Sec.12-562-56a. Personal data

(a) Definitions

(1) The following definitions shall apply to Section 12-562-56a of these regulations:

(A) Category of personal data. Classifications of personal information set forth in the Personal Data Act, Connecticut General Statutes Section 4-190 (9).

(B) Other data. Any information which because of name, identifying number, mark or description can be readily associated with a particular person.

(C) Division. The division of special revenue.

(D) Board. The gaming policy board.

(2) Terms defined in Connecticut General Statutes Section 4-190 shall apply to Section 12-562-56a of the Regulations of Connecticut State Agencies.

(b) General nature and purpose of personal data systems.

The gaming policy board does not maintain personal data systems. The division of special revenue maintains the following personal data systems:

(1) Personnel records.

(A) All personnel records are maintained at the offices of the division, 555 Russell Road, Newington, Connecticut.

(B) Personnel records are maintained in both automated and written or typewritten form.

(C) Personnel records are maintained for the purpose of providing a history of payroll, promotion, discipline and related personnel information concerning division employees.

(D) Personnel records are the responsibility of the executive director of the division, whose business address is division of special revenue, 555 Russell Road, Newington, Connecticut. All requests for disclosure or amendment of these records should be directed to the executive director of the division.

(E) Routine sources for information retained in personnel records are generally the employee, previous employers of the employee, references provided by applicants for employment, the employee's supervisor, the comptroller's office, department of administrative services, division of personnel and labor relations, and state insurance carriers.

(F) Personal data in personnel records are collected, maintained and used under authority of the State Personnel Act, Connecticut General Statutes Section 5-193 et seq.

(2) Retirement system participant records.

(A) Participant records are maintained at the offices of the division, 555 Russell Road, Newington, Connecticut.

(B) Participant records are maintained in both automated and written or typewritten form.

(C) Participant records are maintained for the purpose of determining the eligibility for and the amount of benefit payments to be made to participants and beneficiaries.

(D) Participant records are maintained with the executive director of the division, 555 Russell Road, Newington, Connecticut. All requests for disclosure or amendment of these records should be directed to the executive director of the division.

(E) Routine sources of information retained in participant records are generally the participant and current and previous employers of the participant.

(F) Personal data in retirement system participant records are collected and maintained and used under authority of Connecticut General Statutes Section 5-152 et seq.

(3) Licensing and integrity assurance records.

(A) Licensing and integrity assurance records are maintained at the division, 555 Russell Road, Newington, Connecticut.

(B) Licensing and integrity assurance records are maintained in both automated and written or typewritten form.

(C) Licensing and integrity assurance records are maintained for the purpose of enabling the division to discharge its regulatory responsibilities relative to licensing and to assuring the integrity of pari-mutuel operations, lottery, charitable games and native american casino operations.

(D) Licensing and integrity assurance records are the responsibility of the executive director of the division, 555 Russell Road, Newington, Connecticut. All requests for disclosure or amendment of licensing and integrity assurance records should be directed to the executive director of the division.

(E) Routine sources of information retained in licensing and integrity assurance records are generally the license applicants, licensees, and pari-mutuel and lottery winners.

(F) Licensing and integrity assurance records are collected, maintained and used under authority of Chapters 226, 226b, 229a and 98 of the Connecticut General Statutes.

(c) Categories of personal data.

(1) Personnel records.

(A) The following categories of personal data are maintained in personnel records:

(i) Educational records.

(ii) Medical or emotional condition or history.

(iii) Employment records or business history.

(iv) Other reference records.

(B) The following categories of other data may be maintained in personnel records:

(i) Addresses.

(ii) Telephone numbers.

(C) Personnel records are maintained on employees of the division.

(2) Retirement system participant records.

(A) The following categories of personal data are maintained in retirement system participant records:

(i) Educational records.

(ii) Medical or emotional condition or history.

(iii) Employment records.

(iv) Salary records.

(v) Contributions records.

(vi) Income tax withholding information.

(vii) Social security number.

(B) The following categories of other data may be maintained in retirement system participant records:

(i) Addresses.

(ii) Marital status.

(iii) Retirement system membership number.

(iv) Telephone numbers.

(v) Date of birth.

(C) Retirement system participant records are maintained on current and former division employees.

(3) Licensing and integrity assurance records. Such records are primarily related to licensing and pari-mutuel and lottery winnings.

(A) The following categories of personal data related to licensing are maintained in licensing and integrity assurance records:

(i) Social security or federal identification number.

(ii) Family and military information.

(iii) Employment and business history.

(iv) Financial statements and tax returns.

(v) Miscellaneous financial information, i.e., bank accounts, safe deposit boxes, securities, liabilities, etc.

(B) The following categories of personal data related to pari-mutuel and lottery winnings are maintained to enable the division to meet internal revenue service reporting and withholding requirements, and for providing historical payment files for annuity winners, including, but not limited to:

(i) Names.

(ii) Addresses.

(iii) Social security numbers.

(iv) Amounts won.

(v) Amounts withheld.

(vi) Transaction numbers.

(vii) Types of wagers.

(viii) Payment histories.

(C) The following categories of other data may be maintained in licensing and integrity assurance records:

(i) Name.

(ii) Address.

(iii) Telephone number.

(iv) Marital status.

(d) Maintenance of personal data—general.

(1) Personal data will not be maintained by the division of special revenue unless relevant and necessary to accomplish the lawful purposes of the agency. Where the agency finds irrelevant or unnecessary public records in its possession, the agency shall dispose of the records in accordance with its records retention schedule and with the approval of the public records administrator as per Connecticut General Statutes Section 11-8a, or if the records are not disposable under the records retention schedule, request permission from the public records administrator to dispose of the records under Connecticut General Statutes Section 11-8a.

(2) The division shall collect and maintain all records accurately and completely.

(3) Insofar as it is consistent with the needs and mission of the division, the division, wherever practical, shall collect personal data directly from the persons to whom a record pertains.

(4) Employees of the division involved in the operations of the agency's personal data systems will be informed of the provisions of (A) the Personal Data Act, (B) the agency's regulations adopted pursuant to Section 4-196, (C) the Freedom of Information Act and (D) any other state or federal statute or regulation concerning maintenance or disclosure of personal data kept by the agency.

(5) All employees of the division shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.

(6) The division shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the agency or on its behalf.

(7) The division shall have an independent obligation to insure that personal data requested from any other state agency is properly maintained.

(8) Only employees of the division who have a specific need to review personal data records for lawful purposes of the agency will be entitled to access to such records under the Personal Data Act.

(9) The division will keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.

(10) The division will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartment mail, such records will be sent in envelopes or boxes sealed and marked "confidential."

(11) The division will insure that all records in written or typewritten personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.

(e) Maintenance of personal data—automated systems.

(1) To the greatest extent practical, automated equipment and records shall be located in a limited access area.

(2) To the greatest extent practical, the division of special revenue shall require visitors to such limited access area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.

(3) To the greatest extent practical, the division of special revenue will insure that regular access to automated equipment is limited to operations personnel.

(4) The division shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.

(f) Maintenance of personal data—disclosure.

(1) Within four business days of receipt of a written request therefor, the division shall mail or deliver to the requesting individual, a written response in plain language, informing him as to whether or not the division maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.

(2) Except where nondisclosure is required or specifically permitted by law, the division shall disclose to any person upon written request, all personal data concerning that individual which is maintained by the division. The procedures for disclosure shall be in accordance with Connecticut General Statutes Sections 1-15 through 1-21k, inclusive. If the personal data is maintained in coded form, the division shall transcribe the data into a commonly understandable form before disclosure.

(3) The division is responsible for verifying the identity of any person requesting access to his own personal data.

(4) The division is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.

(5) The division may refuse to disclose to a person medical, psychiatric or psychological data relating to that person if the division determines that such disclosure would be detrimental to him.

(6) In any case where the division refuses disclosure, it shall advise that person of his right to seek judicial relief pursuant to the Personal Data Act.

(7) If the division refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the division shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's records to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the division shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the division shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.

(8) The division shall maintain a complete log of each person, individual, agency or organization which has obtained access to, or whom disclosure has been made of, personal data under the Personal Data Act, together with the reason for each such disclosure or access. This log must be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.

(g) Contesting the content of personal data records.

(1) Any person who believes that the division is maintaining inaccurate, incomplete or irrelevant personal data concerning him may file a written request with the division for correction of said personal data.

(2) Within 30 days of receipt of such request, the division shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the division shall state the reason for its denial of such request and notify the person of his right to add his own statement to his personal data records.

(3) Following such denial by the division, the person requesting such correction shall be permitted to add a statement to his personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the division's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.

(h) Uses to be made of the personal data.

(1) Personnel records.

(A) Employees of the division who are assigned personnel and payroll responsibilities use the personal data contained in the division's personnel records in processing promotions, reclassifications, transfers to another agency, retirement, and other personnel actions. Supervisors use the personal data when promotion, career counseling, or disciplinary action against such employee is contemplated, and for other employment-related purposes.

(B) Personnel records are retained in accordance with a records retention schedule adopted pursuant to Connecticut General Statutes Section 11-8a, a copy of which is available at division offices.

(2) Retirement system participant records.

(A) Retirement system participant records are used for the preparation of retirement applications and longevity payrolls.

(B) Retirement system participant records are retained in accordance with a records retention schedule adopted pursuant to Connecticut General Statutes Section 11-8a, a copy of which is available at division offices.

(3) Licensing and integrity assurance records.

(A) Licensing and integrity assurance records are maintained for the purposes of determining the qualifications of license applicants and the continued suitability of licensees.

(B) Licensing and integrity assurance records are retained in accordance with a records retention schedule adopted pursuant to Connecticut General Statutes Section 11-8a, a copy of which is available at division offices.

(4) When an individual is asked to supply personal data to the division, the division shall disclose to that individual, upon request, the name of the agency and the division or unit within the agency which is requesting the data, the legal authority under which the agency is empowered to collect and maintain the personal data, the individual's rights pertaining to such records under the Personal Data Act and the agency's regulations, the known consequences arising from supplying or refusing to supply the requested personal data, and the proposed use to be made of the requested personal data.