H.B. 648

127th General Assembly

(As Introduced)

Reps. Jones, Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, R. McGregor, J. McGregor, Combs, Sears, Goodwin

BILL SUMMARY

· Requires state agencies to adopt rules governing access to the confidential personal information they keep.

· Creates a civil action to recover damages for harm resulting from an intentional violation of these rules and imposes a criminal penalty for such a violation.

· Requires the Tax Commissioner to adopt rules to require the tracking of searches of any of the Department of Taxation's databases.

CONTENT AND OPERATION

State agency rules governing access to confidential personal information

The bill requires each state agency to adopt rules in accordance with the Administrative Procedure Act that regulate access to the confidential personal information[1] the agency keeps.  The rules must include all of the following:

· Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information.

· A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information.

· References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential.

· A procedure that requires the state agency to record each specific access by employees of the state agency to confidential personal information.

· A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps.

· A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access.

· A requirement that the director of each state agency designate an employee of the state agency to serve as the data privacy point of contact within that state agency to work with the Chief Privacy Officer within the Office of Information Technology to ensure that confidential personal information is properly protected and that the state agency complies with the bill and rules adopted under it.

· A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form which the Office of Information Technology annually must develop and post on its Internet web site by December 1.  The form is to assist each state agency in complying with the rules it must adopt under the bill, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.

· A requirement that a password be used to access confidential personal information.  (R.C. 1347.15(B).)

State agencies excluded from scope of the bill

The bill does not apply to any of the following:

· Any state agency or part thereof that performs as its principal function any activity relating to the enforcement of the criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals.

· The criminal courts.

· Prosecutors.

· Any state agency or part thereof that is a correction, probation, pardon, or parole authority.

· Personal information systems that are comprised of investigatory material compiled for law enforcement purposes that are not described above.

The bill, however, does apply to a part of a state agency that does not perform, as its principal function, an activity relating to the enforcement of criminal laws.  (R.C. 1347.04(A), not in the bill.)

Training program for state agency employees

Under the bill, each state agency must establish a training program for all employees of the state agency who have or who are authorized to approve access to confidential personal information so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information (R.C. 1347.15(C)).

Distribution of information about state agency rules and policies

Each state agency must distribute the policies included in the rules adopted under the bill to each employee of the agency who has or who is authorized to approve access to confidential personal information and must require that the employee acknowledge receipt of the copy of the policies.  The state agency must create a poster that describes the policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices.  The state agency must post the policies on its Internet web site if it maintains such a web site.  A state agency that has established a manual or handbook of its general policies and procedures must include the policies in the manual or handbook.  (R.C. 1347.15(D).)

Restriction on provisions in public employee collective bargaining agreements

No collective bargaining agreement entered into under the Public Employee Collective Bargaining Law on or after the bill's effective date can prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under the bill or as otherwise prohibited by law.  (R.C. 1347.15(E).)

Duties of the Auditor of State

The Auditor of State must review the procedures and policies included in a rule adopted under the bill, must ensure compliance with the bill, and may include citations or recommendations relating to the bill in any audit report the Auditor of State issues (R.C. 1347.15(F)).

Civil actions and criminal penalties

A person who is harmed by an intentional violation of a rule of a state agency adopted under the bill may recover damages and attorney's fees in a civil action from any person who directly and proximately caused the harm.  The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin County.  (R.C. 1347.15(G).)

The bill prohibits any person from purposely accessing confidential personal information in violation of a rule of a state agency adopted under the bill, and prohibits any person from purposely using or disclosing confidential personal information in a manner prohibited by law (R.C. 1347.15(H)(1) and (2)).  A violation of either of these prohibitions is a first degree misdemeanor (R.C. 1347.99(B)).  The bill requires a state agency to terminate the employment of an employee of the state agency who is in the unclassified civil service[2] and who the state agency determines has violated either of these prohibitions (R.C. 1347.15(H)(3)).

Access to databases of the Department of Taxation

The bill requires the Director of Taxation[3] to adopt rules under the Administrative Procedure Act that require that any search of any of the databases of the Department of Taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database (R.C. 5703.211).

HISTORY

ACTION          DATE

Introduced      12-02-08




[1] "Confidential personal information" means personal information that is not a public record for purposes of the Public Records Act (R.C. 149.43), and "personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person (R.C. 1347.01(E), not in the bill, and 1347.15(A)).

[2] Employees in the classified civil service (1) must be hired and promoted through competitive and noncompetitive examinations (R.C. 124.23, 124.26, 124.27, 124.30, and 124.31), (2) have appeal rights when they are suspended, demoted, removed, reduced in pay or position, reclassified, or laid off (R.C. 124.03(A), 124.14(D), 124.328, and 124.34), and (3) cannot participate in partisan political activities (R.C. 124.57 to 124.61).  These provisions do not apply to unclassified employees, who serve at the pleasure of their appointing authorities.

[3] The bill refers to the "Director of Taxation," but the name of the head of the Department of Taxation actually is the "Tax Commissioner."