Ohio Admin. Code 4701-2-06 - Restricting and logging access to confidential personal information in computerized personal information systems
(A) Access to confidential personal
information that is kept electronically shall require a password or other
authentication measure.
(B) When
the board acquires a new computer system
that stores, manages or contains confidential personal information, the board
shall include a mechanism for recording specific access by employees of the
board to confidential personal information in the system.
(C) When the board modifies an existing
computer system that
which stores,
manages or contains confidential personal information, the board shall
make a determination
determine whether the modification constitutes an
upgrade. Any upgrades to a computer system
shall include a mechanism for recording specific access by employees of the
board to confidential personal information in the system.
(D) The board shall require employees of the
board who access confidential personal information within
computer
personal
information systems to maintain a log that records that access. Access to
confidential information is not required to be entered into the log under the
following circumstances:
(1) The employee of
the board is accessing confidential personal information for official board
purposes, including research, and the access is not specifically directed
toward a specifically named individual or a group of specifically named
individuals.
(2) The employee of
the board is accessing confidential personal information for routine office
procedures and the access is not specifically directed toward a specifically
named individual or a group of specifically named individuals.
(3) The employee of the board comes into
incidental contact with confidential personal information and the access of the
information is not specifically directed toward a specifically named individual
or a group of specifically named individuals.
(4) The employee of the board accesses
confidential personal information about an individual based upon a request made
under either of the following circumstances:
(a) The individual requests confidential
personal information about himself or herself.
(b) The individual makes a request that
requests the board takes
take some action
on that
the
individual's behalf and accessing the confidential personal information is
required in order to consider or process that
the
request.
(5) For
purposes of this paragraph, the board may choose the form or forms of logging,
whether in electronic or paper formats.
(E) The board shall issue a log management
policy that specifies the following:
(1) Who
shall maintain the log;
(2) What
information shall be captured in the log;
(3) How the log is to be stored;
and
(4) How long information kept
in the log is to be retained.
Notes
Promulgated Under: 119.03
Statutory Authority: 119.03
Rule Amplifies: 1347.15
Prior Effective Dates: 08/22/2010, 09/01/2020
Promulgated Under: 119.03
Statutory Authority: 1347.15
Rule Amplifies: 1347.15
Prior Effective Dates: 08/22/2010
State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.
(A) Access to confidential personal information that is kept electronically shall require a password or other authentication measure.
(B) When the board acquires a new computer system that stores, manages or contains confidential personal information , the board shall include a mechanism for recording specific access by employees of the board to confidential personal information in the system .
(C) When the board modifies an existing computer system that which stores, manages or contains confidential personal information , the board shall make a determination determine whether the modification constitutes an upgrade . Any upgrades to a computer system shall include a mechanism for recording specific access by employees of the board to confidential personal information in the system .
(D) The board shall require employees of the board who access confidential personal information within computer personal information systems to maintain a log that records that access . Access to confidential information is not required to be entered into the log under the following circumstances:
(1) The employee of the board is accessing confidential personal information for official board purposes, including research , and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(2) The employee of the board is accessing confidential personal information for routine office procedures and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(3) The employee of the board comes into incidental contact with confidential personal information and the access of the information is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(4) The employee of the board accesses confidential personal information about an individual based upon a request made under either of the following circumstances:
(a) The individual requests confidential personal information about himself or herself.
(b) The individual makes a request that requests the board takes take some action on that the individual 's behalf and accessing the confidential personal information is required in order to consider or process that the request.
(5) For purposes of this paragraph, the board may choose the form or forms of logging, whether in electronic or paper formats.
(E) The board shall issue a log management policy that specifies the following:
(1) Who shall maintain the log;
(2) What information shall be captured in the log;
(3) How the log is to be stored; and
(4) How long information kept in the log is to be retained.
Notes
Promulgated Under: 119.03
Statutory Authority: 1347.15
Rule Amplifies: 1347.15
Prior Effective Dates: 08/22/2010