|
|
| To amend section 1347.99 and to enact sections | 1 |
| 1347.15 and 5703.211 of the Revised Code to | 2 |
| require state agencies to adopt rules governing | 3 |
| access to the confidential personal information | 4 |
| that they keep, to create a civil action for harm | 5 |
| resulting from an intentional violation of these | 6 |
| rules, to impose a criminal penalty for such an | 7 |
| intentional violation, and to require the | 8 |
| Department of Taxation to adopt rules to generally | 9 |
| require the tracking of searches of any of the | 10 |
| Department's databases. | 11 |
| Section 1. That section 1347.99 be amended and sections | 12 |
| 1347.15 and 5703.211 of the Revised Code be enacted to read as | 13 |
| follows: | 14 |
| Sec. 1347.15. (A) As used in this section: | 15 |
| (1) "Confidential personal information" means personal | 16 |
| information that is not a public record for purposes of section | 17 |
| 149.43 of the Revised Code. | 18 |
| (2) "State agency" does not include the courts or any | 19 |
| judicial agency, any state-assisted institution of higher | 20 |
| education, or any local agency. | 21 |
| (B) Each state agency shall adopt rules under Chapter 119. of | 22 |
| the Revised Code regulating access to the confidential personal | 23 |
| information the agency keeps, whether electronically or on paper. | 24 |
| The rules shall include all the following: | 25 |
| (1) Criteria for determining which employees of the state | 26 |
| agency may access, and which supervisory employees of the state | 27 |
| agency may authorize those employees to access, confidential | 28 |
| personal information; | 29 |
| (2) A list of the valid reasons, directly related to the | 30 |
| state agency's exercise of its powers or duties, for which only | 31 |
| employees of the state agency may access confidential personal | 32 |
| information; | 33 |
| (3) References to the applicable federal or state statutes or | 34 |
| administrative rules that make the confidential personal | 35 |
| information confidential; | 36 |
| (4) A procedure that requires the state agency to do all of | 37 |
| the following: | 38 |
| (a) Provide that any upgrades to an existing computer system, | 39 |
| or the acquisition of any new computer system, that stores, | 40 |
| manages, or contains confidential personal information include a | 41 |
| mechanism for recording specific access by employees of the state | 42 |
| agency to confidential personal information; | 43 |
| (b) Until an upgrade or new acquisition of the type | 44 |
| described in division (B)(4)(a) of this section occurs, except as | 45 |
| otherwise provided in division (C)(1) of this section, keep a log | 46 |
| that records specific access by employees of the state agency to | 47 |
| confidential personal information; | 48 |
| (5) A procedure that requires the state agency to comply with | 49 |
| a written request from an individual for a list of confidential | 50 |
| personal information about the individual that the state agency | 51 |
| keeps, unless the confidential personal information relates to an | 52 |
| investigation about the individual based upon specific statutory | 53 |
| authority by the state agency; | 54 |
| (6) A procedure that requires the state agency to notify each | 55 |
| person whose confidential personal information has been accessed | 56 |
| for an invalid reason by employees of the state agency of that | 57 |
| specific access; | 58 |
| (7) A requirement that the director of the state agency | 59 |
| designate an employee of the state agency to serve as the data | 60 |
| privacy point of contact within the state agency to work with the | 61 |
| chief privacy officer within the office of information technology | 62 |
| to ensure that confidential personal information is properly | 63 |
| protected and that the state agency complies with this section and | 64 |
| rules adopted thereunder; | 65 |
| (8) A requirement that the data privacy point of contact for | 66 |
| the state agency complete a privacy impact assessment form; and | 67 |
| (9) A requirement that a password or other authentication | 68 |
| measure be used to access confidential personal information that | 69 |
| is kept electronically. | 70 |
| (C)(1) A procedure adopted pursuant to division (B)(4) of | 71 |
| this section shall not require a state agency to record in the log | 72 |
| it keeps under division (B)(4)(b) of this section any specific | 73 |
| access by any employee of the agency to confidential personal | 74 |
| information in any of the following circumstances: | 75 |
| (a) The access occurs as a result of research performed for | 76 |
| official agency purposes, routine office procedures, or incidental | 77 |
| contact with the information, unless the conduct resulting in the | 78 |
| access is specifically directed toward a specifically named | 79 |
| individual or a group of specifially named individuals. | 80 |
| (b) The access is to confidential personal information about | 81 |
| an individual, and the access occurs as a result of a request by | 82 |
| that individual for confidential personal information about that | 83 |
| individual. | 84 |
| (2) Each state agency shall establish a training program for | 85 |
| all employees of the state agency described in division (B)(1) of | 86 |
| this section so that these employees are made aware of all | 87 |
| applicable statutes, rules, and policies governing their access to | 88 |
| confidential personal information. | 89 |
| The office of information technology shall develop the | 90 |
| privacy impact assessment form and post the form on its internet | 91 |
| web site by the first day of December each year. The form shall | 92 |
| assist each state agency in complying with the rules it adopted | 93 |
| under this section, in assessing the risks and effects of | 94 |
| collecting, maintaining, and disseminating confidential personal | 95 |
| information, and in adopting privacy protection processes designed | 96 |
| to mitigate potential risks to privacy. | 97 |
| (D) Each state agency shall distribute the policies included | 98 |
| in the rules adopted under division (B) of this section to each | 99 |
| employee of the agency described in division (B)(1) of this | 100 |
| section and shall require that the employee acknowledge receipt of | 101 |
| the copy of the policies. The state agency shall create a poster | 102 |
| that describes these policies and post it in a conspicuous place | 103 |
| in the main office of the state agency and in all locations where | 104 |
| the state agency has branch offices. The state agency shall post | 105 |
| the policies on the internet web site of the agency if it | 106 |
| maintains such an internet web site. A state agency that has | 107 |
| established a manual or handbook of its general policies and | 108 |
| procedures shall include these policies in the manual or handbook. | 109 |
| (E) No collective bargaining agreement entered into under | 110 |
| Chapter 4117. of the Revised Code on or after the effective date | 111 |
| of this section shall prohibit disciplinary action against or | 112 |
| termination of an employee of a state agency who is found to have | 113 |
| accessed, disclosed, or used personal confidential information in | 114 |
| violation of a rule adopted under division (B) of this section or | 115 |
| as otherwise prohibited by law. | 116 |
| (F) The auditor of state shall obtain evidence that state | 117 |
| agencies adopted the required procedures and policies in a rule | 118 |
| under division (B) of this section, shall obtain evidence | 119 |
| supporting whether the state agency is complying with those | 120 |
| policies and procedures, and may include citations or | 121 |
| recommendations relating to this section in any audit report | 122 |
| issued under section 117.11 of the Revised Code. | 123 |
| (G) A person who is harmed by a violation of a rule of a | 124 |
| state agency described in division (B) of this section may bring | 125 |
| an action in the court of claims, as described in division (F) of | 126 |
| section 2743.02 of the Revised Code, against any person who | 127 |
| directly and proximately caused the harm. | 128 |
| (H)(1) No person shall knowingly access confidential personal | 129 |
| information in violation of a rule of a state agency described in | 130 |
| division (B) of this section. | 131 |
| (2) No person shall knowingly use or disclose confidential | 132 |
| personal information in a manner prohibited by law. | 133 |
| (3) No state agency shall employ a person who has been | 134 |
| convicted of or pleaded guilty to a violation of division (H)(1) | 135 |
| or (2) of this section. | 136 |
| (4) A violation of division (H)(1) or (2) of this section is | 137 |
| a violation of a state statute for purposes of division (A) of | 138 |
| section 124.341 of the Revised Code. | 139 |
| Sec. 1347.99. (A) No public official, public employee, or | 140 |
| other person who maintains, or is employed by a person who | 141 |
| maintains, a personal information system for a state or local | 142 |
| agency shall purposely refuse to comply with division (E), (F), | 143 |
| (G), or (H) of section 1347.05, section 1347.071, division (A), | 144 |
| (B), or (C) of section 1347.08, or division (A) or (C) of section | 145 |
| 1347.09 of the Revised Code. Whoever violates this section is | 146 |
| guilty of a minor misdemeanor. | 147 |
| (B) Whoever violates division (H)(1) or (2) of section | 148 |
| 1347.15 of the Revised Code is guilty of a misdemeanor of the | 149 |
| first degree. | 150 |
| Sec. 5703.211. (A) The tax commissioner shall adopt rules | 151 |
| under Chapter 119. of the Revised Code that, except as otherwise | 152 |
| provided in division (B) of this section, require that any search | 153 |
| of any of the databases of the department of taxation be tracked | 154 |
| so that administrators of the database or investigators can | 155 |
| identify each account holder who conducted a search of the | 156 |
| database. | 157 |
| (B) The rules adopted under division (A) of this section | 158 |
| shall not require the tracking of any search of any of the | 159 |
| databases of the department conducted by an account holder in any | 160 |
| of the following circumstances: | 161 |
| (1) The search occurs as a result of research performed for | 162 |
| official agency purposes, routine office procedures, or incidental | 163 |
| contact with the information, unless the search is specifically | 164 |
| directed toward a specifially named individual or a group of | 165 |
| specifically named individuals. | 166 |
| (2) The search is for information about an individual, and it | 167 |
| is performed as a result of a request by that individual for | 168 |
| information about that individual. | 169 |
| Section 2. That existing section 1347.99 of the Revised Code | 170 |
| is hereby repealed. | 171 |