Conn. Agencies Regs. § 17a-451(c)-3

Current through August 9, 2024
Section 17a-451(c)-3 - Maintenance of personal data
(a) Records for each personal data system are maintained in accordance with schedules prepared by the Connecticut State Library, Department of Public Records Administration and retention schedules approved by the Public Records Administrator as authorized by Conn. Gen. Stat. Sec. 11-8a, as may be amended from time to time. Retention schedules are on file in the Personnel Office at the Office of the Commissioner and at each Department facility. They may be examined during the normal business hours, which are 8:30 a.m. to 4:30 p.m. at the Office of the Commissioner and 8:00 a.m. to 4:00 p.m. at the facilities.
(b) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Department. Where the Department finds irrelevant or unnecessary public records in its possession, the Department shall dispose of the records in accordance with its records retention schedule and with the approval of the Public Records Administrator pursuant to Conn. Gen. Stat. Sec. 11-8a, as may be amended from time to time, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Conn. Gen. Stat. Sec. 11-8a, as may be amended from time to time.
(c) The Department shall collect and maintain all records with accurateness and completeness.
(d) Insofar as it is consistent with the needs and mission of the Department, it shall, wherever practical, collect personal data directly from the person to whom a record pertains.
(e) When an individual is asked to supply personal data to the Department, the Department shall disclose to that individual, upon request:
(1) the name of the Department and division within the Department requesting the personal data;
(2) the legal authority under which the Department is empowered to collect and maintain the personal data;
(3) the individual's rights pertaining to such records under the Personal Data Act and the Department regulations;
(4) the known consequences arising from supplying or refusing to supply the requested personal data;
(5) the proposed use to be made of the requested personal data.
(f) Department employees involved in the operations of the Department's personal data systems will be informed of the provisions of the Personal Data Act and the Department's Regulations, the Freedom of Information Act and any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Department.
(g) All Department employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(h) The Department shall incorporate by reference the provisions of the Personal Data Act and Regulations promulgated thereunder in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the Department or on its behalf.
(i) The Department shall ensure that personal data requested from any other state agency is properly maintained.
(j) Only Department employees who have a specific need to review personal data records for lawful purposes of the Department will be entitled to access to such records under the Personal Data Act.
(k) The Department will keep a written up-to-date list of individuals entitled to access to each of the Department's personal data systems.
(l) The Department will ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records will be sent in envelopes or boxes sealed and marked "confidential."
(m) The Department will ensure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.
(n) Where automated personal data systems records are maintained, the Department will:
(1) to the greatest extent practical, locate automated equipment and records in a limited access area;
(2) to the greatest extent practical, require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only;
(3) to the greatest extent practical, ensure that regular access to automated equipment is limited to operations personnel;
(4) utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.

Effective March 4, 1993