The following requirements for maintenance of audit trails shall be observed:
- (1) Where such records are held, in whole or in part in computer or in electronically controlled or accessible files, the audit trail shall include a complete and accurate record of every disclosure of client or applicant records, including: the date of access; and the name of the individual or organization to whom access is granted; and the purpose of the access; and the authorization for granting access.
- (2) Where such records are held in manual files, the person granting access to records or information shall, to the maximum extent feasible, make a notation each time access to a record or information is granted. Such notation shall include the date of access; the name of the individual or organization to whom access is granted; the purpose of the access; and the authorization for granting access.
- (3) 107 CMR 2.15 shall not apply to use of or access to client or applicant records by employees of the Commission acting within the scope of their official duties.