Conn. Agencies Regs. § 3-77-24

Current through October 16, 2024
Section 3-77-24 - Personal data
(a)Definitions.
(1) The following definitions shall apply to these regulations:
(A) "Category of Personal Data" means the classifications of personal information set forth in the Personal Data Act, Conn. Gen. Stat. § 4-190(9).
(B) "Other Data" means any information which because of name, identification number, mark or description can be readily associated with a particular person.
(2) Terms defined in Conn. Gen. Stat. § 4-190 shall apply to these regulations.
(b)General nature and purpose of personal data systems.
(1) The office of the Secretary of the State maintains the following personal data system:
(A) Personnel Records.
(i) All personnel records are maintained at the office of the Secretary of the State, Management & Support Services Division, 30 Trinity Street, Hartford, Connecticut 06106.
(ii) Personnel records are maintained in both automated and manual form.
(iii) Personnel records are maintained for the purposes of providing a history of payroll, promotion, discipline and related personnel information concerning employees of the office of the Secretary of the State.
(iv) Personnel records are the responsibility of the Administrator of the Management & Support Services Division, whose business address is Office of the Secretary of the State, Management & Support Services Division, 30 Trinity Street, Hartford, Connecticut 06106. All requests for disclosure or amendment of these records should be directed to the Administrator of the Management & Support Services Division.
(v) Routine sources for information retained in personnel records include the employee, previous employers of the employee, references provided by applicants for employment, the employee's supervisor, the Comptroller's Office, Department of Administrative Services, Division of Personnel and Labor Relations, and State insurance carriers.
(vi) Personal data in personnel records are collected, maintained and used under authority of the State Personnel Act, Conn. Gen. Stat. § 5-193 et. seq.
(B) Notary Public Appointment Records.
(i) Notary Public appointment records are the responsibility of the Administrator of the Records & Legislative Services Division, 30 Trinity Street, Hartford, Connecticut 06106.
(ii) Notary Public appointment records are maintained in both automated and manual form.
(iii) Notary Public appointment records are maintained for the purposes of determining the qualifications of notary public applicants and the continued suitability of appointees applying for renewal of their appointments.
(iv) All requests for disclosure or amendment of Notary Public appointment records should be directed to the Administrator of the Records & Legislative Services Division, 30 Trinity Street, Hartford, Connecticut 06106.
(v) Routine sources of information retained in appointment records include applicants for appointment, personal and professional references provided by applicants and town clerk's recommendations.
(vi) Personal data in Notary Public appointment records are collected, maintained and used under authority of Conn. Gen. Stat. § 3-91.
(C) Waivers of Disclosure of Personal Residence by Directors and Officers of Corporations.
(i) Waivers of disclosure of personal residence by directors and officers of corporations are maintained with the Commercial Recording Division, Office of the Secretary of the State, 30 Trinity Street, Hartford, Connecticut 06106.
(ii) Waivers of disclosure of personal residence by directors and officers of corporations are maintained in manual form.
(iii) Waivers of disclosure of personal residence by directors and officers of corporations are maintained to protect the personal security of public figures.
(iv) Waivers of disclosure of personal residence by directors and officers of corporations are maintained by the Administrator of the Commercial Recording Division, Office of the Secretary of the State, 30 Trinity Street, Hartford, Connecticut 06106. All requests for disclosure or amendment of these records should be directed to the Administrator.
(v) Routine sources of information retained in waivers of disclosure of personal residence by directors and officers of corporations include directors and officers.
(vi) Personal data in waivers of disclosure of personal residence by directors and officers of corporations are collected, maintained and used under authority of Conn. Gen. Stat. § 33-298, § 33-406, § 33-435, and § 33-514.
(c)Categories of personal data.
(1) Personnel Records.
(A) The following categories of personal data are maintained in personnel records:
(i) Educational records.
(ii) Medical or emotional condition or history.
(iii) Employment records.
(iv) Marital status.
(v) Other reference records.
(B) The following categories of other data may be maintained in personnel records:
(i) Addresses.
(ii) Telephone numbers.
(C) Personnel records are maintained on employees of the office of the Secretary of the State and applicants for employment with the office of the Secretary of the State.
(2) Notary Public appointment records.
(A) The following categories of personal data may be maintained in Notary Public appointment records:
(i) Employment or business history.
(ii) Criminal records.
(iii) Personal and professional references.
(iv) Town Clerk's recommendations.
(B) The following categories of other data may be maintained in Notary Public appointment records:
(i) Addresses.
(ii) Telephone numbers.
(iii) Renewal records.
(C) Notary Public appointment records are maintained on appointed Notary Publics and applicants for appointment.
(3) Waivers of disclosure of personal residence by directors and officers of corporations.
(A) The following categories of personal data are maintained in records of waivers of disclosure of personal residence by directors and officers of corporations:
(i) Finances.
(ii) Personal relationships.
(iii) Reputation or public status.
(iv) Personal residence address.
(v) Employment history.
(B) The following categories of other data may be maintained in records of waivers of disclosure of personal residence by directors and officers of corporations:
(i) Telephone numbers.
(C) Records of waivers of disclosure of personal residence by directors and officers of corporations are maintained on directors and officers of foreign and domestic corporations seeking or holding waivers of disclosure of personal residence.
(d)Maintenance of personal data-general.
(1) Personnel data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the office of the Secretary of the State. Where the office finds irrelevant or unnecessary public records in its possession, the office shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator in accordance with the provisions of Conn. Gen. Stat. § 11-8a, or if the records are not disposable under the records retentions schedule, request permission from the Public Records Administrator to dispose of the records under Conn. Gen. Stat. § 11-8a.
(2) The office of the Secretary of the State will collect and maintain all records with accurateness and completeness.
(3) Insofar as it is consistent with the needs and mission of the office, wherever practical, the office shall collect personal data directly from the persons to whom a record pertains.
(4) Employees of the office of the Secretary of the State involved in the operations of the office's personal data systems will be informed of the provisions of the (A) Personal Data Act, (B) the office's regulations adopted pursuant to Conn. Gen. Stat. § 4-196, (C) the Freedom of Information Act, and (D) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the agency.
(5) All employees of the office of the Secretary of the State shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(6) The office of the Secretary of the State shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the office or on its behalf.
(7) The office of the Secretary of the State shall have an independent obligation to insure that personal data requested from any other state agency is properly maintained.
(8) Only office employees of the Secretary of the State who have a specific need or legal authority to review personal data records for lawful purposes of the agency will be entitled to access to such records under the Personal Data Act.
(9) The office of the Secretary of the State will keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.
(10) The office of the Secretary of the State will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartment mail, such records will be sent in envelopes or boxes sealed and marked "personal and confidential."
(11) The office of the Secretary of the State will insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.
(e)Maintenance of personal data-automated systems.
(1) To the greatest extent practical, automated equipment and records pertaining to personal data shall be located in a limited access area.
(2) To the greatest extent practical, the office of the Secretary of the State shall require visitors to such limited access area to sign a visitor's log and permit access to said area on a bonafide need-to-enter basis only.
(3) To the greatest extent practical, the office of the Secretary of the State will insure that regular access to automated equipment pertaining to personal data is limited to operations personnel.
(4) The office of the Secretary of the State shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(f)Maintenance of personal data-disclosure.
(1) Within four business days of receipt of a written request therefor, the office shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the office maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.
(2) Except where nondisclosure is required or specifically permitted by law, the office of the Secretary of the State shall disclose to any person upon written request all personal data concerning that individual which is maintained by the office. The procedures for disclosure shall be in accordance with Conn. Gen. Stat. § 1-15 through § 1-21k. If the personal data is maintained in coded form, the office shall transcribe the data into a commonly understandable form before disclosure.
(3) The office of the Secretary of the State is responsible for verifying the identity of any person requesting access to his/her own personal data.
(4) The office is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.
(5) The office of the Secretary of the State may refuse to disclose to a person medical, psychiatric or psychological data on that person if the office determines that such disclosure would be detrimental to that person.
(6) In any case where the office of the Secretary of the State refuses disclosure, it shall advise the person of his/her right to seek judicial relief pursuant to the Personal Data Act.
(7) If the office refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the office shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's records to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the office shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the office shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.
(8) The office of the Secretary of the State shall maintain a complete log of each person, individual, agency or organization who has obtained access to, or to whom disclosure has been made of personal data, under the Personal Data Act, together with the reason for each such disclosure or access. This log shall be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.
(g)Contesting the content of personal data records.
(1) Any person who believes that the office is maintaining inaccurate, incomplete or irrelevant personal data concerning him/her may file a written request with the office for correction of said personal data.
(2) Within 30 days of receipt of such request, the office shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the office shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to his/ her personal data records.
(3) Following such denial by the office, the person requesting such correction shall be permitted to add a statement to his or her personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the office's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.
(h)Uses to be made of the personal data.
(1) Personnel Records.
(A) Employees of the office of the Secretary of the State who are assigned personnel and payroll responsibilities use the personal data contained in the office's personnel records in processing promotions, reclassifications, transfers to another agency, retirement and other personnel actions. Managers and supervisors use the personal data when promotion, career counseling, or disciplinary action against such employee is contemplated, and for other employment-related purposes.
(B) Personnel records are retained in accordance with a records retention schedule adopted pursuant to Conn. Gen. Stat. § 11-8a, a copy of which is available from the Management & Support Services Division.
(2) Notary Public Appointment Records.
(A) Notary Public appointment records are used to determine the qualifications of applicants for appointment as notary public and the continued qualification of appointees. Users include all employees of the Records & Legislative Services Division of the office of the Secretary of the State, and others where permitted or required by law.
(B) Notary Public appointment records are retained in accordance with a records retention schedule adopted pursuant to Conn. Gen. Stat. § 11-8a, a copy of which is available from the Records & Legislative Services Division.
(3) Waiver of disclosure of Personal Residence by Directors and Officers of Corporations.
(A) Records of waiver of disclosure of personal residence by directors and officers of corporations are maintained to protect the personal security of public figures. Users include the Administrator of the Commercial Recording Division or his designee.
(B) Records of waiver of disclosure of personal residence by directors and officers of corporations are retained permanently.
(4) When an individual is asked to supply personal data to the office of the Secretary of the State, the office shall disclose to that individual, upon request, the name of the agency which is requesting the data, the legal authority under which the agency is empowered to collect and maintain the personal data, the individual's rights pertaining to such records under the Personal Data Act and the agency's regulations, the known consequences arising from supplying or refusing to supply the requested personal data, and the proposed use to be made of the requested personal data.

Conn. Agencies Regs. § 3-77-24

Effective March 23, 1989