Section 19a-401-30 - Maintenance of personal data(a) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the Office. Where the Office finds irrelevant or unnecessary public records in its possession, the Office shall dispose of the records in accordance with its record retention schedule and with the approval of the Public Records Administrator as per section 11-8a of the Connecticut General Statutes, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under section 11-8a of the Connecticut General Statutes.(b) The Office shall collect and maintain all records with accurateness and completeness.(c) Office employees involved in the operations of the Office's personal data systems shall be informed of the provisions of: (1) the Personal Data Act; (2) the commission's regulations adopted pursuant to section 4-196 of the Connecticut General Statutes; (3) the Freedom of Information Act and (4) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Office.(d) All Office employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disasters and other physical threats.(e) The Office shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for operation of a personal data system or for research, evaluation and reporting of personal data for the Office or on its behalf.(f) The Office shall insure that personal data requested and received from any other agency is maintained in conformance with the Personal Data Act.(g) Only Office employees who have a specific need to review personal data records for lawful purposes of the Office shall be entitled to access to such records under the Personal Data Act.(h) The Office shall insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.(i) With respect to automated personal data systems, the Office shall: (1) to the greatest extent practical, locate automated equipment and records in a limited access area;(2) to the greatest extent practical, require visitors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only;(3) to the greatest extent practical, insure that regular access to automated equipment is limited to operations personnel;(4) utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.(j) Records for each personal data system are maintained in accordance with schedules prepared by the Connecticut State Library, Department of Public Records Administration and records retention schedule as approved by the Public Records Administrator as authorized by section 11-8a of the Connecticut General Statutes. Retention schedules shall be maintained on file at the Office and may be examined during normal business hours.Conn. Agencies Regs. § 19a-401-30
Adopted effective February 2, 2004