The online versions of legislation provided on this website are not official. Enrolled bills are the final version passed by the Ohio General Assembly and presented to the Governor for signature. The official versions of acts signed by the Governor are available from the Secretary of State's Office in the Continental Plaza, 180 East Broad St., Columbus.

Sub. H. B. No. 648  As Passed by the House

127th General Assembly
Regular Session
2007-2008
Sub. H. B. No. 648


Representative Jones 

Cosponsors: Representatives Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, McGregor, R., McGregor, J., Combs, Sears, Goodwin, Daniels, Hite, Collier, Domenick, Reinhard, Schlichter, Aslanides, Bacon, Blessing, Carmichael, Ciafardini, Coley, Core, DeWine, Dolan, Evans, Flowers, Gibbs, Hagan, J., Huffman, Hughes, Schneider, Stewart, J., Webster, White, Wolpert 



A BILL
To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to require the tracking of searches of any of the Department's databases.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF OHIO:
Section 1.  That section 1347.99 be amended and sections 1347.15 and 5703.211 of the Revised Code be enacted to read as follows:
Sec. 1347.15. (A) As used in this section:
(1) "Confidential personal information" means personal information that is not a public record for purposes of section 149.43 of the Revised Code.
(2) "State agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency.
(B) Each state agency shall adopt rules under Chapter 119. of the Revised Code regulating access to the confidential personal information the agency keeps, whether electronically or on paper. The rules shall include all the following:
(1) Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;
(2) A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;
(3) References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;
(4) A procedure that requires the state agency to provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information and that until such an upgrade or new acquisition occurs, the state agency keep a log that records specific access by employees of the state agency to confidential personal information;
(5) A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation based upon specific statutory authority by the state agency about the individual;
(6) A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;
(7) A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the chief privacy officer within the office of information technology to ensure that confidential personal information is properly protected and that the state agency complies with this section and rules adopted thereunder;
(8) A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form; and
(9) A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.
(C) Each state agency shall establish a training program for all employees of the state agency described in division (B)(1) of this section so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information.
The office of information technology shall develop the privacy impact assessment form and post the form on its internet web site by the first day of December each year. The form shall assist each state agency in complying with the rules it adopted under this section, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.
(D) Each state agency shall distribute the policies included in the rules adopted under division (B) of this section to each employee of the agency described in division (B)(1) of this section and shall require that the employee acknowledge receipt of the copy of the policies. The state agency shall create a poster that describes these policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices. The state agency shall post the policies on the internet web site of the agency if it maintains such an internet web site. A state agency that has established a manual or handbook of its general policies and procedures shall include these policies in the manual or handbook.
(E) No collective bargaining agreement entered into under Chapter 4117. of the Revised Code on or after the effective date of this section shall prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under division (B) of this section or as otherwise prohibited by law.
(F) The auditor of state shall review the procedures and policies included in a rule adopted under division (B) of this section, shall ensure compliance with this section, and may include citations or recommendations relating to this section in any audit report issued under section 117.11 of the Revised Code.
(G) A person who is harmed by a violation of a rule of a state agency described in division (B) of this section has a cause of action to recover damages and reasonable attorney's fees from any person who directly and proximately caused the harm. The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin county.
(H)(1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section.
(2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.
(3) No state agency shall employ a person who has been convicted of or pleaded guilty to a violation of division (H)(1) or (2) of this section.
(4) A violation of division (H)(1) or (2) of this section is a violation of a state statute for purposes of division (A) of section 124.341 of the Revised Code.
Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.
(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.
Sec. 5703.211. The tax commissioner shall adopt rules under Chapter 119. of the Revised Code that require that any search of any of the databases of the department of taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.
Section 2. That existing section 1347.99 of the Revised Code is hereby repealed.