SubTitle10a-6-1_10a-6-14. Personal Data Systems  


Sec. 10a-6-1. Purpose and authority
Latest version.

The purpose of these regulations is to implement the requirements of Section 4-196 of the Connecticut General Statutes, herein after referred to as the Personal Data Act, pertaining to the protection and maintenance of personal data systems maintained by state and municipal agencies and to protect the right of an individual to see his or her own record. These regulations conform to the uniform standards promulgated by the Attorney General as required by Subsection (b) of Section 4-196 of the Connecticut General Statutes.

(Effective July 21, 1986)

Sec. 10a-6-2. Definitions
Latest version.

The definition of terms as used in these regulations, except as otherwise required by context or provided by law, include those set forth in the Personal Data Act and the Attorney General's Standards and are as follows:

(a) "Agency" means each state or municipal board, commission, department or officer, other than the legislature, courts, governor, lieutenant governor, attorney general or town or regional boards of education, which maintains a personal data system.

(b) "Attorney" means an attorney at law empowered by a person to assert the confidentiality of or right of access to personal data under these regulations.

(c) "Authorized representative" means a parent, or a guardian or conservator, other than an attorney, appointed to act on behalf of a person and empowered by such person to assert the confidentiality of or right of access to personal data under these regulations.

(d) "Automated personal data system" means a personal data system in which data are stored, in whole or part, in a computer or in computer accessible files.

(e) "Computer accessible files" means any personal data which are stored on-line or off-line which can be identified by use of electronic means, including but not limited to microfilm and microfilm devices, which includes but is not limited to magnetic tape, magnetic film, magnetic disks, magnetic drums, internal memory utilized by any processing device, including computer or telecommunications control units, punched cards, optically scanable paper or film.

(f) "Maintain" means collect, maintain, use or disseminate.

(g) "Manual personal data system" means a personal data system other than an automated personal data system.

(h) "Person" means an individual of any age concerning whom personal data is maintained in a personal data system, or a person's attorney or authorized representative.

(i) "Personal data" means any information about a person's education, finances, medical or emotional condition or history, employment or business history, family or personal relationships, reputation or character which because of name, identifying number, mark or description can be readily associated with a particular person. "Personal data" shall not be construed to make available to a person any record described in subdivision (3) of subsection (b) of section 1-19 of the Connecticut General Statutes.

(j) "Personal data system" means a collection of records containing personal data.

(k) "Record" means any collection of personal data, defined in subsection (i) above, which is collected, maintained or disseminated.

(l) "Category of personal data" means the classifications of personal information set forth in subsection (i) above.

(m) "Other Data" means any information which because of name, identifying number, mark or description can be readily associated with a particular person.

(n) "Board" means the Board of Governors for Higher Education as established by Section 10a-2 of the General Statutes and, where applicable, its predecessor agencies.

(o) "Department" means the Commissioner and the Department of Higher Education as described in the General Statutes, specifically Section 10a-5.

(p) "Commissioner" means the Commissioner of Higher Education as described in the General Statutes, specifically Section 10a-5.

(Effective July 21, 1986)

Sec. 10a-6-3. Location of systems
Latest version.

All personal data systems operated or maintained by the Board or Department are located at the Board's official address, which is 61 Woodland Street, Hartford, Connecticut 06105.

(Effective July 21, 1986)

Sec. 10a-6-4. Responsible official
Latest version.

The Commissioner of Higher Education is the responsible official for Board and Department personal data systems. All requests for disclosure or amendment of such records by the individual to whom the data pertains should be directed to the Commissioner at the address specified in Section 3.

(Effective July 21, 1986)

Sec. 10a-6-5. Personal data systems
Latest version.

The Board of Governors for Higher Education and the Department of Higher Education maintain eight (8) personal data systems, the general nature and purposes of which are specified in subsections (a) through (h) below. In accordance with the Attorney General Standards, the following information is provided for each personal data system: (1) Name of system; (2) Type of system (automated, manual or combination of both); (3) Purpose of system; (4) Routine sources of data for system; (5) Legal authority to collect, maintain and use personal data in system; (6) Categories of personal data maintained; (7) Categories of other data maintained; (8) Categories of persons on whom records are maintained, (9) Routine use of records, including types of users and purpose of use; and (10) Retention schedule adopted pursuant to Section 11-8a of the General Statutes, if applicable.

The eight systems are:

(a)

1. Name: STUDENT FILE

2. Type: Automated

3. Purpose: To allow the Board of Governors to meet the requirements of Section 10a-9 of the General Statutes to develop a comprehensive management information system for planning and budget purposes. This system will support the research necessary to assess programmatic, financial, demographic, academic and other trends necessary to effectively coordinate higher education in Connecticut.

4. Source of Data: Data collected by institutions within the state system of higher education and transmitted to the Department of Higher Education.

5. Legal Authority: Section 10a-9 of the General Statutes.

6. Categories of Personal Data: Education, including semester standing, degrees earned, registration date, institutions attended, residential status, general credits earned, remedial credits earned, extension credits earned, credits transferred, program of study, major, level of study, degree sought, date of high school graduation, high school rank and SAT scores; Finances, including type of tuition paid (instate, out-of-state, general fund, extension fund) and financial aid received (type and amount); and whether or not a student has a graduate assistantship.

7. Categories of Other Data: Social security number; gender; racial/ethnic origin; date of birth; permanent address and current address.

8. Category of Person: Undergraduate and graduate students attending or who have attended institutions within the state system of higher education.

9. Use of Records: This system is routinely used by the research and budget staffs to generate descriptive statistical reports to support budget development, academic program review and legislative initiatives. It also allows for students to be tracked through college, thus providing greater understanding of transfer trends, dropout and reentry patterns and longitudinal changes in student choice.

10. Retention Schedule: For ten years, or for the period of time required by applicable state retention schedules, whichever is longer.

(b)

1. Name: STATE SCHOLASTIC ACHIEVEMENT GRANT FINANCIAL AID FILE (SSAG)

2. Type: Automated

3. Purpose of System: To assist the Department of Higher Education in administering the SSAG program. This program provides to Connecticut resident high school seniors or graduates, scholarships based on need and previous high school academic achievement or performance on standardized academic aptitude tests.

4. Source of Data: Data provided by students on their application or by the College Scholarship Service based upon data supplied to them by the student and authorized by the student to be transferred to the Department.

5. Legal Authority: Sections 10a-169 and 10a-170 of the General Statutes.

6. Categories of Personal Data: Education, including high school attended, graduation date, class rank, class size, SAT scores, college attended, type and address; finances, including, family income, possible family contribution to college costs and level of award.

7. Categories of Other Data: Name, address and social security number.

8. Category of Person: Data collected only on those high school students who apply to or continue in the SSAG program.

9. Use of Records: Records are used by the Student Financial Aid Division to select SSAG recipients and to monitor the program.

10. Retention Schedule: In accordance with applicable state retention schedules.

(c)

1. Name: TEACHER INCENTIVE LOAN PROGRAM FINANCIAL FILE (TILP)

2. Type: Automated

3. Purpose: To aid the Department in administering the TILP program. TILP is a program which provides academic loans to students who enroll in teacher education programs and plan to teach in disciplines where there is a declared shortage of teachers. Students who become teachers in shortage areas in Connecticut have a portion of their loans forgiven for each year of service to the state. This system allows the Department to screen applicants, select award recipients, monitor student status and track loan repayment should a student decide not to teach.

4. Source of Data: Information provided by students on application form and follow-up verification forms.

5. Legal Authority: Section 10a-163 to 10a-163a inclusive of the General Statutes as amended by Public Act 85-479.

6. Categories of Personal Data: Education, including college name, type and location, level of study and major; Finances, including amount of loan awarded, interest rate, forgiveness provisions, repayment activity and loan deferments; Family, including parental names, addresses and telephone numbers; Employment, including school of employment if teaching, grade level taught, name of superintendent, employer address and telephone number.

7. Categories of Other Data: Name, social security number, date of birth and permanent address.

8. Category of Person: Data collected only on high school students, undergraduates, or graduate students who apply for TILP loans.

9. Use of Records: Records are used by the Student Financial Aid Division to determine award recipients, payback provisions and to monitor student progress.

10. Retention Schedule: In accordance with applicable state retention schedules.

(d)

1. Name: EDUCATION LOANS TO ENCOURAGE EXCELLENCE IN TEACHING FINANCIAL AID FILE (ELEET)

2. Type: Automated

3. Purpose: To aid the Department in administering the ELEET program. ELEET is a program which provides academic loans to students of higher academic ability who enroll in teacher education programs. Students who subsequently teach in Connecticut have a portion of their loan forgiven for each year of service rendered. This system allows the Department to screen applicants, select award recipients, monitor student status and track loan repayments should a student decide not to teach.

4. Source of Data: Information provided by students on application and renewal form.

5. Legal Authority: Section 10a-170e to 10a-170m inclusive of the General Statutes as amended by Public Act 85-479.

6. Categories of Personal Data: Education, including college name, type and location, level of study, major, high school attended, class rank and SAT scores; Finances, including amount of loan awarded, interest rate, forgiveness provisions, repayment activity, loan deferments and family contribution; Family, including parental names, addresses and telephone numbers; Employment, including school of employment if teaching, grade level taught, name of superintendent, employer address and telephone number.

7. Categories of Other Data: Name, social security number, date of birth and permanent address.

8. Category of Person: Data collected only on high school students or undergraduates who apply for an ELEET loan.

9. Use of Records: Records are used by the Student Financial Aid Division to determine award recipients, payback provisions and to monitor student progress.

10. Retention Schedule: In accordance with applicable state retention schedules.

(e)

1. Name: STUDENT TRANSCRIPTS FROM DEFUNCT INSTITUTIONS

2. Type: Automated (Microfiche)

3. Purpose: To maintain transcripts of students who attended Connecticut institutions of higher education which ceased to exist after September 1, 1969.

4. Source of Data: Institutions which cease to operate.

5. Legal Authority: Section 10a-6a-(17) of the General Statutes.

6. Categories of Personal Data: Education, including school name, level of study, grade and credits earned by course by semester.

7. Categories of Other Data: Student name, address, date of birth and social security number.

8. Category of Person: Any student who has attended a Connecticut institution which no longer operates.

9. Use of Records: Records can be released only to the student or to a person or organization which receives written authority from the student to receive the record.

10. Retention Schedule: In accordance with applicable state retention schedules.

(f)

1. Name: DEPARTMENT OF HIGHER EDUCATION TIME AND ATTENDANCE FILE

2. Type: Automated

3. Purpose: To assist the Department in carrying out its business functions of payroll, budgeting and evaluation.

4. Source of Data: Bi-weekly attendance sheets completed and signed by all employees.

5. Legal Authority: Section 10a-5 of the General Statutes.

6. Categories of Personal Data: Employment, including vacation, sick and personal days accrued and utilized.

7. Categories of Other Data: Name, social security number and employee number.

8. Category of Person: All classified and unclassified employees of the Department.

9. Use of Records: Records are used by the Business Office staff to plan payroll, calculate budgets and to provide staff with monthly summaries of attendance.

10. Retention Schedule: In accordance with applicable state retention schedules.

(g)

1. Name: DEPARTMENT OF HIGHER EDUCATION PERSONNEL FILE

2. Type: Manual at the Department Level, Automated within the Comptroller's Office.

3. Purpose: To assist the Department in carrying out its business functions of payroll, budgeting and evaluation.

4. Sources of Data: Contracts and other forms completed by the employees.

5. Legal Authority: Section 10a-5 of the General Statutes.

6. Categories of Personal Data: Financial, including salary, longevity payments, compensation plan, and payroll deductions; Employment, including starting date, title and previous state service.

7. Catetories of Other Data: Name, address, social security number, telephone number, date of birth, designation if a veteran, racial/ethnic designation and designation if handicapped.

8. Category of Person: All classified and unclassified employees of the Department.

9. Use of Records: Records are used by the Business Office staff to plan payroll and to calculate budget.

10. Retention Schedule: In accordance with applicable state retention schedules.

(h)

1. Name: DEPARTMENT OF HIGHER EDUCATION EMPLOYEE APPRAISAL FILE

2. Type: Manual

3. Purpose: To maintain records regarding employee performance.

4. Source of Data: Supervisor's employee appraisals.

5. Legal Authority: Section 10a-5 of the General Statutes.

6. Categories of Personal Data: Employment history.

7. Categories of Other Data: Name

8. Category of Person: All classified and unclassified employees of the Department.

9. Use of Records: Records are used as part of salary decisions.

10. Retention Schedule: In accordance with applicable state retention schedules.

(Effective July 21, 1986)

Sec. 10a-6-6. Relevance, accuracy of data and waiver of access
Latest version.

(a) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Department. Where the Department finds irrelevant or unnecessary public records in its possession, it shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Section 11-8a of the Connecticut General Statutes, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Section 11-8a of the General Statutes.

(b) The Department will collect and maintain all records with accurateness and completeness. Insofar as it is consistent with the needs and mission of the Department, the Department, wherever practical, shall collect personal data directly from the person to whom a record pertains.

(c) Any waiver of access given by an affected individual to a constituent unit of the state system of higher education or institution therein pursuant to state or federal law, also shall waive the right of access to the same records held by the Department.

(Effective July 21, 1986)

Sec. 10a-6-7. Internal distribution of policy
Latest version.

Department employees involved in the operations of personal data systems will be informed of the provisions of the (a) personal data act, (b) the Department's regulations adopted pursuant to Section 4-196 of the General Statutes, (c) the Freedom of Information Act and (d) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Department.

(Effective July 21, 1986)

Sec. 10a-6-8. Protection of data
Latest version.

All Department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.

(Effective July 21, 1986)

Sec. 10a-6-9. Incorporation into agency contracts
Latest version.

The Department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the Department or on its behalf.

(Effective July 21, 1986)

Sec. 10a-6-10. Unnecessary duplication
Latest version.

The Department will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."

(Effective July 21, 1986)

Sec. 10a-6-11. Protecting records
Latest version.

(a) The Department will insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.

(b) With respect to automated personal data systems:

(1) The Department shall, to the greatest extent practical, locate automated equipment and records in a limited access area;

(2) To the greatest extent practical, the Department shall require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.

(3) The Department, to the greatest extent practical, will insure that regular access to automated equipment is limited to operations personnel.

(4) The Department shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.

(Effective July 21, 1986)

Sec. 10a-6-12. Disclosure of personal data
Latest version.

The Department shall not disclose to the public personal records of a confidential or private nature except as allowable under state and federal law.

(a) Within four business days of receipt of a written request therefor, the Department shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the Department maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.

(b) Except where nondisclosure is required or specifically permitted by law, the Department shall disclose to any individual upon written request all personal data concerning that individual which are maintained by the Department. The procedures for disclosure shall be in accordance with Connecticut General Statutes Section 1-15 through 1-21k. If the personal data are maintained in coded form, the Department shall transcribe the data into a commonly understandable form before disclosure.

(c) The Department is responsible for verifying the identity of any person requesting access to his/her own personal data.

(d) The Department is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.

(e) The Department may refuse, unless prohibited under the Buckley Amendment (34 C.F.R., Sec. 99.21), to disclose to a person medical, psychiatric or psychological data pertaining to that person if the agency determines that such disclosure would be detrimental to that person. In any case, where the Department refuses disclosure, it shall advise that person of his/her right to seek judicial relief pursuant to the Personal Data Act.

(f) Unless covered by the Buckley Amendment (34 C.F.R., Sec. 99.21), if the Department refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the Department shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the Department shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the Department shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.

(g) The Department shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason for each such disclosure or access. This log must be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.

(Effective July 21, 1986)

Sec. 10a-6-13. Procedures for contesting the content of personal data records
Latest version.

(a) Any person who believes that the Department is maintaining inaccurate, incomplete or irrelevant personal data concerning him/her may file a written request with the Department for correction of said personal data;

(b) Within 30 days of receipt of such request, the Department shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the Department shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to his/her personal data records and to meet with the Commissioner or the Commissioner's designee regarding the requested correction.

(c) Following a denial by the Department of a correction, the person requesting such correction shall be permitted to add a statement to his or her personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the Department's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data are disclosed.

(d) If personal data are covered by the Buckley Amendment (34 C.F.R., Sec. 99.21), the hearing requirements of the Buckley Amendment shall be applicable.

(Effective July 21, 1986)

Sec. 10a-6-14. Other provisions
Latest version.

(a) If the Department requests personal data from any other state agency it shall have an independent obligation to insure that the personal data is properly maintained.

(b) Only Department employees who have a specific need to review personal data records for lawful purposes of the Department will be entitled access to such records under the Personal Data Act.

(c) The Department will keep a written up-to-date list of individuals entitled access to each of the Department's personal data systems.

(d) When an individual is asked to supply personal data to the Department, the Department shall disclose to that individual, upon request:

(1) The name of the division within the Department requesting the personal data;

(2) The legal authority under which the Department is empowered to collect and maintain the personal data;

(3) The individual's rights pertaining to such records under the Personal Data Act and Department regulations;

(4) The known consequences arising from supplying or refusing to supply the requested personal data;

(5) The proposed use to be made of the requested personal data.

(Effective July 21, 1986)