Chapter 4123-16 Personal Information Systems
(A) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.
(B) "Computer readable" means in a form capable of being sensed by optical, electronic, or some other mechanical means which is used in connection with electronic data processing equipment. Computer readable includes storage in magnetic core memories, punched cards, paper tape, magnetic media, and specifically marked forms capable of being decoded by optical scanners or other similar devices.
(C) "Data subject" means the person who is the subject of the record.
(D) "Administrator" means the administrator of the bureau of workers' compensation.
(E) "Bureau" means the bureau of workers' compensation.
(F) "Disclosure of personal information" is any action which reveals personal information in a personal information system to any individual or organization other than employees of the state agency who must use the personal information in the performance of their assigned duties.
(G) "Electronic data processing equipment" means a machine or group of interconnected machines, consisting of input, storage, computing, control and output devices where electronic circuitry is used to perform arithmetic and logical operations, using internally stored or externally controlled programmed instructions. Electronic data processing equipment does not include accounting and bookkeeping machines, office calculators, magnetic card typewriters, and other similar devices. Electronic data processing equipment includes terminals which are linked to computers.
(H) "Interconnection of systems" means a linking of systems that belong to more than one agency or to an agency and other organizations, which linking of systems results in a system that permits each agency or organization involved in the linking to have unrestricted access to the systems of the other agencies and organizations.
(I) "Maintains" means state agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state agency depositing of information with a data processing center for storage, processing, or dissemination. An agency maintains all systems of records which are required by law to be kept by the agency.
(J) "Person" includes any individual, corporation, business trust, estate, trust, partnership, or association.
(K) "Personal information" means any information that describes anything about a person, or indicates actions done by or to a person, or indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by a name, identifying number, symbol, or other identifier assigned to a person.
(L) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System includes both records that are manually stored and records that are stored using electronic data processing equipment. System does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(M) "Use of personal information" is any action which causes personal information in a personal information system to be referenced, processed, or disseminated. The disclosure of personal information is a use of personal information.
Five Year Review (FYR) Dates: 03/05/2018 and 05/01/2022
Promulgated Under: 119.03
Statutory Authority: 4121.12, 4121.121
Rule Amplifies: 1347.05
Prior Effective Dates: 03/15/1982, 10/14/2002
(A) Chapter 4123-16 of the Administrative Code shall apply to all personal information systems maintained by the bureau unless exempted in paragraph (C) or (D) of this rule.
(B) The bureau maintains a personal information system which it deposits or stores in a record center or stores in or has processed by a data center. The bureau does not maintain a personal information system belonging to another state agency, which is stored in or processed by the state data center.
(C) The following types of personal information systems are exempted from the provisions of Chapter 1347. of the Revised Code, and Chapter 4123-16 of the Administrative Code.
(1) Collected archival records in the custody of or administered under the authority of the Ohio history connection;
(2) Published directories;
(3) Reference materials;
(4) Newsletters; or
(5) Routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(D) Personal information systems that are comprised of investigatory material compiled for law enforcement purposes are exempt from the provisions of Chapter 1347. of the Revised Code, and Chapters 123:3-1 and 4123-16 of the Administrative Code.
Five Year Review (FYR) Dates: 03/05/2018 and 05/01/2022
Promulgated Under: 119.03
Statutory Authority: 4121.12, 4121.121
Rule Amplifies: 1347.04, 1347.071
Prior Effective Dates: 03/15/1982, 10/14/2002
(A) The administrator shall appoint a privacy officer to be responsible for agency compliance with Chapter 1347. of the Revised Code and Chapter 4123-16 of the Administrative Code.
(B) The privacy officer, or the privacy officer's designee, shall oversee the staff instruction required by rule 4123-16-12 of the Administrative Code. The privacy officer shall also provide interpretation and guidance relative to specific compliance questions.
(C) The privacy officer shall be designated to receive all correspondence or inquiries relative to privacy matters unless otherwise indicated in Chapter 4123-16 of the Administrative Code.
(D) The privacy officer shall be responsible for monitoring policies and procedures established under Chapter 4123-16 of the Administrative Code and modifying such policies and procedures when appropriate.
The bureau shall collect, maintain and use only personal information which is necessary and relevant to the functions it is required or authorized to perform by statute, ordinance, code or rule and eliminate such information when it is no longer necessary to those functions.
(A) Within three months after any change in the purpose of the personal information system, the privacy officer shall review a random sampling of records to determine if personal information in the system is necessary for and relevant to the performance of lawful functions. Personal information which does not meet these requirements shall no longer be collected.
(B) When an existing personal information system is substantially enlarged or a new personal information system is established, the privacy officer shall examine:
(1) The function for which the personal information system is being enlarged or created to ensure that it is required or authorized by statute, ordinance, code or rule; and
(2) The personal information to be collected and maintained to ensure that it is necessary and relevant to the function to be performed.
(C) Retention periods shall be established to ensure the deletion of personal information which is no longer necessary for or relevant to the performance of lawful functions. The establishment of retention periods shall conform to sections 121.211 and 149.34 of the Revised Code.
(A) Employees who use a personal information system shall monitor the contents of the records and report to the privacy officer the existence of personal information which appears inaccurate, irrelevant, untimely or incomplete.
(B) The privacy officer shall keep a record of the reported incidence of error in each personal information system. If it appears the reported errors are characteristic of the system as a whole, the privacy officer shall establish procedures to correct existing records and record-keeping methods.
(C) In order to maintain personal information which is accurate, relevant, timely and complete, employees of the bureau shall:
(1) Verify the accuracy of personal information which does not appear reasonable or is doubtful, vague, or inconsistent.
(2) Correct inaccurate personal information.
(3) Limit the collection and maintenance of subjective personal information to only that information which is required to accomplish the purpose of the system and, when feasible, verify such information.
(4) When feasible, collect personal information from the data subject rather than a third-party source or verify with the data subject information provided by a third party.
(5) Not include in, or allow to remain in, a personal information system personal information known to be inaccurate, untimely, unnecessary, or irrelevant.
(6) Update personal information systems which provide an historical account or for which an outcome is anticipated.
(7) Make no determination based on personal information in a personal information system if the data is known or suspected to be incomplete.
(A) Any person asked to supply personal information for a personal information system shall be advised whether he or she is legally required, or may refuse, to supply the information. A statement to this effect shall be provided with any written or verbal request for information and included on all forms.
(B) Any person asked to supply personal information that will be placed in an interconnected or combined system shall be provided with information relevant to the system, including the identity of the other agencies or organizations that have access to the personal information in the system.
(C) If personal information is requested from the same source on a continuous basis, the person may be advised, as required under paragraph (A) or (B) of this rule, one time, in writing, rather than prior to each request.
(A) Upon the request and proper identification of any person who is the subject of personal information in a personal information system, the bureau shall:
(1) Inform the person of any personal information in the system of which the person is the subject;
(2) Except as provided in paragraph (C) or (D) of this rule, permit the person, his or her legal guardian, or an attorney with a signed written authorization made by the person, or his or her guardian, to inspect all personal information in the system of which the person is the subject; and
(3) Inform the person about the types of uses made of the personal information, including the identity of any users usually granted access to the system.
(B) Any person who wishes to exercise a right provided by this rule may be accompanied by another individual of the person's choice.
(C) Upon request, medical, psychiatric or psychological information shall be disclosed to the person who is the subject of the information or to the person's legal guardian, unless a physician, psychiatrist, or psychologist determines for the agency that the disclosure of the information is likely to have an adverse effect on the person, in which case the information shall be released to a physician, psychiatrist, or psychologist who is designated by the person or by his or her legal guardian.
(D) Upon the request of an individual who is authorized to inspect personal information, the bureau shall provide, at cost, copies of personal information the data subject is authorized to inspect that is maintained in a personal information system by the bureau.
(E) The bureau of workers' compensation or officer or employee thereof shall not deny to any person or his or her legal guardian the person's rights to inspect and correct personal information pursuant to sections 1347.08 and 1347.09 of the Revised Code.
(A) If a person who is the subject of personal information in a personal information system maintained by the bureau disputes the accuracy, relevance, timeliness or completeness of the personal information, the person may request the bureau to investigate the current status of the information.
(B) Requests to investigate personal information shall be made to the privacy officer or the director who is responsible for the system.
(C) Within ninety days after receiving the request from the disputant, the bureau shall make a reasonable investigation to determine whether the disputed information is accurate, relevant, timely and complete and shall notify the disputant of the results of the investigation and of the action that the bureau plans to take with respect to the disputed information. The bureau shall delete any information that it cannot verify or that it finds to be inaccurate.
(D) If after the bureau's determination, the disputant is not satisfied, the bureau shall do either of the following:
(1) Permit the disputant to include within the system a brief statement of his or her position on the disputed information, or
(2) Permit the disputant to include within the system a notation that the disputant protests that the information is inaccurate, irrelevant, outdated, or incomplete. The agency shall maintain a copy of the disputant's statement of the dispute.
The department may limit the statement to not more than one hundred words if the bureau assists the disputant to write a clear summary of the dispute.
(E) The bureau shall include the statement or notation in any subsequent transfer, report or dissemination of the disputed information and may include with the statement or notation of the disputant a statement by the bureau that it has reasonable grounds to believe that the dispute is frivolous or irrelevant and of the reasons for its belief.
(F) The presence of contradictory information in the person's file does not alone constitute reasonable grounds to believe that the dispute is frivolous or irrelevant.
(G) Following any deletion of information that is found to be inaccurate or the accuracy of which can no longer be verified, or if a statement of dispute was filed by the disputant, the bureau shall, at the written request of the disputant, furnish notification that the information has been deleted, or furnish a copy of the disputant's statement of the dispute, to any person specifically designated by the disputant. The bureau shall specifically disclose to the disputant that he or she has the right to make such a request.
(A) The bureau shall not place personal information in an interconnected or combined system, or use personal information that is placed in an interconnected or combined system by another state or local agency or another organization, unless the interconnected or combined system will contribute to the efficiency of the involved agencies in implementing programs that are authorized by law.
(B) The bureau shall not use personal information placed in an interconnected or combined system by another state or local agency or another organization unless the personal information is necessary and relevant to the performance of a lawful function of the bureau.
(C) The participation in an interconnected or combined system or the use of personal information in an interconnected or combined system shall be approved by the privacy officer.
(A) The bureau shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, or disclosure of personal information. In determining what is reasonable, consideration shall be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The need for and feasibility of keeping personal information in a secure place, considering paragraphs (A)(1) and (A)(2) of this rule, the cost of providing a secure place, and the need for access to the place where information is kept by personnel of the agency and the general public.
(B) The bureau shall adopt, implement and enforce a security plan for the protection of personal information. This plan shall include the following:
(1) A statement of the security precautions for each personal information system determined appropriate from the analysis conducted in accordance with paragraph (A) of this rule. When electronic data processing equipment is used, the requirements of rule 123:3-1-01 of the Administrative Code shall be included in the statement of security precautions.
(2) A method of informing agency employees concerning appropriate and inappropriate uses, disclosure and access to the personal information as well as penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information.
(3) A method for reporting violations of the security plan to responsible officials or employees of the agency.
(4) A method for monitoring the effectiveness of the security plan.
A copy of the security plan shall be kept in the office of the privacy officer.
(C) The bureau may require a background investigation of any individual who has access to confidential personal information or to computer equipment used to process such information.
(D) The requirements of Chapter 1347. of the Revised Code and of Chapter 4123-16 of the Administrative Code shall apply to personal information stored, processed, or disseminated under contract with the bureau by any contractor. Any such contract shall contain covenants that the contract will:
(1) Use the information only as specified in the contract;
(2) Not disclose information except with the express permission of the bureau; and
(3) Protect the security of the information.
This paragraph shall apply only to contracts entered into after the effective date of Chapter 4123-16 of the Administrative Code.
(A) The bureau shall adopt written policies and procedures which inform employees of the applicable provisions of Chapter 1347. of the Revised Code and of all rules adopted in accordance with the chapter.
(B) The privacy officer shall inform each employee of the bureau who has responsibility for the operation or maintenance of the personal information system of the policies and procedures adopted under Chapter 4123-16 and of the specific application of these policies and procedures to the personal information system.
(A) Any employee who intentionally violates any provision of Chapter 1347. of the Revised Code or any rule adopted in accordance with this chapter shall be subject to disciplinary action.
(B) Any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information shall be subject to suspension or possible removal.