Subject to
801 CMR 3.01
and 3.03, the holder shall not allow any other agency or individual not
employed by the holder to have access to personal data unless such access is
authorized by statute or regulation which are consistent with the purposes of
M.G.L. c. 66A, or is approved by the data subject if the data subject is
entitled to access under M.G.L. c. 66A, § 2(I). The holder may adopt rules
identifying the specific types of personal data applicable to that holder and a
manner of dissemination that is consistent with
801
CMR 3.00. Nothing in
801
CMR 3.00 shall be construed as authorizing the holder
to release information, the disclosure of which is prohibited by any statute
other than M.G.L. c. 66A.
Consistent with the purposes of M.G.L. c. 66A and
801
CMR 3.00, the holder may disseminate personal data to
persons other than the data subject as follows:
(a) The holder may disseminate personal data
in response to compulsory legal process, provided that the procedures required
by M.G.L. c. 66A, § 2(k) are followed. The holder need not provide the
notice required under M.G.L. c. 66A, § 2(k), if a court orders otherwise
upon a finding that notice to the data subject would probably so prejudice the
administration of justice that good cause exists to delay or dispense with such
notice.
(b) A holder may
disseminate personal data to any federal, state, or local governmental entity
for criminal or civil law enforcement purposes, provided that an authorized
representative of the governmental entity has made a written request to the
holder specifying the record desired and the law enforcement activity for which
the record is sought, and the governmental entity agrees in writing to keep the
personal data confidential to the extent permitted by law.
(c) The holder may disseminate personal data
to the United States Census Bureau to aid the Bureau in connection with an
official census or survey, provided that the Bureau agrees to keep the personal
data confidential to the extent permitted by law.
(d) The holder may disseminate personal data
as required by an order of a court of competent jurisdiction.
(e) The holder may disseminate medical or
psychiatric data to a physician treating a data subject upon the request of
said physician, or to other persons to the extent consistent with federal or
other applicable law, if a medical or psychiatric emergency arises which
precludes the data subject's giving approval for the release of such data, but
the data subject shall be given notice of such access upon termination of the
emergency. The holder may disseminate personal data to other persons if an
emergency arises that precludes the data subject's giving approval for the
release of such data and dissemination is necessary for reasons related to the
health or safety of the data subject, or in circumstances posing an immediate
threat to public safety, provided that the scope of disclosure is limited to
the extent necessary to alleviate or address the emergency. The data subject
shall be given notice of such dissemination upon termination of the
emergency.