Conn. Agencies Regs. § 10-4-10

Current through September 27, 2024
Section 10-4-10 - Maintenance of personal data
(a) All Personal Data Systems.
(1) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the agency. Where an agency finds irrelevant or unnecessary public records in its possession, the agency shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Connecticut General Statutes Section 11-8a, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Connecticut General Statutes Section 11-8a.
(2) The agency will collect and maintain all records with accurateness and completeness.
(3) Insofar as it is consistent with the needs and mission of the agency, the agency, wherever practical, shall collect personal data directly from the persons to whom a record pertains.
(4) Agency employees involved in the operations of the agency's personal data systems will be informed of the provisions of the (i) personal data act, (ii) the agency's regulations adopted pursuant to Section 4-196, (iii) the Freedom of Information Act and (iv) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the agency.
(5) All agency employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(6) The agency shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the agency or on its behalf.
(7) The agency requesting personal data from any other state or federal agency shall have an independent obligation to insure that the personal data is properly maintained.
(8) Only agency employees who have a specific need to review personal data records for lawful purposes of the agency will be entitled to access to such records under the Personal Data Act.
(9) The agency will keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.
(10) The agency will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."
(11) The agency will insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.
(b) Automated Personal Data Systems
(1) The agency shall, to the greatest extent practical, locate automated equipment and records in a limited access area.
(2) To the greatest extent practical, the agency shall require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.
(3) The agency, to the greatest extent practical, will insure that regular access to automated equipment is limited to operations personnel.
(4) The agency shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(c) Disclosure of Personal Data to Person.
(1) Within four business days of receipt of a written request therefor, the agency shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the agency maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.
(2) Except where nondisclosure is required or specifically permitted by law, the agency shall disclose to any person upon written request all personal data concerning that individual which is maintained by the agency. The procedures for disclosure shall be in accordance with Connecticut General Statutes Sections 1-15 through 1-21k. If the personal data is maintained in coded form, the agency shall transcribe the data into a commonly understandable form before disclosure.
(3) The agency is responsible for reasonable verification of the identity of any person requesting access to his/her own personal data.
(4) The agency is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.
(5) An agency may refuse to disclose to a person medical, psychiatric or psychological data on that person if the agency determines that such disclosure would be detrimental to that person.
(6) In any case where the agency refuses disclosure, it shall advise that person of his/her right to seek judicial relief pursuant to the Personal Data Act.
(7) If the agency refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the agency shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the agency shall disclose the personal data to such person; if nondisclosure is recommended by such persons' medical doctor, the agency shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.
(8) The agency shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason for each such disclosure or access. This log must be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.
(d) Notice of Disclosure to a State Agency.

When an individual is asked to supply personal data to a state agency, including the agency, the agency shall disclose to that individual, upon request:

(1) The name of such agency and division within such agency requesting the personal data;
(2) The legal authority under which such agency is empowered to collect and maintain the personal data;
(3) The individual's rights pertaining to such records under the Personal Data Act and agency regulations;
(4) The known consequences arising from supplying or refusing to supply the requested personal data; and
(5) The proposed use to be made of the requested personal data.
(e) Procedures for Contesting the Content of Personal Data Records.
(1) Any person who believes that the agency is maintaining inaccurate, incomplete or irrelevant personal data concerning him/her may file a written request with the agency for correction of said personal data.
(2) Within 30 days of receipt of such request, the agency shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the agency shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to his/her personal data records.
(3) Following such denial by the agency, the person requesting such correction shall be permitted to add a statement to his or her personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the agency's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.

Effective July 28, 1986