Conn. Agencies Regs. § 17a-210-13

Current through October 16, 2024
Section 17a-210-13 - Maintenance of personal data
(a) Records for each personal data system are maintained in accordance with schedules prepared by the Connecticut State Library, Department of Public Records Administration and retention schedules approved by the Public Records Administrator as authorized by Section 11-8a of the Connecticut General Statutes.
(b) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the department. Where the department finds irrelevant or unnecessary public records in its possession, the department shall dispose of the records with the approval of the public records administrator pursuant to Section 11-8a of the Connecticut General Statutes.
(c) The department shall collect and maintain all records with accuracy and completeness.
(d) Insofar as it is consistent with the needs and mission of the department, the department shall, wherever practical, collect personal data directly from the person to whom a record pertains.
(e) When an individual is asked to supply personal data to the department, the department shall disclose to that individual, upon request:
(1) the name of the department and division within the department requesting the personal data;
(2) the legal authority under which the department is empowered to collect and maintain the personal data;
(3) the individual's rights pertaining to such records under the Personal Data Act and the department regulations;
(4) the known consequences arising from supplying or refusing to supply the requested personal data; and
(5) the proposed use to be made of the requested personal data.
(f) Department employees involved in the operation of the department's personal data systems will be informed of the provisions of the Personal Data Act and the department's regulations, the Freedom of Information Act and any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the department.
(g) All department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(h) The department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the department or on its behalf.
(i) The department shall ensure that personal data requested from any other state agency is properly maintained.
(j) Only department employees who have a specific need to review personal data records for lawful purposes of the department will be entitled to access such records.
(k) The department shall keep a written up-to-date list of individuals entitled to access each of the department's personal data systems.
(l) The department will ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked confidential.
(m) The department will ensure that all records in manual personal data systems are kept safe.
(n) Where automated personal data systems records are maintained, the department shall:
(1) locate automated equipment and records in a limited access area;
(2) ensure that regular access to automated equipment is limited to operations personnel; and
(3) utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.

Adopted effective April 9, 1998