801 CMR 3.02 - Administration of Personal Data
(1) General Rules.
(a) Each holder shall designate an information officer who shall serve as the
responsible person for each personal data system maintained by the holder. The
holder shall ensure that the requirements for preventing unauthorized access to
or dissemination of personal data, as set out in M.G.L. c. 66A, are followed. A
single employee may serve as the responsible person for more than one personal
data system.
(b) Each holder shall inform each of its employees having any responsibility or
function involving the design, development, operation, or maintenance of a
personal data system, or the use of any personal data contained therein, of the
provisions of 801 CMR 3.00 and any other regulations promulgated under
M.G.L. c. 66A, the safeguards of M.G.L. c. 66A pertaining to the operation of
the personal data system, and the civil remedies available to individuals whose
rights under M.G.L. c. 66A are allegedly violated.
(c) Each holder shall not collect or maintain
more personal data than is reasonably necessary for the performance of the
holder's statutory functions. The holder shall permit only those employees
whose duties reasonably require access to have access to personal
data.
(d) Each holder shall take
reasonable precautions to protect personal data from dangers of fire, identity
theft, theft, flood, natural disaster, or other physical threat.
(e) Each holder shall maintain personal data
with such accuracy, completeness, timeliness, pertinence and relevance as is
necessary to assure fair determination of a data subject's qualifications,
character, rights, opportunities, or benefits when such determinations are
based upon such data.
(f) Holders may enter into contracts to hold personal data but no such contract
shall relieve the holder of its obligations under M.G.L. c. 66A or 801 CMR 3.00.
Every such contract shall include such provisions as are necessary to ensure
compliance with M.G.L. c. 66A and 801 CMR 3.00.
(2) Record of Access. In the case of data held in automated personal data
systems, and to the extent feasible with data held in manual personal data
systems, each holder shall maintain complete and accurate records showing any
access to or use of personal data by persons or organizations outside of or
other than the holder. These records shall include every disclosure of personal
data, including the identity of all such persons and organizations to which
such access or use has been granted. To the extent maintained pursuant to 801
CMR 3.02(2), a list of the uses made of personal data, including the identity
of all persons and organizations which have gained access to the data, shall be
provided to the data subject upon request. Access to or use by employees and
agents of the holder need not be recorded.
(3) Notice and Report to Secretary of Commonwealth. Each holder shall, upon the
establishment, termination, or substantial change in character of a personal
data system, file a report with the Secretary of the Commonwealth regarding
each such personal data system, as required by M.G.L. c. 30, § 63 and c.
66A, § 2(e).