(a) Personal data will not be maintained unless relevant and necessary to accomplish the lawful purposes of the Department. Where the Department finds irrelevant or unnecessary public records in its possession, the Department shall dispose of the records in accordance with its records retention schedule, or, if the records are not disposable under the records retention schedule, request permission from the Public Records Administrator to dispose of the records under Connecticut General Statutes Section 11-8a.
(b) The Department shall collect and maintain all records completely and accurately.
(c) Insofar as it is consistent with the needs and mission of the Department, and where it is practical, personal data shall be collected directly from the person to whom the record pertains.
(d) Department employees involved in the operations of the Department's personal data systems shall be informed of the provisions of (i) the Personal Data Act, (ii) the Department's regulations adopted pursuant to § 4-196, (iii) the Freedom of Information Act and (iv) any other state or federal statute or regulations concerning maintenance or disclosure of personal data kept by the Department.
(e) All employees of the Department shall take reasonable precautions to protect personal data in their custody from the danger of fire, theft, flood, natural disaster, and other physical threats.
(f) The Department shall incorporate by reference the provisions of the Personal Data Act and regulations promulgated thereunder in all contracts, agreements, or licenses for the operation of a personal data system, or for research, evaluation, and reporting of personal data for the Department or on its behalf.
(g) The Department shall have an independent obligation to ensure that personal data requested from any other state agency is properly maintained.
(h) Only employees of the Department with a specific need to review personal data records for lawful purposes of the Department shall be permitted to do so.
(i) The Department of Housing shall keep a written up-to-date list of all individuals entitled to access to each of the Department's personal data systems.
(j) The Department shall ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records shall be sent in envelopes or boxes sealed and marked "confidential."
(k) The Department shall ensure that all records in conventional files are kept under lock and key and, to the greatest extent possible, are kept in controlled access areas.
(l) To the extent practical, automated equipment and records shall be located in a limited access area.
(m) To the extent practical, the Department shall permit visitors or non-operations personnel to enter the limited access area only for a necessary, specific, and authorized purpose. Any person entering this area must sign a visitor's log.
(n) To the extent practical, the Department shall ensure that regular access to automated equipment is limited to operations personnel.
(o) The Department shall implement appropriate access control measures to prevent disclosure of personal data on automated systems to unauthorized individuals.