Current through all regulations passed and filed through September 16, 2024
(A) As used in this rule, "county family services agency" means a county department of job and family services, public children services agency, child support enforcement agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.
(B) The county family services agency shall not download, match, scrape or extract data, or data elements from any Ohio department of job and family services (ODJFS) system(s) where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without obtaining express written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner.
(C) Excluding the data and data elements described in paragraph (B) of this rule, the following are permissible uses of ODJFS systems including but not limited to SETS, Ohio Benefits, SACWIS, OWCMS, and CCIDS:
(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties, but only if such job functions or duties are directly related to administration of programs overseen by ODJFS for which the county family services agency is responsible for administering on behalf of ODJFS. This includes utilizing data to fulfill federal or state program-related audit requirements, to the extent necessary and appropriate.
(2) A person or third party under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if:
(a) It is directly related to or required for administration of program(s) overseen by ODJFS, which the county family services agency is responsible for administering on behalf of ODJFS;
(b) The contract requires, at a minimum, that the contractor comply with the same confidentiality and data security provisions to which ODJFS and the county family services agency are subject; and,
(c) The county family services agency assumes full legal and financial responsibility, including for any litigation or adverse federal, state, or county audit findings resulting from the contractor's use, management, misuse or mismanagement of the data.
(d) Except as prohibited by law, nothing in paragraph (C)(2)(c) of this rule shall prevent the county family services agency from seeking and obtaining payment or other compensation or relief from its contractor, either as set forth in the county family services agency's contract with its contractor, or by way of legal, administrative, or other action.
(3) Any download, match, scrape or extraction of data under paragraph (C) of this rule shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.
(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall utilize the following procedure:
(1) The director of the county family services agency or designee shall submit a data request, as outlined in ODJFS "Internal Policy and Procedure 3002 Data Stewardship and Managing Data Requests", to the ODJFS deputy director who is responsible for authorizing the use of the data. The county family services agency's request must identify:
(a) The specific data being sought;
(b) The business use of the data;
(c) The dates during which the data usage will be in effect;
(d) Why the data access through existing state supported reporting software does not address the county's needs;
(e) Any potential impact upon ODJFS systems;
(f) The technical details involved;
(g) Each entity that exercises control over the computer system, application, or data base to which the data will be migrated; and
(h) The data security controls that will be used by the county agency, including the completion of a "Privacy Impact Assessment" (PIA), as required by section 1347.15 of the Revised Code, when data is migrated to a computer system, data base or application not under the control of ODJFS.
(2) The authorizing ODJFS deputy director, in conjunction with the ODJFS chief legal counsel and ODJFS chief information officer, or their designees, will review the county family services agency request to determine the appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency explain the request and answer any questions from ODJFS, including but not limited to, technical, legal, programmatic or confidentiality issues.
(3) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request, as well as ODJFS' receipt of any additional information it needs to make a tentative decision. Final approval does not occur until the supporting documentation, including the proposed "Data Sharing Agreement" (DSA) and completed PIA is reviewed by ODJFS and the authorizing deputy director notifies the county family services agency of the decision in writing.
(4) If the county family services agency data request is approved by ODJFS, the county family services agency must execute the DSA with any entity receiving and/or accessing the data. The DSA shall:
(a) Specify the dates during which the DSA will be in effect, which shall not be longer than two years, subject to renewal.
(b) Identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met.
(c) Not be effective prior to the date that it is signed by both the county family services agency representative and any participating entity.
(5) If the county family services agency wants to change any provisions of the original request, including the business use of the data and/or the computer system, data base or application not under the control of ODJFS to which the data is being migrated, the county family services agency shall seek approval of the changes from ODJFS, following the requirements in paragraphs (D)(1) through (D)(4) of this rule. No changes are permitted until ODJFS approves the request.
Replaces: 5101:9-9-38