801 Mass. Reg. 3.02

Current through Register 1524, June 21, 2024
Section 3.02 - Administration of Personal Data
(1) General Rules.
(a) Each holder shall designate an information officer who shall serve as the responsible person for each personal data system maintained by the holder. The holder shall ensure that the requirements for preventing unauthorized access to or dissemination of personal data, as set out in M.G.L. c. 66A, are followed. A single employee may serve as the responsible person for more than one personal data system.
(b) Each holder shall inform each of its employees having any responsibility or function involving the design, development, operation, or maintenance of a personal data system, or the use of any personal data contained therein, of the provisions of 801 CMR 3.00 and any other regulations promulgated under M.G.L. c. 66A, the safeguards of M.G.L. c. 66A pertaining to the operation of the personal data system, and the civil remedies available to individuals whose rights under M.G.L. c. 66A are allegedly violated.
(c) Each holder shall not collect or maintain more personal data than is reasonably necessary for the performance of the holder's statutory functions. The holder shall permit only those employees whose duties reasonably require access to have access to personal data.
(d) Each holder shall take reasonable precautions to protect personal data from dangers of fire, identity theft, theft, flood, natural disaster, or other physical threat.
(e) Each holder shall maintain personal data with such accuracy, completeness, timeliness, pertinence and relevance as is necessary to assure fair determination of a data subject's qualifications, character, rights, opportunities, or benefits when such determinations are based upon such data.
(f) Holders may enter into contracts to hold personal data but no such contract shall relieve the holder of its obligations under M.G.L. c. 66A or 801 CMR 3.00. Every such contract shall include such provisions as are necessary to ensure compliance with M.G.L. c. 66A and 801 CMR 3.00.
(2) Record of Access. In the case of data held in automated personal data systems, and to the extent feasible with data held in manual personal data systems, each holder shall maintain complete and accurate records showing any access to or use of personal data by persons or organizations outside of or other than the holder. These records shall include every disclosure of personal data, including the identity of all such persons and organizations to which such access or use has been granted. To the extent maintained pursuant to 801 CMR 3.02(2), a list of the uses made of personal data, including the identity of all persons and organizations which have gained access to the data, shall be provided to the data subject upon request. Access to or use by employees and agents of the holder need not be recorded.
(3) Notice and Report to Secretary of Commonwealth. Each holder shall, upon the establishment, termination, or substantial change in character of a personal data system, file a report with the Secretary of the Commonwealth regarding each such personal data system, as required by M.G.L. c. 30, § 63 and c. 66A, § 2(e).

801 CMR 3.02

Amended by Mass Register Issue 1334, eff. 3/10/2017.