Code of Massachusetts Regulations
801 CMR - EXECUTIVE OFFICE FOR ADMINISTRATION AND FINANCE
Title 801 CMR 3.00 - Privacy And Confidentiality
Section 3.02 - Administration of Personal Data
Current through Register 1531, September 27, 2024
(1) General Rules.
(2) Record of Access. In the case of data held in automated personal data systems, and to the extent feasible with data held in manual personal data systems, each holder shall maintain complete and accurate records showing any access to or use of personal data by persons or organizations outside of or other than the holder. These records shall include every disclosure of personal data, including the identity of all such persons and organizations to which such access or use has been granted. To the extent maintained pursuant to 801 CMR 3.02(2), a list of the uses made of personal data, including the identity of all persons and organizations which have gained access to the data, shall be provided to the data subject upon request. Access to or use by employees and agents of the holder need not be recorded.
(3) Notice and Report to Secretary of Commonwealth. Each holder shall, upon the establishment, termination, or substantial change in character of a personal data system, file a report with the Secretary of the Commonwealth regarding each such personal data system, as required by M.G.L. c. 30, § 63 and c. 66A, § 2(e).