Regulations of Connecticut State Agencies (Last Updated: June 14, 2023)
Title 19a Public Health and Well-being
SubTitle 19a-2a-1_19a-2a-29. Personal Data
Sec. 19a-2a-23. Maintenance of personal data
(a) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the department. Where the department finds irrelevant or unnecessary public records in its possession, it shall dispose of these records in accordance with its records retention schedule and with the approval of the public records administrator as per Connecticut General Statutes section 11-8a, or if the records are not disposable under the records retention schedule, request permission from the public records administrator to dispose of the records under Connecticut General Statutes section 11-8a.
(b) The department shall collect and maintain all records accurately and completely.
(c) Insofar as it is consistent with the needs and mission of the department, the department wherever practical shall collect personal data directly from the persons to whom a record pertains.
(d) Department employees involved in the operations of the department's personal data systems shall be informed of the provisions of:
(1) the Personal Data Act, chapter 55 of the Connecticut General Statutes;
(2) the department's regulations adopted pursuant to Connecticut General Statutes section 4-196;
(3) the Freedom of Information Act, Sections 1-15 and 1-18 to 1-21l inclusive of the Connecticut General Statutes; and
(4) any other state or federal statutes or regulations concerning maintenance or disclosure of personal data kept by the department.
(e) All department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(f) The department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements, or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the department or on its behalf.
(g) The department shall ensure that personal data requested and received from any other agency is maintained in conformance with Connecticut General Statutes, Section 4-190 et seq., and sections 19a-2a-1 through 19a-2a-23 of the regulations of Connecticut State Agencies.
(h) Only department employees who have a specific need to review personal data records for lawful purposes of the department shall be entitled to access to such records under the Personal Data Act.
(i) The department shall maintain a written up-to-date list of individuals entitled to access to each of the agency's personal data systems.
(j) The department shall ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records shall be sent in envelopes or boxes sealed and marked "confidential."
(k) The department shall ensure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.
(l) With respect to automated personal data systems, the department shall:
(1) to the greatest extent practical, locate automated equipment and records in a limited access area;
(2) to the greatest extent practical, require visitors to such areas to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only;
(3) to the greatest extent practical, ensure that regular access to automated equipment is limited to operations personnel; and
(4) utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(m) When an individual is asked by the department to supply personal data about himself or herself, the department, upon request, shall disclose to that individual:
(1) the name of the division within the department requesting the personal data;
(2) the legal authority under which the department is empowered to collect and maintain the personal data;
(3) the individual's right pertaining to such records under the Personal Data Act and sections 19a-2a-1 through 19a-2a-23 of the regulations of Connecticut State Agencies;
(4) the known consequences arising from supplying or refusing to supply the requested personal data;
(5) the proposed use to be made of the requested personal data;
(6) except where non-disclosure is required or specifically permitted by law, the department shall disclose to any person upon written request all personal data concerning that individual which is maintained by the department. The department's procedures for disclosure shall be in accordance with Connecticut General Statutes, sections 1-15 through 1-21k. If the personal data is maintained in coded form, the department shall transcribe the data into a commonly understandable form before disclosure;
(7) the department is responsible for verifying the identity of any person requesting access to his or her own personal data;
(8) the department is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information;
(9) the department may refuse to disclose to a person, medical, psychiatric or psychological data on that person if the department determines that such disclosure would be detrimental to that person;
(10) in any case where the department refuses disclosure it shall advise that person of his or her right to seek judicial relief pursuant to the Personal Data Act;
(11) if the department refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and non-disclosure is not mandated by law, the department shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the department shall disclose the personal data to such person; if non-disclosure is recommended by such person's medical doctor, the department shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act; and
(12) the department shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason for each disclosure or access. This log shall be maintained for not less than five (5) years from the date of such disclosure or access or for the life of the personal data records, whichever is longer.
(n) Contesting the content of personal data records:
(1) Any person who believes that the department is maintaining inaccurate, incomplete or irrelevant personal data concerning him or her may file a written request with the department for correction of said personal data.
(2) Within thirty (30) days of receipt of such request, the official of the department who is responsible for maintaining the records, shall give written notice to that person that the department will make the requested correction, or if the correction is not to be made as submitted, the official of the department shall state the reason for the department's denial of such request and notify the person of his or her right to add his or her own statement to his or her personal data records.
(3) Following such denial by the department, the person requesting such correction shall be permitted to add a statement to his or her personal data record setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the department's personal data system and shall be disclosed to any individual, agency or organization to which the disputed personal data is disclosed.
(Adopted effective August 24, 1995)