To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to generally require the tracking of searches of any of the Department's databases.
Section 1. That section 1347.99 be amended and sections 1347.15 and 5703.211 of the Revised Code be enacted to read as follows:

Sec. 1347.15. (A) As used in this section:

(1) "Confidential personal information" means personal information that is not a public record for purposes of section 149.43 of the Revised Code.

(2) "State agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency.

(B) Each state agency shall adopt rules under Chapter 119. of the Revised Code regulating access to the confidential personal information the agency keeps, whether electronically or on paper. The rules shall include all the following:

(1) Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;

(2) A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;

(3) References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;

(4) A procedure that requires the state agency to do all of the following:

(a) Provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information;

(b) Until an upgrade or new acquisition of the type described in division (B)(4)(a) of this section occurs, except as otherwise provided in division (C)(1) of this section, keep a log that records specific access by employees of the state agency to confidential personal information;

(5) A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation about the individual based upon specific statutory authority by the state agency;

(6) A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;

(7) A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the chief privacy officer within the office of information technology to ensure that confidential personal information is properly protected and that the state agency complies with this section and rules adopted thereunder;

(8) A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form; and

(9) A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.

(C)(1) A procedure adopted pursuant to division (B)(4) of this section shall not require a state agency to record in the log it keeps under division (B)(4)(b) of this section any specific access by any employee of the agency to confidential personal information in any of the following circumstances:
(a) The access occurs as a result of research performed for official agency purposes, routine office procedures, or incidental contact with the information, unless the conduct resulting in the access is specifically directed toward a specifically named individual or a group of specifically named individuals.
(b) The access is to confidential personal information about an individual, and the access occurs as a result of a request by that individual for confidential personal information about that individual.

(2) Each state agency shall establish a training program for all employees of the state agency described in division (B)(1) of this section so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information.

The office of information technology shall develop the privacy impact assessment form and post the form on its internet web site by the first day of December each year. The form shall assist each state agency in complying with the rules it adopted under this section, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.

(D) Each state agency shall distribute the policies included in the rules adopted under division (B) of this section to each employee of the agency described in division (B)(1) of this section and shall require that the employee acknowledge receipt of the copy of the policies. The state agency shall create a poster that describes these policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices. The state agency shall post the policies on the internet web site of the agency if it maintains such an internet web site. A state agency that has established a manual or handbook of its general policies and procedures shall include these policies in the manual or handbook.

(E) No collective bargaining agreement entered into under Chapter 4117. of the Revised Code on or after the effective date of this section shall prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under division (B) of this section or as otherwise prohibited by law.

(F) The auditor of state shall obtain evidence that state agencies adopted the required procedures and policies in a rule under division (B) of this section, shall obtain evidence supporting whether the state agency is complying with those policies and procedures, and may include citations or recommendations relating to this section in any audit report issued under section 117.11 of the Revised Code.

(G) A person who is harmed by a violation of a rule of a state agency described in division (B) of this section may bring an action in the court of claims, as described in division (F) of section 2743.02 of the Revised Code, against any person who directly and proximately caused the harm.

(H)(1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section.

(2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.

(3) No state agency shall employ a person who has been convicted of or pleaded guilty to a violation of division (H)(1) or (2) of this section.

(4) A violation of division (H)(1) or (2) of this section is a violation of a state statute for purposes of division (A) of section 124.341 of the Revised Code.

Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.

(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.

Sec. 5703.211. (A) The tax commissioner shall adopt rules under Chapter 119. of the Revised Code that, except as otherwise provided in division (B) of this section, require that any search of any of the databases of the department of taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.

(B) The rules adopted under division (A) of this section shall not require the tracking of any search of any of the databases of the department conducted by an account holder in any of the following circumstances:
(1) The search occurs as a result of research performed for official agency purposes, routine office procedures, or incidental contact with the information, unless the search is specifically directed toward a specifically named individual or a group of specifically named individuals.
(2) The search is for information about an individual, and it is performed as a result of a request by that individual for information about that individual.

Section 2. That existing section 1347.99 of the Revised Code is hereby repealed.