Ohio Administrative Code
Title 4775 - Motor Vehicle Collision Repair Board
Chapter 4775-5 - Accessing Confidential Personal Information
Section 4775-5-02 - Procedures for accessing confidential personal information
Current through all regulations passed and filed through September 16, 2024
For personal information systems, whether manual or computer systems, that contain confidential personal information, the board shall do the following:
(A) Criteria for accessing confidential personal information. Personal information systems of the board are managed on a need-to-know basis whereby the information owner determines the level of access required for an employee of the board to fulfill his/her job duties. The determination of access to confidential personal information shall be approved by the employee's supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. The board shall establish procedures for determining a revision to an employee's access to confidential personal information upon a change to that employee's job duties including, but not limited to, transfer or termination. Whenever an employee's job duties no longer require access to confidential personal information in a personal information system, the employee's access to confidential personal information shall be removed.
(B) Individual's request for a list of confidential personal information. Upon the signed written request of any individual for a list of confidential personal information about the individual maintained by the board, the board shall do all of the following:
(C) Notice of invalid access.
Investigation as used in this paragraph means the investigation of the circumstances and involvement of an employee surrounding the invalid access of the confidential personal information. Once the board determines that notification would not delay or impede an investigation, the board shall disclose the access to confidential personal information made for an invalid reason to the person.
(D) Appointment of a data privacy point of contact. The board director shall designate an employee of the board to serve as the data privacy point of contact. The date privacy point of contact shall work with the chief privacy officer within the office of information technology to assist the board with both the implementation of privacy protections for the confidential personal information that the board maintains and compliance with section 1347.15 of the Revised Code and rules adopted pursuant to the authority provided by that chapter.
(E) Completion of a privacy impact assessment. The board director shall designate an employee of the board to serve as the data privacy point of contact who shall timely complete the privacy impact assessment form developed by the office of information technology.
Five Year Review (FYR) Dates:
04/07/2016 and
04/07/2021
Promulgated
Under: 119.03
Statutory
Authority: 4775.02
Rule
Amplifies: 4775.05
Prior
Effective Dates: 01/10/11