Code of Massachusetts Regulations
940 CMR - OFFICE OF THE ATTORNEY GENERAL
Title 940 CMR 11.00 - Fair Information Practices Act
Section 11.05 - Access to Personal Data by Data Subjects

Universal Citation: 940 MA Code of Regs 940.11

Current through Register 1531, September 27, 2024

(1) General Rules Regarding Access to Personal Data.

(a) Data Subject Inquiry. The data subject may request, in writing, that the AGO perform a search to locate the subject's own personal data held within the personal data systems maintained by the AGO. Such search shall be considered compliant with M.G.L. c. 66A, § 2 if the name of the data subject is used to search for any such personal data within all personal data systems.

(b) Request of Data Subject for Notification of Holding. Where required by law, the AGO shall, within 20 days of receipt of a request, inform any data subject in writing whether the AGO maintains any personal data concerning such individual within its personal data systems.

(c) Notification of Denial of Access to Data. If access is denied, the AGO shall, within 20 days of receipt of a request, notify in writing a data subject of its denial of the request for access.

(d) Right of Data Subject to Access. Where access is required by law, the AGO shall, in a timely manner, grant a data subject access to the subject's own personal data within the personal data systems maintained by the AGO to which the data subject is entitled in accordance with 940 CMR 11.05.

(e) Modes of Access. The AGO may, at its discretion, provide a data subject with the subject's own personal data by either creating a compilation of the data that is contained within the personal data systems maintained by the AGO, or reproducing the records that contain personal data.

(f) Payment of Fees. The AGO may charge fees in accordance with 940 CMR 11.05 when a data subject requests that a search for personal data be made, and for the inspection, creation, or copying of any record containing the personal data to which access is granted, according to the fee schedule set forth in 940 CMR 11.05(1)(g). The AGO may require prepayment of fees or may waive such requirement.

(g) Fee Schedule. The AGO may charge the following fees for responding to a request under M.G.L. c. 66A:
1.The labor cost to search a system of records for personal data, and, if found, to remove third party identifiers (redaction), if applicable, and to prepare the personal data, or the records containing the personal data, for inspection or photocopying will be $15.00 per hour;

2.The cost to provide a copy of the personal data, or the records containing personal data, will be $.25 per page, which may be adjusted from time to time according to the Consumer Price Index. Notice of any such adjustment will be provided to the requesting party before any copies are made;

3.Where the records containing personal data cannot be simply photocopied or printed from a computer, the actual cost to reproduce the personal data may be assessed; and

4.For requests entailing less than one hour of search and redaction time, and resulting in no more than 50 pages of records, a flat fee of $15.00 may be assessed; a flat fee of $15.00 may also be assessed for requests requiring the creation of a compilation in order to more efficiently provide the personal data to the data subject.

(h) Known Personal Data. A request by a data subject for a copy of the records containing all of the subject's own personal data submitted to the AGO by the data subject, or a copy of all records containing personal data already provided to the data subject by the AGO, shall not be considered a request for personal data under M.G.L. 66A. The AGO, in its discretion and in compliance with records retention policies, may copy or return such records after receipt from the requester of a flat fee of $20.00.

(2) Exclusions. Consistent with M.G.L. c. 66A, § 1, and 940 CMR 11.02, certain types of information maintained by the AGO will not be considered personal data, and therefore, need not be provided to a data subject upon request. As illustration, and without limitation, the following are some examples of such information:

(a) Criminal Offender Record Information (CORI): police reports; grand jury minutes, testimony, and exhibits; witness statements and depositions; and reports of scientific tests or experiments;

(b) Intelligence Information: information contained within criminal investigations files; and

(c) Proprietary or financial records or data collected by the AGO from corporations, partnerships, sole proprietorships, trusts, or other business entities.

(3) Objections by Data Subjects.

(a) A data subject who objects to the accuracy, completeness, pertinence, timeliness, relevance, dissemination, or denial of access to the subject's own personal data that is maintained in the personal data system(s) of the AGO, may, individually or through a duly authorized representative, file an objection with the Information Officer Designee responsible for the personal data system in question.

(b) The Information Officer Designee responsible for such personal data system shall, within 30 days of the receipt of an objection:
1.Investigate the validity of the objection; and

2.If the objection is found to be meritorious after investigation, alter the contents of, or the methods for holding, or the dissemination or use of such personal data, or grant access to it; or

3.If the objection is found to lack merit after investigation, provide the data subject the opportunity to have a statement reflecting the individual's views maintained and disseminated with the data in question; and

4.Notify the data subject in writing of any AGO decision regarding the individual's objection.

Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.