For the purposes of rules promulgated by this agency in accordance with section 1347.15 of the Revised Code, the following definitions apply:
Revised Code, that stores, maintains, or retrieves personal information using electronic data processing equipment.
Personal information systems of the Ohio department of job and family services (ODJFS) are managed on a "need-to-know" basis whereby the information owner determines the level of access required for an employee of the agency to fulfill his or her job duties. The determination of access to confidential personal information shall be approved by the employee's supervisor and the information owner before providing the employee with access to confidential personal information within a personal information system. The agency shall establish procedures for determining a revision to an employee's access to confidential personal information upon a change to that employee's job duties including, but not limited to, transfer or termination. Whenever an employee's job duties no longer require access to confidential personal information in a personal information system, the employee's access to confidential personal information shall be removed.
Upon the signed written request of any individual for confidential personal information that ODJFS maintains about the individual, ODJFS shall do all of the following:
Pursuant to the requirements of division (B)(2) of section 1347.15 of the Revised Code, this rule contains a list of valid reasons, directly related to the ODJFS exercise of its powers or duties, for which only employees of the agency may access confidential personal information regardless of whether the personal information system is manual or electronic.
Except as prohibited by federal/state law, performing the following functions constitutes valid reasons for authorized employees of the agency to access confidential personal information:
The federal statutes and regulations and state statutes and administrative rules listed in the appendix to this rule make personal information maintained by the agency confidential and identify the confidential personal information that is subject to rules promulgated by this agency in accordance with section 1347.15 of the Revised Code.
For personal information systems that are computer systems and contain confidential personal information, ODJFS shall do the following:
Access to confidential personal information that is kept electronically shall require a password or other sufficient authentication measure as determined by the ODJFS chief privacy officer as part of the "privacy impact assessment process."
When the agency acquires a new computer system that stores, manages, or contains confidential personal information, ODJFS shall include a mechanism for recording specific access by employees of ODJFS to confidential personal information in the system.
When ODJFS modifies an existing computer system that stores, manages, or contains confidential personal information, that results in over half of the lines of code associated with that system being modified, then that system must have an automated mechanism for recording specific access by employees of ODJFS to any confidential personal information that is accessed via that system.
Additionally, each update to a computer system is to be reviewed by the ODJFS chief privacy officer, or designee, to determine if an automated logging mechanism should be implemented with the proposed change. This review is to be conducted during the design phase of the proposed change to the computer system. It is the responsibility of the development team to consult with the ODJFS chief privacy officer at the design phase for this determination.
Each office within ODJFS shall issue a policy that includes who shall keep the log, what information shall be captured on the log, how the log is stored, and how long the log is maintained. Nothing in this rule limits the agency from requiring logging in any circumstance that it deems necessary.
Ohio Admin. Code 5101:9-22-16
Promulgated Under: 119.03
Statutory Authority: 1347.15
Rule Amplifies: 1347.15
Prior Effective Dates: 12/31/2010, 01/11/2016
Five Year Review (FYR) Dates: 10/07/2015 and 01/11/2021