Regulations of Connecticut State Agencies (Last Updated: June 14, 2023) |
Title 3 State Elective Officers |
SubTitle 3-11-1_3-11-33. Description of Organization—Rules of Procedure |
Sec. 3-11-29. Maintenance of personal data
(a) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Office of the Treasurer. Where the Office of the Treasurer finds irrelevant or unnecessary public records in its possession, the Department shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per Conn. Gen. Stat. Sec. 11-8a, or if the records are not disposable under the record retention schedule, request permission from the Public Records Administrator to dispose of the records under Conn. Gen. Stat. Sec. 11-8a.
(b) The Office of the Treasurer will collect and maintain all records with accurateness and completeness.
(c) Insofar as it is consistent with its needs and mission, the Office of the Treasurer, wherever practical, shall collect personal data directly from the persons to whom a record pertains.
(d) The Office of the Treasurer employees involved in the operation of the Agency's personal data systems will be informed of the provisions of (1) the Personal Data Act, (2) the Agency's regulations adopted pursuant to Sec. 4-196, (3) the Freedom of Information Act and (4) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Agency.
(e) All Office of the Treasurer employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(f) The Office of the Treasurer shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the Agency or on its behalf.
(g) When requesting personal data from any other state agency, the Office of the Treasurer shall have an independent obligation to insure that the personal data is properly maintained.
(h) Only employees who have a specific need to review personal data records for lawful purposes of the Agency shall be entitled to access to such records under the Personal Data Act.
(i) The Office of the Treasurer will keep a written up-to-date list of individuals entitled to access to each of the Agency's personal data systems.
(j) The Office of the Treasurer will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."
(k) The Office of the Treasurer will insure that all records in the manual personal data systems are kept under lock and key and, to the greatest extent practical, kept in controlled access areas.
(l) With respect to automated personal data systems the Office of the Treasurer shall:
(1) To the greatest extent practical, locate automated equipment and records in a limited access area.
(2) To the greatest extent practical, require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only.
(3) To the greatest extent practical, insure that the regular access to automated equipment is limited to operations personnel; and
(4) Utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(Effective December 28, 1993)