Code of Massachusetts Regulations
940 CMR - OFFICE OF THE ATTORNEY GENERAL
Title 940 CMR 11.00 - Fair Information Practices Act
Section 11.03 - Receipt, Collection, and Maintenance of Personal Data
Universal Citation: 940 MA Code of Regs 940.11
Current through Register 1531, September 27, 2024
(1) General Rules Regarding Personal Data.
(a) The AGO shall not collect or maintain more personal data than is reasonably necessary for the performance of its functions;
(b) The AGO shall take reasonable precautions to protect personal data from dangers of fire, identity theft, theft, flood, natural disaster, or other physical threat;
(c) The AGO may receive, collect, and maintain personal data from agencies, public officials, and employees the AGO represents in civil litigation; and
(d) The AGO may receive, collect, and maintain personal data from other federal, state, or local governmental entities, including the courts, for law enforcement purposes.
(2) Personnel Requirements.
(a) Training. The AGO shall inform all of its employees who have responsibilities or functions involving the design, development, operation, or maintenance of a personal data system, or the use of personal data therein, of the provisions of these regulations, the AGO obligations regarding such data, and of the civil remedies available to individuals whose rights under M.G.L. c. 66A are allegedly violated.
(b) Information Officer Designation. For each personal data system it maintains, the AGO shall designate an Information Officer to serve as the responsible individual under M.G.L. c. 66A, § 2(a). Such individual should be one with familiarity in the operation of the system and have unlimited access to the data within. A single employee or designee may serve as the Information Officer for more than one such system.
(c) Record of Access. The AGO shall maintain complete and accurate records which show any access to or use of personal data the AGO holds; provided, however, that access or use by employees within the AGO need not be recorded. These records shall include every disclosure of personal data, including the identity of all persons and organizations to which such access or use has been granted. To the extent feasible, these records shall be made part of the data to which they relate for all purposes under 940 CMR 11.00.
(d) Notice and Report to the Secretary of the Commonwealth. The AGO shall, upon the establishment, termination, or substantial change in character of a personal data system, file a report with the Secretary of the Commonwealth regarding each such personal data system, as required by M.G.L. c. 30, § 63.
(e) Sanctions Against Employees. Any employee of the AGO found breaching the confidentiality of data through violation of 940 CMR 11.00 shall be subject to reprimand, suspension, dismissal, or other disciplinary actions consistent with the AGO Employee Manual and any applicable Collective Bargaining Agreement that is in place, and may be denied future contact with personal data and removed from holding responsibility relative to such data.