As Passed by the House

127th General Assembly
Regular Session
2007-2008
Sub. H. B. No. 648


Representative Jones 

Cosponsors: Representatives Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, McGregor, R., McGregor, J., Combs, Sears, Goodwin, Daniels, Hite, Collier, Domenick, Reinhard, Schlichter, Aslanides, Bacon, Blessing, Carmichael, Ciafardini, Coley, Core, DeWine, Dolan, Evans, Flowers, Gibbs, Hagan, J., Huffman, Hughes, Schneider, Stewart, J., Webster, White, Wolpert 



A BILL
To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to require the tracking of searches of any of the Department's databases.


BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:

       Section 1. That section 1347.99 be amended and sections 1347.15 and 5703.211 of the Revised Code be enacted to read as follows:

       Sec. 1347.15. (A) As used in this section:

       (1) "Confidential personal information" means personal information that is not a public record for purposes of section 149.43 of the Revised Code.

       (2) "State agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency.

       (B) Each state agency shall adopt rules under Chapter 119. of the Revised Code regulating access to the confidential personal information the agency keeps, whether electronically or on paper. The rules shall include all the following:

       (1) Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;

       (2) A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;

       (3) References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;

       (4) A procedure that requires the state agency to provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information and that until such an upgrade or new acquisition occurs, the state agency keep a log that records specific access by employees of the state agency to confidential personal information;

       (5) A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation based upon specific statutory authority by the state agency about the individual;

       (6) A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;

       (7) A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the chief privacy officer within the office of information technology to ensure that confidential personal information is properly protected and that the state agency complies with this section and rules adopted thereunder;

       (8) A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form; and

       (9) A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.

       (C) Each state agency shall establish a training program for all employees of the state agency described in division (B)(1) of this section so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information.

       The office of information technology shall develop the privacy impact assessment form and post the form on its internet web site by the first day of December each year. The form shall assist each state agency in complying with the rules it adopted under this section, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.

       (D) Each state agency shall distribute the policies included in the rules adopted under division (B) of this section to each employee of the agency described in division (B)(1) of this section and shall require that the employee acknowledge receipt of the copy of the policies. The state agency shall create a poster that describes these policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices. The state agency shall post the policies on the internet web site of the agency if it maintains such an internet web site. A state agency that has established a manual or handbook of its general policies and procedures shall include these policies in the manual or handbook.

       (E) No collective bargaining agreement entered into under Chapter 4117. of the Revised Code on or after the effective date of this section shall prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under division (B) of this section or as otherwise prohibited by law.

       (F) The auditor of state shall review the procedures and policies included in a rule adopted under division (B) of this section, shall ensure compliance with this section, and may include citations or recommendations relating to this section in any audit report issued under section 117.11 of the Revised Code.

       (G) A person who is harmed by a violation of a rule of a state agency described in division (B) of this section has a cause of action to recover damages and reasonable attorney's fees from any person who directly and proximately caused the harm. The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin county.

       (H)(1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section.

       (2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.

       (3) No state agency shall employ a person who has been convicted of or pleaded guilty to a violation of division (H)(1) or (2) of this section.

       (4) A violation of division (H)(1) or (2) of this section is a violation of a state statute for purposes of division (A) of section 124.341 of the Revised Code.

       Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.

       (B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.

       Sec. 5703.211. The tax commissioner shall adopt rules under Chapter 119. of the Revised Code that require that any search of any of the databases of the department of taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.

       Section 2. That existing section 1347.99 of the Revised Code is hereby repealed.