(a) Any individual may request from the commission whether it maintains personal data on that individual, the category and location of the personal data maintained on that individual, and procedures available to review said information. The commission promptly shall mail or deliver to the requesting individual a written response in plain language.
(b) Except where prohibited by law, the commission shall disclose to any person upon request all personal data concerning that person which are maintained by the commission. Where required by law, such disclosure shall be conducted so as not to disclose any personal data concerning persons other than the individual requesting such information.
(c) Where required by law, commission personnel shall verify the identity of any person requesting access to his or her own personal data.
(d) The commission may refuse to disclose to a person medical, psychiatric or psychological data regarding that person if it is determined by the commission that such disclosure would be detrimental to the person, or if such nondisclosure is otherwise permitted or required by law. If the commission refuses to disclose medical, psychiatric or psychological data to a person, it must inform the person of his or her right to seek judicial relief pursuant to the personal data act.
(e) If the commission refuses to disclose medical, psychiatric or psychological data to a person based on its determination that disclosure would be detrimental to that person and the nondisclosure is not mandated by law, the commission shall, at the written request of such person, permit a qualified medical doctor to review the personal data contained in the person's record to determine if the personal data should be disclosed. If nondisclosure is recommended by such person's medical doctor, the commission shall not disclose the personal data and shall inform such person of the judicial relief provided under the personal data act.
(f) Where required by law, a record shall be maintained of each person, individual, agency or organization that has obtained access to or to which disclosure has been made of personal data in accordance with subsection (c) of section 4-193 of the general statutes, together with a reason for each such disclosure or access. This log shall be maintained for not less than five (5) years from the date of such disclosure or access or for the life of the personal data record, whichever is longer.