(1) "Personal information" means any information that describes anything about a person, or indicates action done by or to a person, or indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by a name, identifying number, symbol, or other identifier assigned to a person.
(a) Personal information includes, but is not limited to, the following:
(i) Identifying information about applicants for or recipients of ODJFS-administered benefits or services, including, but not limited to, their names, addresses, social security numbers, phone numbers, and social and economic status.
(ii) Information about ODJFS employees that does not meet the definition of "record" in section 149.011 of the Revised Code, which includes, but is not limited to, their home addresses, home or personal cell phone numbers, social security numbers, driver's license numbers, financial account numbers (especially personal identification numbers), and other non-work-related information.
(iii) Medical or health data about a particular person, including diagnosis and past history of disease or disability, past or current mental health status, and any reports or records pertaining to physical or mental health examinations status.
(b) Personal information does not include non-confidential and non-exempt (work-related) records about an individual that ODJFS or other public entities routinely make available to the general public, or ODJFS records that are required to be made available to the public pursuant to federal or state laws or regulations.
(2) "System" means any collection or group of related records that are kept in an organized manner, either manually or by any other method, and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(B) Release of any ODJFS records to third parties (including personal information) is governed by section 149.43 , section 5101.27 , and Chapter 1347. of the Revised Code and any other state or federal law relating to the release of the information being sought.
(C) Release of personal information to the subject of the information, the subject's guardian, or an attorney with written authorization from the subject is governed by section 5101.27 and Chapter 1347. of the Revised Code, 45 C.F.R. parts 160 and 164, and any other state or federal law relating to the release of personal information to the subject of the information or the subject's guardian.
(D) An individual will be designated as the chief privacy officer for ODJFS. The chief privacy officer is responsible for the personal information systems, including ODJFS's implementation of data security measures. Any unauthorized modification, destruction, use, disclosure, or breach of a personal information system must be reported to the chief privacy officer.
(E) Any person authorized to access, maintain, or use a personal information system shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure. In determining what is reasonable, consideration will be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The requirements of federal and state law governing use of the personal information.
(4) Applicable ODJFS rules and policies.
(F) Disciplinary action, including, but not limited to, suspension or removal, may be brought against any employee who does the following:
(1) Intentionally violates any provision of Chapter 1347. of the Revised Code or other law related to the release of records or personal information.
(2) Initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information.
(3) Releases personal information in violation of state or federal law or refuses or fails to release information as provided by state or federal law.
(G) The office of legal and acquisition services acts as a clearinghouse for information and consultation related to requests for public records and personal information. Any employee of ODJFS who is unable to determine whether a record or information can be released, should consult with legal counsel regarding this determination.