For personal information systems,
whether manual or computer systems, that contain confidential personal
information, the agency shall do the following:
(A)
Criteria for
accessing confidential personal information. Personal information systems of
the agency are managed on a "need-to-know" basis whereby the information owner
determines the level of access required for an employee of the agency to
fulfill his/her job duties. The determination of access to confidential
personal information shall be approved by the employee's supervisor and the
information owner prior to providing the employee with access to confidential
personal information within a personal information system. The agency shall
establish procedures for determining a revision to an employee's access to
confidential personal information upon a change to that employee's job duties
including, but not limited to, transfer or termination. Whenever an employee's
job duties no longer require access to confidential personal information in a
personal information system, the employee's access to confidential personal
information shall be removed.
(B)
Individual's
request for a list of confidential personal information. Upon the signed
written request of any individual for a list of confidential personal
information about the individual maintained by the agency, the agency shall do
all of the following:
(1)
Verify the identity of the individual by a method that
provides safeguards commensurate with the risk associated with the confidential
personal information;
(2)
Provide to the individual the list of confidential
personal information that does not relate to an investigation about the
individual or is otherwise not excluded from the scope of Chapter 1347. of the
Revised Code; and
(3)
If all information relates to an investigation about
that individual, inform the individual that the agency has no confidential
personal information about the individual that is responsive to the
individual's request.
(C)
Notice of
invalid access.
(1)
Upon discovery or notification that confidential
personal information of a person has been accessed by an employee for an
invalid reason, the agency shall notify the person whose information was
invalidly accessed as soon as practical and to the extent known at the time.
However, the agency shall delay notification for a period of time necessary to
ensure that the notification would not delay or impede an investigation or
jeopardize homeland or national security. Additionally, the agency may delay
the notification consistent with any measures necessary to determine the scope
of the invalid access, including which individuals' confidential personal
information invalidly was accessed, and to restore the reasonable integrity of
the system.
"Investigation" as used in this
paragraph means the investigation of the circumstances and involvement of an
employee surrounding the invalid access of the confidential personal
information. Once the agency determines that notification would not delay or
impede an investigation, the agency shall disclose the access to confidential
personal information made for an invalid reason to the person.
(2)
Notification provided by the agency shall inform the person of the type of
confidential personal information accessed and the date(s) of the invalid
access.
(3)
Notification may be made by any method reasonably
designed to accurately inform the person of the invalid access, including
written, electronic, or telephone notice.
(D)
Appointment of a
data privacy point of contact. The agency director shall designate an employee
of the agency to serve as the data privacy point of contact. The data privacy
point of contact shall work with the chief privacy officer within the office of
information technology to assist the agency with both the implementation of
privacy protections for the confidential personal information that the agency
maintains and compliance with section
1347.15 of the Revised Code and
the rules adopted pursuant to the authority provided by that chapter.
(E)
Completion of a privacy impact assessment. The agency director shall designate
an employee of the agency to serve as the data privacy point of contact who
shall timely complete the privacy impact assessment form developed by the
office of information technology.
Notes
Ohio Admin. Code 4901-2-02
Five Year Review (FYR) Dates:
9/30/2021 and
09/30/2026
Promulgated
Under:
111.15
Statutory Authority:
1347.05,
1347.15
Rule Amplifies:
1347.15
Prior Effective Dates:
09/18/2010
Five Year Review (FYR) Dates:
08/14/2015 and
08/14/2020
Promulgated
Under: 111.15
Statutory
Authority: 1347.05,
1347.15
Rule
Amplifies: 1347.15
Prior
Effective Dates: 9/18/10