Can I ignore my obligations as a service provider with access to personal information in Massachusetts? What are the requirements?
Obligations of Service Providers with Access to Personal Information in Massachusetts
As a service provider with access to personal information in Massachusetts, you cannot ignore your obligations under the law. Two sets of rules are relevant. First, the Massachusetts Attorney General's Office (AGO) has adopted regulations under M.G.L. c. 66A (the Fair Information Practices Act) governing the receipt, collection, maintenance, and dissemination of personal data held in the AGO's personal data systems; those rules bind the AGO itself and anyone, including a contracted service provider, who is given access to that data [1.2][1.3]. Second, and independently of any AGO contract, every person that owns or licenses personal information about a Massachusetts resident must maintain a written information security program [2.1].
The requirements are as follows:
- General Rules Regarding Personal Data [1.2]:
- Service providers shall not collect or maintain more personal data than is reasonably necessary for the performance of their functions.
- Service providers shall take reasonable precautions to protect personal data from dangers of fire, identity theft, theft, flood, natural disaster, or other physical threat.
- Personal data may be received, collected, and maintained from agencies, public officials, and employees that the AGO represents in civil litigation, and, for law enforcement purposes, from other federal, state, or local governmental entities, including the courts. A service provider acting for the AGO may handle such data only within the scope of that work.
- Access to Personal Data by Data Subjects [1.1]:
- Data subjects may request, in writing, that the AGO perform a search to locate their own personal data held within the personal data systems maintained by the AGO.
- The AGO shall inform any data subject in writing whether it maintains any personal data concerning such individual within its personal data systems.
- Where access is required by law, the AGO shall grant a data subject access to their own personal data within the personal data systems maintained by the AGO.
- The AGO may charge fees for responding to a request under M.G.L. c. 66A.
- Access to Personal Data by Persons Other than the Data Subject [1.3]:
- The AGO shall not allow any other agency or individual not employed or contracted by the AGO to have access to personal data unless such access is authorized by law, or is approved by the data subject if the data subject is entitled to access under M.G.L. c. 66A.
- The AGO may disseminate personal data to persons other than the data subject in certain circumstances, such as in response to compulsory legal process or where such dissemination is necessary to make a good faith effort to settle a case in which the AGO is or represents a party in the course of litigation.
- Duty to Protect and Standards for Protecting Personal Information [2.1]:
- Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program. The program must be written in one or more readily accessible parts and must contain administrative, technical, and physical safeguards appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information.
- The safeguards in the program must be consistent with the safeguards for protecting personal information, and information of a similar character, set forth in any state or federal regulations by which the person who owns or licenses the information is regulated.
Therefore, as a service provider with access to personal information in Massachusetts, you must comply with these regulations. In practice that means collecting and maintaining only the personal data reasonably necessary to perform your functions, and taking reasonable precautions to protect that data from physical threats. Each personal data system must also have a designated Information Officer who serves as the responsible individual under M.G.L. c. 66A, § 2(a); for any AGO system you access on the AGO's behalf, confirm with the AGO who holds that role, and for systems you maintain yourself, designate one [1.2].
If a data subject requests access to their personal data, the request is made in writing to the AGO, which determines whether it holds data on the individual, whether access is required by law, and what fee, if any, applies [1.1]; do not release AGO data to a requester on your own authority. Personal data may be disclosed to persons other than the data subject only where the law authorizes it or the data subject approves, and in the specific circumstances the regulations allow, such as in response to compulsory legal process or where the disclosure is necessary to make a good faith effort to settle a case in which the AGO is, or represents, a party in litigation [1.3].
You must also develop, implement, and maintain a written, comprehensive information security program with administrative, technical, and physical safeguards appropriate to the size, scope, and type of your business, consistent with any other state or federal regulations that apply to you [2.1].
Failure to comply may result in disciplinary action consistent with the AGO Employee Manual and any applicable collective bargaining agreement, and a person who fails to comply may be denied future contact with personal data and removed from any responsibility for such data [1.2].
Source(s):
- [1.1] Access to Personal Data by Data Subjects
- [1.2] Receipt, Collection, and Maintenance of Personal Data
- [1.3] Access to Personal Data by Persons Other than the Data Subject
- [2.1] Duty to Protect and Standards for Protecting Personal Information
Jurisdiction
Massachusetts