Sub. H.B. 648*

127th General Assembly

(As Reported by H. State Government and Elections)

 

Reps. Jones, Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, R. McGregor, J. McGregor, Combs, Sears, Goodwin

BILL SUMMARY

·        Requires state agencies to adopt rules governing access to the confidential personal information they keep.

·        Creates a civil action to recover damages for harm resulting from an intentional violation of these rules and imposes a criminal penalty for such a violation.

·        Requires the Tax Commissioner to adopt rules to require the tracking of searches of any of the Department of Taxation's databases.

CONTENT AND OPERATION

State agency rules governing access to confidential personal information

The bill requires each state agency[1] to adopt rules in accordance with the Administrative Procedure Act that regulate access to the confidential personal information[2] the agency keeps, whether electronically or on paper.  The rules must include all of the following:

·        Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information.

·        A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information.

·        References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential.

·        A procedure that requires the state agency to provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information and that until such an upgrade or new acquisition occurs, the state agency keep a log that records specific access by employees of the state agency to confidential personal information.

·        A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation based upon specific statutory authority by the state agency about the individual.

·        A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access.

·        A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the Chief Privacy Officer within the Office of Information Technology to ensure that confidential personal information is properly protected and that the state agency complies with the bill and rules adopted under it.

·        A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.  (R.C. 1347.15(B).)

The Office of Information Technology annually must develop the privacy impact form and post it on its Internet web site by each December 1.  The form is to assist each state agency in complying with the rules it must adopt under the bill, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.

State agencies excluded from scope of the bill

The bill does not apply to any of the following:

·        Any state agency or part thereof that performs as its principal function any activity relating to the enforcement of the criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals.

·        The criminal courts.

·        Prosecutors.

·        Any state agency or part thereof that is a correction, probation, pardon, or parole authority.

·        Personal information systems that are comprised of investigatory material compiled for law enforcement purposes that are not described above.

The bill, however, does apply to a part of a state agency that does not perform, as its principal function, an activity relating to the enforcement of criminal laws.  (R.C. 1347.04(A), not in the bill.)

Training program for state agency employees

Under the bill, each state agency must establish a training program for all employees of the state agency who have or who are authorized to approve access to confidential personal information so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information (R.C. 1347.15(C)).

Distribution of information about state agency rules and policies

Each state agency must distribute the policies included in the rules adopted under the bill to each employee of the agency who has or who is authorized to approve access to confidential personal information and must require that the employee acknowledge receipt of the copy of the policies.  The state agency must create a poster that describes the policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices.  The state agency must post the policies on its Internet web site if it maintains such a web site.  A state agency that has established a manual or handbook of its general policies and procedures must include the policies in the manual or handbook.  (R.C. 1347.15(D).)

Restriction on provisions in public employee collective bargaining agreements

No collective bargaining agreement entered into under the Public Employee Collective Bargaining Law on or after the bill's effective date can prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used confidential personal information in violation of a rule adopted under the bill or as otherwise prohibited by law.  (R.C. 1347.15(E).)

Duties of the Auditor of State

The Auditor of State must review the procedures and policies included in a rule adopted under the bill, must ensure compliance with the bill, and may include citations or recommendations relating to the bill in any audit report the Auditor of State issues (R.C. 1347.15(F)).

Civil actions and criminal penalties

A person who is harmed by a violation of a rule of a state agency adopted under the bill may recover damages and reasonable attorney's fees in a civil action from any person who directly and proximately caused the harm.  The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin County.  (R.C. 1347.15(G).)

The bill prohibits any person from knowingly accessing confidential personal information in violation of a rule of a state agency adopted under the bill, and prohibits any person from knowingly using or disclosing confidential personal information in a manner prohibited by law (R.C. 1347.15(H)(1) and (2)).  A violation of either of these prohibitions is a first degree misdemeanor (R.C. 1347.99(B)).  The bill prohibits a state agency from employing a person who has been convicted of or pleaded guilty to a violation of either of these prohibitions (R.C. 1347.15(H)(3)).

The bill specifies that a violation of either of these prohibitions is a violation of a state statute for purposes of the State Employee Whistleblower Law, which authorizes state employees to report alleged wrongdoing without fear of retaliation (R.C. 124.341 (not in the bill) and R.C. 1347.15(H)(4)).

Access to databases of the Department of Taxation

The bill requires the Tax Commissioner to adopt rules under the Administrative Procedure Act that require that any search of any of the databases of the Department of Taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database (R.C. 5703.211).

HISTORY

ACTION                                  DATE

Introduced                              12-02-08
Reported, H. State Gov't & Elections    ---




* This analysis was prepared before the report of the House State Government and Elections Committee appeared in the House Journal.  Note that the list of co-sponsors and the legislative history may be incomplete.

[1] "State agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency (R.C. 1347.15(A)(2)).

[2] "Confidential personal information" means personal information that is not a public record for purposes of the Public Records Act (R.C. 149.43), and "personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person (R.C. 1347.01(E), not in the bill, and 1347.15(A)(1)).