Code of Massachusetts Regulations
610 CMR - BOARD OF HIGHER EDUCATION
Title 610 CMR 10.00 - Privacy, Confidentiality, and Data Security
Section 10.04 - Individual Rights and Safeguards

Universal Citation: 610 MA Code of Regs 610.10

Current through Register 1531, September 27, 2024

(1) Information Officers: Officer Designation. Each holder, as defined under 610 CMR 10.02, shall designate one person to serve as the officer responsible for any personal data system maintained by such holder.

(2) Duties and Responsibilities of Information Officers. The officer described in 610 CMR 10.04(1) shall ensure that all data subjects enjoy the rights provided under 610 CMR 10.00, M.G.L. c. 66A, c. 30, § 63 and c. 214, § 3B, and he or she shall receive complaints and objections, answer questions, and direct operations with respect to the privacy, confidentiality, and security of personal data.

(3) Right to Give or to Withhold Informed Consent. Each data subject may give or withhold informed consent when requested by any holder to provide personal data.

(4) Criteria for Informed Consent. Consent may be deemed to be "informed consent" only if the holder provides the following information to the data subject and the data subject indicates his or her understanding and agreement:

(a) an explanation of how the data requested will be used and held;

(b) a statement identifying the agencies or persons who are likely to receive or hold the data, and an assurance that all such holders will keep the data confidential;

(c) an offer to answer any inquiries concerning the methods of holding data and the types of data to be held, with a statement indicating the right of a person to object to such methods or types in accordance with 610 CMR 10.04(12) through (16); and

(d) a statement indicating any legal requirements of a person to provide the data requested and of any legal or administrative consequences arising from a decision to withhold such data.

(5) Request on Data. A holder, upon request of an individual, shall inform the individual in writing and in a form comprehensible to him or her whether such holder maintains, holds, or has held any personal data concerning him or her within the previous 24 months.

(6) Statement of Rights. A holder shall furnish to any person requested to provide personal data a statement listing all individual rights set forth in 610 CMR 10.00.

(7) Emergencies. A holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of said physician, if a medical or psychiatric emergency arises which precludes the data subject from giving approval for the release of such data; provided, however, that the data subject shall be given notice of such access upon termination of the emergency.

(8) Right of Access of Data Subject. Each data subject or his or her duly authorized representative shall, upon request, have access to any personal data concerning him or her, except where prohibited by law or judicial order. In addition, each data subject or his or her duly authorized representative shall enjoy the right to inspect and copy any personal data held concerning him or her except where prohibited by law or judicial order.

(9) Access to Data by Data Subject. A holder may adopt reasonable written rules governing access to personal data, consistent with 610 CMR 10.00 and all pertinent legislation, which:

(a) ensure that any substitute or proxy for the individual data subject be duly authorized by him;

(b) regulate the time and place for inspection and the manner and cost of copying. The time for inspection shall not be unduly restricted nor shall any unreasonable cost for copying be charged; and

(c) require that data files be reviewed in the presence of or under the supervision of the holder.

(10) Denial of Access to Data. A holder may deny a request by a data subject for access to personal data, which consists of psychiatric or psychological data, only if the denial of access is permitted by statute.

(11) Notification of Denial of Access to Data. A holder shall notify in writing any individual of its denial of his or her request for access, the reasons therefor, and the rights of appeal set forth in 610 CMR 10.04(12) through (16).

(12) Objection by the Individual. An individual whose educational or personal data is held by the Board may contest the accuracy, completeness, pertinence, timeliness or relevance of the data, or its dissemination or access to third parties. Such objection shall be in writing and filed with the data holder for its administrative review, investigation and final determination.

(13) Responsibilities of Holder Pursuant to Objection. Pursuant to an objection by a data subject, the officer responsible for a data system shall within 30 days of the receipt of the objection:

(a) notify, in writing, the appropriate agency head under whose authority personal data is held regarding the nature of the objection;

(b) investigate the validity of the objection. If, after the investigation the objection is found to be meritorious, correct the contents of the data or the methods for holding or the use of such data; or, if the objection is found to lack merit, provide the data subject the opportunity to have a statement reflecting his or her views recorded and disseminated with the data in question;

(c) notify, in writing, the appropriate chief executive officer of the institution or Commissioner of the Board of Higher Education under whose authority personal data is held regarding the action taken; and

(d) notify in writing the data subject of the outcomes of the investigation.

(14) Appeal of Holder's Decision. Any data subject who objects to the decision of the officer in charge of the personal data system may appeal the matter to the chief executive officer of the institution or the Commissioner of the Board of Higher Education under whose authority the personal data in question is held. Such appeal shall be filed in writing within 30 days of notification of the decision by the officer in charge of the personal data system.

(15) Chief Executive Officer of the Institution or the Commissioner of the Board of Higher Education; Adjudicatory Hearing. A chief executive officer of the institution or the Commissioner of the Board of Higher Education hearing an appeal filed pursuant to 610 CMR 10.04(14) shall:

(a) at the written request of the appellant data subject convene an adjudicatory hearing, in accordance with the provisions of M.G.L. c. 30A, within 30 days of the receipt of such appeal, and render a decision on the merits within 30 days of the conclusion of said hearing;

(b) notify, in writing, the Commissioner of the Board of Higher Education within seven days of the receipt of such appeal, regarding the nature of and filing of the appeal; and, within seven days of rendering a final decision on the merits, notify the appellant data subject and the appellee holder regarding the nature of the decision.

(16) Failure to Render a Decision. Any failure to render a decision at any stage of the appeal process within the time periods set out in 610 CMR 10.04(16) shall result in a decision favorable to the appellant data subject, except that the time periods may be extended by agreement between the data subject and the holder.
