801 CMR: EXECUTIVE OFFICE FOR ADMINISTRATION AND FINANCE
801 CMR 3.00: PRIVACY AND CONFIDENTIALITY
3.01:   General Provisions
3.02:   Administration of Personal Data
3.03:   Objections and Administrative Appeals
3.04:   Access by the Office of the Attorney General
3.01:   General Provisions
(1) Authority. 801 CMR 3.00 is promulgated in accordance with M.G.L. c. 66A, and M.G.L. c. 214.
(2) Scope and Purpose. Except where otherwise provided by law or judicial order, 801 CMR 3.00 shall apply to the collection, maintenance, and dissemination of personal data. 801 CMR 3.00 shall not apply to:
(a) Criminal offender record information as defined in M.G.L. c. 6, § 167;
(b) Intelligence, or evaluative information as defined in M.G.L. c. 6, § 167; or
(c) Any data contained in a public record as defined in M.G.L. c. 4, § 7.
(3) Applicability. 801 CMR 3.00 is jointly promulgated by and, except where otherwise provided by law or judicial order, shall apply to the Executive Office for Administration and Finance, the Executive Office of Elder Affairs, the Executive Office of Environmental Affairs, the Executive Office of Health and Human Services, the Executive Office of Transportation and Construction, the Executive Office of Public Safety, the Departments of Economic Development, Housing and Community Development, and Labor and Workforce Development, and the Office of Consumer Affairs and Business Regulation.
(4) Definitions. Refer to all definitions and provisions appearing in M.G.L. c. 66A and M.G.L. c. 214 §§ 1B and 3B.
3.02:   Administration of Personal Data
(1) Need to Know Standard. Each holder shall permit only those employees whose duties require access to have access to personal data.
(2) Informed Consent. Any agency or department requesting a person to supply personal data not strictly for statistical purposes, shall inform the person
(a) of the intended use of the data;
(b) of any legal requirement to supply the data; and
(c) the legal consequences of a refusal to supply the data.
3.03:   Objections and Administrative Appeals
(1) Objections by Data Subjects. A data subject who objects to the collection, maintenance, dissemination, use, accuracy, completeness, type of, or denial of access to, personal data held regarding him, may file an objection with the officer in charge of the personal data system. If the officer is unavailable, the data subject may make his or her objection to the appropriate agency head.
(2) Responsibilities of Holder Pursuant to Objections. Pursuant to a data subject's objection, the officer responsible for a data system shall investigate the validity of the objection within 30 days of receipt of the objection. He or she shall notify the data subject in writing of the results of his or her investigation.
(a) If the officer determines that the objection is meritorious, he or she shall correct the contents of the data or the methods for holding or use of the data.
(b) If the officer determines that the objection is without merit, he or she shall inform the data subject that the subject may provide a statement reflecting the data subject's position regarding the data and that the statement shall be included and disseminated with the data. The officer shall provide written notice of the objection, the results of the investigation, and the action taken to the agency head under whose authority the personal data are held.
(3) Appeal of Holder's Decision. Any data subject, or his agent, who objects to the decision of the officer in charge of the personal data system, may appeal the matter to the agency head under whose authority the personal data in question are held. The appeal shall be filed in writing within 30 days of notification of the decision by the officer in charge.

The agency head shall review the objection, and may hold an informal hearing to determine the merit of the appeal. Within 30 days of receipt of the written appeal, the agency head shall notify the data subject of the decision.

(a) If the agency head determines that the objection is meritorious, he or she shall correct the contents of the data or the methods for holding or use of the data.
(b) If the agency head determines that the objection lacks merit, he or she shall inform the data subject that the data subject may provide a statement reflecting the data subject's views and that the statement shall be included and disseminated with the data in question.
(4) Failure to Render a Decision. Failure to render a decision at any stage of the appeal process, within the time periods set out in this part, shall constitute a denial. Where a denial results from failure to render a decision, any reviewing court should not give deference to the denial.
3.04:   Access by the Office of the Attorney General
Whenever a data subject files or threatens to file a claim against the Commonwealth, including executive offices, agencies, or departments, or against any employee or officer of the Commonwealth, concerning a matter within the scope of the office or employment with the Commonwealth, any personal data concerning the data subject that is relevant to the determination of issues in dispute shall be provided to the Office of the Attorney General upon request. Such request must be in writing and contain a clear description of the data sought, the reason for the request, and the intended use of the data. In supplying such data, the holder must redact any data concerning non-parties. Any personal data indicating a violation of law may be referred to the Office of the Attorney General for investigation and enforcement. Any authorized assistant attorney general may further disclose the personal data to the extent deemed necessary to defend the Commonwealth, officer or employee effectively against the data subject's claim. No data may be released where prohibited by statute.
REGULATORY AUTHORITY
801 CMR 3.00: M.G.L. c. 66A; M.G.L. c. 214, §§ 1B and 3B.