The department shall collect, maintain and use only personal information which is necessary and relevant to the functions it is required or authorized to perform by statute, ordinance, code or rule and eliminate such information when it is no longer necessary to those functions.
(A) Annually, the responsible individual shall review a random sampling of records to determine if personal information in the system is necessary for and relevant to the performance of lawful functions. Personal information which does not meet these requirements shall no longer be collected.
(B) When an existing personal information system is substantially enlarged or a new personal information system is established, the personal systems security coordinator shall examine:
(1) The function for which the personal information system is being enlarged or created to ensure that it is required or authorized by statute, ordinance, code or rule; and
(2) The personal information to be collected and maintained to ensure that it is necessary and relevant to the function to be performed.
The personal systems security coordinator shall approve or disapprove the enlargement or establishment of a personal information system.
(C) Retention periods shall be established to ensure the deletion of personal information which is no longer necessary for or relevant to the performance of lawful functions. The establishment of retention periods shall conform to sections 121.211 and 149.34 of the Revised Code.