Code of Massachusetts Regulations
965 CMR - DEPARTMENT OF STATE AUDITOR
Title 965 CMR 2.00 - Fair Information Practices Act
Section 2.04 - Administration of Personal Data

Universal Citation: 965 MA Code of Regs 965.2

Current through Register 1531, September 27, 2024

(1) General. The holder shall not collect, maintain, or disseminate any personal data that is not essential for the performance of functions authorized by law, except where otherwise provided by statute or judicial order.

(2) Holder Agreements.

(a) A holder shall not allow any other person, entity, or agency to hold personal data in the absence of an express contract or agreement.

(b) A holder which enters into a contract or agreement with any other person, entity, or agency, to hold personal data, shall:
1. expressly inform the other person, entity, or agency of its status as a holder under 965 CMR 2.00; and

2. contractually bind the other holder to its obligation under 965 CMR 2.00 and M.G.L. c. 66A.

(c) A holder shall ensure that all contracts and agreements affecting the collection, maintenance, or dissemination of personal data between it, or another holder of the same personal data, and the person or entity not otherwise subject to 965 CMR 2.00 shall contain provisions requiring compliance with 965 CMR 2.00 and M.G.L. c. 66A.

(3) Destruction of Obsolete Personal Data. Each holder shall develop and implement a definite plan for the destruction of obsolete personal data with the approval of the Records Conservation Board, pursuant to M.G.L. c. 30, § 42.

(4) Use of Personal Data for Unrelated Purposes. Except where otherwise provided by statute or judicial order, personal data collected for one purpose shall not be used for another unrelated purpose without the informed consent of the data subject.

(5) Access by a Holder. A holder shall have unlimited access, subject to 965 CMR 2.04(6), to personal data it holds, or which is held on its behalf by another holder.

(6) Access by Employees of the Holder. Each holder shall permit only those employees whose duties require access to the personal data to have access. They shall be trained in the standards of confidentiality and security required by 965 CMR 2.00.

(7) Access by Non-Holders. A holder shall not allow any person, entity, or agency, who is not employed by the holder, to have access to the personal data unless such access is:

(a) Authorized by statute or regulations consistent with the purpose of M.G.L. c. 66A and 965 CMR 2.00; or

(b) Approved by the data subject, or the data subject himself has access under statute or 965 CMR 2.00; or

(c) Demanded by another holder as authorized by 965 CMR 2.04(5); or

(d) In response to compulsory legal process. The Department will, as required by M.G.L. c. 66A, § 2(k), ensure that no personal data are made available from its personal data systems in response to a demand for data made by means of a compulsory legal process unless the data subject has been notified of such a demand in reasonable time that he may seek to have the process quashed.

(8) Access by Data Subject. Access by data subject is governed by 965 CMR 2.06.

(9) Access in Medical or Psychiatric Emergencies. Where release of personal data is not otherwise authorized by statute or regulation, a holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of said physician, if a medical or psychiatric emergency arises which precludes the data subject from giving approval for the release of such data; provided, however, that the data subject shall be given notice of such access upon termination of the emergency.

(10) Physical Security. Each holder shall take all reasonable steps to protect the personal data from physical damage or removal, including but not limited to provisions for:

(a) Adequate fire detection and sprinkler systems;

(b) Protection against smoke and water damage;

(c) Alarm systems, safes, and locked files or other reasonably expected ways to prevent loss through larceny or other means of removal for manually held data; and

(d) Passwords, keys, access logs, or other reasonably expected ways to prevent loss through larceny or other means of removal for mechanically or electronically held data.

(11) Duplicate Files.

(a) Each holder shall ensure that the number of duplicate personal data files are held to an absolute minimum.

(b) Each holder shall ensure that any duplicate personal data files are maintained under the requirements of 965 CMR 2.00.

(12) Personnel Training. The State Auditor shall inform all of his employees who have responsibilities or functions for the design, development, operation, or maintenance of a personal data system, or the use of a personal data system therein, of the provisions of these regulations and of the civil remedies described in M.G.L. c. 214,§.3B, available to individuals whose rights under M.G.L. c. 66A are allegedly violated, and shall use his best effort to ensure that such employees understand and comply with 965 CMR 2.00.

(13) Audit Trail Procedures. The officer in charge of each system shall maintain as an audit trail records which show any access to or use of personal data he holds; provided, however, that access by employees within the Department of the State Auditor need not be recorded. In the case of personal data systems in which personal data are stored, in whole or in part, in a computer or in electronically controlled or accessible files, the audit trail shall include a complete and accurate record of every disclosure of personal data, including the identity of all persons and organizations to whom such access or use has been granted and their declared intentions regarding the use of such personal data. In the case of all other personal data systems, the audit trail shall include such information to the maximum extent feasible. The audit trail shall be deemed part of the data to which it relates for all purposes under 965 CMR 2.00.

(14) Objection by Data Subject -- Dispensing Holding Activities. A data subject may file an objection with the holder regarding procedures for holding data, in accordance with 965 CMR 2.07. During the pendency of any objection, except where otherwise provided by law or judicial order, the holder in question shall make all reasonable attempts to dispense with any further holding activities beyond mere storage, relating to the particular data in question, until such objection has been resolved.

Disclaimer: These regulations may not be the most recent version. Massachusetts may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.