January 29, 1998 98-R-0173
FROM: Sandra Norman-Eady, Senior Attorney
RE: Personal Data Act
You asked for a summary of the Personal Data Act, including a summary of all changes since it was enacted.
Connecticut enacted the Personal Data Act in 1976. Dr. Herbert Sacks, chairman pro tem of the Connecticut Coalition for a Fair Information Practices Act, testified before the Judiciary Committee that the “principal motivating forces behind the Act have been the accrual of large amounts of information by the states on its citizenry and the stimulation provided by the Washington hearings leading to the establishment of the federal privacy act of 1974, which became effective on September 27, 1975.” The act was modeled after Massachusetts' version of the Fair Practices Act.
The 1976 act (PA 76-421) regulated the maintenance and dissemination of personal data by any state board, commission, department, or officer other than the legislature, courts, governor, lieutenant governor, attorney general, or town or regional boards of education. More specifically, the act (1) prohibited state agencies from disseminating personal data without the subject's consent, (2) specified the manner in which personal data had to be maintained and administered and the right of data subjects regarding access to and dissemination of such data, (3) required agencies subject to the act to adopt regulations on use and maintenance, and (4) subjected agencies that violated its provisions to civil penalties.
The Personal Data Act has been substantially amended five times since its enactment—once in 1977, twice in 1978, and once each in 1979 and 1984. This report begins by summarizing the current law and then each of the revisions in descending, chronological order by year.
PERSONAL DATA ACT
The act requires each state or municipal board, commission, department, or officer, except town or regional boards of education, that maintains a collection of records containing personal data to:
1. keep a record of everyone who has obtained access to or to whom disclosure has been made of personal data and the reason for each disclosure or access for at least five years;
2. make this record available upon request;
3. maintain only that information about a person that is relevant and necessary for the agency to accomplish its lawful purpose;
4. inform an individual who makes a written request whether the agency maintains personal data concerning him;
5. disclose to anyone who so requests all personal data concerning him that the agency maintains; and
6. establish procedures that allow a person to contest the accuracy, completeness, or relevancy of his personal data; allow personal data to be corrected when the agency concurs with the proposed correction; and allow a person who believes that the agency maintains inaccurate or incomplete personal data concerning him to add a statement to the record setting forth what he believes to be an accurate or complete version of that personal data (CGS § 4-193).
“Personal data” means any information about a person's education, finances, medical or emotional condition or history, employment or business history, family or personal relationships, reputation or character, which because of name, identifying number, mark, or description can be readily associated with a particular person (CGS § 4-190 (9)).
If an agency determines that disclosing a person's medical, psychiatric, or psychological data to him would be detrimental, the agency may refuse to disclose that personal data and advise the requestor of his right to seek judicial relief. Any agency that refuses to disclose personal data on this ground must permit a qualified doctor to review it to determine if it should be disclosed. If the doctor recommends disclosure, the agency must disclose it. If he recommends nondisclosure, the agency must not disclose it and must inform the requestor of his right to seek judicial relief (CGS § 4-194).
Anyone aggrieved by an agency's decision not to disclose his personal data to him may petition the Superior Court for the judicial district in which he resides for an order requiring the agency to disclose it. The petition must be filed within 30 days of the date of the refusal. The court must issue the requested order unless it determines that disclosure would be detrimental to the person or otherwise prohibited by law (CGS § 4-195).
Each agency maintaining personal data must have regulations describing the nature and purpose of its personal data system, the categories of personal and other data kept in the system, the agency's procedures regarding personal data maintenance, and how the agency intends to use the information (CGS § 4-196).
Any agency that violates the act is subject to an action for injunctive relief, a declaratory judgment, or a mandamus or civil action for damages. The action may be brought in the Hartford-New Britain Superior Court. In all actions, except a civil action for damages, prosecution may be brought in the name of the state. Anyone who prevails in an action against an agency is entitled to court costs and reasonable attorney's fees (CGS § 4-197).
REVISIONS TO THE PERSONAL DATA ACT
An Act Concerning Confidentiality of Personal Data (PA 77-431)
This act:
1. required personal medical, psychiatric, or psychological data (when nondisclosure was not mandated by statute) to be disclosed to patients if their doctors recommended it and the patient requested it;
2. prohibited disclosure when a physician recommended nondisclosure but required the agency to inform the requestor of his right to petition the Court of Common Pleas for disclosure;
3. specified that agencies had to maintain records of each person or organization to whom personal data was disclosed for at least five years or for the life of the record, whichever was longer;
4. required people requesting their own personal data to do so in writing and required the agency releasing it to present it in a form understandable to the requestor;
5. expanded the definition of “computer accessible files,” which was one type of personal data system, to include microfilm, internal memory, and telecommunications control units;
6. defined “record” as any collection of personal data collected, maintained, or disseminated; and
7. postponed the effective date of the original act from July 1, 1977 to January 1, 1978, except the effective date of the section that required agencies to adopt regulations concerning personal data was advanced from July 1 to June 14, 1977.
An Act Concerning Security and Privacy of Criminal History Record Information as Required by Federal Regulations (PA 78-200)
This act removed criminal history records from the definition of “personal data.”
An Act Concerning State Building Contracts and the Disclosure of Personal Data Without Permission (PA 78-362)
This act permitted state agencies to disclose personal data without an individual's consent if the data was necessary for the collection of outstanding student loans or any other obligations owed to the state.
An Act Concerning the State Personal Data Act (PA 79-538)
After conflicts arose over how to reconcile the Personal Data Act, which prohibited state officials from disclosing personal data without the subject's consent, with the Freedom of Information Act, which requires public records to be disclosed, this act was passed repealing that part of the Personal Data Act that prohibited state officials from disclosing personal data without the subject's consent. In so doing, the act made personal data contained in public records available for public inspection without the consent of the data subject unless state statute or federal law prohibits disclosure.
The act also specifically required state agencies, which already had to inform employees with access to personal data about the Personal Data Act and other relevant disclosure statutes, to inform them about the Freedom of Information Act as well.
The act left intact those provisions of the Personal Data Act that require state agencies to disclose personal data in their files to the data subject, on request, and to allow the subject to contest the data's accuracy.
An Act Concerning the Protection of Personal Data Maintained by State and Municipal Agencies (PA 84-380)
This act made the Personal Data Act applicable to municipal employees. It specified that only state agencies had to adopt personal data system regulations and permitted the attorney general to disapprove regulations that failed to conform to his standards.