Appendix A
Summary of Personal Data Act
Under the Personal Data Act, each agency must:
1. Inform each employee who operates or maintains a personal data system, or who has access to personal data, of the provisions of the Personal Data Act; the agency regulations required by the PDA (see item 9 below); the Freedom of Information Act; and any other state or federal law concerning the maintenance or disclosure of personal data kept by the agency;
2. Take reasonable precautions to protect personal data from the dangers of fire, theft, flood, natural disaster or other physical threats;
3. Keep a complete record of every individual or entity who has obtained access to personal data, and the reason for access, and maintain this record for at least 5 years after access was given or for the life of the record under the agency's retention schedule, whichever is longer;
4. Make available to the person to whom the personal data pertains the record kept under item 3, upon written request;
5. Maintain only relevant and necessary information about a person to accomplish the lawful purposes of the agency;
6. Inform an individual in writing whether the agency maintains personal data concerning him or her, upon written request;
7. Disclose to a person, upon written request, all personal data concerning him or her maintained by the agency (but the agency cannot disclose personal data about other persons in this process);
8. Establish procedures that 1) allow a person to contest the accuracy, completeness or relevancy of his or her personal data; 2) allow personal data to be corrected upon request of a person when the agency agrees with the proposed correction; 3) allow a person who believes the agency maintains inaccurate or incomplete personal data concerning him or her to add a statement setting out what he or she believes to be an accurate or complete version of the personal data. (The statement becomes a permanent part of the agency's personal data system and must be disclosed to anyone to whom the disputed personal data is disclosed.)
9. Adopt regulations that describe: the general nature and purpose of the agency's personal data systems; the categories of personal and other data kept in the agency's personal data systems; the agency's procedures regarding the maintenance of personal data; and the uses to be made of the personal data maintained by the agency.
Finally, an agency may refuse to disclose medical, psychiatric or psychological data to the person to whom the data pertains if the agency believes disclosure would be detrimental to the person, or if nondisclosure is allowed or required by law. (In this situation, the agency must advise the person of his or her right to appeal the decision to court.)