Section 5A Personal data; purposes for which disclosure permitted; safeguards; exceptions; unauthorized inspection or disclosure; penalties

Section 5A. (a) Personal data collected and maintained by the IV-D agency shall not be a public record under chapter 66 and access to this data shall be available only to employees of the IV-D agency and its contractors only to the extent reasonably necessary for the performance of said contractors duties; provided, however, that the IV-D agency may disclose such data for purposes connected with establishing paternity, establishing, modifying or enforcing child support obligations pursuant to this chapter and Title IV, Part D of the Social Security Act; and provided further, that subject to subsection (b), section 5B and section 21 of chapter 62C, the IV-D agency may disclose personal data-

(1) to any state or federal public assistance program or to the IV-D agency of another state for purposes connected with the administration of such program or of the child support enforcement program, as authorized by Title IV, Part D of the Social Security Act and by the secretary of the federal department of health and human services;

(2) for the purpose of conducting information comparisons pursuant to section 4;

(3) to persons authorized to receive information from the Federal Parent Locator Service established pursuant to Title IV, Part D of the Social Security Act;

(4) as provided in section 21 of chapter 62C, section 8 of chapter 62E, and section 10 of chapter 14, to the director of the bureau of special investigations for purposes directly connected with detecting and preventing fraud in any assistance program administered by the department of transitional assistance or any program administered by the department of children and families;

(5) to the department of children and families for purposes directly connected with an investigation under section 51B of chapter 119 or proceedings related to termination of parental rights or adoption;

(6) as provided in section 10 of chapter 62D, for the purpose of setoff debt collection pursuant to the provisions of said chapter 62D;

(7) to a person authorized in writing by the parent or, in the case of the child, by the custodial parent or legal guardian of the child, to receive such personal data;

(8) for purposes directly connected to obtaining health care coverage for a child receiving IV-D services, to an employer or provider of health care coverage;

(9) in the case of personal data about an individual parent, to that parent or, in the case of personal data about the child, to the custodial parent or legal guardian of the child.

Before disclosing personal data pursuant to this section, the IV-D agency may require the person or agency requesting such data to verify that such data is required for a purpose permitted by this section and that such data will be used solely for such purpose. The IV-D agency shall limit disclosure to the specific data required by the person or agency to carry out a purpose permitted by this chapter. For the purposes of this chapter, “personal data” shall have the same meaning as provided in section 1 of chapter 66A.

(b) The IV-D agency shall safeguard personal data if the IV-D agency is provided with reasonable evidence of a risk of harm. A state agency, court, IV-D agency of another state, obligor, obligee, and such other persons or entities as the IV-D agency may specify may provide the IV-D agency with reasonable evidence of a risk of harm in such manner as the IV-D agency may require. The IV-D agency shall not be required to safeguard personal data for longer than two years unless the IV-D agency is provided with reasonable evidence of a continued risk of harm in such manner as the IV-D agency may require. The IV-D agency shall notify individuals whose personal data is safeguarded under this section that in order for the safeguards to remain in effect, such individuals must provide the IV-D agency every two years with reasonable evidence of a continued risk of harm. For the purposes of this section, “reasonable evidence of a risk of harm” shall mean reasonable evidence that the release of information may result in physical harm to the parent or child, that the release of information may result in emotional harm to the parent or child which would significantly reduce the parent’s capacity to care for the child, or would significantly reduce the parent or child’s ability to function adequately, or that a protective order or restraining order has been issued on behalf of the parent or the child pursuant to section 18 or 34B of chapter 208, section 32 of chapter 209, section 3, 4 or 5 of chapter 209A, or section 15 or 20 of chapter 209C, or similar law of another jurisdiction.

If the IV-D agency is provided with reasonable evidence of a risk of harm, the IV-D agency, its employees and its contractors shall not disclose any personal data that could otherwise be disclosed pursuant to subsection (a) about the location of a parent or child, including residential address, telephone number, and name, address and telephone number of employer, and shall not disclose the social security number of a parent or child; provided, however, that such personal data may be shared by and between employees of the IV-D agency and its contractors; provided further that the IV-D agency may disclose such personal data to the Federal Parent Locator Service, to a court or agent of a court that is authorized to receive information from the Federal Parent Locator Service established pursuant to Title IV, Part D of the Social Security Act, to the department of transitional assistance, to the department of children and families for purposes directly connected with an investigation under section 51B of chapter 119 or proceedings related to termination of parental rights or adoption, to a person authorized to receive such personal data by the parent or, in the case of the child, by the custodial parent or legal guardian of the child; provided further, that the IV-D agency may disclose personal data for purposes directly connected to obtaining health care coverage for a parent or child receiving IV-D services to an employer or provider of health care coverage and to the division of medical assistance.

If the IV-D agency is provided with reasonable evidence of a risk of harm pursuant to this section, the IV-D agency shall notify the Federal Parent Locator Service established pursuant to Title IV, Part D of the Social Security Act that a risk of harm exists. Upon written request by a court or agent of a court authorized to receive information from the Federal Parent Locator Service, the IV-D agency shall release personal data, which may include location information and social security numbers, to such court or agent, as required by said Title IV, Part D of the Social Security Act; provided, however, that if the IV-D agency has been provided with reasonable evidence of a risk of harm, the IV-D agency shall notify the court or agent that the IV-D agency has received such information and that pursuant to section 5B, before making any disclosure of such personal data, the court is required to determine whether such disclosure to any other person could be harmful to the parent or child. A person or agency seeking disclosure of personal data which the IV-D agency is prohibited from disclosing because of a risk of harm, but which could otherwise be disclosed pursuant to subsection (a), may file a petition with the probate and family court pursuant to section 5B to request disclosure of such personal data.

(c) The IV-D agency shall have in effect safeguards to ensure the integrity, accuracy, and completeness of, access to, and use of data, including personal data and data in the automated system required by section 4, which shall include: (1) written policies concerning access to data by IV-D agency personnel and its contractors, and sharing of data with other persons, which permit access to and use of data only to the extent necessary to carry out the purposes of the child support enforcement program, and which specify the data which may be used for particular program purposes, and the personnel permitted access to such data; (2) systems controls to ensure strict adherence to said policies; (3) routine monitoring of access to and use of the automated system required by section 4, through methods such as audit trails, to guard against and promptly identify unauthorized access or use; (4) procedures to ensure that all personnel, including employees of the IV-D agency and its contractors, who may have or had access to or who may be or were required to use confidential program data and personal data are informed of applicable requirements and penalties, including those in this section, section 6103 of the Internal Revenue Code of 1986 and section 21 of chapter 62C, and are adequately trained in security procedures; (5) penalties, as provided in this section for willful inspection or disclosure of, or unauthorized access to, personal data; and (6) such other safeguards as the commissioner of revenue and the secretary of the federal Department of Health and Human Services may specify in regulations.

The willful inspection or disclosure of personal data, except as authorized by this section or section 5B, by any employee of the IV-D agency, its contractors, or any person obtaining unauthorized access to such data, including data stored in a computer system or computer files, while such data are in the custody of the commissioner of revenue or in the custody of any employee of the IV-D agency or its contractors is prohibited. Personal data may be inspected, and shared by and between employees of the IV-D agency in the performance of their official duties as provided in this chapter. Authorized employees of the department of revenue may disclose personal data to any employee of a contractor of the IV-D agency to the extent necessary for performance of the contracted duties of the employee. Personal data properly disclosed by employees of the IV-D agency may be inspected and shared by and between employees of a contractor of the IV-D agency in performance of their contracted duties and for the purpose for which such data was disclosed. Any violation of this section by an employee of the IV-D agency, its contractors or an officer, director or employee thereof, a person obtaining unauthorized access to personal data, or any other individual shall be punished by a fine of not more than $1,000 with respect to each person concerning whom information has been disclosed or inspected or by imprisonment for not more than one year, or both, and by disqualification from holding office in the commonwealth for such period, not exceeding three years, as the court determines. The determination by the commissioner of revenue that an employee of the IV-D agency, or the determination by another agency head that an employee of such other agency, has made a disclosure or willful inspection of personal data that was not authorized by this section and not protected by the good faith provision of subsection (d) shall be grounds for dismissal of such employee. A violation, as determined by the commissioner of revenue, of this section by an officer, director or employee of any contractor of the commonwealth shall be grounds for prohibiting such officer, director or employee from working on a contract between the contractor and the commonwealth. A violation, as determined by the commissioner of revenue, of this section by any contractor of the commonwealth, or any officer, director or employee thereof, shall also be cause for terminating any current contract between such contractor and the commonwealth and for prohibiting such contractor from entering into any future contract with the commonwealth.

(d) Any unauthorized disclosure or unauthorized willful inspection made in a good faith effort to comply with this section shall not be considered a violation of this section.