Code of Massachusetts Regulations
965 CMR - DEPARTMENT OF STATE AUDITOR
Title 965 CMR 2.00 - Fair Information Practices Act
Section 2.04 - Administration of Personal Data
Current through Register 1531, September 27, 2024
(1) General. The holder shall not collect, maintain, or disseminate any personal data that is not essential for the performance of functions authorized by law, except where otherwise provided by statute or judicial order.
(2) Holder Agreements.
(3) Destruction of Obsolete Personal Data. Each holder shall develop and implement a definite plan for the destruction of obsolete personal data with the approval of the Records Conservation Board, pursuant to M.G.L. c. 30, § 42.
(4) Use of Personal Data for Unrelated Purposes. Except where otherwise provided by statute or judicial order, personal data collected for one purpose shall not be used for another unrelated purpose without the informed consent of the data subject.
(5) Access by a Holder. A holder shall have unlimited access, subject to 965 CMR 2.04(6), to personal data it holds, or which is held on its behalf by another holder.
(6) Access by Employees of the Holder. Each holder shall permit only those employees whose duties require access to the personal data to have access. They shall be trained in the standards of confidentiality and security required by 965 CMR 2.00.
(7) Access by Non-Holders. A holder shall not allow any person, entity, or agency, who is not employed by the holder, to have access to the personal data unless such access is:
(8) Access by Data Subject. Access by data subject is governed by 965 CMR 2.06.
(9) Access in Medical or Psychiatric Emergencies. Where release of personal data is not otherwise authorized by statute or regulation, a holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of said physician, if a medical or psychiatric emergency arises which precludes the data subject from giving approval for the release of such data; provided, however, that the data subject shall be given notice of such access upon termination of the emergency.
(10) Physical Security. Each holder shall take all reasonable steps to protect the personal data from physical damage or removal, including but not limited to provisions for:
(11) Duplicate Files.
(12) Personnel Training. The State Auditor shall inform all of his employees who have responsibilities or functions for the design, development, operation, or maintenance of a personal data system, or the use of a personal data system therein, of the provisions of these regulations and of the civil remedies described in M.G.L. c. 214, § 3B, available to individuals whose rights under M.G.L. c. 66A are allegedly violated, and shall use his best effort to ensure that such employees understand and comply with 965 CMR 2.00.
(13) Audit Trail Procedures. The officer in charge of each system shall maintain as an audit trail records which show any access to or use of personal data he holds; provided, however, that access by employees within the Department of the State Auditor need not be recorded. In the case of personal data systems in which personal data are stored, in whole or in part, in a computer or in electronically controlled or accessible files, the audit trail shall include a complete and accurate record of every disclosure of personal data, including the identity of all persons and organizations to whom such access or use has been granted and their declared intentions regarding the use of such personal data. In the case of all other personal data systems, the audit trail shall include such information to the maximum extent feasible. The audit trail shall be deemed part of the data to which it relates for all purposes under 965 CMR 2.00.
(14) Objection by Data Subject -- Dispensing Holding Activities. A data subject may file an objection with the holder regarding procedures for holding data, in accordance with 965 CMR 2.07. During the pendency of any objection, except where otherwise provided by law or judicial order, the holder in question shall make all reasonable attempts to dispense with any further holding activities beyond mere storage, relating to the particular data in question, until such objection has been resolved.