760 CMR 8.04 - Access to Personal Data
(1) Contracts or Agreements with a Holder to Perform a Public or Governmental Purpose. A LHA or LRA shall allow another person, entity or agency to hold personal data for a governmental function or purpose only by written contract, agreement, or arrangement. Such contract, agreement, or arrangement shall contain provisions expressly informing the other person, entity or agency of its status as a Holder and covering its legal obligations as such.
(2) Dissemination of Personal Data - General. A Holder shall not allow any individual, agency, or entity not employed by the Holder or under contract or agreement with the Holder under 760 CMR 8.04(1) to have access to personal data unless such access is:
(a) authorized by statute or by regulations which are consistent with the purposes of M.G.L. c. 66A; or
(b) approved by the data subject, unless the data subject is not entitled to access.
(3) Access by Physicians in an Emergency. A Holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of the physician, if a medical or psychiatric emergency arises precluding the data subject from approving the release of the data. Upon termination of the emergency, the Holder shall give notice to the data subject about the physician's access.
(4) Access by the Department. A Holder shall permit authorized employees of the Department to have access to personal data for the performance of legally authorized duties and responsibilities and shall disseminate personal data to the Department upon its request.
(5) Access by Holder Personnel and Board Members. A Holder shall:
(a) design personnel procedures which limit the number of employees whose duties involve access to personal data and train existing personnel concerning standards of confidentiality and security required by 760 CMR 8.00;
(b) permit only those employees whose duties require access to have access to personal data; and
(c) strictly limit board member access to personal data concerning an applicant or tenant to situations where there is a need for access in order for the board to conduct business properly.
(6) Access by Data Subject. A data subject or his/her duly authorized representative shall have access to, as well as the right to inspect and copy, any personal data concerning him/her, unless prohibited by law or judicial order.
(7) Denial of Access to Data Subject. A Holder shall not rely on any exception contained in M.G.L. c. 4, § 7 clause twenty-sixth (public records law) to withhold personal data from a data subject. A Holder may deny a request by a data subject or his/her authorized representative for access to personal data if:
(a) the denial of access is expressly permitted by statute; or
(b) the personal data is currently the subject of an investigation and its disclosure would probably so prejudice the possibility of effective law enforcement that the disclosure would not be in the public interest.
760 CMR 8.04(7) is not intended to limit any right or power of access the data subject might have under pertinent administrative or judicial procedures. Such personal data may be withheld for the time for completion of the investigation and commencement of an administrative or judicial proceeding on its basis, or for one year from the commencement of the investigation, whichever occurs first.
(8) Notice of Denial. A Holder shall notify a data subject in writing of any denial of his/her request for access, the reasons therefor, and the right of appeal set forth in 760 CMR 8.05.
(9) List of Data Requests. A Holder shall, at the request of a data subject, provide a written list of the uses made of his/her personal data, including any persons, agencies, or entities which have gained access to the personal data.
(10) Holder Authority to Make Additional Access Rules. A Holder may adopt reasonable written rules governing access to personal data, consistent with 760 CMR 8.00 and all pertinent statutes which:
(a) insure that any substitute or proxy for the data subject be duly authorized by him/her;
(b) regulate the time and place for inspection and the manner and cost of copying, provided that the time for inspection shall not be unduly restricted, and the fee for copies shall not exceed that allowed for public records under the Freedom of Information regulations of the Massachusetts Supervisor of Public Records; and
(c) require that data be reviewed in the presence of or under the supervision of the Holder.
(11) Judicial or Administrative Orders. Any Holder served with a subpoena or other judicial or administrative order directing it to disclose a data subject's personal data shall, unless otherwise prohibited by law or judicial order, immediately give notice to the data subject. Such notice, where possible, shall include a copy of the subpoena or order, except where the data subject himself requests the order or is otherwise obviously aware of its existence. The Holder, wherever legally and practically possible, shall allow the data subject adequate time to attempt to secure a court order to quash the subpoena or order.
(12) Record of Data Access and Use. Each Holder shall maintain a complete and accurate record of every access to any personal data by persons, agencies, or entities other than the Holder, including the identity of all such persons, agencies, and entities and their intended use of the data.
(13) Physical Safety of Data. A Holder shall take all reasonable measures to protect personal data from physical damage or removal.