803 CMR, § 9.08

Current through Register 1533, October 25, 2024
Section 9.08 - Responsibilities of Authenticated User Agencies
(1) Each authenticated user agency shall draft and enforce a VNR policy that shall include, at a minimum, provisions for the following:
(a) guidelines for agency employees who may have authorized access to VNR data;
(b) procedures regarding registration of VNR applicants;
(c) procedures regarding notification of registered individuals;
(d) procedures to ensure the confidentiality of information contained in the VNR; and
(e) procedures regarding the cancellation of individual accounts.
(2) Authenticated user agencies shall determine which agency employees are granted access to the VNR.
(3) All authenticated user agency employees authorized for VNR access must be trained in the use of the VNR. In addition, all VNR authenticated users must take the CJIS Certification examination.
(4) Authenticated user agencies shall require that each agency employee approved for VNR access provide a signed acknowledgment that the employee has received a copy of, and understands, the agency's VNR policy and 803 CMR 9.00. Authenticated user agencies shall retain all signed acknowledgment forms for at least one year following the conclusion of the employment of each authorized VNR user.
(5) Authenticated user agencies shall not disclose, in any manner, the existence or status of a registration without the express, written authorization of the registered individual.
(6) Authenticated user agencies shall update the applicant registration information in the VNR at the request of the applicant.
(7) Authenticated user agencies shall report registration misuse by any individual to the DCJIS as soon as practicable.
(8) Prior to requesting the cancellation of a registration, the authenticated user agency shall attempt to contact the applicant by using, at a minimum, all applicant contact information provided by the individual.
(9) If an individual applying for VNR registration, or a person already registered, requests that only one particular type of notification (e.g., email, telephone, U.S. Mail) be used for contact, the authenticated user agency may comply with that request.

803 CMR, § 9.08

Amended by Mass Register Issue 1333, eff. 2/24/2017.