To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to require the tracking of searches of any of the Department's databases.

Section 1. That section 1347.99 be amended and sections 1347.15 and 5703.211 of the Revised Code be enacted to read as follows:

Sec. 1347.15. (A) As used in this section:

(1) "Confidential personal information" means personal information that is not a public record for purposes of section 149.43 of the Revised Code.

(2) "State agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency.

(B) Each state agency shall adopt rules under Chapter 119. of the Revised Code regulating access to the confidential personal information the agency keeps, whether electronically or on paper. The rules shall include all the following:

(1) Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;

(2) A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;

(3) References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;
(4) A procedure that requires the state agency to provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information and that, until such an upgrade or new acquisition occurs, the state agency keep a log that records specific access by employees of the state agency to confidential personal information;
(5) A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation based upon specific statutory authority by the state agency about the individual;

(6) A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;

(7) A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the chief privacy officer within the office of information technology to ensure that confidential personal information is properly protected and that the state agency complies with this section and rules adopted thereunder;

(8) A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form; and

(9) A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.

(C) Each state agency shall establish a training program for all employees of the state agency described in division (B)(1) of this section so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information.

The office of information technology shall develop the privacy impact assessment form and post the form on its internet web site by the first day of December each year. The form shall assist each state agency in complying with the rules it adopted under this section, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.

(D) Each state agency shall distribute the policies included in the rules adopted under division (B) of this section to each employee of the agency described in division (B)(1) of this section and shall require that the employee acknowledge receipt of the copy of the policies. The state agency shall create a poster that describes these policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices. The state agency shall post the policies on the internet web site of the agency if it maintains such an internet web site. A state agency that has established a manual or handbook of its general policies and procedures shall include these policies in the manual or handbook.

(E) No collective bargaining agreement entered into under Chapter 4117. of the Revised Code on or after the effective date of this section shall prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under division (B) of this section or as otherwise prohibited by law.

(F) The auditor of state shall review the procedures and policies included in a rule adopted under division (B) of this section, shall ensure compliance with this section, and may include citations or recommendations relating to this section in any audit report issued under section 117.11 of the Revised Code.

(G) A person who is harmed by a violation of a rule of a state agency described in division (B) of this section has a cause of action to recover damages and reasonable attorney's fees from any person who directly and proximately caused the harm. The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin county.

(H)(1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section.

(2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.

(3) No state agency shall employ a person who has been convicted of or pleaded guilty to a violation of division (H)(1) or (2) of this section.

(4) A violation of division (H)(1) or (2) of this section is a violation of a state statute for purposes of division (A) of section 124.341 of the Revised Code.

Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.

(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.

Sec. 5703.211. The tax commissioner shall adopt rules under Chapter 119. of the Revised Code that require that any search of any of the databases of the department of taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.

Section 2. That existing section 1347.99 of the Revised Code is hereby repealed.