(a) Within four business days of receipt of a written request the Department shall mail or deliver to the requesting individual a written response in plain language, informing him/her as to whether or not the Department maintains personal data on that individual, the category and location of the personal data maintained on that individual and procedures available to review the records.
(b) Except where nondisclosure is required or specifically permitted by law, the Department shall disclose to any person upon written request all personal data concerning that individual which is maintained by the Department. The Department's procedures for disclosure shall be in accordance with Sections 1-15 through 1-21k of the General Statutes. If the personal data is maintained in coded form, the Department shall transcribe the data into a commonly understandable form before disclosure.
(c) The Department is responsible for verifying the identity of any person requesting access to his/her own personal data.
(d) The Department is responsible for ensuring that disclosure made pursuant to the Personal Data Act is conducted so as not to disclose any personal data concerning persons other than the person requesting the information.
(e) The Department may refuse to disclose to a person medical, psychiatric or psychological data on that person if the Department determines that such disclosure would be detrimental to that person.
(f) In any case where the Department refuses disclosure, it shall advise that person of his/her right to seek judicial relief pursuant to the Personal Data Act.
(g) If the Department refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and nondisclosure is not mandated by law, the Department shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If disclosure is recommended by the person's medical doctor, the Department shall disclose the personal data to such person; if nondisclosure is recommended by such person's medical doctor, the Department shall not disclose the personal data and shall inform such person of the judicial relief provided under the Personal Data Act.
(h) The Department shall maintain a complete log of each person, individual, agency or organization who has obtained access or to whom disclosure has been made of personal data under the Personal Data Act, together with the reason of each such disclosure or access. This log must be maintained for not less than five years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.