Code of Massachusetts Regulations
760 CMR - HOUSING AND LIVABLE COMMUNITIES, EXECUTIVE OFFICE OF
Title 760 CMR 8.00 - Privacy And Confidentiality
Section 8.04 - Access to Personal Data
Current through Register 1531, September 27, 2024
(1) Contracts or Agreements with a Holder to Perform a Public or Governmental Purpose. A LHA or LRA shall allow another person, entity or agency to hold personal data for a governmental function or purpose only by written contract, agreement, or arrangement. Such contract, agreement, or arrangement shall contain provisions expressly informing the other person, entity or agency of its status as a Holder and covering its legal obligations as such.
(2) Dissemination of Personal Data - General. A Holder shall not allow any individual, agency, or entity not employed by the Holder or under contract or agreement with the Holder under 760 CMR 8.04(1) to have access to personal data unless such access is:
(3) Access by Physicians in an Emergency. A Holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of the physician, if a medical or psychiatric emergency arises precluding the data subject from approving the release of the data. Upon termination of the emergency, the Holder shall give notice to the data subject about the physician's access.
(4) Access by the Department. A Holder shall permit authorized employees of the Department to have access to personal data for the performance of legally authorized duties and responsibilities and shall disseminate personal data to the Department upon its request.
(5) Access by Holder Personnel and Board Members. A Holder shall:
(6) Access by Data Subject. A data subject or his/her duly authorized representative shall have access to, as well as the right to inspect and copy, any personal data concerning him/her, unless prohibited by law or judicial order.
(7) Denial of Access to Data Subject. A Holder shall not rely on any exception contained in M.G.L. c. 4, § 7 clause twenty-sixth (public records law) to withhold personal data from a data subject. A Holder may deny a request by a data subject or his/her authorized representative for access to personal data if:
(8) Notice of Denial. A Holder shall notify a data subject in writing of any denial of his/her request for access, the reasons therefore, and the right of appeal set forth in 760 CMR 8.05.
(9) List of Data Requests. A Holder shall, at the request of a data subject, provide a written list of the uses made of his/her personal data, including any persons, agencies, or entities which have gained access to the personal data.
(10) Holder Authority to Make Additional Access Rules. A Holder may adopt reasonable written rules governing access to personal data, consistent with 760 CMR 8.00 and all pertinent statutes which:
(11) Judicial or Administrative Orders. Any Holder served with a subpoena or other judicial or administrative order directing it to disclose a data subject's personal data shall, unless otherwise prohibited by law or judicial order, immediately give notice to the data subject. Such notice, where possible, shall include a copy of the subpoena or order, except where the data subject himself requests the order or is otherwise obviously aware of its existence. The holder, wherever legally and practically possible, shall allow the data subject adequate time to attempt to secure a court order to quash the subpoena or order.
(12) Record of Data Access and Use. Each Holder shall maintain a complete and accurate record of every access to any personal data by persons, agencies, or entities other than the holder, including the identity of all such persons, agencies, and entities and their intended use of the data.
(13) Physical Safety of Data. A Holder shall take all reasonable measures to protect personal data from physical damage or removal.