Section 17a-636-3 - Maintenance of personal data(a) Personal data shall not be maintained unless relevant and necessary to accomplish the lawful purposes of the Commission. Where the Commission finds irrelevant or unnecessary public records in its possession, the Commission shall dispose of the records in accordance with its record retention schedule and with the approval of the Public Records Administrator as per Connecticut General Statutes section 11-8a, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Connecticut General Statutes section 11-8a.(b) The Commission shall collect and maintain all records with accurateness and completeness.(c) Insofar as it is consistent with the needs and mission of the Commission, the Commission shall, whenever practical, collect personal data directly from the person to whom a record pertains.(d) Commission employees involved in the operations of the Commission's personal data systems shall be informed of the provisions of: (i) the Personal Data Act; (ii) the Commission's regulations adopted pursuant to Connecticut General Statutes section 4-196; (iii) the Freedom of Information Act and (iv) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Commission.(e) All Commission employees shall take reasonable precautions to protect personal data under their custody from the danger of fire, theft, flood, natural disasters and other physical threats.(f) The Commission shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements or licenses for operation of a personal data system or for research, evaluation and reporting of personal data for the Commission or on its behalf.(g) The Commission shall insure that personal data requested and received from any other agency is maintained in conformance with Connecticut General Statutes section 4-190, et seq.(h) Only Commission employees who have a specific need to review personal data records for lawful purposes of the Commission shall be entitled to access to such records under the Personal Data Act.(i) The Commission shall maintain a written up-to-date list of individuals entitled to access to each of the Commission's personal data systems.(j) The Commission shall insure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records shall be sent in envelopes or boxes sealed and marked "confidential."(k) The Commission shall insure that all records in manual personal data systems are kept under lock and key and, to the greatest extent practical, are kept in controlled access areas.(l) With respect to automated personal data systems, the Commission shall:(1) to the greatest extent practical, locate automated equipment and records in a limited access area;(2) to the greatest extent practical, require vistors to such area to sign a visitor's log and permit access to said area on a bona-fide need-to-enter basis only;(3) to the greatest extent practical, insure that regular access to automated equipment is limited to operations personnel;(4) utilize appropriate access control mechanisms to prevent disclosure of personal data to unauthorized individuals.(m) Records for each personal data system are maintained in accordance with schedules prepared by the Connecticut State Library, Department of Public Records Administration and records retention schedule as approved by the Public Records Administrator as authorized by section 11-8a of the Connecticut General Statutes. Retention schedules shall be maintained on file at the Central Office of the Commission and may be examined during normal business hours.(n) When an individual is asked by the Commission to supply personal data about him/herself, the Commission, upon request, shall disclose to that individual: (1) the name of the division within the Commission requesting the personal data;(2) the legal authority under which the Commission is empowered to collect and maintain the personal data;(3) the individual's rights pertaining to such records under the Personal Data Act and Commission regulations;(4) the known consequences arising from supplying or refusing to supply the requested personal data;(5) the proposed use to be made of the requested personal data.Conn. Agencies Regs. § 17a-636-3