Section 7-323k-6 - Personal data(a)Definitions(1) The following definitions shall apply to this section of regulations. (A) "Category of Personal Data" means the classifications of personal information set forth in the Personal Data Act, Connecticut General Statutes 4-190 (9).(B) "Other Data" means any information which because of name, identification number, mark or description can be readily associated with a particular person.(C) "Commission" means Commission on Fire Prevention and Control.(2) Terms defined in Connecticut General Statutes Sec. 4-190 shall apply to this section of regulations.(b)General Nature and Purpose of Personal Data Systems(1) The Commission maintains the following personal data system: (A) Personnel Records (i) All personnel records are maintained at the Commission's Office, 34 Perimeter Road, Windsor Locks, Connecticut.(ii) Personnel records are maintained in both automated and manual form.(iii) Personnel records are maintained for the purpose of retaining payroll, health, discipline and related personnel information concerning Commission employees.(iv) Personnel records are the responsibility of the fiscal administrative supervisor of the commission. All requests for disclosure or amendment of these records should be directed to the fiscal administrative supervisor.(v) Routine sources for information retained in personnel records include the employee, previous employers of the employee, references provided by the applicants, the employee's supervisor, the Comptroller's Office, Department of Administrative Services, Division of Personnel and Labor Relations, and State insurance carriers.(vi) Personal data in personnel records are collected, maintained and used under authority of the State Personnel Act, Connecticut General Statutes Sec. 5-193 et seq.(B) Training and Certification Records(i) Records are maintained at the Commission's Office, 34 Perimeter Road, Windsor Locks, Connecticut, 06096.(ii) Records are maintained in both automated and manual form.(iii) Records are maintained for the purpose of determining training completed and certification achieved by firefighters, fire instructors, and fire officers.(iv) Training records are maintained by the Director of Fire Training, 34 Perimeter Road, Windsor Locks, Connecticut, 06096. Certification records are maintained by the Certification Division Fire Service Analyst, 34 Perimeter Road, Windsor Locks, Connecticut, 06096. All requests for disclosure or amendment of training records should be made to the Director of Fire Training. All requests for disclosure or amendment of certification records should be made to the Certification Division Fire Service Analyst.(v) Routine sources of information retained in training and certification records include applications for training, certification, training records, certification testing grades and fire department affiliation.(vi) Personal data in training and certification records are collected, maintained and used under authority of Connecticut General Statutes Sec. 7-323.(c)Categories of Personal Data(1) Personnel Records (A) The following categories of personal data may be maintained in personnel records: (ii) Medical or emotional condition or history.(iii) Employment or business history.(iv) Other reference records.(B) The following categories of other data may be maintained in personnel records: (C) Personnel records are maintained on employees of the Commission and applicants for employment with the Commission.(2) Training and Certification Records (A) The following categories of personal data may be maintained in training and certification records: (ii) Certification test scores.(iii) Application records for purpose of determining the qualifications of applicants.(iv) Certification exam scores.(v) Other reference records.(B) The following categories of other data may be maintained in training and certification records: (i) Fire department affiliation.(ii) Fire department rank.(v) Records of administrative action.(vii) Social Security number.(C) Training and certification records are maintained on applicants or holders of certificates in either training or certification.(d)Maintenance of Personal Data(1) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Commission. Where the Commission finds irrelevant or unnecessary public records in its possession, the Commission shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Connecticut General Statutes Sec. 11-8a, or if the records are not disposable under the records retention schedule, shall request permission from the Public Records Administrator to dispose.(2) The Commission will collect and maintain all records with accuracy and completeness.(3) Insofar as it is consistent with the needs and mission of the Commission, the Commission, wherever practical, shall collect personal data directly from the persons to whom a record pertains.(4) Commission employees involved in the operation of the Agency's personal data systems will be informed of the provisions of the (A) The Personal Data Act, (B) the Commission's regulations adopted pursuant to Sec. 4-196, (C) the Freedom of Information Act and (D) any other state or federal statute or regulations concerning maintenance or disclosure or personal data kept by the Commission.(5) All Commission employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.(6) The Commission shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the Commission or on its behalf.(7) An agency requesting personal data from any other state agency shall have an independent obligation to insure that the personal data is properly maintained.(8) Only Commission employees who have a specific need to review personal data records for lawful purposes of the Commission shall be entitled to access to such records under the Personal Data Act.(9) The Commission will keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.(10) The Commission will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."(11) The Commission will insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.(12) With respect to automated personal data systems:(A) The Commission shall, to the greatest extent practical, locate automated equipment and records in a limited access area,(B) To the greatest extent practical, the Commission shall require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only,(C) The Commission, to the greatest extent practical, will insure that the regular access to automated equipment is limited to operations personnel,(D) The Commission shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.(e) Disclosure of Personal Data(1) Within four business days of receipt of a written request therefor, the Commission shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the Commission maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.(2) Except where nondisclosure is required or specifically permitted by law, the Commission shall disclose to any person upon written request all personal data concerning that individual which is maintained by the Commission. The procedures for disclosure shall be in accordance with Connecticut General Statute Section 1-15 through 1-21k. If the personal data is maintained in coded form, the Commission shall transcribe the data into a commonly understandable form before disclosure.(3) The Commission is responsible for verifying the identity of any person requesting access to his/her own personal data.(4) The Commission is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.(5) The Commission may refuse to disclose to a person medical, psychiatric or psychological data on that person if the Commission determines that such disclosure would be detrimental to that person.(6) In any case where the Commission refuses disclosure, it shall advise that person of his/her right to seek judicial relief pursuant to the Personal Data Act.(7) If the Commission refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the Commission shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the Commission shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the Commission shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.(8) The Commission shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason for each such disclosure or access. This log must be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.(f)Contesting the Content of Personal Data Records(1) Any person who believes that the Commission is maintaining inaccurate, incomplete or irrelevant personal data concerning him/her may file a written request with the Commission for correction of said personal data.(2) Within 30 days of receipt of such request, the Commission shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the Commission shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to his/her personal data records.(3) Following such denial by the Commission, the person requesting such correction shall be permitted to add a statement to his or her personal data records setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the Commission's personal data system and shall be disclosed to any individual, agency or organization to which the disputed data is disclosed.(g)Uses To Be Made Of The Personal Data(1) Personnel Records (A) Personnel records are routinely used for evaluating the qualifications of employment applicants and the work performance of employees of the Commission. Users include the Business Manager and other state officers and employees with responsibility for evaluating the work performance of employees of the Commission and others where permitted or required by law.(B) Personnel records are retained in accordance with a records retention schedule adopted pursuant to Conn. Gen. Stat. Sec. 11-8a, a copy of which is available at Commission offices.(2) Training and Certification Records (A) Records of individuals are routinely used for evaluating skills and knowledge of applicants. Users include those officers and employees of the Commission involved with training and certification.(B) Training and certification records are retained in accordance with a records retention schedule adopted pursuant to Conn. Gen. Stat. Sec. 11-8a, a copy of which is available at Commission offices.(3) When an individual is asked to supply personal data to the Commission, the Commission shall disclose to that individual, upon request: (A) The name of the Commission and division within the Commission requesting the personal data;(B) The legal authority under which the Commission is empowered to collect and maintain the personal data;(C) The individual's rights pertaining to such records under the Personal Data Act and agency regulations;(D) The known consequences arising from supplying or refusing to supply the requested personal data;(E) The proposed use to be made of the requested personal data.Conn. Agencies Regs. § 7-323k-6
Effective June 7, 1996; Amended October 6, 2005