For personal information systems,
whether manual or computer systems, that contain confidential personal
information, the "Department" shall do the following:
(A)
Criteria for
accessing confidential personal information. Personal information systems of
the "Department" are managed on a "need-to-know" basis whereby the information
owner determines the level of access required for an employee of the
"Department" to fulfill his/her job duties. The determination of access to
confidential personal information shall be approved by the employee's
supervisor and the information owner prior to providing the employee with
access to confidential personal information within a personal information
system. The "Department" shall establish procedures for determining a revision
to an employee's access to confidential personal information upon a change to
that employee's job duties including, but not limited to, transfer or
termination. Whenever an employee's job duties no longer require access to
confidential personal information in a personal information system, the
employee's access to confidential personal information shall be removed.
(B)
Individual's request for a list of confidential personal information. Upon the
signed, written request of any individual for a list of confidential personal
information about the individual maintained by the "Department," the
"Department" shall do all of the following:
(1)
Verify the
identity of the individual by a method that provides safeguards commensurate
with the risk associated with the confidential personal information;
(2)
Provide to the individual the list of confidential personal information that
does not relate to an investigation about the individual or is otherwise not
excluded from the scope of Chapter 1347 of the Revised Code; and
(3)
If
all information relates to an investigation about that individual, inform the
individual that the "Department" has no confidential personal information about
the individual that is responsive to the individual's request.
The "Department" may charge the
appropriate fees allowed by law for services provided under this rule.
(C)
Notice of invalid access.
(1)
Upon discovery
or notification that confidential personal information of a person(s) has been
accessed by an employee for an invalid reason, the "Department" shall notify
the person(s) whose information was invalidly accessed as soon as practical and
to the extent known at the time. However, the "Department" shall delay
notification for a period of time necessary to ensure that the notification
would not delay or impede an investigation or jeopardize homeland or national
security. Additionally, the "Department"
may delay the notification consistent
with any measures necessary to determine the scope of the invalid access,
including whose confidential personal information was invalidly accessed, and
to restore the reasonable integrity of the system.
"Investigation" as used in this
paragraph means the investigation of the circumstances and involvement of an
employee surrounding the invalid access of the confidential personal
information. Once the "Department" determines that notification would not delay
or impede an investigation, the "Department" shall disclose the access to
confidential personal information made for an invalid reason to the
person.
(2)
Notification provided by the "Department" shall inform
the person of the type of confidential personal information accessed and the
date(s) of the invalid access.
(3)
Notification may
be made by any method reasonably designed to accurately inform the person of
the invalid access, including written, electronic, or telephone notice.
(4)
Notification provided by the "Department" shall refer the person to section
1347.08 of the Revised Code:
"Rights of person who are subject of personal information."
(D)
Appointment of a data privacy point of contact. The "Department's" director
shall designate an employee of the "Department" to serve as the data privacy
point of contact. The data privacy point of contact shall work with the chief
privacy officer within the office of information technology to assist the
"Department" with both the implementation of privacy protections for the
confidential personal information that the "Department" maintains and
compliance with section
1347.15 of the Revised Code and
the rules adopted pursuant to the authority provided by that chapter.
(E)
Completion of a privacy impact assessment. The "Department's" director shall
designate an employee of the "Department" to serve as the data privacy point of
contact who shall timely complete the privacy impact assessment form developed
by the office of information technology.
Notes
Ohio Admin. Code 4501-55-02
Five Year Review (FYR) Dates:
11/3/2023 and
11/01/2028
Promulgated
Under: 119.03
Statutory Authority: 1347.15
Rule
Amplifies: 1347.15
Prior Effective Dates:
09/19/2010
Five Year Review (FYR) Dates:
09/15/2015 and
09/15/2020
Promulgated
Under: 119.03
Statutory
Authority: 1347.15
Rule
Amplifies: 1347.15
Prior
Effective Dates: 9/19/2010
