Chapter 5101:9-9 | Federal Tax Return Information Safeguarding Procedures

(A) The MSA is a document of understanding provided by the Ohio department of job and family services (ODJFS) office of information services (OIS). ODJFS requires county agencies to enter into an MSA to delineate responsibilities for day-to-day information technology (IT) operations between the county agency and OIS to provide quality service to end users and to maintain the health and integrity of the ODJFS network.

(B) The MSA outlines expectations between the county agencies and OIS including the IT resources supply and management, standards, support efforts, information security, and service provider alignment. A county agency shall elect a service level as part of the MSA program. All ODJFS commitments are subject to the availability of state and federal funds.

(C) The technology and service support policy (TSSP) also details the delineation of responsibilities, including financial responsibilities as shown in rule 5101:9-9-17 of the Administrative Code.

(D) The county agency director and the deputy director of OIS shall utilize the MSA signature document to show acceptance of the MSA, and all related levels and support documentation. Due to the ever- changing nature of the IT environment, OIS may update the supporting documentation as needed.

(E) In the event of a disagreement regarding provisions of the executed MSA between OIS and the county agency, the initial attempt at resolution will commence at the county agency technical point of contact (TPOC) and OIS liaison level. If resolution is not possible at that level, the deputy director of OIS and the director of the county agency, or their designees, will work to resolve such issues and may utilize the methodology contained in the fiscal agreements if necessary.

(F) The most current version of the MSA is available on the county operations user experience (UX) sharepoint portal.

(A) The Ohio department of job and family services (ODJFS), in a continuing effort to improve the level of customer service and responsiveness to county agencies, developed the technology and service support policy (TSSP). The TSSP represents a commitment by ODJFS to provide quality, cost-effective networking products, services, and solutions to the county agencies throughout the state.

The TSSP operates within the framework of the master service agreement (MSA) as detailed in the MSA and rule 5101:9-9-15 of the Administrative Code.

(B) The TSSP is the policy by which county agencies request information technology (IT) equipment and services from the ODJFS office of information services (OIS). All county agency requests for network equipment, installation of third-party software applications, or OIS assistance with equipment moves to new sites, require completion of the JFS 01321 "TSSP County Request."

(C) TSSP coordinators in OIS oversee the request process and are responsible for working with the county agencies to determine financial responsibilities and costs, verify staff levels, track the progress of requests, and serve as the ODJFS contact for county agency information related to the TSSP.

(D) As part of completing the JFS 01321, the county agency will estimate the financial responsibilities associated with its request and submit the information to the TSSP coordinators in OIS.

(E) Whenever financial responsibilities are determined to be greater than those estimated on the JFS 01321, OIS will contact the technical point of contact (TPOC) in the county agency. OIS will obtain the county agency's consent before continuing the fulfillment process.

(F) Financial responsibilities are enumerated in the TSSP. All ODJFS commitments relative to networking products, services, and solutions are subject to and contingent on the availability of state and federal funds. Whenever financial responsibilities are determined to be different from those estimated in the agency's original request, OIS will notify the county agency to obtain its consent before fulfilling the agency's request. Equipment acquisitions that may affect the ODJFS network, regardless of the cost or financial responsibility, must be approved by ODJFS before the agency purchases the equipment. Approval may be obtained through the TSSP request process.

(G) ODJFS retains ownership of networking products unless ODJFS specifically transfers ownership in accordance with procedures in rule 123:5-2-01 of the Administrative Code.

(H) Through TSSP, ODJFS seeks to do the following:

(1) Ensure timely and efficient delivery of IT products and services to ODJFS's customers;

(2) Increase the flexibility for county agencies to select networking products, services, and solutions that best meet their needs;

(3) Maintain continuity of a safe, sound, and secure computer environment; and

(4) Ensure budgetary predictability and cost-effectiveness of networking solutions for ODJFS and county agencies.

(I) OIS continues to provide the workstations, software, and network access necessary for county employees to complete their state-required job functions pursuant to and in compliance with the signed and established MSA levels.

(J) ODJFS will provide the network infrastructure to enable local agency staff to connect to the ODJFS network.

(K) As a way for county agencies to have the flexibility to meet future needs, ODJFS will provide an additional allowance of workstations in an amount of up to ten per cent of the local agency's filled full-time equivalent (FTE) employees.

Beyond this baseline, counties are responsible for financing computing resources.

(L) County agencies will purchase service units from ODJFS, unless otherwise specified in the MSA for the individual county agency.

Service units include, but are not limited to, maintenance, service, and use of state owned equipment.

(M) Costs associated with TSSP equipment service units are determined by the initial equipment and warranty costs to ODJFS. On-going services are included as part of the service unit at the expense of ODJFS. On-going services include moves, customer support, software upgrades, and equipment services.

(N) The catalog of network services section of the TSSP displays the networking products and services available to county agencies. The catalog details the estimated costs a county agency will be subject to when it purchases service units and services that it specifies on the JFS 01321 that it submits to OIS.

(O) Following the fulfillment of a request, the ODJFS office of fiscal and monitoring services (OFMS) will generate an invoice from the Ohio administrative knowledge system (OAKS) for equipment and services rendered. The county contact is notified that the invoice has been placed on the county user experience (UX) sharepoint portal for retrieval. The service unit cost to the county agency will be the actual invoice cost for each piece of equipment used and warranty purchased. Available TSSP service units may be found in the catalog of network services section of the TSSP.

(P) When a request involves recurring charges, the county will be invoiced on a recurring basis. These invoices will utilize the same payment process as the other TSSP invoices.

(Q) County agencies will pay the invoice by sending a check, made payable to the "Treasurer, State of Ohio," and including a copy of the invoice with the check. Remit payments to the following address:

"Huntington National Bank

ODJFS

L-3659

Columbus, Ohio 43260"

(R) If payment is not received within sixty calendar days, the ODJFS office of fiscal and monitoring services will notify the county agency.

(S) If payment is not received within ninety calendar days, the ODJFS office of fiscal and monitoring services will recover the funds via an adjustment to the county agency's advance.

(T) County agencies shall use the JFS 02750 "Child Support Enforcement Agency (CSEA) Quarterly Financial Statement", JFS 02820 " Children Services Quarterly Financial Statement", or JFS 02827 "Public Assistance (PA) Quarterly Financial Statement" to report TSSP expenditures.

(U) OIS will update the TSSP as dictated by changes in technology, service unit pricing, or available service offerings. The most current version of the TSSP is available on the county user experience (UX) sharepoint portal.

(A) HIPAA is a federal law requiring the protection of confidentiality and security of health data including the safeguarding, privacy, and release of protected health information (PHI).

(B) PHI includes, but is not limited to, the following individually identifiable health information of public assistance applicants, recipients, and former recipients:

(1) Information relating to past, present, or future physical or mental health or condition of an individual;

(2) Provision of health care to an individual;

(3) Past, present, or future payment for health care to an individual; and

(4) Eligibility information of an individual for the medicaid, disability medical assistance, or refugee medical assistance program, or any other plan or program that provides medical assistance or pays the cost of medical care.

(C) All current and future recipients of medicaid, disability medical assistance, refugee medical assistance, or any other plan or program that provides medical assistance or pays the cost of medical care, received or will receive a privacy notice outlining the following descriptions of uses and disclosures, and recipient procedures:

(1) A description of the types of uses and disclosures of PHI the Ohio department of job and family services (ODJFS) or its delegated entity is permitted to make, with examples to include payment, treatment, and healthcare operations;

(2) A description of other uses and disclosures permitted under HIPAA without written consent or authorization to include examples such as required by law;

(3) A statement that other uses and disclosures will be made only with the individual's written authorization;

(4) Complaint procedure;

(5) Request for restriction procedure;

(6) Request for amendment procedure; and

(7) Request for accounting procedure.

(D) If a recipient of benefits identified in paragraph (C) of this rule requests any of the procedures outlined in paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity acting on behalf of ODJFS who collects and maintains the information identified in paragraph (B) of this rule through which the recipient participates, the county agency or entity acting on behalf of ODJFS shall do one of the following:

(1) Refer the recipient to the ODJFS privacy official by providing the recipient with the appropriate phone number; or

(2) Provide the recipient with a copy of the HIPAA privacy notice outlining the procedures set out in paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the recipient may contact to initiate those procedures.

http://medicaid.ohio.gov/FOROHIOANS/AlreadyCovered/NoticeofPrivacyPractices.aspx

(A) The following definitions are applicable to this rule:

(1) "County family services agency" has the same meaning as defined in section 307.981 of the Revised Code.

(2) "Grant" means an award for one or more family services duties or workforce development duties of federal financial assistance that a federal agency provides in the form of money, or property in lieu of money, to the Ohio department of job and family services (ODJFS) and that ODJFS awards to a county family services agency or local area. Grant may include state funds ODJFS awards to a county family services agency or local area to match the federal financial assistance. Grant does not mean technical assistance that provides services instead of money and does not mean other assistance provided in the form of revenue sharing, loans, loan guarantees, interest subsidies, or insurance.

(3) "Inactive records" refers to closed case files and those records that are no longer used on a regular basis.

(4) "Local area," has the same meaning as defined in section 6301.01 of the Revised Code.

(5) "Pass-through entity" means a non-federal entity that provides a federal award and/or state funds to a subrecipient to carry out a federal and/or state program, function, or activity.

(6) "Record" has the same meaning as defined in section 149.011 of the Revised Code.

(7) "Record series" means records that are filed together or maintained as a unit because they relate to a particular subject or function, result from the same activity, have a particular form, or have some other relationship arising from their creation, receipt, or use.

(8) "Retention schedule" means a document that assigns a required retention period to a record series based on its fiscal, legal, historical or administrative value.

(9) "Subrecipient" means a non-federal entity that expends federal awards and/or state funds received from a pass-through entity but does not include an individual that is a beneficiary of such program, function, or activity.

(10) "Workforce development agency" has the same meaning as defined in section 5116.01 of the Revised Code.

(B) Each county family services agency and local area shall comply with all applicable federal, state, and local records retention requirements for all records related to any program, function, or activity that is funded in whole or in part by state and/or federal funds. Local records retention requirements may be available through the county records commission in each county, which are established pursuant to section 149.38 of the Revised Code. The functions of the county records commission are to provide rules for the retention and disposal of county records, to review applications for one-time disposal of obsolete records, and to review schedules of records retention and disposal submitted by county offices.

(C) Each county family services agency and local area shall have a records retention schedule that governs each record series maintained by the agency and that includes the requirements set forth in this paragraph. Each such records retention schedule shall at a minimum do the following:

(1) Identify the name of the record series;

(2) Describe the use and purpose of the records;

(3) Assign a retention period based on the fiscal, legal, historical or administrative purpose value of the record series;

(4) Establish the method of disposition of the records when the retention period expires; and

(5) Comply with any minimum records retention requirements specified by applicable state law and regulations, applicable ODJFS records retention requirements, and applicable federal law and regulations, including, but not limited to, the following:

(a) 2 C.F.R. Part 200;

(b) 7 C.F.R. 272.1(f) applicable to the expenditure of food stamp program funds;

(c) 29 C.F.R. 95.53 applicable to non-profit organizations expending department of labor funds (DOL) funds;

(d) 29 C.F.R. 97.42 applicable to government units expending DOL funds;

(e) 45 C.F.R. 75.361 applicable to non-federal entities expending department of health and human services (HHS) funds; or

(f) Any other federal award requirements related to any program, function, or activity the county family services agency or local area administers that is funded in whole or in part by federal funds.

(D) In addition to having the records retention schedules required by paragraph (C) of this rule, each county family services agency and local area shall have a records retention schedule governing all records of its subrecipients that document a program, function, or activity for which the county family services agency's or local area's subrecipient receives state and/or federal funds. Each county family services agency and local area shall include in any contract or other type of agreement, including grant awards to subrecipients and subcontracts with service providers, all applicable minimum federal, state, and local records retention requirements for all records documenting a program, function, or activity for which the county family services agency's or local area's subrecipient, contractor or subcontractor receives state and/or federal funds. Any succeeding subrecipient or subcontractor of state and/or federal funds passed through from the county family services agency's or local area's subrecipient, contractor or subcontractor is subject to the same requirements stated in this paragraph.

(E) Each county family services agency and local area shall retain financial, programmatic, statistical, and recipient records and supporting documents relating or pertaining to a federal award passed through from ODJFS for a minimum of three years after submittal of the final expenditure report for the grant, or applicable ODJFS records retention requirements, whichever is longer, unless otherwise provided by any minimum records retention requirements specified by applicable state or federal law. A county family services agency or local area may establish a minimum records retention period that exceeds the minimum retention period provided by this paragraph.

(1) If any litigation, claim, investigation, criminal action, negotiation, audit, administrative review, or other action involving the records has been started before the expiration of the longer of the minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or local area shall maintain the records until completion of the action and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period, whichever is later.

(2) If final payment after closeout of the federal award has not been made before the expiration of the longest applicable minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or local area shall maintain the records until final payment is made and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period provided in paragraph (E) of this rule, whichever is later.

(3) Each county family services agency and local area shall maintain a current file of all records that have been subject to a federal or state audit, administrative review, or other action, and must refer to that file before requesting approval from the county records commission to destroy any record.

(F) Each county family services agency and local area shall annually provide or make available to ODJFS the agency's records retention schedules, including any records retention schedule adopted pursuant to paragraph (D) of this rule. Each county family services agency and local area shall make its current records retention schedule readily available to the public.

(G) Each county family services agency and local area shall establish policies and procedures for the transfer and storage of inactive records that comply with all applicable state, federal, and local requirements. Secondary locations used for storing inactive records must provide adequate security and allow for the prompt and efficient retrieval of requested records.

(H) The requirements regarding access to records are as follows:

(1) Each county family services agency and local area shall adopt a public records policy for responding to public records requests in accordance with section 149.43 of the Revised Code. Public records do not include information or records specifically exempted from treatment as public records in division (A)(1) of section 149.43 of the Revised Code, or information or records that are expressly made confidential under other federal or state laws or regulations.

(2) All records documenting a program, function, or activity for which the county family services agency and local area receive state and/or federal funds must be made available to authorized governmental agencies, including, but not limited to, ODJFS, the auditor of state, and other Ohio funding sources and federal funding sources upon request. This access to records includes, but is not limited to, all financial and programmatic records, supporting documents, statistical records, and other records of recipients, subrecipients, contractors, and subcontractors. This right of access is not limited to any required minimum retention period if the records are still being retained and have not been disposed at the time of the request.

(3) All information and records concerning an applicant, a recipient, or a former recipient must be safe guarded from release as specified by applicable state and federal law and regulations, including, but not limited to, rules 5101:1-1-03, 5101:4-1-13, and 5160-1-32 of the Administrative Code, and section 5101.27 of the Revised Code, and are subject to all applicable intercounty transfer requirements, including, but not limited to, rules 5101:1-1-13 and 5101:4-8-19 of the Administrative Code.

(4) All public records as defined in division (A)(1) of section 149.43 of the Revised Code must also be made available for inspection or copying to any person at all reasonable times during regular business hours, as specified in division (B) of section 149.43 of the Revised Code.

(5) Each county family services agency and local area shall maintain its records in such a manner that the agency can fulfill its records access obligations promptly and efficiently.

(I) Each county family services agency and local area shall obtain approval from the county records commission before destruction of any records in accordance with section 149.38 of the Revised Code. Pursuant to section 149.38 of the Revised Code, the county records commission approval must in turn be reviewed by the Ohio history connection, and upon completion of the Ohio history connection's review of the request to dispose the records, the auditor of state must approve or disapprove the request.

(J) After permission to destroy the records has been obtained, each county family services agency and local area shall follow the requirements established by the county records commission for disposal of county records.

(K) Notwithstanding the provisions in this rule, each county family services agency and local area shall continue to follow any minimum applicable ODJFS, state, and federal records retention requirements requiring a longer minimum retention period than the general three-year retention period stated in paragraph (E) of this rule, such as children services case records retention requirements set forth in rule 5101:2-33-23 of the Administrative Code, and any other program-specific records retention requirements established by other state or federal law, unless directed to comply with the minimum records retention requirements provided in this rule.

(L) The retention, destruction and access provisions adopted or established by a local area pursuant to this rule will apply to every workforce development agency within that local area.

(A) The following definitions are applicable to this rule:

(1) "Inactive records" means closed case files, where the assistance group (AG):

(a) Is no longer receiving benefits;

(b) Has no pending administrative action, hearing or appeal; and

(c) The county agency no longer has a legal duty to act on the case.

(2) "Public assistance record" means any record maintained in a case file related to an Ohio works first (OWF), food assistance, prevention, retention, and contingency (PRC), disability financial assistance, or refugee cash assistance group (AG).

(3) "Record" has the same meaning as defined in section 149.011 of the Revised Code.

(B) The minimum retention period for public assistance records is seven years, except as provided in paragraphs (C) and (D) of this rule.

(C) The following records may not be destroyed while the AG is active, and must be maintained for a minimum of three years from the date the AG becomes inactive:

(1) Enumeration verifications;

(2) Application forms and verifications that established initial program eligibility; and

(3) Documents that establish eligibility factors such as incapacity, limiting physical factors, and eligibility for supplemental security income (SSI).

(D) Notwithstanding the requirements outlined in rule 5101:4-1-05 of the Administrative Code, any records existing in the AG file on the date the AG becomes inactive must be maintained for a minimum of three years from the date the AG becomes inactive, regardless of the age of the records.

(E) Rule 5101:4-1-05 of the Administrative Code governs the retention of food assistance records and must be followed in conjunction with the requirements of this rule.

(F) Counties that wish to selectively destroy documents from public assistance AG records in accordance with the requirements of this rule must specify the retention periods of the affected documents on the appropriate retention schedules.

(A) Federal tax information (FTI): definition, usage limitations and notification, and non-disclosure.

(1) FTI is any return or return information received from the internal revenue service (IRS) or secondary source, such as the social security administration (SSA), federal office of child support enforcement, or U.S. department of the treasury - bureau of the fiscal service, and also includes any information created and/or maintained by the Ohio department of job and family services (ODJFS) or a county agency that is derived from these sources.

(2) FTI is provided to federal, state, and local agencies by the IRS or the SSA for use in the cash assistance, food assistance, unemployment compensation, and child support programs as authorized by the Internal Revenue Code, and is provided solely for the purpose of performing the responsibilities of each program.

(3) 26 U.S.C. 6103 (section 6103 of the Internal Revenue Code) limits the usage of FTI to only those purposes explicitly defined. The IRS office of safeguards requires advance notification (at least forty-five days) prior to implementing certain operations or technological capabilities that require additional uses of the FTI, such as:

(a) Contractor access;

(b) Cloud computing;

(c) Consolidated data center;

(d) Data warehouse processing;

(e) Non-agency-owned information systems;

(f) Tax modeling;

(g) Test environment; and

(h) Virtualization of IT systems.

(4) Disclosure of FTI to any contractor is not permitted unless the agency notifies the IRS office of safeguards, in writing, per the IRS forty-five day notification reporting requirements and obtains approval prior to re-disclosing FTI to a specifically noted contractor.

(5) FTI associated with the treasury offset program (TOP) may not be disclosed to any contractor for any purpose, except for limited child support enforcement purposes, as specified in IRS publication 1075, "Tax Information Security Guidelines for Federal, State, and Local Agencies."

(B) Confidential personal information (CPI) is defined in section 1347.15 of the Revised Code, and does include FTI, but FTI must meet additional safeguards as outlined by the IRS.

(C) Safeguarding procedures and controls ensure the confidential relationship between the taxpayer and the IRS. Safeguarding procedures and controls are derived from IRS publication 1075, prepared and updated by the IRS.

(D) The IRS conducts on-site safeguard reviews of ODJFS safeguard controls, at a minimum once every three years, which includes an evaluation of the use of FTI and the measures employed by the receiving agency to protect the data. An independent internal inspection of specific offices within ODJFS is required every eighteen months. In addition, periodic independent internal inspections of all local offices must be conducted to ascertain if the safeguarding controls that are in place meet the requirements of IRS publication 1075. Offices to be inspected include, but are not limited to those referenced in paragraph (A)(2) of this rule. Periodic inspections conducted by program offices of local offices occur every three years. A record will be made of each inspection, citing the findings (deficiencies) as well as recommendations and corrective actions to be implemented where appropriate.

(E) All program offices and their respective local agencies must ensure procedures are implemented governing the safeguarding of FTI as defined by IRS publication 1075. Procedures must be updated to reflect any significant program changes.

(F) Per section 6103 of the Internal Revenue Code, all agencies receiving FTI are required to provide a disclosure awareness training program for their employees and contractors. Disclosure awareness training is described in detail within IRS publication 1075. Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the IRS's and the agency's security policy and procedures for safeguarding IRS information. Employees must be advised of the provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages for Unauthorized Disclosure." Agencies must also comply with the requirements of rule 5101:9-9-25.1 of the Administrative Code.

(G) Additional FTI safeguarding procedures.

(1) FTI must be maintained separately from other information to the maximum extent possible to avoid inadvertent disclosures and to comply with the federal safeguards required by paragraph (p)(4) of section 6103 of the Internal Revenue Code. Agencies with FTI must also comply with all other requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code.

(2) All information obtained from the IRS must be safeguarded in accordance with the safeguarding requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code, as described in IRS publication 1075.

(H) Prohibition against public disclosure of safeguards reports and related communications.

(1) ) Safeguards reports and related communications, such as IRS official agency records that are the property of the IRS, and IRS records that are subject to disclosure restrictions under federal law and IRS rules and regulations, may not be released publicly under state sunshine or information sharing/open records provisions. Release of any IRS safeguards document requires the express permission of the IRS. Requests received through sunshine and/or information sharing/open records provisions must be referred to the federal Freedom of Information Act (FOIA) statute for processing. State and local agencies receiving such requests should refer the requestor to the instructions to file a FOIA request with the IRS. Additional guidance may be found at: http://www.irs.gov/uac/IRS-Freedom-of- Information and questions should be referred to the safeguards mailbox at Safeguardreports@irs.gov.

(2) If it is determined that it is necessary to share safeguarded IRS documents and related communications with another governmental function/branch for the purposes of operational accountability or to further facilitate protection of federal tax information, the recipient governmental function/branch must be made aware, in unambiguous terms, that the documents and related communications:

(a) Are the property of the IRS;

(b) Constitute IRS official agency records; and

(c) Are subject to disclosure restrictions under federal law and IRS rules and regulations.

(A) This supplemental rule provides general guidance to county agencies on the safeguarding of federal tax information (FTI), with the exception of child support enforcement agencies, which are required to comply with the requirements of rule 5101:12-1-20.2 of the Administrative Code. Individual program offices may, at their discretion, establish additional rules and/or additional training programs. County agencies should consult their respective program office for additional information regarding the safeguarding of FTI.

(B) Required employee awareness training:

Each county agency must provide disclosure awareness training to employees and contractors in accordance with guidelines set forth in internal revenue service (IRS) publication 1075, "Tax Information Security Guidelines for Federal, State and Local Agencies." Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the IRS's and the agency's security policy and procedures for safeguarding IRS information. Employees must be advised of the provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages for Unauthorized Disclosure." The disclosure awareness training records must be maintained for a minimum of five years or in accordance with the agency's applicable records retention schedule, whichever is longer.

(C) Proper record keeping of FTI:

County agencies must keep records detailing internal requests for FTI by agency employees as well as requests received from outside of the agency, except for child support enforcement agencies, which are required to follow rule 5101:12-1-20.2 of the Administrative Code.

A tracking log must be used to record all movement, storage, and destruction of both electronic and non-electronic FTI received by the agency from the IRS. The data elements of the tracking log shall comply with the guidelines set forth in IRS publication 1075 and those provided by the applicable ODJFS program office. FTI must not be recorded on any tracking log. The logs must be maintained for a minimum of five years or in accordance with the agency's applicable records retention schedule, whichever is longer.

(D) Secure storage and handling of FTI:

(1) FTI must be handled in such a manner that it does not become misplaced or available to unauthorized staff. When not in use, FTI must be secured via the required two barrier minimum pursuant to the "Minimum Protection Standards (MPS)" section of IRS publication 1075. Refer to table 3 in section 4.2 of IRS publication 1075 for further guidance.

(2) Minimum protection standards establish a uniform method of physically protecting data and systems as well as non-electronic forms of FTI. Local factors may require additional security measures, therefore, local county management must analyze local circumstances to determine location, container, and other physical security needs at individual facilities. The MPS have been designed to provide management with a basic framework of minimum security requirements. The objective of these standards is to prevent unauthorized access to FTI. MPS requires two barriers. Examples of two barrier minimum under the concept of MPS are outlined in IRS publication 1075.

(3) FTI should not be filed in areas used by employees not authorized to have access to FTI such as areas used for breaks, food preparation or any similar facilities. FTI files should not be maintained in areas that allow clients access. However, when this is not practical, caution must be exercised by the agency pursuant to the "Minimum Protection Standards (MPS)" section of IRS publication 1075. Refer to table 3 in section 4.2 of IRS publication 1075 for further guidance.

(E) Restricting access to FTI:

Access to file storage areas that contain FTI must be limited to the absolute minimum number of employees necessary. The following measures should be followed to adequately restrict access to the file storage areas containing FTI:

(1) Except where the state program office maintains records on access and training, a current list of employees who are authorized to have access to FTI shall be maintained by the county agency.

(2) Warning signs must be posted to identify restricted access areas and to give notice of the potential consequences for unauthorized disclosure or inspection of FTI.

(3) Cleaning, building inspections or maintenance of secured areas containing FTI, must be performed in the presence of an employee authorized to access FTI. An exception to this rule is during non-duty hours, when cleaning, inspection or maintenance personnel need access to locked buildings or rooms. This may be permitted as long as there is a second barrier to prevent access to FTI. Access may be granted to a locked building or a locked room if FTI is in a locked security container. If FTI is in a locked room but not a locked security container then access may be granted to the building but not the room.

(4) Each agency shall control physical access to areas where systems or files containing FTI are housed. The agency shall issue authorization credentials, including badges, identification cards, or smart cards pursuant to section 4.3.2 of IRS publication 1075.

(5) Access to file areas that contain FTI must be restricted to agency employees who have an established security profile that identifies the class-level and role-based rights that necessitate authorizing the employee to have such access.

(6) The location and physical layout of the file storage area should be such that unnecessary traffic is avoided.

(7) A visitor sign in/sign out log must be maintained and must be inspected at least monthly by agency security personnel. The data elements contained on the log must meet the guidelines outlined in IRS publication 1075.

(8) Keys to the files must be issued only to agency employees authorized to enter the secured area.

(9) If possible, security staff should be agency employees. Only authorized employees, or escorted individuals supervised by authorized employees, may have access to areas where FTI is located during working and nonworking hours.

(10) All records containing FTI, either open or closed, must be safeguarded pursuant to IRS publication 1075. FTI should not be commingled within any information system or within any physical files and documents. When commingling of agency documentation data and FTI is unavoidable, FTI must be labeled pursuant to IRS publication 1075, and access must be restricted to only authorized personnel.

(F) Proper disposal of FTI:

(1) Users of FTI are required by the Internal Revenue Code to take certain actions after using FTI, to protect its confidentiality. When FTI is no longer useful, agency officials and employees must either return the information, including any copies made, to the office from which it was originally obtained or destroy the FTI.

(2) An agency electing to return IRS information must use a receipt process and ensure that confidentiality is protected at all times during transport.

(3) FTI (non-electronic) furnished to any authorized agency employee or user and any paper material generated therefrom, such as copies, photo impressions, computer printouts, notes, and work papers, must be destroyed pursuant to IRS publication 1075 directives.

(4) FTI (electronic) stored in electronic format (e.g., hard drives, tapes, CDs, flash media, etc.) must be destroyed and/or disposed of pursuant to IRS publication 1075 directives. Electronic media containing FTI must not be made available for reuse by other offices or released for destruction without first being subjected to electromagnetic erasing (media sanitization).

(5) For county agencies, programs and records where contractors are permitted to be used, any destruction, sanitization, and/or disposal of FTI by a contractor must be witnessed by an agency official or employee. FTI destroyed or sanitized, pursuant to sections 8.0 to 8.4 of IRS publication 1075, is no longer considered FTI and can be disposed of in any manner the agency deems appropriate.

(G) Computer security controls:

If any local agency office stores FTI within a county owned information system, they must:

(1) Ensure the required agreements with ODJFS and the IRS have been established pursuant to IRS publication 1075.

(2) Ensure the local agency office's required policies, procedures, and information system meet the minimum computer system security controls detailed in IRS publication 1075.

(A) Definitions used in this rule.

(1) "Federal Tax Information" (FTI) is any return or return information received from the internal revenue service (IRS), or secondary source, such as the social security administration (SSA), federal office of child support enforcement (OCSE), or U.S. department of the treasury, including the bureau of the fiscal service, centers for medicare and medicaid services (CMS) and also includes any information created and/or maintained by the Ohio department of job and family services (ODJFS) or a county agency that is derived from these sources.

(2) "Return and Return Information." A return is any tax or information return, estimated tax declaration, or refund claim (including amendments, supplements, supporting schedules, attachments or lists) required by or permitted under the internal revenue code (IRC) and filed with the IRS by, on behalf of, or with respect to any person or agency. Return information includes:

(a) The potential liability of any person under the IRC for any tax, penalty, interest, fine, forfeiture, or other imposition or offense.

(b) The taxpayer's name, address and identification number.

(c) Personally identifiable information (PII), including:

(i) The name of a person with respect to whom a return is filed.

(ii) The taxpayer mailing address.

(iii) The taxpayer identification number.

(iv) Email addresses.

(v) Telephone number(s).

(vi) Social security number(s).

(vii) The date and place of birth.

(viii) The mother's maiden name.

(ix) The biometric data (e.g. height, weight, eye color, fingerprints).

(x) Bank account information.

(xi) Any combination of the PII identified in this paragraph.

(3) "County Agency" means the county department of job and family services, the public children services agency, and the child support enforcement agency. This definition is intended to be the same as "County Family Services Agency" used in section 307.981 of the Revised Code.

(4) "County Agency Contractor" means any governmental or non-governmental entity, which can include an individual, that receives funds from the county agency, whether directly or indirectly, to provide services, assistance, or benefits to individuals or that performs duties or activities for the county agency pursuant to a contract, grant, or other agreement. County agencies authorized to receive FTI to administer temporary assistance for needy families (TANF), supplemental nutrition assistance program (SNAP) and medicaid are prohibited from contracting for services that allow disclosure of or access to FTI in those programs.

(5) A "final candidate" is an individual, whether or not currently employed by a county agency, who has submitted an application for employment at the county agency and who has received an offer of employment conditioned upon a favorable adjudication of an FBI and BCI fingerprint background check.

(B) Safeguarding FTI using background investigations; general provisions.

(1) All final candidates, current employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, or temporary service personnel that have access to or use FTI shall be subject to a background check that meets the requirements of IRS publication 1075, "Tax Information Security Guidelines for Federal, State and Local Agencies." Once an initial background check has been successfully completed and the final candidate, current employee, current or prospective intermittent employee, county agency contractor/contract employee, subcontractor, or temporary service personnel is found to be suitable for access to FTI, reinvestigation shall occur at least every five years, at a minimum, from the date it was initially determined that the individual is suitable for access to FTI, if remaining in a position with access to FTI.

(2) Effective September 30, 2019, to maintain access to systems containing FTI, all current employees, intermittent employees, county agency contractors/contract employees and temporary service personnel that have access to or use FTI shall have submitted to an FBI and BCI fingerprint background check.

(3) Effective October 1, 2019, prior to being granted access to FTI, all final candidates, prospective intermittent employees, prospective county agency contractors/contract employees, subcontractors, and prospective temporary service personnel shall complete an FBI and BCI fingerprint background check and investigation that is favorably adjudicated in accordance with the written policy developed by the county agency pursuant to paragraph (B)(5) of this rule.

(4) Effective December 31, 2019, to maintain access to systems containing FTI, all current employees, intermittent employees, county agency contractors/contract employees, subcontractors, and temporary service personnel that have access to or use FTI shall have submitted to an FBI and BCI fingerprint background check and investigation that is favorably adjudicated in accordance with the written policy developed by the county agency pursuant to paragraph (B)(5) of this rule.

(5) Effective September 3, 2019, county agencies shall develop a written policy requiring all final candidates, employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, and temporary service personnel with access to FTI to submit to an FBI and BCI fingerprint background check and investigation that is favorably adjudicated.

(6) Background investigations conducted by the county agencies for final candidates, employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, and temporary services personnel who are or will be granted access to FTI shall include, at a minimum:

(a) FBI finger printing (FD-258), a review of federal bureau of investigation (FBI) fingerprint results conducted to identify possible suitability issues.

(b) Ohio bureau of criminal investigation (BCI) finger printing, a review of the BCI fingerprint results conducted to identify possible suitability issues.

(c) Citizenship/residency. Validate the individual's eligibility to legally work in the United States (e.g., a United States citizen or foreign citizen with the necessary authorization.)

(C) Safeguarding FTI using background investigations; policy guidance.

(1) County agencies are required to have a policy that requires final candidates, employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, and temporary services personnel, who will use or have access to FTI to complete an FBI and BCI fingerprint background check and investigation that is favorably adjudicated. This policy will identify the process, steps, timeframes, and favorability standards that the county agency has adopted. The policy shall establish the criteria upon which final candidates, employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, and temporary services personnel, would have access to FTI denied or withdrawn. County agencies may use ODJFS' model background check policy, as outlined in the appendix to this rule, or design their own substantial equivalent.

(2) A county agency shall identify in its policy any criminal convictions that may disqualify final candidates, employees, current and prospective intermittent employees, county agency contractors/contract employees, subcontractors, and temporary services personnel from having access to FTI based upon the criminal record, the nature of the duties of the position held or applied for, and the nature of the access to FTI. County agencies should consult, at a minimum, sections 2921.02, 2921.41, 2921.43 and 2961.02 of the Revised Code, when identifying potentially disqualifying offenses.

(3) A county agency shall set forth in its policy or procedure the factors it will consider when determining if an individual with a criminal record should be adjudicated favorably. Factors that county agencies may want to consider are:

(a) Relationship of the criminal record to access to the type of FTI used or accessible in the position.

(b) Nature of work to be performed.

(c) The time that has lapsed since the conviction.

(d) The age of the individual at the time of the offense.

(e) The seriousness and specific circumstances of the offense, including the type of harm that the individual caused, and/or the legal elements involved in the specific crime committed.

(f) The number of offenses on the criminal record.

(g) Whether the individual has pending charges.

(h) Any evidence of rehabilitation or contrition.

(i) Any other relevant information, including that submitted by or on behalf of the individual, or other information obtained by the county agency.

(4) A county agency shall set forth in its policy or procedure the notification, appeal, and final determination process that it will offer to final candidates, current and prospective employees, intermittent employees, county agency contractors/contract employees, subcontractors and temporary service personnel, for those with convictions who are not favorably adjudicated as being eligible for access to FTI.

(D) Remedial action.

A county agency found to have failed to conduct background investigations in accordance with this rule and IRS publication 1075, or who has failed to create a policy as described in paragraph (B) of this rule, shall be notified of these failures by ODJFS in writing within thirty days after completion of the investigation or review. Any action taken by ODJFS to bring the county agency into compliance with this rule and IRS publication 1075 shall be done pursuant to section 5101.24 of the Revised Code. Examples of remedial action include corrective action plans or the withholding of funds. The county agency is responsible to ensure that county agency contractors or subcontractors that currently have or will have access to FTI or who provide contract employees to county agencies who currently have or will have access to FTI to secure FBI and BCI fingerprint checks that are favorably adjudicated. ODJFS may take action against the county agency pursuant to section 5101.24 of the Revised Code if the county agency fails to obtain compliance by the county agency contractor.

View Appendix

(A) "Auditing" is the systematic application of procedures to compare historical data to established criteria to prepare an attestation as to the degree of correspondence between the two.

(B) "Historical data" consists of management representations, either explicit or implicit. Management representations include, but are not limited to:

(1) Representations as to characteristics of information such as completeness or accuracy.

(2) The occurrence or non-occurrence of transactions or events.

(3) The existence or non-existence of tangibles, intangibles, rights and obligations.

(4) The valuation or allocation of tangibles and intangibles.

(5) Rights and obligations.

(6) Compliance or non-compliance with laws or regulations.

(7) Operational characteristics.

(C) "Criteria" may be financial or non-financial. Applicable criteria may include, but are not limited to:

(1) Accounting and auditing standards and principles.

(2) State, federal and local laws, regulations, administrative rules, ordinances and court opinions.

(3) Generally accepted principles of accounting and administrative control.

(D) "Person" means an individual, corporation, business trust, estate, trust, partnership, or association as used in any statute, unless another definition is used in such statute or a related statute.

(E) "Public office" means any state agency, public institution, political subdivision, or other organized body, office, agency institution, or entity established by the laws of this state for the exercise of any function of government.

(F) Audits performed by ODJFS include, but are not limited to:

(1) Any examinations or review of books, records or any other evidence relating to the collection, receipt, accounting for use, claim, or expenditure of state or federal funds received from or through ODJFS.

(2) Any examination or review to determine whether any person, public office, vendor, sub-recipient, or provider of goods or services to ODJFS has complied or is in compliance with the federal statute or regulation, state statute or administrative rule, ordinances, or orders pertaining to the collection, receipt, accounting for, use, claim or expenditure of state or federal funds from or through ODJFS.

(3) Any examination or review of any person, public office, vendor, sub-recipient, or provider of goods or services to ODJFS; collecting, receiving, accounting for using, claiming, or expending state or federal funds from or through ODJFS; or submitting to the department data which serves as the basis for funding from or through the department.

(4) Any financial statement, financial-related, performance, economy and efficiency, or program results audits of organizations, agencies, programs, activities, or functions under the authority, aegis, or oversight of ODJFS.

(5) Any examination, review, investigation, or financial statement, financial-related, performance, economy and efficiency, or program results audits required or intended to address federal or state audit, monitoring, or review requirements.

(G) ODJFS may perform or provide for the performance of any audits within the scope of this rule. The timing, frequency, scope, and objectives of audits may vary with ODJFS' assessment of audit needs and the available resources of ODJFS.

(H) ODJFS may develop and implement policies and procedures at variance with the provisions of this rule as necessary to comply with the requirements of federal statute or regulation, or state statute or administrative rule.

(I) For the purpose of audits performed by or provided by ODJFS, auditees must maintain documentation conforming to all requirements prescribed by ODJFS, federal statute or regulation and state statute or administrative rule. Auditees must prepare and maintain documentation to support all transactions and to permit the reconstruction of all transactions and the proper completion of all reports required by state and federal law and regulations, and which substantiates compliance with all applicable federal statutes or regulations, state statutes or administrative rules.

(J) Auditees must make available to ODJFS personnel all records necessary to document all transactions. Records must include sufficient detail to disclose:

(1) Services provided to program participants.

(2) Administrative cost of services provided to program participants.

(3) Charges made and payments received for items identified in paragraphs (J)(1) and (J)(2) of this rule.

(4) Cost of operating the organizations, agencies, programs, activities, and functions.

(K) Auditees must maintain adequate systems of internal control to ensure:

(1) Accurate and reliable financial and administrative reports.

(2) Efficient and effective use of resources.

(3) Compliance with laws and regulations.

(L) Audits performed by other public or private audit organizations on behalf of ODJFS will be reviewed and released by ODJFS. Audit reports for audits performed by ODJFS or by other public or private audit organizations on behalf of ODJFS may be the basis for action by ODJFS as authorized by federal statute or regulation, state statute or administrative rule, including, but not limited to, section 5101.24 of the Revised Code.

(M) A certified copy of any portion of any audit report released by ODJFS containing factual information is prima facie evidence of the facts contained therein for the purpose of any administrative appeal or proceeding.

(N) At the conclusion of an audit, ODJFS will normally conduct an exit conference with the auditee. However, an exit conference is not required where the auditee fails to respond, within a reasonable period of time, to a request by ODJFS to schedule an audit, where an audit conference would impair, impede, or otherwise threaten the ability of ODJFS to satisfy legal requirements that it supervise the auditee or direct compliance with state and federal law, or where the subject matter of the audit is currently the subject of another state or federal audit or criminal investigation. Objectives of exit conferences include:

(1) To provide ODJFS with an opportunity to present the results of the audit and obtain the response of the auditees.

(2) To provide the auditee with an understanding of the audit findings.

(3) To obtain relevant information with respect to issues raised by the audit.

ODJFS will evaluate any written response of an auditee and will consider whether the proposed audit report should be revised based upon the response. When an auditee submits a written response and ODJFS concludes that no revision of the draft audit report is appropriate or warranted, the response shall be attached to or summarized in the final report.

The following requirements ensure the security of departmental data and must be followed by all county and state employees (hereafter referred to as 'user' or 'users') who access data systems maintained by the office of information services (OIS) and the Ohio department of job and family services (ODJFS) via the private or public network.

(A) Users are responsible for system inquiries and activities executed with their system user identification (USER-ID, also know as an Ohio ID, or OH|ID.)

(B) Users shall follow DAS password standards found at https://das.ohio.gov/portals/0/dasdivisions/employeeservices/pdf/das-its-2100-01-a das password standard organizational users.pdf.

(C) A terminal or personal computer must never be left unattended or unsecured when logged onto the ODJFS network or device.

(D) Only the files or information that are required to perform one's own job duties, shall be accessed.

(E) Users must comply with all items included on the user attestation, JFS 07078 " Code of Responsibility" form, and review and sign, electronically, on an annual basis.

(F) An original signed (physical or electronic) JFS 07078 hardcopy form, or digital JFS 07078 submission must be submitted to ODJFS with every county request for a USER-ID or user access to the OIS and ODJFS networks.

(G) The JFS 07078 (paper or digital form) is required for every new user accessing the system, and for making changes to an existing user's access.

(H) Counties must not modify the JFS 07078 form.

(I) County users shall also abide by the data security provisions contained in IPP 3001 found at ipp.odjfs.state.oh.us/IPP03000/.

(A) As used in this rule, "county family services agency" means a county department of job and family services, public children services agency, child support enforcement agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.

(B) The county family services agency shall not download, match, scrape or extract data, or data elements from any Ohio department of job and family services (ODJFS) system(s) where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without obtaining express written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner.

(C) Excluding the data and data elements described in paragraph (B) of this rule, the following are permissible uses of ODJFS systems including but not limited to SETS, Ohio benefits, SACWIS, OWCMS, and CCIDS:

(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties, but only if such job functions or duties are directly related to administration of programs overseen by ODJFS for which the county family services agency is responsible for administering on behalf of ODJFS. This includes utilizing data to fulfill federal or state program-related audit requirements, to the extent necessary and appropriate.

(2) A person or third party under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if:

(a) It is directly related to or required for administration of program(s) overseen by ODJFS, which the county family services agency is responsible for administering on behalf of ODJFS;

(b) The contract requires, at a minimum, that the contractor comply with the same confidentiality and data security provisions to which ODJFS and the county family services agency are subject; and,

(c) The county family services agency assumes full legal and financial responsibility, including for any litigation or adverse federal, state, or county audit findings resulting from the contractor's use, management, misuse or mismanagement of the data.

(d) Except as prohibited by law, nothing in paragraph (C)(2)(c) of this rule shall prevent the county family services agency from seeking and obtaining payment or other compensation or relief from its contractor, either as set forth in the county family services agencys contract with its contractor, or by way of legal, administrative, or other action.

(3) Any download, match, scrape or extraction of data under paragraph (C) of this rule shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.

(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall utilize the following procedure:

(1) The director of the county family services agency or designee shall submit a data request, as outlined in ODJFS "Internal Policy and Procedure 3002 Data Stewardship and Managing Data Requests," to the ODJFS deputy director who is responsible for authorizing the use of the data. The county family services agency's request must identify:

(a) The specific data being sought;

(b) The business use of the data;

(c) The dates during which the data usage will be in effect;

(d) Why the data access through existing state supported reporting software does not address the county's needs;

(e) Any potential impact upon ODJFS systems;

(f) The technical details involved;

(g) Each entity that exercises control over the computer system, application, or data base to which the data will be migrated; and

(h) The data security controls that will be used by the county agency, including the completion of a "Privacy Impact Assessment" (PIA), as required by section 1347.15 of the Revised Code, when data is migrated to a computer system, data base or application not under the control of ODJFS.

(2) The authorizing ODJFS deputy director, in conjunction with the ODJFS chief legal counsel and ODJFS chief information officer, or their designees, will review the county family services agency request to determine the appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency explain the request and answer any questions from ODJFS, including but not limited to, technical, legal, programmatic or confidentiality issues.

(3) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request, as well as ODJFS' receipt of any additional information it needs to make a tentative decision. Final approval does not occur until the supporting documentation, including the proposed "Data Sharing Agreement" (DSA) and completed PIA is reviewed by ODJFS and the authorizing deputy director notifies the county family services agency of the decision in writing.

(4) If the county family services agency data request is approved by ODJFS, the county family services agency must execute the DSA with any entity receiving and/or accessing the data. The DSA shall:

(a) Specify the dates during which the DSA will be in effect, which shall not be longer than two years, subject to renewal.

(b) Identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met.

(c) Not be effective prior to the date that it is signed by both the county family services agency representative and any participating entity.

(5) If the county family services agency wants to change any provisions of the original request, including the business use of the data and/or the computer system, data base or application not under the control of ODJFS to which the data is being migrated, the county family services agency shall seek approval of the changes from ODJFS, following the requirements in paragraphs (D)(1) to (D)(4) of this rule. No changes are permitted until ODJFS approves the request.

(A) Pursuant to federal and state law, and subject to rules 5101:9-22-15 and 5101:9-22-16 of the Administrative Code, the Ohio department of job and family services (ODJFS) may access and disclose information contained in systems controlled or maintained by the department, or controlled and maintained for the benefit of the department.

(B) The department's access and disclosure shall be in furtherance of ODJFS program administration, and such disclosure may be subject to a written agreement.

(C) Program administration includes, but is not limited to, ODJFS federal reporting and oversight requirements.

(D) Any release of information shall preserve the confidential nature of the information.