For personal information systems, whether manual or computer
systems, that contain confidential personal information, the agency shall do
the following:
(A) Criteria for
accessing confidential personal information. Personal information systems of
the agency are managed on a "need-to-know" basis whereby the information owner
determines the level of access required for an employee of the agency to
fulfill the employee's job duties. The determination of access to confidential
personal information shall be approved by the employee's supervisor and the
information owner prior to providing the employee with access to confidential
personal information within a personal information system. The agency shall
establish procedures for determining a revision to an employee's access to
confidential personal information upon a change to that employee's job duties
including, but not limited to, transfer or termination. Whenever an employee's
job duties no longer require access to confidential personal information in a
personal information system, the employee's access to confidential personal
information shall be removed.
(B)
Individual's request for a list of confidential personal information. Upon the
signed written request of any individual for a list of confidential personal
information about the individual maintained by the agency, the agency shall do
the following:
(1) Verify the identity of the
individual by a method that provides safeguards commensurate with the risk
associated with the confidential personal information.
(2) Provide to the individual the list of
confidential personal information that does not relate to an investigation
about the individual or is otherwise not excluded from the scope of Chapter
1347. of the Revised Code.
(3) If
all information relates to an investigation about that individual, inform the
individual that the agency has no confidential personal information about the
individual that is responsive to the individual's request.
(C) Notice of invalid access.
(1) Upon discovery or notification that
confidential personal information of a person has been accessed by an employee
for an invalid reason, the agency shall notify the person whose information was
invalidly accessed as soon as practical and to the extent known at the time.
However, the agency shall delay notification for a period of time necessary to
ensure that the notification would not delay or impede an investigation or
jeopardize homeland or national security. Additionally, the agency may delay
the notification consistent with any measures necessary to determine the scope
of the invalid access, including which individuals' confidential personal
information invalidly was accessed, and to restore the reasonable integrity of
the system.
"Investigation" as used in this paragraph means the
investigation of the circumstances and involvement of an employee surrounding
the invalid access of the confidential personal information. Once the agency
determines that notification would not delay or impede an investigation, the
agency shall disclose the access to confidential personal information made for
an invalid reason to the person.
(2) Notification provided by the agency shall
inform the person of the type of confidential personal information accessed and
the date of the invalid access.
(3)
Notification may be made by any method reasonably designed to accurately inform
the person of the invalid access, including written, electronic, or telephone
notice.
(D) Appointment
of a data privacy point of contact. The agency director shall designate an
employee of the agency to serve as the data privacy point of contact. The data
privacy point of contact shall work with the chief privacy officer within the
office of information technology to assist the agency with both the
implementation of privacy protections for the confidential personal information
that the agency maintains and compliance with section
1347.15 of the Revised Code and
this chapter.
(E) Completion of a
privacy impact assessment. The agency director shall designate an employee of
the agency to serve as the data privacy point of contact who shall timely
complete the privacy impact assessment form developed by the office of
information technology.
Notes
Ohio Admin. Code
3745-48-02
Five Year Review (FYR) Dates:
1/25/2022 and
01/25/2027
Promulgated
Under:
119.03
Statutory Authority:
1347.15
Rule Amplifies:
1347.15
Prior Effective Dates: 09/10/2010,
02/15/2016
Five Year Review (FYR) Dates:
1/25/2022 and
01/25/2027
Promulgated
Under:
119.03
Statutory Authority:
1347.15
Rule Amplifies:
1347.15
Prior Effective Dates: 09/10/2010,
02/15/2016