Regulations of Connecticut State Agencies (Last Updated: June 14,2023) |
Title17a Social and Human Services and Resources |
SubTitle17a-581-1_17a-581-59. General Operations and Procedures |
Sec.17a-581-59. Personal data
-
(a) Definitions.
(1) The following definitions shall apply to these regulations:
(A) "Category of Personal Data" means the classifications of personal information set forth in the Personal Data Act, Connecticut General Statutes, Section 4-190 (9).
(B) "Other Data" means any other information which because of name, identifying number, mark or description can be readily associated with a particular person.
(C) "Agency" means Psychiatric Security Review Board.
(2) Terms defined in Connecticut General Statutes, Section 4-190 shall apply to Section 17a-581-59 of these regulations.
(b) General Nature and Purpose of Personal Data Systems.
(1) The Psychiatric Security Review Board maintains the following personal data systems:
(A) Acquittee records.
(i) Acquittee records are maintained under the authority of Connecticut General Statutes, Sections 17a-581 through 17a-602.
(ii) Acquittee records are maintained for the purpose of carrying out the agency responsibilities pursuant to Connecticut General Statutes, Sections 17a-580 through 17a-602.
(iii) Records are maintained in both automated and manual form.
(iv) All records are maintained at the office of the Psychiatric Security Review Board, 86 Cedar Street, Hartford, CT 06106.
(v) The Executive Director of the agency is the official responsible for maintaining the records.
(vi) The following categories of personal data may be maintained in acquittee records: medical, psychiatric, psychological, emotional condition and history, criminal history, family and personal history, finances, education and work history, court files.
(vii) The following categories of other data may be maintained in acquittee records:
(aa) Transcripts of Psychiatric Security Review Board hearings
(bb) Memoranda of Board Decisions
(cc) Counsel of record
(dd) Addresses
(viii) Routine sources of information retained in acquittee records are: the Department of Mental Health, hospitals, courts, the Department of Public Safety, State's Attorneys, Public Defenders.
(ix) Persons on whom records are maintained are acquittees as defined by Con-necticut General Statutes, Sections 17a-580 and 17a-602.
(x) All the requests for personal data shall be directed to the Executive Director of the agency at 90 Washington Street, Hartford, CT 06106.
(xi) Acquittee records are routinely used for the purposes of evidence at board hearings, to make decisions regarding the placement of acquittees, and to monitor acquittees.
Users include the employees of the Psychiatric Security Review Board, the board members, the counsel for the acquittee, State's Attorney or employees of that office and others authorized by law.
(xii) Acquittee records are retained in accordance with a records retention schedule adopted pursuant to Connecticut General Statutes, Section 11-8a, a copy of which is available from the Psychiatric Security Review Board office during normal business hours.
(B) Victim Notification Records.
(i) Victim notification records are maintained under the authority of Connecticut General Statutes, Section 17a-601.
(ii) Victim records are maintained for the purpose of carrying out agency responsibilities pursuant to Connecticut General Statutes, Section 17a-601.
(iii) Records are maintained in both automated and manual form.
(iv) All records are maintained at the office of the Psychiatric Security Review Board, 86 Cedar Street, Hartford, Connecticut 06106.
(v) The Executive Director of the agency is the official responsible for maintaining the records.
(vi) The following categories of personal data may be maintained in victim notification records: medical records, police investigation records.
(vii) The following categories of other data may be maintained in victim notification records:
(aa) Addresses
(bb) Phone numbers.
(viii) Routine sources of information retained in victim notification records are the Superior Court and State's Attorneys.
(ix) Persons on whom records are maintained are victims as defined by Connecticut General Statutes, Section 17a-601.
(x) All requests for personal data shall be directed to the Executive Director of the agency at 90 Washington Street, Hartford, CT 06106.
(xi) Victim notification records are routinely used for the purpose of notifying victims of hearings, board actions and the escape of acquittees. The users of the victim notification records are the employees of the Psychiatric Security Review Board and other persons authorized by law.
(xii) Victim notification records are retained in accordance with a records retention schedule adopted pursuant to Connecticut General Statutes, Section 11-8a, a copy of which is available from the Psychiatric Security Review office during normal business hours.
(C) Maintenance of Personal Data.
(i) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the agency. Where the agency finds irrelevant or unnecessary public records in its possession, the agency shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Connecticut General Statutes, Section 11-8a, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Connecticut General Statutes, Section 11-8a.
(ii) The agency shall collect and maintain all records with accurateness and completeness.
(iii) Insofar as it is consistent with the needs and mission of the agency, the agency, wherever practical, shall collect personal data directly from the person to whom a record pertains.
(iv) Agency employees involved in the operations of the agency's personal data systems will be informed of the provisions of:
(aa) The Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197;
(bb) The agency's regulations adopted pursuant to Connecticut General Statutes, Section 4-196;
(cc) The Freedom of Information Act, Connecticut General Statutes, Sections 1-7 through 1-21k; and
(dd) Any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the agency.
(v) All agency employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(vi) The agency shall incorporate by reference the provisions of the Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197, and regulations adopted thereunder in all contracts, agreements or licenses for the operation of personal data system or for research, evaluation and reporting of personal data for the agency or on its behalf.
(vii) The agency shall have an independent obligation to insure that personal data requested from any other agency are properly maintained.
(viii) Only agency employees or their lawful representative who have a specific need to review personal data records for lawful purposes of the agency shall be entitled to access to such records under the Personal Data Act, Connecticut General Statutes, Section 4-190 through 4-197.
(ix) The agency shall keep a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.
(x) The agency shall insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."
(xi) The agency shall insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.
(xii) With respect to automated personal data systems:
(aa) The agency shall, to the greatest extent practical, locate automated equipment and records in a limited access area.
(bb) To the greatest extent practical, the agency shall require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.
(cc) The agency, to the greatest extent practical, shall insure that regular access to automated equipment is limited to the operations personnel.
(dd) The agency shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(D) Disclosure of Personal Data.
(i) Within four business days of receipt of a written request therefore, the agency shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the agency maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.
(ii) Except where nondisclosure is required or specifically permitted by law, the agency shall disclose to any person upon written request all personal data concerning that individual which is maintained by the agency. The procedures for disclosure shall be in accordance with Connecticut General Statutes, Sections 1-15 through 1-21k. If the personal data is maintained in coded form, the agency shall transcribe the data into a commonly understandable form before the disclosure.
(iii) The agency is responsible for verifying the identity of any person requesting access to his/her own personal data.
(iv) The agency is responsible for ensuring that disclosure made pursuant to the Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197, is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.
(v) The agency may refuse to disclose to a person medical, psychiatric or psychological data on the person if the agency determines that such disclosure would be detrimental to that person.
(vi) In any case where the agency refuses disclosure, it shall advise that person of his/her right to seek judicial relief pursuant to the Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197.
(vii) If the agency refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the agency shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the agency shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the agency shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197.
(viii) The agency shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data, together with the reason for each such disclosure or access. This log shall be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.
(ix) When an individual is asked to supply personal data to the agency, the agency shall disclose to that individual, upon request:
(aa) The name of the agency and division within the agency requesting the personal data;
(bb) The legal authority under which the agency is empowered to collect and maintain the personal data;
(cc) The individual's rights pertaining to such records under the Personal Data Act, Connecticut General Statutes, Sections 4-190 through 4-197, and agency regulations;
(dd) The known consequences arising from supplying or refusing to supply the requested personal data; and
(ee) The proposed use to be made of the requested personal data.
(E) Contesting the Content of Personal Data Records.
(i) Any person who believes that the agency is maintaining inaccurate, incomplete or irrelevant personal data concerning him/her may file a written request with the agency for correction of said Personal data.
(ii) Within 30 days of receipt of such request, the agency shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the agency shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to his/her personal data records.
(iii) Following such denial by the agency, the person requesting such correction shall be permitted to add a statement to his or her personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the agency's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.
(Effective July 2, 1993)