Current through all regulations passed and filed through March 18, 2024
(A) Definitions.
(1) "Personal information" means any
information that describes anything about a person, or indicates action done by
or to a person, or indicates that a person possesses certain personal
characteristics, and that contains, and can be retrieved from a system by a
name, identifying number, symbol, or other identifier assigned to a person.
(a) Personal information includes, but is not
limited to, the following:
(i) An individual's
social security number, driver's license number, state identification number,
state or federal tax identification number, financial account number, and
credit or debit card number.
(ii) Identifying information about applicants for or recipients of
ODJFS-administered benefits or services, including, but not limited to, their
names, addresses, social security numbers, phone numbers, and social and
economic status.
(iii) Information about ODJFS employees that does not meet the definition of
"record" in section 149.011 of the Revised Code, which includes, but is not
limited to, their home addresses, home or personal cell phone numbers, social
security numbers, driver's license numbers, financial account numbers
(especially personal identification numbers), and other non-work-related
information.
(iv) Medical or health data about a
particular person, including diagnosis and past history of disease or
disability, past or current mental health status, and any reports or records
pertaining to physical or mental health examinations status.
(b) As used in this rule, the term "personal information" excludes
non-confidential and non-exempt (work-related) records about an individual
that ODJFS or other public entities routinely make available to the general
public, or ODJFS records that are required to be made available to the public
pursuant to federal or state laws or regulations. An example is the public,
work-related portion of an employee's personnel file. In addition, ODJFS staff
assisting with responding to requests for aggregate data about applicants for,
recipients of, and participants in ODJFS-administered or supervised programs,
services, or benefits should review and comply with the masking requirement in
Part VI, Section III of IPP 3002.
(2) "Records", per section 149.011 of the Revised Code, include any document,
device, or item, regardless of physical form or characteristic, that is created
or received by or coming under the jurisdiction of any public office of the
state or its political subdivisions, which serves to document the organization,
functions, policies, decisions, procedures, operations, or other activities of
that office.
(3) "System" means any
collection or group of related records that are kept in an organized manner,
either manually or by any other method, and that are maintained by a state or
local agency, and from which personal information is retrieved by the name of
the person or by some identifying number, symbol, or other identifier assigned
to the person. System does not include collected archival records in the
custody of or administered under the authority of the Ohio history connection,
published directories, reference materials or newsletters, or routine
information that is maintained for the purpose of internal office
administration, the use of which would not adversely affect a person.
(B) Release of any personal
information that is maintained by ODJFS is governed by federal and state laws
and regulations, including but not limited to the following:
(1) Section 149.43 of the Revised Code, which lists records that are exempt
from treatment as public record, and which therefore need not be disclosed to
the general public upon their request;
(2) Chapter 1347. of the Revised Code, which pertains to personal information
systems, including the duties and obligations of state and local government
agencies in the collection, maintenance, protection, use, modification, and
release of personal information.
(3) Laws specific to programs administered or supervised by ODJFS, such as
sections 5101.27, 4141.22, and 3125.50 of the Revised Code, which, along with
corresponding rules and regulations, specify what applicant, recipient and
participant-identifying information can be released, to whom it can be
released, and under what circumstances it can be released.
(C) An individual will be designated as the chief privacy officer for ODJFS.
The chief privacy officer is responsible for helping ensure that access to and
use of ODJFS's personal information systems conforms with applicable
confidentiality and privacy requirements, and that all necessary privacy impact
assessments are performed. The chief privacy officer shall work with the chief
information security officer on ODJFS's implementation of data security
measures. Any unauthorized modification, destruction, use, disclosure, or
breach of a personal information system must be reported to the chief privacy
officer and chief inspector of ODJFS; and, if a system breach occurs or is
believed to have occurred, it must also be reported to the chief information
security officer of ODJFS.
(D) Any person authorized to access, maintain, or use a personal information
system shall take reasonable precautions, including but not limited to
role-based and job-specific security and privacy training offered or arranged
by ODJFS to protect personal information in the system from unauthorized
modification, destruction, use, or disclosure. In determining what is
reasonable, consideration will be given to the following:
(1) The nature and vulnerability of the
personal information.
(2) The physical facilities where the personal information is maintained or
used.
(3) The requirements of
federal and state law governing use of the personal information.
(4) Applicable ODJFS rules and
policies.
(E) Disciplinary action, including, but not limited to, suspension or removal,
may be brought against any employee who does the following:
(1) Intentionally violates any provision of
Chapter 1347. of the Revised Code or other law related to the release of
records or personal information.
(2) Initiates or otherwise contributes to any
disciplinary or other punitive action against any individual who brings to the
attention of appropriate authorities, the press, or any member of the public
evidence of unauthorized use of personal information.
(3) Releases personal information in
violation of state or federal law or refuses or fails to release information as
provided by state or federal law.
(F) The office of legal and acquisition
services acts as a clearinghouse for information and consultation related to
requests for public records and personal information. Any employee of ODJFS who
is unable to determine whether a record or information can be released, should
consult with legal counsel regarding this determination.