Sec.4-23b-4. Maintenance of personal data  


    (a) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Department of Administrative Services. All records will be maintained in accordance with the approved records retention schedule on file.

    (b) All records will be collected and maintained with a maximum of accuracy and completeness.

    (c) Insofar as it is consistent with the needs and mission of the Department, each Bureau shall collect personal data from authorized sources or directly from the person to whom a record pertains.

    (d) All Department of Administrative Services employees involved in the operation of any data system requiring personal data will be informed of the provisions of the Personal Data Act, any regulations adopted pursuant to Section 4-196, CGS, the basic principles of the Freedom of Information Act and any other state or federal statutes or regulations pertaining to the maintenance or disclosure of personal data kept by the particular Bureau to which the employee is assigned.

    (e) All Department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.

    (f) The Department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the Department or on its behalf.

    (g) Each Bureau of the Department, when requesting and receiving personal data from other agencies, shall maintain an independent obligation to insure that the personal data is properly maintained.

    (h) Only employees of each Bureau of the Department who have a specific need to review personal data records for lawful purposes of their Bureau will be entitled to access to such records under the Personal Data Act.

    (i) Each Bureau will keep a written up-to-date list of individuals entitled to access to each of that Bureau's personal data systems.

    (j) The Department will insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through Interdepartmental mail such records will be sent in sealed envelopes or boxes marked "Confidential."

    (k) Each Bureau of the Department will insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.

    (l) Where automated personal data systems are maintained each Bureau of the Department will:

    (1) To the greatest extent practical, locate automated equipment and records in a limited access area.

    (2) To the greatest extent practical, require visitors to such area to sign a visitor's log and to permit access to said area on a bona-fide need-to-enter basis only.

    (3) To the greatest extent practical, insure that regular access to automated equipment is limited to operations personnel.

    (4) Utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.

(Effective December 4, 1986)