Code of Massachusetts Regulations
610 CMR - BOARD OF HIGHER EDUCATION
Title 610 CMR 10.00 - Privacy, Confidentiality, and Data Security
Section 10.03 - Collection, Maintenance, and Dissemination of Personal Data

Universal Citation: 610 MA Code of Regs 610.10

Current through Register 1531, September 27, 2024

(1) Personal Data.

(a) General. Except where otherwise provided by statute, regulation, or judicial order, a holder shall not collect, maintain, or disseminate any personal data other than that which is essential for the performance of functions authorized by law.
1. Administration. Acting pursuant to applicable provisions of M.G.L. c. 15A, the Board is legally responsible for providing certain aggregate educational data in report form to the legislative and executive branches of the Commonwealth and to the public. This aggregate data which shall be available for dissemination shall be produced in standard reports, including but not limited to enrollment, program inventory, regular statistical reports, special studies, tuition and fees, and enrollment projections. Such reports shall be prepared, issued or released on a regular schedule and upon executive or legislative request.

2. Release of Official Data. The Board shall prepare and have available certain aggregate educational data for release through public statements and in standard report format whenever reasonably practicable. Such data may be contained in regular statistical reports, special studies, testimonies or public statements. Data releases that do not conform to the established Board's available standard report format(s) shall meet the Board's internal standards to assure that they are current, consistent with other sources, and supported by adequate background information and analysis.

3. Accuracy of Data. The Board shall take reasonable steps to ensure that all educational data collected from data holders is accurate, complete and consistent with data previously on file with the Board or provided to the Board by other data holders. Data or reports prepared by the Board for disclosure which do not conform to the established Board's standard report format(s) shall be accurate, current and consistent with their sources, and shall, whenever practicable, be supported by adequate background information and analysis.

(b) Identification and Assurance as Essential. A holder shall identify the kinds of personal data held and demonstrate that the holding of such data is essential for the performance of functions authorized by law:
1. prior to the inception of any personal data system, notices should be published in generally read newspapers in all communities in the Commonwealth, through all other reasonable means of drawing attention to such data held;

2. statements of identification of kinds of data held and assurance should be recorded in an individual file accessible to periodic examination by the Commissioner or his or her designee and the inclusion of such statements in the notice and annual report to be submitted pursuant to 610 CMR 10.03(2)(f);

3. to the extent possible, at the time of collection of data within the context of informed consent procedures conducted pursuant to 610 CMR 10.04(3) and (4).

(c) Review by the Commissioner. The Commissioner or his or her designee may review the procedure of any institution relating to the conformance with 610 CMR 10.00. If the Commissioner or his or her designee should find that any institution or Board employee is not conforming to the procedures set forth in 610 CMR 10.00 the Commissioner may direct the chief executive officer of the institution or the Board's employee's supervisor to arrange for compliance forthwith. The Commissioner shall report further violations to the Attorney General for action pursuant to M.G.L. c. 214, § 3B.

(d) Public Inquiry. Where an individual has reason to believe that personal data relating to him or her is held, but where the specific holder of such data is unknown to him or her, the Commissioner or his or her designee upon written request from the individual, shall within 30 days make every reasonable effort to locate all such personal data held by the Board of Higher Education or the institutions affected by 610 CMR 10.00.

(e) Holder Agreements. All institutions and the Board of Higher Education holding personal data shall assure that all agreements affecting the collection, maintenance, or dissemination of personal data established between a holder and a person or entity not otherwise subject to 610 CMR 10.00 shall contain provisions requiring compliance with 610 CMR 10.00. Where agreements are absent, institutions and the Board of Higher Education shall arrange for the development of such agreements to require compliance with 610 CMR 10.03.

(2) Administration of Personal Data.

(a) Expungement of Obsolete Data. Each holder shall develop and implement a definite plan for the expungement of obsolete data with the approval of the Records Conservation Board pursuant to M.G.L. c. 30, § 42.

(b) Use of Personal Data for Unrelated Purposes. Except where otherwise provided by statute, regulation or judicial order, personal data collected for one purpose shall not be used for another unrelated purpose without the informed consent of the data subject pursuant to 610 CMR 10.04(3) and (4).

(c) Personnel Security. Each holder shall permit only those employees whose duties require access, to have access to personal data, and shall:
1. design personnel procedures which limit the number of employees whose duties involve access to personal data;

2. train existing personnel concerning standards of confidentiality and security required by 610 CMR 10.00;

3. not allow any other agency or individual not employed by the holder to have access to personal data unless such access is authorized by statute or regulation or is approved by the holder and by the data subject;

4. screen prospective personnel with regard to previous work experience with personal data and corresponding violations of confidentiality; and

5. ensure that all personnel working with or having access to personal data are familiar with 610 CMR 10.00, the provisions of M.G.L. c. 66A, c. 30, § 63, c. 214, § 3B, and other pertinent legislation.

(d) Physical Security. Each holder shall take all reasonable steps for the protection of data from physical damage or removal, including procedures providing for:
1. adequate fire detection and sprinkling systems;

2. protection against water and smoke damage;

3. watertight facilities; and

4. alarm systems, safes and locked files, window bars, security guards or any other devices reasonably expected to prevent loss through larceny or other means of removal for manually held data, including files, tapes, cards and like materials;

5. passwords, keys, badges, access logs, or other methods reasonably expected to prevent loss through larceny or other means of removal for mechanically or electronically held data.

(e) Duplicate Files. Each holder shall ensure that the number of duplicate files of personal data is maintained at an absolute minimum. Each holder shall ensure that any duplicate file systems are maintained consistent with the requirements of 610 CMR 10.00.

(f) Notice and Annual Report to the Commissioner of the Board of Higher Education. Each holder shall annually and upon the subsequent establishment, termination, or change in character of a personal data system file a report with the Commissioner regarding each personal data system it operates. Such reports shall include, but not necessarily be limited to the following information:
1. the name of the system and the title and address of the person in charge of it;

2. the nature and purpose of the system;

3. the identification of the types, categories, uses and sources of data held in the system and the assurance that such data is essential, pursuant to 610 CMR 10.03(1)(b);

4. the approximate number of individuals about whom data is held in the system;

5. whether and to what extent the data is held in computerized form;

6. a description of each person and organization having access to the system;

7. a description of the policies and practices of the holder with regard to data maintenance, retention, and disposal;

8. a description of the manner in which any individual who believes that the data about him or her is held in the system may have a search made, and, if such data is so held, may inspect, copy, and object to it as provided in 610 CMR 10.00;

9. a description of other actions taken to comply with 610 CMR 10.00 and Massachusetts law, particularly M.G.L. c. 66A; and

10. a statement that this report is available upon request in compliance with 610 CMR 10.00.

(g) Audit Trail. Each holder shall maintain the most feasibly precise records of access to and the uses of the personal data it holds, consistent with the following requirements:
1. where such data is held in computerized form, the data system shall have the capacity for a program or programs to electronically record all persons collecting, examining or using data and purposes of such collection, examination, or use.

2. where the data is held in manual form, the holder shall require that a manual notation be made, to the maximum extent possible, of all persons collecting, examining or using data and the purposes of such collection, examination, or use.

3. the audit trail developed shall be deemed part of the data held, and shall thereby be accessible only to the following persons:
a. the data subject or his or her authorized representative;

b. individuals authorized to have access in accordance with 610 CMR 10.03(2)(c); and

c. the Commissioner or his or her designee for purposes of reviewing and monitoring compliance with 610 CMR 10.00.

4. in cases where a room is maintained solely for the purpose of holding data, the holder shall maintain a log which records the names of persons having access to the room. Where a room is not maintained solely for that purpose, the holder shall maintain a log which records the names of persons actually working with such data, and the dates and lengths of time of such use.

(h) Periodic Review of Personal Data Held. Each holder shall, at least once every 24 months, review its personal data system(s) with respect to the accuracy, current need, relevance, and timeliness of data held, and shall adhere to the following provisions:
1. each holder shall adopt a written plan for such review, describing the systems involved, the schedule for such review, and the persons making the review. Each holder shall submit such review plan to the Commissioner or his or her designee. The plan as approved shall be a public record;

2. immediately following the completion of such a review, the persons who conducted the review shall make a written report describing the files, tapes, records, films or data reviewed and the degree of conformance by the holder with 610 CMR 10.00; and

3. a copy of the report shall be submitted to the chief executive officer of the institution and the Commissioner along with any suggestions as to whether any changes to 610 CMR 10.00 should be considered.

(i) Holding -- Notice to Secretary of the Commonwealth. The holders of personal data shall comply with the requirements of M.G.L. c. 66A, § 2.

(j) Dissemination -- Notice to Subsequent Holders. Each holder, when disseminating personal data, shall ensure that any subsequent holder is aware of the requirements of 610 CMR 10.00, M.G.L. c. 66A, c. 30, § 63, c. 214, § 3B, other pertinent statutes, Executive Order No. 111 (Fair Information Practices), and any written policy directives developed by such agency relating to the use of such data, and shall take all reasonable steps to assure that such data is used only in accordance with such mandates.

(k) Objection by Data Subject -- Dispensing Holding Activities. A data subject may file an objection with a holder regarding procedures for holding data or the types of data held, in accordance with 610 CMR 10.04(2) through (16). During the pendency of any objection, except where otherwise provided by law or judicial order, the holder in question shall make all reasonable attempts to dispense with any further holding activities beyond mere storage, relating to the particular data in question, until such objection has been resolved.

(l) Master Plan. Each holder, prior to the computerization or automation of any existing personal data system and prior to the initial development of any new manual or computerized system, shall establish in writing a master plan containing the following elements:
1. identification and justification of personal data as essential in accordance with 610 CMR 10.03(1);

2. brief descriptions of existing or planned agreements involving the holding of personal data in accordance with 610 CMR 10.03(1)(e);

3. statements reflecting proposed action on and compliance with each of the mandates presented in this part, particularly, the provision of an annual report and a written plan for periodic review of data held, in accordance with 610 CMR 10.03(2)(f) and (h); and

4. the identification of foreseeable threats to the security of personal data held, and a corresponding description of all measures to be employed as safeguards designed to avoid or mitigate such threats, including but not necessarily limited to, plans involving personnel training relating to data system operations and 610 CMR 10.00.

(m) Access by Non-holders. A holder shall not allow any other entity or individual not employed by the holder to have access to personal data unless such access is authorized by statute or regulation, or is approved by the holder and by the data subject whose personal data is held.

(n) Subpoena -- Special Notice. Any holder served with a subpoena or other judicial or administrative order directing it to disseminate personal data, unless otherwise prohibited by law or judicial order, shall immediately give notice of such fact to the data subject. Such notice, where possible, shall include a copy of the order, except where the data subject is the moving party or is otherwise obviously aware of its existence. The holder, wherever legally and practically possible, shall allow the data subject ample time to seek to quash the order prior to complying with the order.

(o) Funding Applications. Any holder applying for a loan, grant, contract or appropriation to fund a project involving the holding of personal data in a personal data system shall include in such application a funding request for financing the protection of the privacy of personal data and for compliance with 610 CMR 10.00.

(p) Legal Proceeding Exception.
1. Where a suit (or legal proceeding) has been threatened or instituted by a data subject against the Commonwealth, the Board of Higher Education, division, or public institution of higher education, or against any official employee of the Board or a public institution of higher education, arising from his or her official duties or scope of employment, any personal data concerning the data subject held by the entity that is or employs a party to such suit (or legal proceeding) which is relevant to a determination of the issues in dispute shall be furnished to the Attorney General or authorized assistant attorney general or special assistant attorney general who may further disclose such personal data to the extent he or she deems necessary for purposes of representing the defendant(s), subject to the following conditions:
a. disclosure shall be furnished in response to a written or oral request from the office of the Attorney General which shall indicate the purpose for which the personal data is requested and describe, with particularity, the data requested; and

b. personal data of persons not a party to the litigation (or legal proceeding) will be redacted in order to protect the privacy interests of such persons.

2. In the event that a personal data system maintained by the Commonwealth, Board of Higher Education or public institutions of higher education to carry out its functions, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising under a statute, rule, regulation or order issued pursuant thereto, the relevant data may be referred to the Attorney General in order to enforce or implement the statute, rule, regulation or order issued pursuant thereto, or to investigate or prosecute such violation.

3. Nothing in 610 CMR 10.03 shall be construed to authorize the Board of Higher Education or public institutions of higher education to release information the disclosure of which is prohibited by any statute other than the Fair Information Practices Act, M.G.L. c. 66A.

(3) Enforcement.

(a) Employees of the Board of Higher Education or of institutions under the Board of Higher Education:
1. Any employee at the Board of Higher Education or at a public institution of higher education found breaching the confidentiality of data subjects through violations of 610 CMR 10.00 shall be subject to reprimand, suspension, dismissal or other disciplinary actions by the holder, the chief executive officer of the institution, the Board of Higher Education and the Commonwealth governing its employees, and may be denied future access to personal data and removed from any custodial responsibilities.

2. The Board of Higher Education or any institution under the Board of Higher Education which violates the terms of 610 CMR 10.00 may be liable to individuals injured, pursuant to M.G.L. c. 214, § 3B, to legal action to enjoin such violations brought by the Attorney General, and to administrative action by the institution or the Board of Higher Education to remove authorization to hold personal data.

(b) Non-agency Holders. Any holder, other than defined under 610 CMR 10.02, found breaching the confidentiality of data subjects through violation of 610 CMR 10.00 shall be subject to a review and an investigation by the appropriate contracting agency which may lead to suspension of any contractual or licensure relationship and to legal sanctions brought by the Attorney General.

(c) Monitoring and Enforcement. The Commissioner shall be responsible for the monitoring of compliance with 610 CMR 10.00 in cooperation with the Office of the Attorney General pursuant to M.G.L. c. 214, § 3B.
