the individual, the category and location of the personal data maintained on that individual and the procedures available to review the records.(2) Except where nondisclosure is required or specifically permitted by law, the Department of Correction shall provide access to any person upon written request, all personal data concerning that person that is maintained by the agency. The procedures for disclosure shall be in accordance with Connecticut General Statutes, Sections 1-200 through 1-241. If the personal data is maintained in a coded form, the agency shall transcribe the data into a commonly understandable form before disclosure.(3) The Department of Correction is responsible for verifying the identity of any person requesting access to his or her own personal data.(4) The Department of Correction is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to provide access to any personal data concerning persons other than the person requesting the information.(5) The Department of Correction may refuse to provide access to a person's medical, psychiatric or psychological data if the agency determines that such disclosure would be detrimental to that person or if nondisclosure is otherwise permitted or required by law.(6) In any case where the Department of Correction refuses to provide access to a person, it shall advise that person of the right to seek judicial relief pursuant to the Personal Data Act.(7) If the Department of Correction refuses to provide access to medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the agency, at the written request of such person, shall permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the agency shall provide access to the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the agency shall not provide access to the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.(8) The Department of Correction shall maintain a complete record of every person, individual, agency or organization that has obtained access to, or to whom disclosure has been made of, personal data under the Personal Data Act, together with the reason for each such disclosure or access. The record shall be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.(g)Contesting the Content of Personal Data Records. (1) Any person who believes that the Department of Correction is maintaining inaccurate, incomplete or irrelevant personal data concerning him or her may file a written request with the agency for amendment of said personal data.(2) Within thirty days of receipt of such request, the Department of Correction shall give written notice to that person that it will make the requested amendment, or if the amendment is not to be made as submitted, the agency shall state the reason for its denial of such request and notify the person of the right to add a statement to the person's own personal data records.(3) Following such denial by the Department of Correction, the person requesting such amendment shall be permitted to add a statement to the personal data record setting forth what the person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the agency's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.(h)Uses to be made of the Personal Data. (1) Employees of the Department of Correction who are assigned personnel and payroll responsibilities use the personal data contained in the agency's personnel records primarily in processing promotions, reclassifications, transfers to another agency, benefits and retirement, and other personnel actions. Supervisors use that personal data primarily when promotion, performance evaluations, career counseling or disciplinary action against such employee is contemplated, and for other employment-related purpose.(2) Employees and supervisors of the Department of Correction use the personal data contained in inmate master file records primarily to make classification decisions with regard to risk assessment, needs assessment, housing assignment, discretionary release to the community, and employment and programmatic assignment.(3) Medical staff assigned to Department of Correction facilities use personal data contained in inmate medical records primarily to make proper medical decisions.(4) The uses of such records shall be in accordance with the retention schedule adopted pursuant to Connecticut General Statutes, Section 11-8a.(5) When an individual is asked to supply personal data to the Department of Correction, the agency shall disclose to that individual, upon request, the name of the agency and the division within the agency requesting the personal data, the legal authority under which the agency is empowered to collect and maintain the personal data, the individual's rights pertaining to such records under the Personal Data Act and agency regulations, the known consequences arising from supplying or refusing to supply the requested personal data and the proposed use to be made of the requested personal data.Conn. Agencies Regs. § 18-81-20
Adopted effective February 18, 2003