Ohio Admin. Code 3745-48-05 - Restricting and logging access to confidential personal information in computerized personal information systems
For personal information systems that are computer systems and contain confidential personal information, the agency shall do the following:
(A) Access restrictions. Access to confidential personal information that is kept electronically shall require a password or other authentication measure.
(B) Acquisition of a new computer system. When the agency acquires a new computer system that stores, manages or contains confidential personal information, the agency shall include a mechanism for recording specific access by employees of the agency to confidential personal information in the system.
(C) Upgrading existing computer systems. When the agency modifies an existing computer system that stores, manages or contains confidential personal information, the agency shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees of the agency to confidential personal information in the system.
(D) Logging requirements regarding confidential personal information in existing computer systems.
(1) The agency shall require employees of the agency who access confidential personal information within computer systems to maintain a log that records that access.
(2) Access to confidential personal information is not required to be entered into the log under the following circumstances:
(a) The employee of the agency is accessing confidential personal information for official agency purposes, including research, and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(b) The employee of the agency is accessing confidential personal information for routine office procedures and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(c) The employee of the agency comes into incidental contact with confidential personal information and the access of the information is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(d) The employee of the agency accesses confidential personal information about an individual based upon a request made under either of the following circumstances:
(i) The individual requests confidential personal information about the individual.
(ii) The individual makes a request that the agency takes some action on that individual's behalf and accessing the confidential personal information is required in order to consider or process that request.
(3) For purposes of this paragraph, the agency may choose the form or forms of logging whether electronic or paper formats.
(E) Log management. The agency shall issue a policy that specifies the following:
(1) Who shall maintain the log.
(2) What information shall be captured in the log.
(3) How the log is to be stored.
(4) How long information kept in the log is to be retained.
Nothing in this rule limits the agency from requiring logging in any circumstance that the agency deems necessary.
Notes
Promulgated Under: 119.03
Statutory Authority: 1347.15
Rule Amplifies: 1347.15
Prior Effective Dates: 09/10/2010, 02/15/2016