940 CMR 11.00: Fair Information Practices Act

11.01: General Provisions
11.02: Meaning of Terms
11.03: Information Officers
11.04: Administration of Personal Data
11.05: Access to Personal Data By Persons Other Than the Data Subject
11.06: Access by Data Subjects

11.07: Objections
11.08: Enforcement
11.09: Exemption From 940 CMR 11.00
11.10: Requirement for Research Projects Eligible for Access to Personal Data

11.01: General Provisions

(1) Authority. 910 CMR 11.00 is promulgated pursuant to M.G.L. c. 66A, § 3, as amended by St. 1977, c. 691.

(2) Application. 940 CMR 11.00 shall apply to the Attorney General and the Department of the Attorney General.

(3) Scope. 940 CMR 11.00 shall govern the collection, maintenance and disclosure of personal data contained in manual or computerized personal data systems. 940 CMR 11.00 shall not apply to criminal offender record information, evaluative information or intelligence information, as defined by M.G.L. c. 6, § 167, as amended by St. 1977, c. 691, § 2 nor to data about corporations, corporate trusts, partnerships, limited partnerships, trusts, sole proprietorships, or other business, not for profit, or charitable entities.

(4) Policy on Fees. Where applicable, the Attorney General will charge fees where an individual requests that a copy be made of the record to which he is granted access under the following fee schedule set forth in 940 CMR 11.01(5).

(5) Fee Schedule. The Attorney General will charge a fee substantially equivalent to the actual cost of reproduction for copying records, and he will charge an additional fee reasonably related to the cost for making a search of a system of records. If the total time for search and reproduction exceeds 15 minutes, a charge for a search will be made at the rate of $3.75 per hour.

(6) Payment of Fees. The Attorney General will require prepayment of fees unless he waives the requirement.


Top of Page

11.02: Meaning of Terms

As used in this Chapter, unless the context otherwise requires, the following terms shall have the following meanings:

(1) Attorney General. "Attorney General" means the Attorney General of the Commonwealth or the First Assistant Attorney General or other designee.

(2) Criminal Offender Record Information. "Criminal offender record information" records and data in any communicable form compiled by a criminal justice agency which concern an identifiable individual and relate to the nature or disposition of a criminal charge, an arrest, a pre-trial proceeding, other judicial proceedings, sentencing, incarceration, rehabilitation, or release. Such information shall be restricted to that recorded as a result of the initiation of criminal proceedings or any consequent proceedings related thereto. Criminal offender record information shall not include evaluative information, statistical and analytical reports and files in which individuals are not directly or indirectly identifiable, nor intelligence information. Criminal offender record information shall be limited to information concerning persons who have attained the age of 17 and shall not include any information concerning criminal offenses or acts of delinquency committed by any person before he attained the age of 17; provided, however, that if a person under the age of 17 is adjudicated as an adult, information relating to such criminal offender record information shall not include any information concerning any offenses which are not punishable by incarceration.

(3) Data Subject. "Data subject" means an individual to whom personal data refers. This term shall not include corporations, corporate trusts, partnerships, limited partnerships, trusts, sole proprietorships, or other business, not for profit, or charitable entities.

(4) Department of the Attorney General or Department. "Department of the Attorney General" or " Department" means the agency of government created by M.G.L. c. 12, § 1.

(5) Evaluative Information. "Evaluative information" means records, data, or reports concerning individuals charged with crime and compiled by criminal justice agencies which appraise mental condition, physical condition, extent of social adjustment, rehabilitative progress and the like, and which are primarily used in connection with bail, pre-trial or post-trial release proceedings, sentencing, correctional and rehabilitative planning, probation or parole.

(6) Holds. "Holds" means collects, stores, maintains, disseminates, or uses, whether manually, mechanically, or electronically.

(7) Intelligence Information. "Intelligence information" means records and data compiled by a criminal justice agency for the purpose of criminal investigation including reports of informants, investigators or other persons, or from any type of surveillance associated with an identifiable individual. Intelligence information shall also include records and data compiled by a criminal justice agency for the purpose of investigating a substantial threat of harm to an individual, or to the order or security of a correctional facility.

(8) Personal Data. "Personal data" means any information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual; provided, however, that such information is not contained in a public record, as defined in M.G.L. c. 4, § 7 clause twenty-sixth and shall not include intelligence information, evaluative, or criminal offender record information, as defined in 940 CMR 11.02.

(9) Personal Data System. "Personal data system" means a system containing personal data where the data are retrievable by use of the identity of the data subject.

(10) Personal Identifier. "Personal identifier" means any element of data which may be used to fix a person's identity either by itself or when combined with other data and which may include, but is not necessarily limited to: name, address, social security number, date of birth, race, zip code, mother's given name, mother's maiden name, or any part of the mother's given or maiden name, account, invoice, or purchase order number, commercial paper identifiers, and business or commercial names.

Top of Page

11.03: Information Officers

(1) Officer Designation. The Attorney General shall designate, for each personal data system he maintains, a person to serve as the responsible person under M.G.L. c. 66A, § 2(a). A single employee may serve as the responsible person for more than one such system.

(2) Duties and Responsibilities. The officer described in 940 CMR 11.03(1) shall, with respect to the system or systems for which he is immediately responsible

(a) ensure that the requirements of M.G.L. c. 66A and 940 CMR 11.00 for preventing unauthorized access to personal data are followed;

(b) receive complaints and objections concerning the operation of the system for which he is responsible and the implementation of 940 CMR 11.00; and

(c) answer questions concerning the operation of the system for which he is responsible and the implementation of 940 CMR 11.00.

Top of Page

11.04: Administration of Personal Data

(1) Personnel Training. The Attorney General shall inform all of his employees who have responsibilities or functions for the design, development, operation, or maintenance of a personal data system or the use of personal data therein, of the provisions of 940 CMR 11.00 and of the civil remedies described in M.G.L. c. 214, § 3B, available to individuals whose rights under M.G.L. c. 66A are allegedly violated, and shall use his best efforts to assure that such employees understand and comply with 940 CMR 11.00.

(2) Physical Security. The Department shall take all reasonable and appropriate steps for the protection of data from physical damage or unauthorized access to or removal.

(3) Duplicate Files.

(a) The Department shall ensure that the number of duplicate files of personal data is maintained at an absolute minimum.

(b) The Department shall ensure that all duplicate file systems are maintained consistent with the requirements of 940 CMR 11.00.

(4) Notice and Annual Report to the Secretary of State. The Attorney General shall, upon the establishment, termination, or change in character of a personal data system, file a report with the Secretary of State regarding each personal data system he operates, as required by M.G.L. c. 30, § 63.

(5) Audit Trail. The officer in charge of each system shall maintain as an audit trail records which show any access to or use of personal data he holds; provided, however, that access by employees within the Department of the Attorney General need not be recorded. In the case of personal data systems in which personal data are stored, in whole or in part, in a computer or in electronically controlled or accessible files, the audit trail shall include a complete and accurate record of every disclosure of personal data, including the identity of all persons and organizations to whom such access or use has been granted and their declared intentions regarding the use of such personal data. In the case of all other personal data systems, the audit trail shall include such information to the maximum extent feasible. The audit trail shall be deemed part of the data to which it relates for all purposes under 940 CMR 11.00.

(6) Destruction of Obsolete Personal Data. Pursuant to M.G.L. c. 30, § 42, the Attorney General will develop and implement a plan for the destruction of obsolete personal data.


Top of Page

11.05: Access to Personal Data By Persons Other Than The Data Subject

(1) General Rules Regarding Access To Personal Data.

(a) Regulation of Access to Personal Data. Except as provided in 940 CMR 11.05(1)(b), the officer in charge of each system will not permit access to personal data to any person other than an employee of the Department or the data subject unless such access is authorized by state or federal statute or regulation consistent with the purposes of M.G.L. c. 66A or is approved by the data subject whose personal data are sought if the data subject is entitled to access as provided in 940 CMR 11.06.

(b) Exception for Medical or Psychiatric Emergencies. Where release of personal data is not authorized by statute or regulation, medical or psychiatric data may be made available to a physician treating a data subject, upon the request of said physician, if a medical or psychiatric emergency arises which precludes the data subject's giving approval for the release of such data; provided, however, that the Department will give notice of the fact of such release to the data subject upon termination of the emergency.

(c) Approval by Data Subject. A data subject may authorize access to his personal data concerning himself in writing.

(d) Response to Compulsory Legal Process. The Department will, as required by M.G.L. c. 66A, § 2(k), ensure that no personal data are made available from its personal data systems in response to a demand for data made by means of compulsory legal process unless the data subject has been notified of such demand in reasonable time that he may seek to have the process quashed.

(e) Dissemination for Purposes of Settling a Case. Personal data may be disseminated by the Department where such dissemination is necessary to make a good faith effort to resolve or settle a case which will otherwise be necessary to litigate.

(f) Access for Authorized Research. Access to personal data may be granted by the Department to personal data which it holds where a research project meets requirements of the provisions in 940 CMR 11.10.

Top of Page

11.06 Access by Data Subjects

(1) Public Inquiry. Where an individual has reason to believe that personal data relating to him are held, the individual may request, in writing, that the Attorney General or his designee locate all personal data held by the Department of the Attorney General.

(2) Request of Individual for Notification of Holding. The Department will inform any individual in writing, within 20 days, of receipt of a request, whether the Department maintains any personal data concerning such individual.

(3) Right of Data Subject to Access. Unless access by a data subject is prohibited by statute, the Department will, as promptly as possible, but in any event within 20 days of receipt of a request, grant access to any data subject to any personal data concerning him which the Department holds. In addition, such data subject shall have the right to inspect and to copy any personal data to which he has access.

(4) Notification of Denial of Access to Data. The Department will, within 20 days of receipt of a request, notify in writing an individual, in terms comprehensible to him, of its denial of his request for access, and the reasons therefore.


Top of Page

11.07: Objections

(1) Objections by Data Subjects. A data subject who objects to the collection, storage, maintenance, dissemination, withholding, use, accuracy, completeness or type of personal data held regarding him, may file an objection with the officer in charge of the personal data system complained against designated pursuant to 940 CMR 11.03(1).

(2) Duties of Responsible Officer Pursuant to Objection. The Officer responsible for a data system shall, within 30 days of the receipt of an objection:

(a) investigate the validity of the objection;

(b) if, after the investigation --

1. the objection is found to be meritorious, correct the contents of the data or the methods for holding or the use of such data; or,

2. if the objection is found to lack merit, provide the data subject the opportunity to have a statement reflecting his views recorded and disseminated with the data in question; and

(c) notify the data subject in writing of his decision.

Top of Page

11.08: Enforcement

(1) Sanctions Against Department Employees. Any employee of the Department found breaching the confidentiality of data subjects through violation of 940 CMR 11.00 shall be subject to reprimand, suspension, dismissal, or other disciplinary actions by the Attorney General consistent with the Personnel Manual of the Department and may be denied future contact with personal data and removed from holding responsibility relative to such information.


Top of Page

11.09: Exemption From 940 CMR 11.00

Pursuant to the definitions of data subject of personal data in and personal data system in 940 CMR 11.02, the following are exempt from 940 CMR 11.00:

(1) All intelligence and evaluative information held within the Department;

(2) All criminal offender record information held within the Department;

(3) Any records or data or parts thereof pertaining to corporations, corporate trusts, partnerships, limited partnerships, trusts, sole proprietorships, or other business entities, including such records or data held by the Consumer Protection Division, the Division of Public Charities, the Criminal Bureau, and any other Bureau, Division, or Section within the Department.

(4) Work product contained in the files maintained by the Attorney General or any employee of the Department in their representation of any matter in any proceeding. The data subject's access to such information in these files shall be limited to that available to him through existing discovery rules.

Top of Page

11.10: Requirement for Research Projects Eligible for Access to Personal Data

(1) Applicability.

(a) All individuals and agencies outside of the Department of the Attorney General which seek access to or use of personal data contained in any personal data system of the Attorney General for purposes of research shall apply to the Attorney General for approval for such access or use.

(b) The word "research" shall, whenever used in this part mean careful, diligent, studious inquiry involving critical and exhaustive investigation or experimentation having for its aim the discovery of new facts and their correct interpretation, or the revision of accepted conclusions, theories, or laws.

(2) Requirement of Prior Approval. Any individual or agency referred to in 940 CMR 11.10(1) shall obtain the prior approval of the Attorney General in order to have access to or use of personal data.

(3) Qualifications of Researcher.

(a) In order to be considered for approval to conduct research with personal data, the person in charge of such research shall demonstrate his qualifications by submitting relevant information which may include prior research, publications, or letters of recommendation.

(b) Researchers working for, or sponsored by a recognized private or public research organization such as a college, university, private research foundation or a public agency that has an explicit mandate to perform research may be presumed qualified where such research organization certifies that the research project is for valid educational, scientific or other public purposes.

(4) Purposes and Quality of the Research. The Attorney General may approve or not approve a request for access to or use of personal data based upon the purposes for which the research is being conducted, the quality of the research project design, and the compliance with other requirements of 940 CMR 11.00.

(5) Completion of a Written Application. Each party requesting access shall complete a written application for the approval of the Attorney General. The written application shall:

(a) provide a detailed description of the research project;

(b) specify precisely the information required and reasons why access to or use of such information is necessary; and

(b) the security and privacy measures to be taken in order to safeguard unauthorized access to or use of personal data.

(6) Security and Privacy Requirements. All research projects eligible for approval shall be designed to preserve the anonymity of the individuals to whom the personal data relate except as provided in 940 CMR 11.10(8). The following requirements shall be met and conditions accepted before the Attorney General will permit an applicant access to personal data:

(a) All personal identifiers shall be excluded from each record before access to or use is given to the researcher, or before such data is removed from the possession and control of the Department.

(b) In the event that the removal of personal identifiers alone is insufficient to preserve data subject anonymity, the Attorney General may also require other information to be excluded.

(c) In cases where the purposes of the research justify and require access to personal identifiers by the researcher, the researcher shall separate the personal identifiers from the rest of the personal data record prior to removing any such record from the custody or control of the Department.

1. Where it is necessary to use identifying information for further carrying out the research, the researcher shall develop an arbitrary code consisting of a non-duplicating numbering system. Each number shall be linked to identifying information on an identifying key kept separate from the personal data record no longer having identifiers. In place of the personal identifiers, the personal data record shall now contain the number which links it to the personal identifiers on the identifying key.

2. The identifying key shall be kept by the Attorney General, unless specific approval is given for another arrangement.

3. Such an identifying key shall be maintained in a secure place, and when not actually being used shall be kept in a locked container accessible only to the person in charge of the research, or the Attorney General or his designee.

4. The identifying key shall be destroyed and its destruction certified in writing whenever the need under the research for such a key ceases, or the Attorney General deems such destruction necessary to protect security and privacy.

5. Except for the Attorney General, or his designee, only the person in charge of the research and any of his staff specifically named in the research application may have access to the identifying key.

(d) No information gathered from personal data may be reproduced except with the specific approval of the Attorney General. The person in charge of an approved research project and all other persons having access to personal data must sign written assurances that these prohibitions will be honored.

(e) Each member of the research staff shall complete an agreement that he will not disclose to unauthorized persons any personal data or information extracted therefrom except in the form of research reports referred to below in 940 CMR 11.10(6)(g).

(f) At the completion of the research, data gathered from personal data shall either be returned to its source or destroyed. If the person in charge of the research certifies that the data may be used for a research purpose at some later date or that the data has been combined and stored with other data collected by the project so that its expungement would be both difficult and costly and the Attorney General is satisfied that sufficient security measures have been taken to protect that data, the applicant may keep such data.

(g) Findings and conclusions in any publicly available research reports must be presented so that individuals cannot be identified, either directly or by specifying items of the information or the small number of units in any statistical sample.

(7) Right to Inspect. The Attorney General or his designee shall have the right to inspect any research project periodically. The Attorney General may require periodic compliance reports. Any report based upon the personal data shall be submitted to the Attorney General prior to publication, so that the Attorney General may determine whether the privacy rights of any data subject would be violated by such publication.

(8) Exception to Security and Privacy Requirements. Where research is being performed that entails by its very nature the publication of identifying information, and the personal data to which access is required is greater than 25 years old, the Attorney General may permit personal data to be disseminated where he certified in writing that the public interest in dissemination clearly outweighs the interest in security and privacy.

(9) Sanctions for Failure to Comply. Upon the failure to comply with either the statute or 940 CMR 11.00, the Attorney General may (a) deny access to personal data in the future; (b) terminate current access to personal data; or (c) demand and secure the return of all personal data. Violations of 940 CMR 11.00 may also subject the violator to applicable statutory sanctions.


Top of Page

REGULATORY AUTHORITY

940 CMR 11.00: M.G.L. c. 66A, § 3.