Can I collect server log information from participants in Massachusetts? What are the requirements?

Yes, you can collect server log information from participants in Massachusetts, but there are requirements that you must follow.

Requirements for Collecting Server Log Information in Massachusetts

1. Coordination with the Massachusetts State Police and Attorney General: If you plan to collect server log information, you must coordinate with the Massachusetts State Police and Attorney General in accordance with the provisions of M.G.L. c. 22C, § 70, M.G.L. c. 23K, § 6, M.G.L. c. 23N, § 11(d) and M.G.L. c. 12, § 11M ^[2.1][2.2].
2. Secondary Dissemination Log: If you plan to disseminate the collected server log information outside of your organization, you must maintain a secondary dissemination log that records the subject’s name, date of birth, date and time of dissemination, name of the individual to whom the information was disseminated, the specific reason for dissemination, and other information as required by 803 CMR 2.19 ^[3.1].
3. Procedures for Requesting Criminal Offender Record Information (CORI): If you plan to collect server log information to screen your own employees, you must follow the procedures related to the CORI Acknowledgment Form and verification of identity procedures as set forth in 803 CMR 2.11 ^[4.1].
4. Access to the Monitoring Room: If you plan to use server-based monitoring systems, you must have a plan for restricting access to monitoring and recording by unauthorized personnel such as IT personnel and members of management. All servers and related equipment associated with the surveillance system shall be under control of the surveillance department. There shall be limited access to the surveillance server equipment. Notification in writing shall be made to the on-site IEB in advance of any outside vendor having access to the surveillance system. Emergency service access notification may be made via telephone to the on-site IEB, but shall be followed up with notification in writing as to the nature of the emergency. An electronic log shall be generated for any remote access into the system ^[5.1].

Therefore, you can collect server log information from participants in Massachusetts, but you must follow the requirements outlined above.

Source(s):

• [2.1] Coordination with the Massachusetts State Police
• [2.2] Coordination with the Massachusetts Attorney General
• [3.1] Requirement to Maintain a Secondary Dissemination Log
• [4.1] Procedures for Requesting Criminal Offender Record Information (CORI)
• [5.1] Access to the Monitoring Room

Jurisdiction

Massachusetts

• Privacy