(1) "Personal information" means any information that describes anything about a person, or indicates action done by or to a person, or indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.
(a) Personal information includes, but is not limited to, the following:
(i) An individual's social security number, driver's license number, state identification number, state or federal tax identification number, financial account number, and credit or debit card number.
(ii) Identifying information about applicants for or recipients of ODJFS-administered benefits or services, including, but not limited to, their names, addresses, social security numbers, phone numbers, and social and economic status.
(iii) Information about ODJFS employees that does not meet the definition of "record" in section 149.011 of the Revised Code, which includes, but is not limited to, their home addresses, home or personal cell phone numbers, social security numbers, driver's license numbers, financial account numbers (especially personal identification numbers), and other non-work-related information.
(iv) Medical or health data about a particular person, including diagnosis and past history of disease or disability, past or current mental health status, and any reports or records pertaining to physical or mental health examinations status.
(b) Personal information does not include non-confidential and non-exempt (work-related) records about an individual that ODJFS or other public entities routinely make available to the general public, or ODJFS records that are required to be made available to the public pursuant to federal or state laws or regulations.
(2) "Records", per section 149.011 of the Revised Code, include any document, device, or item, regardless of physical form or characteristic, that is created or received by or coming under the jurisdiction of any public office of the state or its political subdivisions, which serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of that office.
(3) "System" means any collection or group of related records that are kept in an organized manner, either manually or by any other method, and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(B) Release of any personal information that is maintained by ODJFS is governed by federal and state laws and regulations, including but not limited to the following:
(1) Section 149.43 of the Revised Code, which lists records that are exempt from treatment as public record, and which therefore need not be disclosed to the general public upon their request.
(2) Chapter 1347 of the Revised Code, which pertains to personal information systems, including the duties and obligations of state and local government agencies in the collection, maintenance, protection, use, modification, and release of personal information.
(3) Laws specific to programs administered or supervised by ODJFS, such as sections 5101.27, 4141.22, and 3125.50 of the Revised Code, which, along with corresponding rules and regulations, specify what applicant, recipient and participant-identifying information can be released, to whom it can be released, and under what circumstances it can be released.
(C) An individual will be designated as the chief privacy officer for ODJFS. The chief privacy officer is responsible for the personal information systems, including ODJFS's implementation of data security measures. Any unauthorized modification, destruction, use, disclosure, or breach of a personal information system must be reported to the chief privacy officer.
(D) Any person authorized to access, maintain, or use a personal information system shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure. In determining what is reasonable, consideration will be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The requirements of federal and state law governing use of the personal information.
(4) Applicable ODJFS rules and policies.
(E) Disciplinary action, including, but not limited to, suspension or removal, may be brought against any employee who does the following:
(1) Intentionally violates any provision of Chapter 1347 of the Revised Code or other law related to the release of records or personal information.
(2) Initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information.
(3) Releases personal information in violation of state or federal law or refuses or fails to release information as provided by state or federal law.
(F) The office of legal and acquisition services acts as a clearinghouse for information and consultation related to requests for public records and personal information. Any employee of ODJFS who is unable to determine whether a record or information can be released should consult with legal counsel regarding this determination.