Sub. H.B. 648*

127th General Assembly

(As Reported by S. Judiciary - Criminal Justice)

 

Reps. Jones, Batchelder, Hottinger, Stebelton, Bubp, Nero, Grady, Setzer, Adams, Schindel, Wachtmann, Gardner, Widener, Brinkman, Zehringer, Uecker, Mecklenborg, Wagner, R. McGregor, J. McGregor, Combs, Sears, Goodwin, Daniels, Hite, Collier, Domenick, Reinhard, Schlichter, Aslanides, Bacon, Blessing, Carmichael, Ciafardini, Coley, Core, DeWine, Dolan, Evans, Flowers, Gibbs, J. Hagan, Huffman, Hughes, Schneider, J. Stewart, Webster, White, Wolpert

BILL SUMMARY

· Requires state agencies to adopt rules governing access to the confidential personal information they keep.

· Provides that a person harmed by a violation of a rule of a state agency adopted under the bill may bring an action in the Court of Claims against any person who directly and proximately caused the harm, and imposes a criminal penalty for such a violation.

· Requires the Tax Commissioner to adopt rules to generally require the tracking of searches of any of the Department of Taxation's databases.

CONTENT AND OPERATION

State agency rules governing access to confidential personal information

Adoption of rules; privacy impact form

The bill requires each "state agency" (see "Determination of state agencies to which the bill applies," below) to adopt rules in accordance with the Administrative Procedure Act that regulate access to the confidential personal information[1] the agency keeps, whether electronically or on paper.  The rules must include all of the following (R.C. 1347.15(B) and (C)(1)):

(1)  Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;

(2)  A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;

(3)  References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;

(4)  A procedure that requires the state agency to do all of the following:  (a) provide that any upgrades to an existing computer system, or the acquisition of any new computer system, that stores, manages, or contains confidential personal information include a mechanism for recording specific access by employees of the state agency to confidential personal information, (b) until an upgrade or new acquisition of the type described in clause (a) of this paragraph occurs, except as described in the next sentence, keep a log that records specific access by employees of the state agency to confidential personal information.  A procedure adopted under this provision is not to require a state agency to record in the log it keeps under clause (b) of this paragraph any specific access by any employee of the agency to confidential personal information in any of the following circumstances:  (i) the access occurs as a result of research performed for official agency purposes, routine office procedures, or incidental contact with the information, unless the conduct resulting in the access is specifically directed toward a specifically named individual or a group of specifically named individuals, or (ii) the access is to confidential personal information about an individual, and the access occurs as a result of a request by that individual for confidential personal information about that individual.

(5)  A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps, unless the confidential personal information relates to an investigation about the individual based upon specific statutory authority by the state agency;

(6)  A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;

(7)  A requirement that the director of the state agency designate an employee of the state agency to serve as the data privacy point of contact within the state agency to work with the Chief Privacy Officer within the Office of Information Technology to ensure that confidential personal information is properly protected and that the state agency complies with the bill and rules adopted under it;

(8)  A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form;

(9)  A requirement that a password or other authentication measure be used to access confidential personal information that is kept electronically.

The Office of Information Technology annually must develop the privacy impact assessment form referred to in (8) above and post it on its Internet web site by each December 1.  The form must assist each state agency in complying with the rules it must adopt under the bill, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy.  (R.C. 1347.15(C)(2).)

Determination of agencies to which the bill applies

Definition of "state agency"

Existing R.C. 1347.01, not in the bill, provides that, as used in R.C. Chapter 1347., except as otherwise provided:  (1) "state agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state, and (2) "local agency" means any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county. 

The bill specifies that, as used in all of its provisions other than the provisions described below in "Access to databases of the Department of Taxation," "state agency" does not include the courts or any judicial agency, any state-assisted institution of higher education, or any local agency (R.C. 1347.15(A)(2)).

Thus, under the resulting composite definition of the term, as used in all of the bill's provisions other than the provisions described below in "Access to databases of the Department of Taxation," "state agency" means the office of any elected state officer and any agency, board, commission, department, division, or educational institution of the state, but it does not include the courts or any judicial agency, any state-assisted institution of higher education, or any municipal corporation, school district, special purpose district, or township of the state or any elected officer or board, bureau, commission, department, division, institution, or instrumentality of a county (R.C. 1347.15(A)(2) and existing R.C. 1347.01, which is not in the bill).

State agencies, entities, and persons excluded from scope of the bill

Existing R.C. 1347.04, not in the bill, specifies that, except as described in the next sentence, all of the following are exempt from the provisions of R.C. Chapter 1347.:  (1) any state agency or part thereof that performs as its principal function any activity relating to the enforcement of the criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, (2) the criminal courts, (3) prosecutors, (4) any state agency or part thereof that is a correction, probation, pardon, or parole authority, or (5) personal information systems that are comprised of investigatory material compiled for law enforcement purposes that are not described above.  The provisions of the Chapter do apply, though, to a part of a state agency that does not perform, as its principal function, an activity relating to the enforcement of criminal laws.  Under the terms of existing R.C. 1347.04, the exemptions described above apply regarding the bill's provisions other than the provisions described below in "Access to databases of the Department of Taxation."

Training program for state agency employees

Under the bill, each state agency must establish a training program for all employees of the state agency who have access to confidential personal information, or who are supervisory employees who may authorize employees to access it, so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information (R.C. 1347.15(C)(2)).

Distribution of information about state agency rules and policies

Each state agency must distribute the policies included in the rules adopted under the bill to each employee of the agency who has access to confidential personal information, or who is a supervisory employee who may authorize such access, and must require that the employee acknowledge receipt of the copy of the policies.  The state agency must create a poster that describes the policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices.  The state agency must post the policies on its Internet web site if it maintains such a web site.  A state agency that has established a manual or handbook of its general policies and procedures must include the policies in the manual or handbook.  (R.C. 1347.15(D).)

Restriction on provisions in public employee collective bargaining agreements

No collective bargaining agreement entered into under the Public Employee Collective Bargaining Law on or after the bill's effective date can prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under the bill or as otherwise prohibited by law.  (R.C. 1347.15(E).)

Duties of the Auditor of State

The Auditor of State must obtain evidence that state agencies adopted the procedures and policies in a rule under the bill, must obtain evidence supporting whether the agency is complying with those policies and procedures, and may include citations or recommendations relating to those provisions in any audit report the Auditor of State issues (R.C. 1347.15(F)).

Civil actions and criminal penalties

A person who is harmed by a violation of a rule of a state agency adopted under the bill may bring an action in the Court of Claims, as described in R.C. 2743.02(F), against any person who directly and proximately caused the harm.  (R.C. 1347.15(G).)

The bill prohibits any person from knowingly accessing confidential personal information in violation of a rule of a state agency adopted under the bill's provisions described above, and prohibits any person from knowingly using or disclosing confidential personal information in a manner prohibited by law (R.C. 1347.15(H)(1) and (2)).  A violation of either of these prohibitions is a first degree misdemeanor (R.C. 1347.99(B)).  The bill prohibits a state agency from employing a person who has been convicted of or pleaded guilty to a violation of either of these prohibitions (R.C. 1347.15(H)(3)).

The bill specifies that a violation of either of these prohibitions is a violation of a state statute for purposes of the State Employee Whistleblower Law, which authorizes state employees to report alleged wrongdoing without fear of retaliation (R.C. 124.341 (not in the bill) and R.C. 1347.15(H)(4)).

Access to databases of the Department of Taxation

The bill requires the Tax Commissioner to adopt rules under the Administrative Procedure Act that, except as otherwise described in the next sentence, require that any search of any of the databases of the Department of Taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.  The rules adopted under this provision are not to require the tracking of any search of any of the databases of the Department conducted by an account holder in any of the following circumstances:  (1) the search occurs as a result of research performed for official agency purposes, routine office procedures, or incidental contact with the information, unless the search is specifically directed toward a specifically named individual or a group of specifically named individuals, or (2) the search is for information about an individual, and it is performed as a result of a request by that individual for information about that individual.  (R.C. 5703.211.)

COMMENT

R.C. 149.43 sets forth the state's Public Records Law.  The section specifies that, as used in its provisions:

(1)  "Public record" means records kept by any public office, including, but not limited to, state, county, city, village, township, and school district units, and records pertaining to the delivery of educational services by an alternative school in Ohio kept by the nonprofit or for profit entity operating the alternative school pursuant to R.C. 3313.533.  "Public record" does not mean any of the following (R.C. 149.43(A)):

(a)  "Medical records" (see below);

(b)  Records pertaining to probation and parole proceedings or to proceedings related to the imposition of "community control sanctions" and "post-release control sanctions" (see below);

(c)  Records pertaining to actions under R.C. 2151.85 and R.C. 2919.121(C) and to appeals of actions arising under those sections;

(d)  Records pertaining to adoption proceedings, including the contents of an adoption file maintained by the Department of Health under R.C. 3705.12;

(e)  Information in a record contained in the putative father registry established by R.C. 3107.062, regardless of whether the information is held by the Department of Job and Family Services or, pursuant to R.C. 3111.69, the Office of Child Support in the Department or a child support enforcement agency;

(f)  Records listed in R.C. 3107.42(A) or specified in R.C. 3107.52(A);

(g)  "Trial preparation records" (see below);

(h)  "Confidential law enforcement investigatory records" (see below);

(i)  Records containing information that is confidential under R.C. 2710.03 or 4112.05;

(j)  DNA records stored in the DNA database pursuant to R.C. 109.573;

(k)  Inmate records released by the Department of Rehabilitation and Correction to the Department of Youth Services or a court of record pursuant to R.C. 5120.21(E);  

(l)  Records maintained by the Department of Youth Services pertaining to children in its custody released by the Department to the Department of Rehabilitation and Correction pursuant to R.C. 5139.05;

(m)  "Intellectual property records" (see below);

(n)  "Donor profile records" (see below);

(o)  Records maintained by the Department of Job and Family Services pursuant to R.C. 3121.894;

(p)  "Peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT residential and familial information" (see below);

(q)  In the case of a county hospital operated pursuant to R.C. Chapter 339. or a municipal hospital operated pursuant to R.C. Chapter 749., information that constitutes a trade secret, as defined in R.C. 1333.61;

(r)  "Information pertaining to the recreational activities of a person under the age of 18" (see below);

(s)  Records provided to, statements made by review board members during meetings of, and all work products of a child fatality review board acting under R.C. 307.621 to 307.629, other than the report prepared pursuant to R.C. 307.626;

(t)  Records provided to and statements made by the executive director of a public children services agency or a prosecuting attorney acting pursuant to R.C. 5153.171 other than the information released under that section;

(u)  Test materials, examinations, or evaluation tools used in an examination for licensure as a nursing home administrator that the board of examiners of nursing home administrators administers under R.C. 4751.04 or contracts under that section with a private or government entity to administer;

(v)  Records the release of which is prohibited by state or federal law;

(w)  Proprietary information of or relating to any person that is submitted to or compiled by the Ohio Venture Capital Authority created under R.C. 150.01;

(x)  Information reported and evaluations conducted pursuant to R.C. 3701.072;

(y)  Financial statements and data any person submits for any purpose to the Ohio housing finance agency or the controlling board in connection with applying for, receiving, or accounting for financial assistance from the agency, and information that identifies any individual who benefits directly or indirectly from financial assistance from the agency;

(z)  Records listed in R.C. 5101.29.

(2)  "Confidential law enforcement investigatory record" means any record that pertains to a law enforcement matter of a criminal, quasi-criminal, civil, or administrative nature, but only to the extent that the release of the record would create a high probability of disclosure of any of the following:  (a) the identity of a suspect who has not been charged with the offense to which the record pertains, or of an information source or witness to whom confidentiality has been reasonably promised, (b) information provided by an information source or witness to whom confidentiality has been reasonably promised, which information would reasonably tend to disclose the source's or witness's identity, (c) specific confidential investigatory techniques or procedures or specific investigatory work product, or (d) information that would endanger the life or physical safety of law enforcement personnel, a crime victim, a witness, or a confidential information source.

(3)  "Medical record" means any document or combination of documents, except births, deaths, and the fact of admission to or discharge from a hospital, that pertains to the medical history, diagnosis, prognosis, or medical condition of a patient and that is generated and maintained in the process of medical treatment.

(4)  "Trial preparation record" means any record that contains information that is specifically compiled in reasonable anticipation of, or in defense of, a civil or criminal action or proceeding, including the independent thought processes and personal trial preparation of an attorney.

(5)  "Intellectual property record" means a record, other than a financial or administrative record, that is produced or collected by or for faculty or staff of a state institution of higher learning in the conduct of or as a result of study or research on an educational, commercial, scientific, artistic, technical, or scholarly issue, regardless of whether the study or research was sponsored by the institution alone or in conjunction with a governmental body or private concern, and that has not been publicly released, published, or patented.

(6)  "Donor profile record" means all records about donors or potential donors to a public institution of higher education except the names and reported addresses of the actual donors and the date, amount, and conditions of the actual donation.

(7)  "Peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT residential and familial information" means any information that discloses any of the following about a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT:  (a) the address of the actual personal residence of a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT, except for the state or political subdivision in which the peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT resides, (b) information compiled from referral to or participation in an employee assistance program, (c) the Social Security number, the residential telephone number, any bank account, debit card, charge card, or credit card number, or the emergency telephone number of, or any medical information pertaining to, a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT, (d) the name of any beneficiary of employment benefits, including, but not limited to, life insurance benefits, provided to a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT by the peace officer's, parole officer's, prosecuting attorney's, assistant prosecuting attorney's, correctional employee's, youth services employee's, firefighter's, or EMT's employer, (e) the identity and amount of any charitable or employment benefit deduction made by the peace officer's, parole officer's, prosecuting attorney's, assistant prosecuting attorney's, correctional employee's, youth services employee's, firefighter's, or EMT's employer from the peace officer's, parole officer's, prosecuting attorney's, assistant prosecuting attorney's, correctional employee's, youth services employee's, firefighter's, or EMT's compensation unless the amount of the deduction is required by state or federal law, (f) the name, the residential address, the name of the employer, the address of the employer, the social security number, the residential telephone number, any bank account, debit card, charge card, or credit card number, or the emergency telephone number of the spouse, a former spouse, or any child of a peace officer, parole officer, prosecuting attorney, assistant prosecuting attorney, correctional employee, youth services employee, firefighter, or EMT, or (g) a photograph of a peace officer who holds a position or has an assignment that may include undercover or plain clothes positions or assignments as determined by the peace officer's appointing authority.

(8)  "Information pertaining to the recreational activities of a person under the age of 18" means information that is kept in the ordinary course of business by a public office, that pertains to the recreational activities of a person under the age of 18 years, and that discloses any of the following:  (a) the address or telephone number of a person under the age of 18 or the address or telephone number of that person's parent, guardian, custodian, or emergency contact person, (b) the Social Security number, birth date, or photographic image of a person under the age of 18, (c) any medical record, history, or information pertaining to a person under the age of 18, or (d) any additional information sought or required about a person under the age of 18 for the purpose of allowing that person to participate in any recreational activity conducted or sponsored by a public office or to use or obtain admission privileges to any recreational facility owned or operated by a public office.

(9)  "Community control sanction" has the same meaning as in R.C. 2929.01.

(10)  "Post-release control sanction" has the same meaning as in R.C. 2967.01.

HISTORY

ACTION                                          DATE

Introduced                                      12-02-08
Reported, H. State Gov't & Elections            12-10-08
Passed House (69-26)                            12-10-08
Reported, S. Judiciary - Criminal Justice          ---

H0648-RS-127.doc/jc



* This analysis was prepared before the report of the Senate Judiciary - Criminal Justice Committee appeared in the Senate Journal.  Note that the list of co-sponsors and the legislative history may be incomplete.

[1] "Confidential personal information" means personal information that is not a public record for purposes of the Public Records Law (see COMMENT), and "personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person (R.C. 1347.01(E), not in the bill, and 1347.15(A)(1)).