760 CMR, § 8.04

Current through Register 1533, October 25, 2024
Section 8.04 - Access to Personal Data
(1) Contracts or Agreements with a Holder to Perform a Public or Governmental Purpose. A LHA or LRA shall allow another person, entity or agency to hold personal data for a governmental function or purpose only by written contract, agreement, or arrangement. Such contract, agreement, or arrangement shall contain provisions expressly informing the other person, entity or agency of its status as a Holder and covering its legal obligations as such.
(2) Dissemination of Personal Data - General. A Holder shall not allow any individual, agency, or entity not employed by the Holder or under contract or agreement with the Holder under 760 CMR 8.04(1) to have access to personal data unless such access is:
(a) authorized by statute or by regulations which are consistent with the purposes of M.G.L. c. 66A; or
(b) approved by the data subject, unless the data subject is not entitled to access.
(3) Access by Physicians in an Emergency. A Holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of the physician, if a medical or psychiatric emergency arises precluding the data subject from approving the release of the data. Upon termination of the emergency, the Holder shall give notice to the data subject about the physician's access.
(4) Access by the Department. A Holder shall permit authorized employees of the Department to have access to personal data for the performance of legally authorized duties and responsibilities and shall disseminate personal data to the Department upon its request.
(5) Access by Holder Personnel and Board Members. A Holder shall:
(a) design personnel procedures which limit the number of employees whose duties involve access to personal data and train existing personnel concerning standards of confidentiality and security required by 760 CMR 8.00;
(b) permit only those employees whose duties require access to have access to personal data; and
(c) strictly limit board member access to personal data concerning an applicant or tenant to situations where there is a need for access in order for the board to conduct business properly.
(6) Access by Data Subject. A data subject or his/her duly authorized representative shall have access to, as well as the right to inspect and copy, any personal data concerning him/her, unless prohibited by law or judicial order.
(7) Denial of Access to Data Subject. A Holder shall not rely on any exception contained in M.G.L. c. 4, § 7 clause twenty-sixth (public records law) to withhold personal data from a data subject. A Holder may deny a request by a data subject or his/her authorized representative for access to personal data if:
(a) the denial of access is expressly permitted by statute; or
(b) the personal data is currently the subject of an investigation and its disclosure would probably so prejudice the possibility of effective law enforcement that the disclosure would not be in the public interest. 760 CMR 8.04(7) is not intended to limit any right or power of access the data subject might have under pertinent administrative or judicial procedures. Such personal data may be withheld for the time for completion of the investigation and commencement of an administrative or judicial proceeding on its basis, or for one year from the commencement of the investigation, whichever occurs first.
(8) Notice of Denial. A Holder shall notify a data subject in writing of any denial of his/her request for access, the reasons therefor, and the right of appeal set forth in 760 CMR 8.05.
(9) List of Data Requests. A Holder shall, at the request of a data subject, provide a written list of the uses made of his/her personal data, including any persons, agencies, or entities which have gained access to the personal data.
(10) Holder Authority to Make Additional Access Rules. A Holder may adopt reasonable written rules governing access to personal data, consistent with 760 CMR 8.00 and all pertinent statutes which:
(a) insure that any substitute or proxy for the data subject be duly authorized by him/her;
(b) regulate the time and place for inspection and the manner and cost of copying, provided that the time for inspection shall not be unduly restricted, and the fee for copies shall not exceed that allowed for public records under the Freedom of Information regulations of the Massachusetts Supervisor of Public Records; and
(c) require that data be reviewed in the presence of or under the supervision of the Holder.
(11) Judicial or Administrative Orders. Any Holder served with a subpoena or other judicial or administrative order directing it to disclose a data subject's personal data shall, unless otherwise prohibited by law or judicial order, immediately give notice to the data subject. Such notice, where possible, shall include a copy of the subpoena or order, except where the data subject himself requests the order or is otherwise obviously aware of its existence. The holder, wherever legally and practically possible, shall allow the data subject adequate time to attempt to secure a court order to quash the subpoena or order.
(12) Record of Data Access and Use. Each Holder shall maintain a complete and accurate record of every access to any personal data by persons, agencies, or entities other than the holder, including the identity of all such persons, agencies, and entities and their intended use of the data.
(13) Physical Safety of Data. A Holder shall take all reasonable measures to protect personal data from physical damage or removal.