(b) The commission shall, when practical and consistent with its needs and purpose, collect personal data directly from the person to whom a record pertains.
(c) All employees who function as custodians for the commission's personal data system, or are involved in the operation thereof, shall be given a copy of the provisions of the personal data act; these regulations; and a copy of the Freedom of Information Act.
(d) All such commission employees shall take reasonable precautions to protect personal data under their control or custody from the danger of fire, theft, flood, natural disaster and other physical threats.
(e) The commission shall incorporate by reference the provisions of the personal data act and these regulations in all contracts, agreements or licenses for the operation of a personal data system or for research, evaluation and reporting of personal data for the commission or on its behalf.
(f) When the commission requests personal data from any other state agency, it shall have an independent obligation to ensure that the personal data are properly maintained, unless otherwise provided by law.
(g) Access to the commission's personal data system is available to commission employees who require such information in the performance of their official and lawful duties and to such other persons who are entitled to access under law. The commission shall keep an up-to-date roster of commission employees entitled to access to the commission's personal data system.
(h) The commission shall ensure against unnecessary duplication of personal data records. In the event it is necessary to send personal data records through interdepartmental mail, such records shall be sent in envelopes or boxes sealed and marked "confidential," where such records are required by law to be kept confidential.
(i) The commission shall ensure that all records in its manual personal data system are kept under lock and key, and, to the greatest extent practical, are kept in controlled access areas.
(j) The commission shall, to the greatest extent practical, locate automated equipment and records in a limited access area.
(k) Where required by law, to the greatest extent practical, the commission shall require visitors to such area to sign a visitor's log and permit access to said area on a bona fide need-to-enter basis only.
(l) The commission, to the greatest extent practical, shall ensure that regular access to automated equipment is limited to operations personnel and other authorized persons.
(m) The commission shall use appropriate access control mechanisms to prevent disclosure to unauthorized individuals of personal data required to be kept confidential by law.