Ohio Admin. Code 3769-2-41

Current through all regulations passed and filed through October 14, 2024
Section 3769-2-41 - Restricting and logging access to confidential personal information in computerized personal information systems

For personal information systems that are computer systems and contain confidential personal information, the commission will do the following:

(A) Access restrictions. Access to confidential personal information that is kept electronically will need a password or other authentication measure.
(B) Acquisition of a new computer system. When the commission acquires a new computer system that stores, manages or contains confidential personal information, the commission will include a mechanism for recording specific access by employees of the commission to confidential personal information in the system.
(C) Upgrading existing computer systems. When the commission modifies an existing computer system that stores, manages or contains confidential personal information, the commission will make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system will include a mechanism for recording specific access by employees of the commission to confidential personal information in the system.
(D) Logging obligations regarding confidential personal information in existing computer systems.
(1) Employees of the commission who access confidential personal information within computer systems have to maintain a log that records that access.
(2) Access to confidential information is not needed to be entered into the log under the following circumstances:
(a) The employee of the commission is accessing confidential personal information for official commission purposes, including research, and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(b) The employee of the commission is accessing confidential personal information for routine office procedures and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(c) The employee of the commission comes into incidental contact with confidential personal information and the access of the information is not specifically directed toward a specifically named individual or a group of specifically named individuals.
(d) The employee of the commission accesses confidential personal information about an individual based upon a request made under either of the following circumstances:
(i) The individual requests confidential personal information about himself/herself.
(ii) The individual makes a request that the commission takes some action on that individual's behalf and accessing the confidential personal information is needed in order to consider or process that request.
(3) For purposes of this paragraph, the commission may choose the form or forms of logging, whether in electronic or paper formats.
(E) Log management. The commission will issue a policy that specifies the following:
(1) Who maintains the log;
(2) What information is captured in the log;
(3) How the log is to be stored; and
(4) How long information kept in the log is to be retained.

Nothing in this rule limits the commission from mandating logging in any circumstance that it deems necessary.

Ohio Admin. Code 3769-2-41

Effective: 3/21/2024
Five Year Review (FYR) Dates: 1/3/2024 and 03/21/2029
Promulgated Under: 119.03
Statutory Authority: 3769.03
Rule Amplifies: 3769.03
Prior Effective Dates: 02/01/2011