(A) As used in this rule, "county family services agency" means a county department of job and family services, public children services agency, child support enforcement agency, , or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.
(B) The county family services agency shall not download, match, scrape or extract data, or data elements from within ODJFS systems where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without expressly getting written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner.
(C) A county family services agency may download, match, scrape or extract data, excluding the data elements outlined in paragraph (B) of this rule, from an ODJFS system including but not limited to SETS, CRIS-E, SIS, SACWIS, OWCMS, ICMS, MAPS and MMIS if one of the following applies:
(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties if such job duties are directly related to administration of programs for which the county family services agency is responsible. Any such download, match, scrape or extraction of data shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.
(2) A person under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if it is part of the deliverables set out in the contract , and it is directly related to or required for administration of program(s) for which the county family services agency is responsible. The contract must contain appropriate confidentiality and data security language and the county family services agency must assume responsibility for the use and security of the data by the contractor. Recommended language for contract provisions related to confidentiality and data security requirements is available from the ODJFS office of legal and acquisition services (OLAS).
(3) The county family services agency is providing data to a law enforcement agency, federal or state auditor or other entity as appropriate in accordance with an ODJFS program-related state or federal law requiring or permitting the county family services agency to provide data and the law requiring or permitting release is not in conflict with federal or state confidentiality laws, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA), Internal Revenue Code (IRC) and the Social Security Act.
(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall follow the following procedure:
(1) The county family services agency shall submit a written request to the ODJFS deputy director who is over the program that is related to the data. The county family services agency's request must specify the specific data being sought; the business use of the data; why the data access through the "Business Information Channel" software (BIC) does not address the county's needs; any potential impact upon ODJFS systems; the technical details involved; the identification of each entity that exercises control over the computer system, application, or data base to which the data will be stored; and, the data security controls that will be used by the county agency. The director of the county family services agency submitting the request shall sign the written request.
(2) If the ODJFS deputy director receiving the county family services agency request approves the county family services agency's proposed use of the data, the deputy director will promptly contact the deputy directors of OIS and OLAS at ODJFS. The three deputy directors or designees will review the county family services agency request to determine appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency attend a meeting, phone conference or videoconference to explain the request and answer any questions from ODJFS, including but not limited to, questions involving technical, legal, programmatic or confidentiality issues.
(3) If the three deputy directors approve the county family services agency request, the request will be forwarded to the ODJFS office of OLAS for the preparation of a written "Memorandum of Understanding" (MOU) between the directors of ODJFS and the county family services agency. The MOU shall specify the dates during which the MOU will be in effect, which shall not be longer than two years, subject to renewal. The MOU shall identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met. The MOU shall not be effective prior to the date that it is signed by both directors.
(4) If the county family services agency wants to change any provisions of the MOU, including the business use of the data, the county family services agency shall seek amendment of the MOU. No changes are permitted until the MOU has been amended and signed by both directors.
(5) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request. Final approval does not occur until the directors of ODJFS and the county family services agency sign the MOU.