Regulations of Connecticut State Agencies (Last Updated: June 14, 2023)
Title 38a. Insurance Department
SubTitle 38a-8-1_38a-8-126. Organization and Rules of Practice
Sec. 38a-8-76. Personal data
(a) Definitions
The following definitions shall apply to this section:
(1) "Other data" means any information, other than personal data, which because of name, identification number, mark or description can be readily associated with a particular person.
(2) "Licensee" means individuals licensed by the Insurance Commissioner as producers, public adjusters, temporary agents, casualty claim adjusters, surplus lines brokers, fraternal agents, motor vehicle physical damage appraisers, and certified insurance consultants.
(3) Terms defined in section 4-190 of the Connecticut General Statutes shall apply to this section.
(b) General Nature and Purpose of Personal Data
(1) The Insurance Department maintains the following personal data system:
(A) Personnel Records.
(i) All personnel records are maintained at the Insurance Department, 153 Market Street, Hartford, Connecticut.
(ii) Personnel records are maintained in both automated and manual form.
(iii) Personnel records are maintained for the purpose of retaining payroll, health discipline and related personnel information concerning Insurance Department employees.
(iv) Personnel records are the responsibility of the Human Resources Director of the Insurance Department, 153 Market Street, Hartford, Connecticut. All requests for disclosure or amendment of these records shall be directed to the Human Resources Director.
(v) Routine sources for information retained in personnel records include the employee, previous employers of the employee, references provided by the applicants, the employee's supervisor, the Comptroller's Office, Department of Administrative Services, Division of Personnel and Labor Relations, and State insurance carriers.
(vi) Personal data in personnel records are maintained under authority of the State Personnel Act, sections 5-193 et seq. of the Connecticut General Statutes.
(B) License Records.
(i) License records for licensees are maintained in the Market Conduct/Fraud Investigations and Licensing Division, 153 Market Street, Hartford, Connecticut.
(ii) License records are maintained in both automated and manual form.
(iii) License records are maintained for the purpose of determining the qualifications of applicants and the continued suitability of licensees.
(iv) Licensee records are maintained with the Director of the Market Conduct/Fraud Investigations and Licensing Division, 153 Market Street, Hartford, Connecticut. All requests for disclosure or amendment of these records shall be directed to the Director.
(v) Routine sources of information retained in license records include license application, financial, employment, criminal history and other personal background data and information secured and maintained by the Insurance Department for individuals licensed by the department.
(c) Categories of Personal Data
(1) Personnel Records
(A) The following categories of personal data may be maintained in personnel records:
(i) Educational records.
(ii) Medical or emotional condition or history.
(iii) Employment or business history.
(iv) Other reference records.
(B) The following categories of other data may be maintained in personnel records:
(i) Addresses.
(ii) Marital status.
(iii) Telephone numbers.
(C) Personnel records are maintained on employees of the Insurance Department and applicants for employment with the Insurance Department.
(2) Licensee Records
(A) The following categories of personal data may be maintained in license records of licensees.
(i) Educational records.
(ii) Medical or emotional condition or history.
(iii) Employment or business history.
(iv) Criminal records.
(v) Police investigation records.
(vi) Investigative records from other jurisdictions.
(vii) Other reference records.
(B) The following categories of other data may be maintained in license records:
(i) Application records.
(ii) Renewal records.
(iii) Removal records.
(iv) Records of administrative action.
(v) Addresses.
(vi) Marital status.
(vii) Social security number.
(viii) Telephone numbers.
(C) License records are maintained on applicants for and holders of licenses to act as an insurance agent, an insurance broker, a public adjuster, a temporary agent, a casualty claim adjuster, an excess line broker, a fraternal agent, a motor vehicle physical damage appraiser, and a certified insurance consultant.
(d) Maintenance of Personal Data
(1) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the Insurance Department. Where the Insurance Department finds irrelevant or unnecessary public records in its possession, the department shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator as per section 11-8a of the Connecticut General Statutes, or if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under section 11-8a of the Connecticut General Statutes.
(2) The Insurance Department shall collect and maintain all records with accurateness and completeness.
(3) Insofar as it is consistent with the needs and mission of the Insurance Department, the department wherever practical, shall collect personal data directly from the persons to whom a record pertains.
(4) Insurance Department employees involved in the operation of the department's personal data systems shall be informed of the provisions of the (A) Personal Data Act, (B) the department's regulations adopted pursuant to section 4-196 of the Connecticut General Statutes, (C) the Freedom of Information Act and (D) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the department.
(5) All Insurance Department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(6) The Insurance Department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the department or on its behalf.
(7) An agency requesting personal data from any other state agency shall have an independent obligation to ensure that the personal data is properly maintained.
(8) Only Insurance Department employees who have a specific need to review personal data records for lawful purposes of the department shall be entitled to access to such records under the Personal Data Act.
(9) The Insurance Department shall keep a written up-to-date list of individuals entitled to access to each of the department's personal data systems.
(10) The Insurance Department shall ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records shall be sent in envelopes or boxes sealed and marked "confidential."
(11) The Insurance Department shall ensure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practicable, are kept in controlled access areas.
(12) With respect to the automated personal data system:
(A) The Insurance Department shall, to the greatest extent practicable, locate automated equipment and records in a limited access area.
(B) To the greatest extent practicable, the Insurance Department shall require visitors to such area to sign a visitor's log and permit access to said area on a bonafide need-to-enter basis only.
(C) The Insurance Department, to the greatest extent practicable, shall ensure that the regular access to automated equipment is limited to operations personnel.
(D) The Insurance Department shall utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.
(e) Disclosure of Personal Data
(1) Not later than four business days after it receives a written request for personal data, the Insurance Department shall mail or deliver to the requesting individual a written response in plain language, informing that individual as to whether or not the department maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.
(2) Except where nondisclosure is required or specifically permitted by law, the Insurance Department shall disclose to any person upon written request all personal data concerning that individual which is maintained by the department. The procedures for disclosure shall be in accordance with section 1-16 through section 1-18 of the Connecticut General Statutes, and sections 1-200, 1-202, 1-205, 1-206, 1-210 through 1-217, 1-225 through 1-232, 1-240, and 1-241 of the Connecticut General Statutes. If the personal data is maintained in coded form, the department shall transcribe the data into a commonly understandable form before disclosure.
(3) The Insurance Department is responsible for verifying the identity of any person requesting access to such person's own personal data.
(4) The Insurance Department is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.
(5) The Insurance Department may refuse to disclose to a person medical, psychiatric or psychological data on that person if the agency determines that such disclosure would be detrimental to that person.
(6) In any case where the Insurance Department refuses to make a disclosure, it shall advise that person of that person's right to seek judicial relief pursuant to the Personal Data Act.
(7) If the Insurance Department refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and non-disclosure is not mandated by law, the department shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the medical doctor, the department shall disclose the personal data to such person; if nondisclosure is recommended by such medical doctor, the department shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.
(8) The Insurance Department shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason for each such disclosure or access. This log shall be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.
(f) Contesting the Content of Personal Data Records
(1) Any person who believes that the Insurance Department is maintaining inaccurate, incomplete or irrelevant personal data concerning such person may file a written request with the department for correction of said personal data.
(2) Not later than thirty days after it receives such written request, the Insurance Department shall give written notice to that person that it will make the requested correction, or if the correction is not to be made as submitted, the department shall state the reason for its denial of such request and notify the person of his/her right to add his/her own statement to such person's personal data records.
(3) Following such denial by the Insurance Department, the person requesting such correction shall be permitted to add a statement to such person's personal data records setting forth what that person believes to be an accurate, complete and relevant version of the personal data in question. Such statements shall become a permanent part of the department's personal data system and shall be disclosed to any individual, agency or organization to which the disputed data is disclosed.
(g) Uses To Be Made of the Personal Data
(1) Personnel Records
(A) Personnel records are routinely used for evaluating the qualifications of employment applicants and the work performance of employees of the Insurance Department. Users include state officers and employees with responsibility for evaluating the work performance of employees of the department, and others where permitted or required by law.
(B) The Insurance Department retains personnel records according to guidelines published by the Public Records Administrator, Connecticut State Library.
(2) License Records
(A) License records of individuals are routinely used for evaluating the suitability of applicants and the continued suitability of licensees. Users include all officers and employees of the department, police authorities and others where permitted or required by law.
(B) The Insurance Department retains licensee records according to guidelines published by the Public Records Administrator, Connecticut State Library.
(3) When an individual is asked to supply personal data to the Insurance Department the department shall disclose to that individual, upon request:
(A) The name of the Department and division within the department requesting the personal data;
(B) The legal authority under which the department is empowered to collect and maintain the personal data;
(C) The individual's rights pertaining to such records under the Personal Data Act and agency regulations;
(D) The known consequences arising from supplying or refusing to supply the requested personal data;
(E) The proposed use to be made of the requested personal data.
(Effective September 25, 1992; Amended September 9, 2013; Amended April 6, 2018)