Doc. T77-059, Passed by the Board of Trustees on February 2, 1977, Part I. General Provisions, Section 101. Authority, These regulations are promulgated pursuant to the provisions of General Laws chapter 75, sections 1 & 3, and the requirements of General Laws chapter 66A, as inserted by Statute 1975, chapter 776., Section 102. Scope and Purpose, Except where otherwise provided by law or judicial order the provisions of these regulations shall apply to the collections, maintenance, and dissemination of personal data contained in manual or computerized personal data systems. These regulations shall not apply to: criminal offender record information as defined in General Laws chapter 6, section 167; intelligence, analytical, or…, Section 103. Definitions, Audit Trail “Audit Trail” shall mean a recording by a holder of all persons who obtain access to the personal records of a data subject. Board “Board” shall mean the Board of Trustees of the University of Massachusetts. Campus and Campus Head “Campus” shall mean, depending on its context, the University of Massachusetts at Amherst, the University of Massachusetts at Boston, or the University of…, Part II. Administration, Section 201. Identification and Maintenance, Each campus shall identify the kinds of personal data held, and shall maintain such data with such accuracy, completeness, timeliness, pertinence and relevance as is necessary to assure fair determination of a data subject's qualifications, character, rights, opportunities or benefits when such determinations are based upon such data., Section 202. Individual in charge of Personal Data System, Each campus shall, for each personal data system it maintains, designates one person who serves as the officer immediately responsible for such system., Section 203. Additional Procedures, Each campus may, subject to the approval of the Board, adopt such supplemental procedures not inconsistent with these regulations as may be deemed necessary or convenient to the accomplishment of the purposes of General Laws chapter 66A., Section 204. Holder Agreements, Any campus holding personal data shall assure that all agreements affecting the collection, maintenance, or dissemination of personal data established between a holder and a person or entity not otherwise subject to these regulations, shall contain provisions requiring compliance with the regulations. Where agreements are absent, agencies shall arrange for the development of the same in order to…, Section 205. Personnel Security, Each campus shall permit only those employees whose duties require it to have access to personal data, and shall: keep to a minimum the number of employees whose duties involve access to personal data; inform existing personnel concerning standards of confidentiality and security required by these regulations; not allow any other agency or individual not employed by the University to have access…, Section 206. Physical Security, Each campus shall take reasonable precautions to protect personal data from dangers of fire, theft, unauthorized access, flood, natural disasters or other physical threat., Section 207. Periodic Review of Data Held; Expunction of Obsolete Data, Each campus shall periodically, or at the request of the data subject, review its personal data systems with respect to the accuracy, current need, relevance and timeliness of data held. The campus shall expunge all obsolete personal data in accordance with existing University policy on the keeping of records. If any data subject desires some item which he deems inappropriate removed from his…, Section 208. Use of Personal Data for Unrelated Purposes, Except where otherwise provided by statute, regulation or judicial order, personal data collected for one or more purposes, shall not be used for another unrelated purpose without informing the data subject and receiving his approval., Section 209. Duplicate Files, each holder shall insure that the number of duplicate files of personal data is maintained at an absolute minimum. each holder shall insure that any duplicate file systems are maintained consistent with the requirements of these regulations., Section 210. Audit Trail, Each holder shall maintain the most feasibly precise records indicating the names of all persons who have requested or gained access to personal data on a data subject, and the interest such person has expressed in obtaining such access. Such records or audit trails shall conform to the following requirements: where such data are held in computerized form, the data system shall have the…, Section 211. Dissemination – Notice to Subsequent Holders, Each holder, when disseminating personal data, shall ensure that any subsequent holder is aware of the requirements of these regulations, General Laws chapter 66A, other pertinent statutes, and any written policy directive developed by such campus relating to the use of such data, and shall take all reasonable steps to assure that such data is used only in accordance with such mandates:…, Section 212. Automation of Personal Data, Each campus, prior to the computerization or automation of any existing personal data system and prior to the initial development of any new manual or computerized system, shall: assure that such automation will be in compliance with each of the mandates presented in this part, particularly, provisions for an annual report, an audit trail and for periodic review of data held in accordance with…, Section 213. Notice and Annual Report to the Secretary of State and the Board, Each campus shall be September 1, 1976, and annually thereafter, and upon the subsequent establishment, termination, or change in character of a personal data system file a report with the Secretary of State and the Board regarding each personal data system it operates. Such report shall include, but not necessarily be limited to, the following information: the name of the system; the nature and…, Section 214. Directory Information, Directory information, as defined in section 103(f) above, may be disseminated generally, provided, that each campus shall cause to be published a statement listing the type of directory information it intends to publish or disseminate, and shall provide an opportunity for data subjects to request that such information concerning them not be published or disseminated except as required for…, Part III. General Provisions, Section 301. Holding to Data Subjects, Each campus shall inform data subjects of their rights under these regulations and other pertinent statutes of the type of data held by the agency, the length of time of such holding, and the expected uses of such data. Such notice may be given by posting general descriptions of data systems in appropriate places or by publication. No personal identifier shall be used in such posting or…, Section 302. Requests on Data, A holder, upon request of an individual, shall inform the individual, in writing, whether such holder maintains any personal data concerning him., Section 303. Statement of Rights, A holder shall furnish to any person requested to provide personal data a statement listing all individual rights set forth in these regulations., Section 304. Right of Access of Data Subject, Each data subject shall, upon written request, have access to any personal data concerning him, except where prohibited by law or judicial order or where the subject has waived his right to have such access pursuant to section 308. Such personal data shall be made available to the subject in a form comprehensible to him, and if failure to provide the subject with a copy of the data would…, Section 305. Rules Governing Access to Data, A holder may adopt reasonable written rules governing access to personal data, consistent with these regulations and all pertinent legislation, which: insure that any substitute or proxy for the individual data subject be duly authorized by him; regulate the time and place for inspection and the manner and cost of copying; provided that the time for inspection shall not be unduly restricted nor…, Section 306. Denial of Access to Data, A holder may deny a request by a data subject for access to personal data, which consists of psychiatric or psychological data, only if the denial of access is permitted by statute., Section 307. Notification of denial of Access to Data, A holder shall notify in writing any individual of its denial of his request for access, the reasons therefore, and the rights of appeal se forth in sections 315-317., Section 308. Waiver of Right of Access to Certain Data, A data subject may waive his right of access to confidential letters or statements of recommendation or evaluation, provided (a) that section 310 of these regulations shall have been complied with; (b) that the data subject, upon request, shall have been informed of the names of all persons submitting confidential recommendations or evaluations; (c) that such recommendations or evaluations shall…, Section 309. Right to Give or to Withhold Informed Consent or Waiver, Each data subject may give or withhold informed consent or waiver when requested by any holder to provide personal data., Section 310. Criteria for Informed Consent or Waiver, Consent or waiver may be deemed to be “informed” only if the holder provides the following information to the data subject and the data subject indicates his understanding and agreement: an explanation of how the data requested will be used and held; a statement identifying the agencies or person who are likely to receive or hold the data, and an assurance that all such holders will keep the data…, Section 311. Emergencies, A holder may disseminate medical or psychiatric data to a physician treating a data subject, upon the request of said physician, if a medical or psychiatric emergency arises which precludes the data subject from giving approval for the release of such data provided, however, that the data subject shall be given notice of such access upon termination of the emergency., Section 312. Duties of Information Officers, Each officer described in section 202 shall insure that all data subjects enjoy the rights provided under these regulations, and under General Laws chapter 66A, and she shall: receive complaints and objections; answer questions; and direct operations: with respect to the privacy, confidentiality, and security of personal data., Section 313. Objections by Data Subjects, A data subject who objects to the collection, maintenance, dissemination, use, accuracy, completeness or type of personal data held regarding him, may file an objection with the officer in immediate charge of the personal data system complained against. Should said officer be unavailable, the data subject may make his objection to the next immediate superior of such officer who is available., Section 314. Responsibilities of Holder Pursuant to Objection, Pursuant to an objection by a data subject, the officer in immediate charge of data systems shall within thirty (30) days of the receipt of the objection: notify, in writing, the appropriate individual under whose authority personal data is held regarding the nature of the objection; investigate the validity of the objection; and if, after the investigation: the objection is found to be…, Section 315. Appeal of Officer’s Decision, Any data subject, who objects to the decision of the officer in charge of the personal data system, may appeal the matter to the campus head under whose authority the personal data in question are held. Such appeal shall be filed in writing withing thirty (30) days of notification of the decision by the officer in charge of the personal data system., Section 316. Campus Head; Adjudicatory Hearing, A campus head or his designee hearing an appeal filed pursuant to section 315 shall: at the behest of the appellant data subject conduct a hearing withing thirty (30) days of the receipt of such appeal, and render a decision on the merits withing thirty (30) days of the conclusion of said hearing; notify, withing seven (7) days of the rendering of a decision, in writing, the appellant data…, Section 317. Failure to Render a Decision, Any failure to render a decision at any stage of the appeal process within the time periods set out in this part shall result in a decision favorable to the appellant data subject, except that the time periods may be extended by agreement between the data subject and the holder complained of., Section 318. Judicial Relief, No provision of this Part shall be interrupted in such a way as to preclude a data subject or the Attorney General from bringing an action in a court of proper jurisdiction in accordance with General Laws chapter 214, section 3B, as added by statute 1975, chapter 776, section 3., Part IV. Enforcement, Employees of the University of Massachusetts Any employee of the University found breaching the confidentiality of data subjects through violation of these regulations shall be subject to reprimand, suspension, dismissal, or other disciplinary actions by the President or Chancellor consistent with the rules and regulations of the Board and laws of the Commonwealth governing its employees, and may…, Section 402. Judicial Relief, Each campus shall be responsible for monitoring compliance with these regulations with respect to each personal data system under his general supervision.
Type: Book page
