Chapter 5101:9-9 Federal Tax Return Information Safeguarding Procedures
(A) The SLA is a document of understanding provided by the Ohio department of job and family services (ODJFS) office of information services (OIS). ODJFS requires county agencies to enter into an SLA to delineate responsibilities for day-to-day information technology (IT) operations between the county agency and OIS to provide quality service to end users and to maintain the health and integrity of the ODJFS network.
(B) The SLA specifies what a county agency can expect from OIS concerning equipment supply, equipment standards, equipment servicing, delivery and availability, system response, information security, problem handling, and network management. As a condition of providing services, ODJFS requires the county agency elect a service level and enter into an SLA. All ODJFS commitments are subject to the availability of state and federal funds.
(C) In addition to the delineation of responsibilities between the county agency and OIS, the SLA, through the technology and service support policy (TSSP), as detailed in rule 5101:9-9-17 of the Administrative Code, includes the delineation of financial responsibility.
(D) A county agency wishing to assume more responsibility for the operation of its local network may do so, in accordance with the established SLA levels, provided the county agency can maintain eligibility and continues to fulfill the requirements.
(E) The signatories to the SLA are the county agency director and the deputy director of OIS utilizing the SLA signature document (SLA.13). The SLA incorporates, by reference, a number of additional supporting documents. Due to the ever-changing nature of the IT environment, the supporting documents may be updated on an ongoing basis by OIS.
(F) In the event of a disagreement regarding provisions of the executed SLA between OIS and the county agency, the initial attempt at resolution will commence at the county agency technical point of contact (TPOC) and OIS liaison level. If resolution is not possible at that level, the deputy director of OIS and the director of the county agency, or their designees, will work to resolve such issues and may utilize the methodology contained in the fiscal agreements if necessary.
(G) The most current version of the SLA is available on the OIS website.
(A) The negotiated service level agreement (SLA N) is a document of understanding between the Ohio department of job and family services (ODJFS) office of information services (OIS) and the county agency. A county that elects and is eligible for an SLA N is substantially different from other county agencies. Elected SLA N is available only to agencies having greater than five hundred filled, verifiable, full-time equivalent (FTE) employees and public children services agencies (PCSAs) that have never been on the ODJFS network.
While the SLA N allows for a high degree of flexibility, the universal provisions detailed in the SLA and rule 5101:9-9-15 of the Administrative Code apply to the SLA N.
(B) The intent of the SLA N is to address the flexibility required by county agencies while maintaining the integrity of the SLA program.
(C) The goal of the SLA N is to define the information technology (IT) expectations of ODJFS and the county agency and determine the appropriate level of service relative to service response, system availability, quantity of work processed, delineation of duties, and service support.
(D) Through SLA N, any ODJFS benefits, that is, combinations of hardware, software, infrastructure, services, and network administration, may be negotiated as agreed upon by ODJFS and the county agency. Other county agency requirements may be negotiated as agreed upon by ODJFS and the county agency. Any state benefit is dependent on sufficient funding in the ODJFS OIS budget for the appropriate fiscal year.
(E) A county agency that elects an SLA N exercises considerable control of its county-based IT environment and the management of the county agency network.
(F) The SLA N supporting documentation identifies the scope of services performed either by ODJFS or the county agency and what is required to maintain the IT environment.
(G) In the event of a disagreement between ODJFS and the county agency regarding provisions of the executed SLA N, the initial attempt at resolution will begin at the county agency technical point of contact (TPOC) and OIS liaison level. If resolution is not possible at that level, the deputy director of OIS and the director of the county agency, or their designees, will work to resolve such issues utilizing the methodology contained in the SLA N.
(H) The most current version of the SLA N is available on the OIS website.
(A) The Ohio department of job and family services (ODJFS), in a continuing effort to improve the level of customer service and responsiveness to county agencies, developed the technology and service support policy (TSSP). The TSSP represents a commitment by ODJFS to provide quality, cost-effective networking products, services, and solutions to the county agencies throughout the state.
The TSSP operates within the framework of the service level agreement (SLA) as detailed in the SLA.04 and rule 5101:9-9-15 of the Administrative Code.
(B) The TSSP is the policy by which county agencies request information technology (IT) equipment and services from the ODJFS office of information services (OIS). All county agency requests for network equipment, installation of third-party software applications, or OIS assistance with equipment moves to new sites, require completion of the JFS 01321 "TSSP County Request."
(C) TSSP coordinators in OIS oversee the request process and are responsible for working with the county agencies to determine financial responsibilities and costs, verify staff levels, track the progress of requests, and serve as the ODJFS contact for county agency information related to the TSSP.
(D) As part of completing the JFS 01321, the county agency will estimate the financial responsibilities associated with its request and submit the information to the TSSP coordinator in OIS.
(E) Whenever financial responsibilities are determined to be greater than those estimated on the JFS 01321, OIS will contact the technical point of contact (TPOC) in the county agency. OIS will obtain the county agency's consent before continuing the fulfillment process.
(F) Financial responsibilities are enumerated in the TSSP. All ODJFS commitments relative to networking products, services, and solutions are subject to and contingent on the availability of state and federal funds. Whenever financial responsibilities are determined to be different from those estimated in the agency's original request, OIS will notify the county agency to obtain its consent before fulfilling the agency's request. Equipment acquisitions that may affect the ODJFS network, regardless of the cost or financial responsibility, must be approved by ODJFS before the agency purchases the equipment. Approval may be obtained through the TSSP request process.
(H) Through TSSP, ODJFS seeks to do the following:
(1) Ensure timely and efficient delivery of IT products and services to ODJFS's customers;
(2) Increase the flexibility for county agencies to select networking products, services, and solutions that best meet their needs;
(3) Maintain continuity of a safe, sound, and secure computer environment; and
(4) Ensure budgetary predictability and cost-effectiveness of networking solutions for ODJFS and county agencies.
(I) OIS continues to provide the workstations, software, and network access necessary for county employees to complete their state-required job functions pursuant to and in compliance with the signed and established SLA levels.
(J) ODJFS will provide the network infrastructure to enable local agency staff to connect to the ODJFS network.
(K) As a way for county agencies to have the flexibility to meet future needs, ODJFS will provide an additional allowance of workstations in an amount of up to ten per cent of the local agency's filled full-time equivalent (FTE) employees.
Beyond this baseline, counties are responsible for financing computing resources.
(L) County agencies will purchase service units from ODJFS, unless otherwise specified in the SLA for the individual county agency.
Service units include, but are not limited to, maintenance, service, and use of state owned equipment.
(M) Costs associated with TSSP equipment service units are determined by the initial equipment and warranty costs to ODJFS. On-going services are included as part of the service unit at the expense of ODJFS. On-going services include moves, customer support, software upgrades, and equipment services.
(N) The catalogue of network services section of the TSSP displays the networking products and services available to county agencies. The catalogue details the estimated costs a county agency will be subject to when it purchases service units and services that it specifies on the JFS 01321 that it submits to OIS.
(O) Following the fulfillment of a request, the ODJFS office of fiscal and monitoring services (OFMS) will generate an invoice from the Ohio administrative knowledge system (OAKS) for equipment and services rendered and e-mail it to the county agency for all requests determined to be the financial responsibility of the county agency. The service unit cost to the county agency will be the actual invoice cost for each piece of equipment used and warranty purchased. Available TSSP service units may be found in the catalogue of network services section of the TSSP.
(P) When a request involves recurring charges, such as monthly data line fees, the county will be invoiced on a recurring basis. These invoices will utilize the same payment process as the other TSSP invoices.
(Q) County agencies and one-stops will pay the invoice by sending a check, made payable to the "Treasurer, State of Ohio," and including a copy of the invoice with the check. Remit payments to the following address:
"Huntington National Bank
Columbus, Ohio 43260"
(R) If payment is not received within sixty calendar days, the ODJFS office of fiscal and monitoring services will notify the county agency via a memo.
(S) If payment is not received within ninety calendar days, the ODJFS office of fiscal and monitoring services will recover the funds via an adjustment to the county agency's advance.
(T) County agencies shall use the JFS 02750 "Child Support Enforcement Agency (CSEA) Quarterly Financial Statement", JFS 02820 "Children Services Quarterly Financial Statement", or JFS 02827 "Public Assistance (PA) Quarterly Financial Statement" to report TSSP expenditures.
(U) OIS will update the TSSP as dictated by changes in technology, service unit pricing, or available service offerings. The most current version of the TSSP is available on the OIS website.
(A) HIPAA is a federal law that, among other regulations, requires the protection of confidentiality and security of health data including the safeguarding, privacy, and release of protected health information (PHI).
(B) PHI includes, but is not limited to, the following individually identifiable health information of public assistance applicants, recipients, and former recipients:
(1) Information relating to past, present, or future physical or mental health or condition of an individual;
(2) Provision of health care to an individual;
(3) Past, present, or future payment for health care to an individual; and
(4) Eligibility information of an individual for the medicaid, disability medical assistance, or refugee medical assistance program, or any other plan or program that provides medical assistance or pays the cost of medical care.
(C) All current and future recipients of medicaid, disability medical assistance, refugee medical assistance, or any other plan or program that provides medical assistance or pays the cost of medical care, received or will receive a privacy notice outlining the following descriptions of uses and disclosures, and recipient procedures:
(1) A description of the types of uses and disclosures of PHI the Ohio department of job and family services (ODJFS) or its delegated entity is permitted to make, with examples to include payment, treatment, and healthcare operations;
(2) A description of other uses and disclosures permitted under HIPAA without written consent or authorization to include examples such as required by law;
(3) A statement that other uses and disclosures will be made only with the individual's written authorization;
(4) Complaint procedure;
(5) Request for restriction procedure;
(6) Request for amendment procedure; and
(7) Request for accounting procedure.
(D) If a recipient of benefits identified in paragraph (C) of this rule requests any of the procedures outlined in paragraphs (C)(4) to (C)(7) of this rule from the county agency or entity acting on behalf of ODJFS who collects and maintains the information identified in paragraph (B) of this rule through which the recipient participates, the county agency or entity acting on behalf of ODJFS shall do one of the following:
(1) Refer the recipient to the ODJFS privacy official by providing the recipient with the appropriate phone number; or
(2) Provide the recipient with a copy of the HIPAA privacy notice outlining the procedures set out in paragraphs (C)(4) to (C)(7) of this rule and notice identifying whom the recipient may contact to initiate those procedures.
(A) The following definitions are applicable to this rule:
(2) "Grant" means an award for one or more family services duties or workforce development duties of federal financial assistance that a federal agency provides in the form of money, or property in lieu of money, to the Ohio department of job and family services (ODJFS) and that ODJFS awards to a county family services agency or local area. Grant may include state funds ODJFS awards to a county family services agency or local area to match the federal financial assistance. Grant does not mean technical assistance that provides services instead of money and does not mean other assistance provided in the form of revenue sharing, loans, loan guarantees, interest subsidies, or insurance.
(3) "Inactive records" refers to closed case files and those records that are no longer used on a regular basis.
(5) "Pass-through entity" means a non-federal entity that provides a federal award and/or state funds to a subrecipient to carry out a federal and/or state program, function, or activity.
(7) "Record series" means records that are filed together or maintained as a unit because they relate to a particular subject or function, result from the same activity, have a particular form, or have some other relationship arising from their creation, receipt, or use.
(8) "Retention schedule" means a document that assigns a required retention period to a record series based on its fiscal, legal, historical or administrative value.
(9) "Subrecipient" means a non-federal entity that expends federal awards and/or state funds received from a pass-through entity but does not include an individual that is a beneficiary of such program, function, or activity.
(B) Each county family services agency and local area shall comply with all applicable federal, state, and local records retention requirements for all records related to any program, function, or activity that is funded in whole or in part by state and/or federal funds. Local records retention requirements may be available through the county records commission in each county, which are established pursuant to section 149.38 of the Revised Code. The functions of the county records commission are to provide rules for the retention and disposal of county records, to review applications for one-time disposal of obsolete records, and to review schedules of records retention and disposal submitted by county offices.
(C) Each county family services agency and local area shall have a records retention schedule that governs each record series maintained by the agency and that includes the requirements set forth in this paragraph. Each such records retention schedule shall at a minimum do the following:
(1) Identify the name of the record series;
(2) Describe the use and purpose of the records;
(3) Assign a retention period based on the fiscal, legal, historical or administrative purpose value of the record series;
(4) Establish the method of disposition of the records when the retention period expires; and
(5) Comply with any minimum records retention requirements specified by applicable state law and regulations, applicable ODJFS records retention requirements, and applicable federal law and regulations, including, but not limited to, the following:
(a) 2 C.F.R. Part 200;
(b) 7 C.F.R. 272.1(f) applicable to the expenditure of food stamp program funds;
(c) 29 C.F.R. 95.53 applicable to non-profit organizations expending department of labor (DOL) funds;
(d) 29 C.F.R. 97.42 applicable to government units expending DOL funds;
(e) 45 C.F.R. 75.361 applicable to non-federal entities expending department of health and human services (HHS) funds; or
(f) Any other federal award requirements related to any program, function, or activity the county family services agency or local area administers that is funded in whole or in part by federal funds.
(D) In addition to having the records retention schedules required by paragraph (C) of this rule, each county family services agency and local area shall have a records retention schedule governing all records of its subrecipients that document a program, function, or activity for which the county family services agency's or local area's subrecipient receives state and/or federal funds. Each county family services agency and local area shall include in any contract or other type of agreement, including grant awards to subrecipients and subcontracts with service providers, all applicable minimum federal, state, and local records retention requirements for all records documenting a program, function, or activity for which the county family services agency's or local area's subrecipient, contractor or subcontractor receives state and/or federal funds. Any succeeding subrecipient or subcontractor of state and/or federal funds passed through from the county family services agency's or local area's subrecipient, contractor or subcontractor is subject to the same requirements stated in this paragraph.
(E) Each county family services agency and local area shall retain financial, programmatic, statistical, and recipient records and supporting documents relating or pertaining to a federal award passed through from ODJFS for a minimum of three years after submittal of the final expenditure report for the grant, or applicable ODJFS records retention requirements, whichever is longer, unless otherwise provided by any minimum records retention requirements specified by applicable state or federal law. A county family services agency or local area may establish a minimum records retention period that exceeds the minimum retention period provided by this paragraph.
(1) If any litigation, claim, investigation, criminal action, negotiation, audit, administrative review, or other action involving the records has been started before the expiration of the longer of the minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or local area shall maintain the records until completion of the action and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period, whichever is later.
(2) If final payment after closeout of the federal award has not been made before the expiration of the longer of the minimum retention period defined in paragraph (E) of this rule or before actual disposition of the records, the county family services agency or local area shall maintain the records until final payment is made and resolution of all issues that arise from it, or until the end of the longest applicable minimum retention period provided in paragraph (E) of this rule, whichever is later.
(3) Each county family services agency and local area shall maintain a current file of all records that have been subject to a federal or state audit, administrative review, or other action, and must refer to that file before requesting approval from the county records commission to destroy any record.
(F) Each county family services agency and local area shall annually provide or make available to ODJFS the agency's records retention schedules, including any records retention schedule adopted pursuant to paragraph (D) of this rule. Each county family services agency and local area shall make its current records retention schedule readily available to the public.
(G) Each county family services agency and local area shall establish policies and procedures for the transfer and storage of inactive records that comply with all applicable state, federal, and local requirements. Secondary locations used for storing inactive records must provide adequate security and allow for the prompt and efficient retrieval of requested records.
(H) The requirements regarding access to records are as follows:
(1) Each county family services agency and local area shall adopt a public records policy for responding to public records requests in accordance with section 149.43 of the Revised Code. Public records do not include information or records specifically exempted from treatment as public records in division (A)(1) of section 149.43 of the Revised Code, or information or records that are expressly made confidential under other federal or state laws or regulations.
(2) All records documenting a program, function, or activity for which the county family services agency and local area receive state and/or federal funds must be made available to authorized governmental agencies, including, but not limited to, ODJFS, the auditor of state, and other Ohio funding sources and federal funding sources upon request. This access to records includes, but is not limited to, all financial and programmatic records, supporting documents, statistical records, and other records of recipients, subrecipients, contractors, and subcontractors. This right of access is not limited to any required minimum retention period if the records are still being retained and have not been disposed of at the time of the request.
(3) All information and records concerning an applicant, a recipient, or a former recipient must be safeguarded from release as specified by applicable state and federal law and regulations, including, but not limited to, rules 5101:1-1-03, 5101:4-1-13, and 5160-1-32 of the Administrative Code, and section 5101.27 of the Revised Code, and are subject to all applicable intercounty transfer requirements, including, but not limited to, rules 5101:1-1-13 and 5101:4-8-19 of the Administrative Code.
(4) All public records as defined in division (A)(1) of section 149.43 of the Revised Code must also be made available for inspection or copying to any person at all reasonable times during regular business hours, as specified in division (B) of section 149.43 of the Revised Code.
(5) Each county family services agency and local area shall maintain its records in such a manner that the agency can fulfill its records access obligations promptly and efficiently.
(I) Each county family services agency and local area shall obtain approval from the county records commission before destruction of any records in accordance with section 149.38 of the Revised Code. Pursuant to section 149.38 of the Revised Code, the county records commission approval must in turn be reviewed by the Ohio history connection, and upon completion of the Ohio history connection's review of the request to dispose the records, the auditor of state must approve or disapprove the request.
(J) After permission to destroy the records has been obtained, each county family services agency and local area shall follow the requirements established by the county records commission for disposal of county records.
(K) Notwithstanding the provisions in this rule, each county family services agency and local area shall continue to follow any minimum applicable ODJFS, state, and federal records retention requirements requiring a longer minimum retention period than the general three-year retention period stated in paragraph (E) of this rule, such as children services case records retention requirements set forth in rule 5101:2-33-23 of the Administrative Code, and any other program-specific records retention requirements established by other state or federal law, unless directed to comply with the minimum records retention requirements provided in this rule.
(L) The retention, destruction and access provisions adopted or established by a local area pursuant to this rule will apply to every workforce development agency within that local area.
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 329.04, 329.05, 5101.27, 5101.28
Prior Effective Dates: 03/07/1982, 04/01/1988 (Emer.), 06/30/1988, 02/15/1996, 11/01/1996, 08/23/2008, 03/01/2015
(A) The following definitions are applicable to this rule:
(1) "Inactive records" means closed case files, where the assistance group (AG) is no longer receiving benefits, no administrative action, hearing or appeal is pending, and the county agency no longer has a legal duty to act on the case.
(2) "Public assistance record" means any record maintained in a case file related to an Ohio works first (OWF), food assistance, prevention, retention, and contingency (PRC), disability financial assistance, or refugee cash assistance group (AG).
(B) The minimum retention period for public assistance records is seven years, except as provided in paragraphs (C) and (D) of this rule.
(C) The following records may not be destroyed while the AG is active, and must be maintained for a minimum of three years from the date the AG becomes inactive:
(1) Enumeration verifications;
(2) Application forms and verifications that established initial program eligibility; and
(3) Documents that establish eligibility factors such as incapacity, limiting physical factors, and eligibility for supplemental security income (SSI).
(D) Notwithstanding the requirements in rule 5101:4-1-05 of the Administrative Code, any records existing in the AG file on the date the AG becomes inactive must be maintained for a minimum of three years from the date the AG becomes inactive, regardless of the age of the records.
(F) Counties that wish to selectively destroy documents from public assistance AG records in accordance with the requirements of this rule must specify the retention periods of the affected documents on the appropriate retention schedules.
(A) Federal tax information (FTI): definition, usage limitations and notification, and non-disclosure.
(1) FTI is any return or return information received from the internal revenue service (IRS) or secondary source, such as the social security administration (SSA), federal office of child support enforcement, or U.S. department of the treasury - bureau of the fiscal service, and also includes any information created and/or maintained by the Ohio department of job and family services (ODJFS) or a county agency that is derived from these sources.
(2) FTI is provided to federal, state, and local agencies by the IRS or the SSA for use in the cash assistance, food assistance, unemployment compensation, and child support programs as authorized by the Internal Revenue Code, and is provided solely for the purpose of performing the responsibilities of each program.
(3) 26 U.S.C. 6103 (section 6103 of the Internal Revenue Code) limits the usage of FTI to only those purposes explicitly defined. The IRS office of safeguards requires advance notification (at least forty-five days) prior to implementing certain operations or technological capabilities that require additional uses of the FTI, such as:
(a) Contractor access;
(b) Cloud computing;
(c) Consolidated data center;
(d) Data warehouse processing;
(e) Non-agency-owned information systems;
(f) Tax modeling;
(g) Test environment; and
(h) Virtualization of IT systems.
(4) Disclosure of FTI to any contractor is not permitted unless the agency notifies the IRS office of safeguards, in writing, per the IRS forty-five day notification reporting requirements and obtains approval prior to re-disclosing FTI to a specifically noted contractor.
(5) FTI associated with the treasury offset program (TOP) may not be disclosed to any contractor for any purpose, except for limited child support enforcement purposes, as specified in IRS publication 1075.
(C) Safeguarding procedures and controls ensure the confidential relationship between the taxpayer and the IRS. Safeguarding procedures and controls are derived from IRS publication 1075, "Tax Information Security Guidelines for Federal, State, and Local Agencies" prepared and updated by the IRS.
(D) The IRS conducts on-site safeguard reviews of ODJFS safeguard controls, at a minimum once every three years, which includes an evaluation of the use of FTI and the measures employed by the receiving agency to protect the data. An independent internal inspection of specific offices within ODJFS is required every eighteen months. In addition, periodic independent internal inspections of all local offices must be conducted to ascertain if the safeguarding controls that are in place meet the requirements of IRS publication 1075. Offices to be inspected include, but are not limited to, those referenced in paragraph (A)(2) of this rule. Periodic inspections conducted by program offices of local offices occur every three years. A record will be made of each inspection, citing the findings (deficiencies) as well as recommendations and corrective actions to be implemented where appropriate.
(E) All program offices and their respective local agencies must ensure procedures are implemented governing the safeguarding of FTI as defined by IRS publication 1075. Procedures must be updated to reflect any significant program changes.
(F) Per section 6103 of the Internal Revenue Code, all agencies receiving FTI are required to provide a disclosure awareness training program for their employees and contractors. Disclosure awareness training is described in detail within IRS publication 1075. Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the IRS's and the agency's security policy and procedures for safeguarding IRS information. Employees must be advised of the provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages for Unauthorized Disclosure." Agencies must also comply with the requirements of rule 5101:9-9-25.1 of the Administrative Code.
(G) Additional FTI safeguarding procedures.
(1) FTI must be maintained separately from other information to the maximum extent possible to avoid inadvertent disclosures and to comply with the federal safeguards required by paragraph (p)(4) of section 6103 of the Internal Revenue Code. Agencies with FTI must also comply with all other requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code.
(2) All information obtained from the IRS must be safeguarded in accordance with the safeguarding requirements of paragraph (p)(4) of section 6103 of the Internal Revenue Code, as described in IRS publication 1075.
(H) Prohibition against public disclosure of safeguards reports and related communications.
(1) Safeguards reports and related communications, such as IRS official agency records that are the property of the IRS, and IRS records that are subject to disclosure restrictions under federal law and IRS rules and regulations, may not be released publicly under state sunshine or information sharing/open records provisions. Release of any IRS safeguards document requires the express permission of the IRS. Requests received through sunshine and/or information sharing/open records provisions must be referred to the federal Freedom of Information Act (FOIA) statute for processing. State and local agencies receiving such requests should refer the requestor to the instructions to file a FOIA request with the IRS. Additional guidance may be found at: http://www.irs.gov/uac/IRS-Freedom-of-Information and questions should be referred to the safeguards mailbox at Safeguardreports@irs.gov.
(2) If it is determined that it is necessary to share safeguarded IRS documents and related communications with another governmental function/branch for the purposes of operational accountability or to further facilitate protection of federal tax information, the recipient governmental function/branch must be made aware, in unambiguous terms, that the documents and related communications:
(a) Are the property of the IRS;
(b) Constitute IRS official agency records; and
(c) Are subject to disclosure restrictions under federal law and IRS rules and regulations.
(A) This supplemental rule provides general guidance to county agencies on the safeguarding of federal tax information (FTI), with the exception of child support enforcement agencies, which are required to comply with the requirements of rule 5101:12-1-20.2 of the Administrative Code. Individual program offices may, at their discretion, establish additional rules and/or additional training programs. County agencies should consult their respective program office for additional information regarding the safeguarding of FTI.
(B) Required employee awareness training:
Each county agency must provide disclosure awareness training to employees and contractors in accordance with guidelines set forth in internal revenue service (IRS) publication 1075, "Tax Information Security Guidelines for Federal, State and Local Agencies." Employees and contractors must maintain their authorization to access FTI through annual training and recertification. Prior to granting an agency employee or contractor access to FTI, each employee or contractor must certify his or her understanding of the IRS's and the agency's security policy and procedures for safeguarding IRS information. Employees must be advised of the provisions of sections 7431, 7213, and 7213A of the Internal Revenue Code regarding the "Sanctions for Unauthorized Disclosure" and the "Civil Damages for Unauthorized Disclosure." The disclosure awareness training records must be maintained for a minimum of five years or in accordance with the agency's applicable records retention schedule, whichever is longer.
(C) Proper record keeping of FTI:
County agencies must keep records detailing internal requests for FTI by agency employees as well as requests received from outside of the agency, except for child support enforcement agencies, which are required to follow rule 5101:12-1-20.2 of the Administrative Code.
A tracking log must be used to record all movement, storage, and destruction of both electronic and non-electronic FTI received by the agency from the IRS. The data elements of the tracking log shall comply with the guidelines set forth in IRS publication 1075 and those provided by the applicable ODJFS program office. FTI must not be recorded on any tracking log. The logs must be maintained for a minimum of five years or in accordance with the agency's applicable records retention schedule, whichever is longer.
(D) Secure storage and handling of FTI:
(1) FTI must be handled in such a manner that it does not become misplaced or available to unauthorized staff. When not in use, FTI must be secured via the required two barrier minimum pursuant to the "Minimum Protection Standards (MPS)" section of IRS publication 1075. Refer to table 2 in section 4.2 of IRS publication 1075 for further guidance.
(2) Minimum protection standards establish a uniform method of physically protecting data and systems as well as non-electronic forms of FTI. Local factors may require additional security measures; therefore, local county management must analyze local circumstances to determine location, container, and other physical security needs at individual facilities. The MPS have been designed to provide management with a basic framework of minimum security requirements. The objective of these standards is to prevent unauthorized access to FTI. MPS requires two barriers. Examples of the two barrier minimum under the concept of MPS are outlined in IRS publication 1075.
(3) FTI should not be filed in areas used by employees not authorized to have access to FTI such as areas used for breaks, food preparation or any similar facilities. FTI files should not be maintained in areas that allow clients access. However, when this is not practical, caution must be exercised by the agency pursuant to the "Minimum Protection Standards (MPS)" section of IRS publication 1075. Refer to table 2 in section 4.2 of IRS publication 1075 for further guidance.
(E) Restricting access to FTI:
Access to file storage areas that contain FTI must be limited to the absolute minimum number of employees necessary. The following measures should be followed to adequately restrict access to the file storage areas containing FTI:
(1) Except where the state program office maintains records on access and training, a current list of employees who are authorized to have access to FTI shall be maintained by the county agency.
(2) Warning signs must be posted to identify restricted access areas and to give notice of the potential consequences for unauthorized disclosure or inspection of FTI.
(3) Cleaning, building inspections or maintenance of secured areas containing FTI must be performed in the presence of an employee authorized to access FTI. An exception to this rule is during non-duty hours, when cleaning, inspection or maintenance personnel need access to locked buildings or rooms. This may be permitted as long as there is a second barrier to prevent access to FTI. Access may be granted to a locked building or a locked room if FTI is in a locked security container. If FTI is in a locked room but not a locked security container, then access may be granted to the building but not the room.
(4) Each agency shall control physical access to areas where systems or files containing FTI are housed. The agency shall issue authorization credentials, including badges, identification cards, or smart cards pursuant to section 4.3.2 of IRS publication 1075.
(5) Access to file areas that contain FTI must be restricted to agency employees who have an established security profile that identifies the class-level and role-based rights that necessitate authorizing the employee to have such access.
(6) The location and physical layout of the file storage area should be such that unnecessary traffic is avoided.
(7) A visitor sign in/sign out log must be maintained and must be inspected at least monthly by agency security personnel. The data elements contained on the log must meet the guidelines outlined in IRS publication 1075.
(8) Keys to the files must be issued only to agency employees authorized to enter the secured area.
(9) If possible, security staff should be agency employees. Only authorized employees, or escorted individuals supervised by authorized employees, may have access to areas where FTI is located during working and nonworking hours.
(10) All records containing FTI, either open or closed, must be safeguarded pursuant to IRS publication 1075. FTI should not be commingled within any information system or within any physical files and documents. When commingling of agency documentation data and FTI is unavoidable, FTI must be labeled pursuant to IRS publication 1075, and access must be restricted to only authorized personnel.
(F) Proper disposal of FTI:
(1) Users of FTI are required by the Internal Revenue Code to take certain actions after using FTI, to protect its confidentiality. When FTI is no longer useful, agency officials and employees must either return the information, including any copies made, to the office from which it was originally obtained or destroy the FTI.
(2) An agency electing to return IRS information must use a receipt process and ensure that confidentiality is protected at all times during transport.
(3) FTI (non-electronic) furnished to any authorized agency employee or user and any paper material generated therefrom, such as copies, photo impressions, computer printouts, notes, and work papers, must be destroyed pursuant to IRS publication 1075 directives.
(4) FTI (electronic) stored in electronic format (e.g., hard drives, tapes, CDs, flash media, etc.) must be destroyed and/or disposed of pursuant to IRS publication 1075 directives. Electronic media containing FTI must not be made available for reuse by other offices or released for destruction without first being subjected to electromagnetic erasing (media sanitization).
(5) For county agencies, programs and records where contractors are permitted to be used, any destruction, sanitization, and/or disposal of FTI by a contractor must be witnessed by an agency official or employee. FTI destroyed or sanitized, pursuant to sections 8.0 to 8.4 of IRS publication 1075, is no longer considered FTI and can be disposed of in any manner the agency deems appropriate.
(G) Computer security controls:
If any local agency office stores FTI within a county owned information system, they must:
(1) Ensure the required agreements with ODJFS and the IRS have been established pursuant to IRS publication 1075.
(2) Ensure the local agency office's required policies, procedures, and information system meet the minimum computer system security controls detailed in IRS publication 1075.
Replaces: Part of 5101:9-9-25
(A) "Auditing" is the systematic application of procedures to compare historical data to established criteria to prepare an attestation as to the degree of correspondence between the two.
(B) "Historical data" consists of management representations, either explicit or implicit. Management representations include, but are not limited to, representations as to characteristics of information such as completeness or accuracy, the occurrence or non-occurrence of transactions or events, the existence or non-existence of tangibles, intangibles, rights and obligations, the valuation or allocation of tangibles and intangibles, rights and obligations, compliance or non-compliance with laws or regulations, and operational characteristics.
(C) "Criteria" may be financial or non-financial. Applicable criteria may include, but are not limited to, accounting and auditing standards and principles, state, federal and local laws, regulations, administrative rules, ordinances and court opinions, and generally accepted principles of accounting and administrative control.
(D) "Person" means an individual, corporation, business trust, estate, trust, partnership, or association as used in any statute, unless another definition is used in such statute or a related statute.
(E) "Public office" means any state agency, public institution, political subdivision, or other organized body, office, agency institution, or entity established by the laws of this state for the exercise of any function of government.
(F) Audits performed by ODJFS include, but are not limited to:
(1) Any examinations or review of books, records or any other evidence relating to the collection, receipt, accounting for, use, claim, or expenditure of state or federal funds received from or through ODJFS.
(2) Any examination or review to determine whether any person, public office, vendor, sub-recipient, or provider of goods or services to ODJFS has complied or is in compliance with the federal statute or regulation, state statute or administrative rule, ordinances, or orders pertaining to the collection, receipt, accounting for, use, claim or expenditure of state or federal funds from or through ODJFS.
(3) Any examination or review of any person, public office, vendor, sub-recipient, or provider of goods or services to ODJFS; collecting, receiving, accounting for, using, claiming, or expending state or federal funds from or through ODJFS; or submitting to the department data which serves as the basis for funding from or through the department.
(4) Any financial statement, financial-related, performance, economy and efficiency, or program results audits of organizations, agencies, programs, activities, or functions under the authority, aegis, or oversight of ODJFS.
(5) Any examination, review, investigation, or financial statement, financial-related, performance, economy and efficiency, or program results audits required or intended to address federal or state audit, monitoring, or review requirements.
(G) ODJFS may perform or provide for the performance of any audits within the scope of this rule. The timing, frequency, scope, and objectives of audits may vary with ODJFS' assessment of audit needs and the available resources of ODJFS.
(H) ODJFS may develop and implement policies and procedures at variance with the provisions of this rule as necessary to comply with the requirements of federal statute or regulation, or state statute or administrative rule.
(I) For the purpose of audits performed by or provided by ODJFS, auditees must maintain documentation conforming to all requirements prescribed by ODJFS, federal statute or regulation and state statute or administrative rule. Auditees must prepare and maintain documentation to support all transactions and to permit the reconstruction of all transactions and the proper completion of all reports required by state and federal law and regulations, and which substantiates compliance with all applicable federal statutes or regulations, state statutes or administrative rules.
(J) Auditees must make available to ODJFS personnel all records necessary to document all transactions. Records must include sufficient detail to disclose:
(1) Services provided to program participants;
(2) Administrative cost of services provided to program participants;
(3) Charges made and payments received for items identified in paragraphs (J)(1) and (J)(2) of this rule;
(4) Cost of operating the organizations, agencies, programs, activities, and functions.
(K) Auditees must maintain adequate systems of internal control to ensure:
(1) Accurate and reliable financial and administrative reports;
(2) Efficient and effective use of resources;
(3) Compliance with laws and regulations.
(L) Audits performed by other public or private audit organizations on behalf of ODJFS will be reviewed and released by ODJFS. Audit reports for audits performed by ODJFS or by other public or private audit organizations on behalf of ODJFS may be the basis for action by ODJFS as authorized by federal statute or regulation, state statute or administrative rule, including, but not limited to, section 5101.24 of the Revised Code.
(M) A certified copy of any portion of any audit report released by ODJFS containing factual information is prima facie evidence of the facts contained therein for the purpose of any administrative appeal or proceeding.
(N) At the conclusion of an audit, ODJFS will normally conduct an exit conference with the auditee. However, an exit conference is not required where the auditee fails to respond, within a reasonable period of time, to a request by ODJFS to schedule an audit, where an audit conference would impair, impede, or otherwise threaten the ability of ODJFS to satisfy legal requirements that it supervise the auditee or direct compliance with state and federal law, or where the subject matter of the audit is currently the subject of another state or federal audit or criminal investigation. Objectives of exit conferences include:
(1) To provide ODJFS with an opportunity to present the results of the audit and obtain the response of the auditees;
(2) To provide the auditee with an understanding of the audit findings;
(3) To obtain relevant information with respect to issues raised by the audit.
ODJFS will evaluate any written response of an auditee and will consider whether the proposed audit report should be revised based upon the response. When an auditee submits a written response and ODJFS concludes that no revision of the draft audit report is appropriate or warranted, the response shall be attached to or summarized in the final report.
Promulgated Under: 111.15
Statutory Authority: 5101.02
Rule Amplifies: 329.04, 329.042, 5101.16, 5101.161, 5103.07, 5107.02
Prior Effective Dates: 10/19/81, 7/20/86, 11/1/97, 10/1/03
The following requirements ensure the security of departmental data and must be followed by all county and state employees (hereafter referred to as 'user' or 'users') who access data systems maintained by the office of information services (OIS) and the Ohio department of job and family services (ODJFS) via the private or public network.
(A) Users are responsible for system inquiries and activities executed with their system user identification (USER-ID).
(B) Passwords must remain confidential and be eight characters or longer in length and have each of the following characteristics:
(1) At least one number.
(2) At least one special character.
(3) At least one upper case letter.
(4) At least one lower case letter.
(C) Passwords are valid for a maximum of sixty days and shall not be repeated for a twelve month period.
(D) Password resets executed by OIS support staff or county technical points of contacts (TPOCs) must require the user to change their password upon next login.
(E) Users must not change their passwords more than once per day.
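The password requirements in paragraphs (B) through (E) above, encoded as an added policy checker (example code written for this page, not an ODJFS or OIS implementation). The set of special characters, the hashing parameters and the sample passwords are assumptions; the rule text itself defines none of them.

```python
"""Password policy checker for the user requirements in paragraphs (B)-(E).

Added example, not part of the rule text. It enforces:
  (B) eight or more characters with a digit, a special character, an
      upper case letter and a lower case letter;
  (C) sixty-day maximum validity and no reuse within twelve months;
  (D) an administrative reset forces a change at next login;
  (E) at most one user-initiated change per day.
Old passwords are kept only as salted PBKDF2 digests so the history
used for the reuse check never stores a password in clear.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 60
HISTORY_WINDOW_DAYS = 365
SPECIALS = set(string.punctuation)   # assumed definition of "special character"


def complexity_violations(password: str) -> list:
    """Return the paragraph (B) requirements the password fails (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not any(c.isdigit() for c in password):
        problems.append("number")
    if not any(c in SPECIALS for c in password):
        problems.append("special")
    if not any(c.isupper() for c in password):
        problems.append("upper")
    if not any(c.islower() for c in password):
        problems.append("lower")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative; pick it from current guidance in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_on: date

    @classmethod
    def create(cls, password: str, set_on: date) -> "PasswordRecord":
        salt = os.urandom(16)
        return cls(salt, _digest(password, salt), set_on)

    def matches(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _digest(password, self.salt))


@dataclass
class UserAccount:
    user_id: str
    history: list = field(default_factory=list)   # PasswordRecord, newest last
    must_change: bool = False

    def current(self):
        return self.history[-1] if self.history else None

    def is_expired(self, today: date) -> bool:
        """Paragraph (C): a password older than sixty days is no longer valid."""
        cur = self.current()
        return cur is None or (today - cur.set_on).days > MAX_AGE_DAYS

    def admin_reset(self, temp_password: str, today: date) -> None:
        """Paragraph (D): a reset by OIS staff or a TPOC forces a change at next login."""
        self.history.append(PasswordRecord.create(temp_password, today))
        self.must_change = True

    def change_password(self, new_password: str, today: date) -> list:
        """Apply (B), (C) and (E); return the violations, empty if the change was accepted."""
        problems = complexity_violations(new_password)
        cur = self.current()
        # (E): one change per day, except the forced change after an admin reset.
        if cur is not None and cur.set_on == today and not self.must_change:
            problems.append("once-per-day")
        # (C): no reuse of any password set within the last twelve months.
        cutoff = today - timedelta(days=HISTORY_WINDOW_DAYS)
        if any(r.set_on >= cutoff and r.matches(new_password) for r in self.history):
            problems.append("reused")
        if problems:
            return problems
        self.history.append(PasswordRecord.create(new_password, today))
        self.must_change = False
        return []
```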
(F) A terminal or personal computer must never be left unattended or unsecured when logged onto the network.
(G) Only the files or information that are required to perform one's own job duties, shall be accessed.
(H) Users must comply with all items included on the JFS 07078 "Code of Responsibility."
(I) An original signed (physical or electronic) JFS 07078 must be submitted to ODJFS with every county request for a USER-ID or user access to the OIS and ODJFS networks.
(J) The JFS 07078 is required for every new user accessing the system, and for making changes to an existing user's access.
(K) Counties must not modify the JFS 07078.
(A) As used in this rule, "county family services agency" means a county department of job and family services, public children services agency, child support enforcement agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.
(B) The county family services agency shall not download, match, scrape or extract data, or data elements from within ODJFS systems where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without expressly getting written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner.
(C) A county family services agency may download, match, scrape or extract data, excluding the data elements outlined in paragraph (B) of this rule, from an ODJFS system including but not limited to SETS, CRIS-E, SIS, SACWIS, OWCMS, ICMS, MAPS and MMIS if one of the following applies:
(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties if such job duties are directly related to administration of programs for which the county family services agency is responsible. Any such download, match, scrape or extraction of data shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.
(2) A person under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if it is part of the deliverables set out in the contract, and it is directly related to or required for administration of program(s) for which the county family services agency is responsible. The contract must contain appropriate confidentiality and data security language and the county family services agency must assume responsibility for the use and security of the data by the contractor. Recommended language for contract provisions related to confidentiality and data security requirements is available from the ODJFS office of legal and acquisition services (OLAS).
(3) The county family services agency is providing data to a law enforcement agency, federal or state auditor or other entity as appropriate in accordance with an ODJFS program-related state or federal law requiring or permitting the county family services agency to provide data and the law requiring or permitting release is not in conflict with federal or state confidentiality laws, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), Internal Revenue Code (IRC) and the Social Security Act.
(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall follow this procedure:
(1) The county family services agency shall submit a written request to the ODJFS deputy director who is over the program that is related to the data. The county family services agency's request must specify the specific data being sought; the business use of the data; why the data access through the "Business Information Channel" software (BIC) does not address the county's needs; any potential impact upon ODJFS systems; the technical details involved; the identification of each entity that exercises control over the computer system, application, or data base to which the data will be stored; and, the data security controls that will be used by the county agency. The director of the county family services agency submitting the request shall sign the written request.
(2) If the ODJFS deputy director receiving the county family services agency request approves the county family services agency's proposed use of the data, the deputy director will promptly contact the deputy directors of OIS and OLAS at ODJFS. The three deputy directors or designees will review the county family services agency request to determine appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency attend a meeting, phone conference or videoconference to explain the request and answer any questions from ODJFS, including but not limited to, questions involving technical, legal, programmatic or confidentiality issues.
(3) If the three deputy directors approve the county family services agency request, the request will be forwarded to the ODJFS office of OLAS for the preparation of a written "Memorandum of Understanding" (MOU) between the directors of ODJFS and the county family services agency. The MOU shall specify the dates during which the MOU will be in effect, which shall not be longer than two years, subject to renewal. The MOU shall identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met. The MOU shall not be effective prior to the date that it is signed by both directors.
(4) If the county family services agency wants to change any provisions of the MOU, including the business use of the data, the county family services agency shall seek amendment of the MOU. No changes are permitted until the MOU has been amended and signed by both directors.
(5) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request. Final approval does not occur until the directors of ODJFS and the county family services agency sign the MOU.
(A) Pursuant to federal and state law, and subject to rules 5101:9-22-15 and 5101:9-22-16 of the Administrative Code, the Ohio department of job and family services (ODJFS) may access and disclose information contained in systems controlled or maintained by the department, or controlled and maintained for the benefit of the department.
(B) The department's access and disclosure shall be in furtherance of ODJFS program administration, and such disclosure may be subject to a written agreement.
(C) Program administration includes, but is not limited to, ODJFS federal reporting and oversight requirements.
(D) Any release of information shall preserve the confidential nature of the information.
Promulgated Under: 111.15
Statutory Authority: 5101.134, Section 305.190 of Am. Sub. HB 64 of the 131st General Assembly
Rule Amplifies: 5101.13, 5101.131, 5101.132, 5101.133, Section 305.190 of Am. Sub. HB 64 of the 131st General Assembly