The online versions of legislation provided on this website are not official. Enrolled bills are the final version passed by the Ohio General Assembly and presented to the Governor for signature. The official version of acts signed by the Governor is available from the Secretary of State's Office in the Continental Plaza, 180 East Broad St., Columbus.
H. B. No. 648 As Introduced
127th General Assembly | Regular Session | 2007-2008
Cosponsors:
Representatives Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, McGregor, R., McGregor, J., Combs, Sears, Goodwin
A BILL
To amend section 1347.99 and to enact sections 1347.15 and
5703.211 of the Revised Code to require state agencies to adopt
rules governing access to the confidential personal information
that they keep, to create a civil action for harm resulting from
an intentional violation of these rules, to impose a criminal
penalty for such an intentional violation, and to require the
Department of Taxation to adopt rules to require the tracking of
searches of any of the Department's databases.
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1. That section 1347.99 be amended and sections
1347.15 and 5703.211 of the Revised Code be enacted to read as
follows:
Sec. 1347.15. (A) As used in this section, "confidential
personal information" means personal information that is not a
public record for purposes of section 149.43 of the Revised Code.
(B) Each state agency shall adopt rules under Chapter 119. of
the Revised Code regulating access to the confidential personal
information the agency keeps. The rules shall include all the
following:
(1) Criteria for determining which employees of the state
agency may access, and which supervisory employees of the state
agency may authorize those employees to access, confidential
personal information;
(2) A list of the valid reasons, directly related to the
state agency's exercise of its powers or duties, for which only
employees of the state agency may access confidential personal
information;
(3) References to the applicable federal or state statutes or
administrative rules that make the confidential personal
information confidential;
(4) A procedure that requires the state agency to record each
specific access by employees of the state agency to confidential
personal information;
(5) A procedure that requires the state agency to comply with
a written request from an individual for a list of confidential
personal information about the individual that the state agency
keeps;
(6) A procedure that requires the state agency to notify each
person whose confidential personal information has been accessed
for an invalid reason by employees of the state agency of that
specific access;
(7) A requirement that the director of each state agency
designate an employee of the state agency to serve as the data
privacy point of contact within that state agency to work with the
chief privacy officer within the office of information technology
to ensure that confidential personal information is properly
protected and that the state agency complies with this section and
rules adopted thereunder;
(8) A requirement that the data privacy point of contact for
the state agency complete a privacy impact assessment form which
the office of information technology shall develop and post on its
internet web site by the first day of December of each year. The
form shall assist each state agency in complying with the rules
adopted under this section, in assessing the risks and effects of
collecting, maintaining, and disseminating confidential personal
information, and in adopting privacy protection processes designed
to mitigate potential risks to privacy; and
(9) A requirement that a password be used to access
confidential personal information.
(C) Each state agency shall establish a training program for
all employees of the state agency described in division (B)(1) of
this section so that these employees are made aware of all
applicable statutes, rules, and policies governing their access to
confidential personal information;
(D) Each state agency shall distribute the policies included
in the rules adopted under division (B) of this section to each
employee of the agency described in division (B)(1) of this
section and shall require that the employee acknowledge receipt of
the copy of the policies. The state agency shall create a poster
that describes these policies and post it in a conspicuous place
in the main office of the state agency and in all locations where
the state agency has branch offices. The state agency shall post
the policies on the internet web site of the agency if it
maintains such an internet web site. A state agency that has
established a manual or handbook of its general policies and
procedures shall include these policies in the manual or handbook.
(E) No collective bargaining agreement entered into under
Chapter 4117. of the Revised Code on or after the effective date
of this section shall prohibit disciplinary action against or
termination of an employee of a state agency who is found to have
accessed, disclosed, or used personal confidential information in
violation of a rule adopted under division (B) of this section or
as otherwise prohibited by law.
(F) The auditor of state shall review the procedures and
policies included in a rule adopted under division (B) of this
section, shall ensure compliance with this section, and may
include citations or recommendations relating to this section in
any audit report issued under section 117.11 of the Revised Code.
(G) A person who is harmed by an intentional violation of a
rule of a state agency described in division (B) of this section
has a cause of action to recover damages and attorney's fees from
any person who directly and proximately caused the harm. The
action may be commenced in the county where the violation
occurred, in the county where the person bringing the action
resides, or in Franklin county.
(H)(1) No person shall purposely access confidential personal
information in violation of a rule of a state agency described in
division (B) of this section.
(2) No person shall purposely use or disclose confidential
personal information in a manner prohibited by law.
(3) A state agency shall terminate the employment of an
employee of the state agency who is in the unclassified civil
service and who the state agency determines has violated division
(H)(1) or (2) of this section.
Sec. 1347.99. (A) No public official, public employee, or
other person who maintains, or is employed by a person who
maintains, a personal information system for a state or local
agency shall purposely refuse to comply with division (E), (F),
(G), or (H) of section 1347.05, section 1347.071, division (A),
(B), or (C) of section 1347.08, or division (A) or (C) of section
1347.09 of the Revised Code. Whoever violates this section is
guilty of a minor misdemeanor.
(B) Whoever violates division (H)(1) or (2) of section
1347.15 of the Revised Code is guilty of a misdemeanor of the
first degree.
Sec. 5703.211. The director of taxation shall adopt rules
under Chapter 119. of the Revised Code that require that any
search of any of the databases of the department of taxation be
tracked so that administrators of the database or investigators
can identify each account holder who conducted a search of the
database.
Section 2. That existing section 1347.99 of the Revised Code
is hereby repealed.