This website publishes administrative rules on their effective dates, as designated by the adopting state agencies, colleges, and universities.

Chapter 123-2 | Personal Information Systems

 
 
 
Rule 123-2-01 | Definitions.
 

(A) "Combination of systems" means a unification of systems that belong to more than one agency, or to an agency and another organization, into a single system in which the records that belong to each agency or organization may or may not be obtainable by the others.

(B) "Computer readable" means in a form capable of being sensed by optical, electronic, or some other mechanical means which is used in connection with electronic data processing equipment. Computer readable includes storage in magnetic core memories, punched cards, paper tape, magnetic media, and specifically marked forms capable of being decoded by optical scanners or other similar devices. Computer readable does not include typed material, unless such typed material is on a form specifically used for optical scanners or similar devices.

(C) "Data subject" means the person who is the subject of the record.

(D) "Director" means the director of the department of administrative services.

(E) "Department" means the department of administrative services.

(F) "Disclosure of personal information" is any action which reveals personal information in a personal information system to any individual or organization other than employees of the state agency who must use the personal information in the performance of their assigned duties.

(G) "Electronic data processing equipment" means a machine or group of interconnected machines, consisting of input, storage, computing, control and output devices where electronic circuitry is used to perform arithmetic and logical operations, using internally stored or externally controlled programmed instructions. Electronic data processing equipment does not include accounting and bookkeeping machines, office calculators, magnetic card typewriters, and other similar devices. Electronic data processing equipment includes terminals which are linked to computers.

(H) "Interconnection of systems" means a linking of systems that belong to more than one agency or to an agency and other organizations, which linking of systems results in a system that permits each agency involved in the linking to have unrestricted access to the systems of the other agencies and organizations.

(I) "Maintains" means state agency ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, state agency depositing of information with a data processing center for storage, processing, or dissemination. An agency maintains all systems of records which are required by law to be kept by the agency.

(J) "Person" includes any individual, corporation, business trust, estate, trust, partnership, or association.

(K) "Personal information" means any information that describes anything about a person, or indicates actions done by or to a person, or indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by a name, identifying number, symbol, or other identifier assigned to a person.

(L) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System includes both records that are manually stored and records that are stored using electronic data processing equipment. System does not include collected archival records in the custody of or administered under the authority of the Ohio historical society, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(M) "Use of personal information" is any action which causes personal information in a personal information system to be referenced, processed or disseminated. The disclosure of personal information is a use of personal information.

Supplemental Information

Authorized By:
Amplifies:
Five Year Review Date:
Rule 123-2-02 | Personal information systems.
 

(A) Rules 123-2-01 to 123-2-13 of the Administrative Code shall apply to all personal information systems maintained by the department unless exempted in paragraph (C) or (D) of this rule. A "personal information system" is any group of organized records that contains personal information which can be retrieved by a name, identifying number, symbol, or other identifier assigned to a person.

(B) The department maintains a personal information system which it deposits or stores in a record center or stores in or has processed by a data center. The department does not maintain a personal information system, belonging to another state agency, which is stored in or processed by the state data center.

(C) The following types of personal information systems are exempted from the provisions of Chapter 1347. of the Revised Code, rules 123:3-1-01 to 123:3-1-07 and 123:3-1-99 of the Administrative Code and rules 123-2-01 to 123-2-13 of the Administrative Code.

(1) Collected archival records in the custody of or administered under the authority of the Ohio historical society;

(2) Published directories;

(3) Reference materials;

(4) Newsletters; or

(5) Routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

(D) Personal information systems that are comprised of investigatory material compiled for law enforcement purposes are exempt from the provisions of Chapter 1347. of the Revised Code, rules 123:3-1-01 to 123:3-1-07 and 123:3-1-99 of the Administrative Code and rules 123-2-01 to 123-2-13 of the Administrative Code, except for section 1347.03 of the Revised Code and rules 123:3-1-03 and 123-2-04 of the Administrative Code.

Rule 123-2-03 | Privacy officer.
 

(A) The director shall appoint a privacy officer to be responsible for agency compliance with Chapter 1347. of the Revised Code and rules 123:3-1-01 to 123:3-1-07 and 123:3-1-99 of the Administrative Code and rules 123-2-01 to 123-2-13 of the Administrative Code.

(B) The coordinator, or his designee, shall oversee the staff instruction required by rule 123-2-12 of the Administrative Code. He shall also provide interpretation and guidance relative to specific compliance questions.

(C) The coordinator shall be designated to receive all correspondence or inquiries relative to privacy matters unless otherwise indicated in rules 123-2-01 to 123-2-13 of the Administrative Code.

(D) The coordinator shall be responsible for monitoring policies and procedures established by rules 123-2-01 to 123-2-13 of the Administrative Code and modifying such policies and procedures when appropriate.

Rule 123-2-04 | Notice of personal information systems.
 

(A) Notices of personal information systems shall be filed with the Ohio privacy office prior to the first day of December of each year.

(B) If a new personal information system is established or an existing personal information system is enlarged, notice shall be filed with the Ohio privacy office within thirty days.

(1) Supplemental notice shall be filed when an existing, previously reported system is enlarged.

(2) Notice of a new system shall be filed when a new, previously unreported system is established.

(C) A supplemental or amended notice may be filed at any time after the original notice has been filed.

(D) All notices of personal information systems shall be submitted on form ADM-6109, except annual notice submitted pursuant to paragraph (A) of this rule may be validated by submitting form ADM-6110 if no change has occurred since the preceding filing period.

(E) Each notice of personal information system shall be prepared by the supervisor of the functional unit which maintains the record. In instances when duplicate records exist, the functional unit having primary responsibility shall complete the notice, including the identification of the location of duplicate records.

(F) The supervisor of the functional unit which maintains the system shall be designated the responsible individual as required by division (A) of section 1347.05 of the Revised Code.

(G) The responsible individual shall also prepare a listing of any users usually granted access to the system.

(H) The responsible individual shall retain a copy of the notice of personal information system and the listing of users and submit the originals and one copy of the notice to the privacy officer.

(I) The privacy officer shall review all notices for accuracy and determine if duplicate systems have been filed.

(J) The security-privacy coordinator shall retain copies of all notices and listings of users and file the original notices with the Ohio Privacy Office.

Rule 123-2-05 | Collection, maintenance and use of only personal information which is necessary and relevant.
 

The department shall collect, maintain and use only personal information which is necessary and relevant to the functions it is required or authorized to perform by statute, ordinance, code or rule and eliminate such information when it is no longer necessary to those functions.

(A) During the preparation of the annual notice of personal information system, or within three months after any change in the purpose of the system, the responsible individual shall review a random sampling of records to determine if personal information in the system is necessary for and relevant to the performance of lawful functions. Personal information which does not meet these requirements shall no longer be collected.

(B) When an existing personal information system is substantially enlarged or a new personal information system is established, the privacy officer shall examine:

(1) The function for which the personal information system is being enlarged or created to ensure that it is required or authorized by statute, ordinance, code or rule and

(2) The personal information to be collected and maintained to ensure that it is necessary and relevant to the function to be performed.

The privacy officer shall approve or disapprove the enlargement or establishment of a personal information system.

(C) Retention periods shall be established to ensure the deletion of personal information which is no longer necessary for or relevant to the performance of lawful functions. The establishment of retention periods shall conform to sections 121.21, 122.211, 121.212, and 149.34 of the Revised Code.

Rule 123-2-06 | Maintenance of personal information which is accurate, relevant, timely and complete.
 

(A) Employees who use a personal information system shall monitor the contents of the records and report to the privacy officer the existence of personal information which appears inaccurate, irrelevant, untimely or incomplete.

(B) The privacy officer shall keep a record of the reported incidence of error in each personal information system. If it appears the reported errors are characteristic of the system as a whole, the privacy officer shall establish procedures to correct existing records and record-keeping methods.

(C) In order to maintain personal information which is accurate, relevant, timely and complete, employees of the department shall:

(1) Verify the accuracy of personal information which does not appear reasonable or is doubtful, vague, or inconsistent.

(2) Correct inaccurate personal information.

(3) Limit the collection and maintenance of subjective personal information to only that information which is required to accomplish the purpose of the system and, when feasible, verify such information.

(4) When feasible, collect personal information from the data subject rather than a third-party source or verify with the data subject information provided by a third party.

(5) Not include in, or allow to remain in, a personal information system personal information known to be inaccurate, untimely, unnecessary, or irrelevant.

(6) Update personal information systems which provide an historical account or for which an outcome is anticipated.

(7) Make no determination based on personal information in a personal information system if the data is not complete.

Rule 123-2-07 | Notice to persons asked to supply personal information.
 

(A) Any person asked to supply personal information for a personal information system shall be advised whether he is legally required, or may refuse, to supply the information. A statement to this effect shall be provided with any written or verbal request for information and included on all forms.

(B) Any person asked to supply personal information that will be placed in an interconnected or combined system shall be provided with information relevant to the system, including the identity of the other agencies or organizations that have access to the personal information in the system.

(C) If personal information is requested from the same source on a continuous basis, the person may be advised, as required under paragraph (A) or (B) of this rule, one time, in writing, rather than prior to each request.

Rule 123-2-08 | Data subject's right to inspect personal information.
 

(A) Upon the request and proper identification of any person who is the subject of personal information in a personal information system, the department shall:

(1) Inform the person of any personal information in the system of which he is the subject;

(2) Except as provided in paragraph (C) or (D) of this rule, permit the person, his legal guardian, or an attorney with a signed written authorization made by the person to inspect all personal information in the system of which he is the subject; and

(3) Inform the person about the types of uses made of the personal information, including the identity of any users usually granted access to the system.

(B) Any person who wishes to exercise a right provided by this rule may be accompanied by another individual of his choice.

(C) Upon request, medical, psychiatric or psychological information shall be disclosed to the person who is the subject of the information or to his legal guardian, unless a physician, psychiatrist, or psychologist determines for the agency that the disclosure of the information is likely to have an adverse effect on the person, in which case the information shall be released to a physician, psychiatrist, or psychologist who is designated by the person or by his legal guardian.

(D) A person who is the subject of personal information in a personal information system, his legal guardian, or an attorney authorized by the person, does not have the right to inspect or have copied, or require the department to permit the inspection of or to copy, a confidential law enforcement investigatory record or trial preparation record as those terms are defined in divisions (A)(2) and (A)(4) of section 149.43 of the Revised Code.

(E) Upon the request of an individual who is authorized to inspect personal information, the department shall provide, at cost, copies of personal information he is authorized to inspect that is maintained in a personal information system by the department.

Rule 123-2-09 | Investigation of data subject's dispute of the accuracy, relevance, timeliness or completeness of personal information.
 

(A) If a person who is the subject of personal information in a personal information system maintained by the department disputes the accuracy, relevance, timeliness or completeness of the personal information, he may request the department to investigate the current status of the information.

(B) Requests to investigate personal information shall be made to the privacy officer or the individual who is responsible for the system.

(C) Within ninety days after receiving the request from the disputant, the department shall make a reasonable investigation to determine whether the disputed information is accurate, relevant, timely and complete and shall notify the disputant of the results of the investigation and of the action that the department plans to take with respect to the disputed information. The department shall delete any information that it cannot verify or that it finds to be inaccurate.

(D) If after the department's determination, the disputant is not satisfied, the department shall do either of the following:

(1) Permit the disputant to include within the system a brief statement of his position on the disputed information, or

(2) Permit the disputant to include within the system a notation that the disputant protests that the information is inaccurate, irrelevant, outdated, or incomplete. The agency shall maintain a copy of the disputant's statement of the dispute.

The department may limit the statement to not more than one hundred words if the department assists the disputant to write a clear summary of the dispute.

(E) The department shall include the statement or notation in any subsequent transfer, report, or dissemination of the disputed information and may include with the statement or notation of the disputant a statement by the department that it has reasonable grounds to believe that the dispute is frivolous or irrelevant and of the reasons for its belief.

(F) The presence of contradictory information in the person's file does not alone constitute reasonable grounds to believe that the dispute is frivolous or irrelevant.

(G) Following any deletion of information that is found to be inaccurate or the accuracy of which can no longer be verified, or if a statement of dispute was filed by the disputant, the department shall, at the written request of the disputant, furnish notification that the information has been deleted, or furnish a copy of the disputant's statement of the dispute, to any person specifically designated by the disputant. The department shall specifically disclose to the disputant that he has the right to make such a request.

Rule 123-2-10 | Participation in interconnected or combined systems.
 

(A) The department shall not place personal information in an interconnected or combined system, or use personal information that is placed in an interconnected or combined system by another state or local agency or another organization, unless the interconnected or combined system will contribute to the efficiency of the involved agencies in implementing programs that are authorized by law.

(B) The department shall not use personal information placed in an interconnected or combined system by another state or local agency or another organization, unless the personal information is necessary and relevant to the performance of a lawful function of the department.

(C) The participation in an interconnected or combined system or the use of personal information in an interconnected or combined system shall be approved by the privacy officer.

Rule 123-2-11 | Security precautions.
 

(A) The department shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure of personal information. In determining what is reasonable, consideration shall be given to the following:

(1) The nature and vulnerability of the personal information.

(2) The physical facilities where the personal information is maintained or used.

(3) The need for the feasibility of keeping personal information in a secure place, considering paragraphs (A)(1) and (A)(2) of this rule, the cost of providing a secure place and the need for access to the place where information is kept by personnel of the agency and the general public.

(B) The department shall adopt, implement and enforce a security plan for the protection of personal information. This plan shall include the following:

(1) A statement of the security precautions for each personal information system determined appropriate from the analysis conducted in accordance with paragraph (A) of this rule. When electronic data processing equipment is used the requirements of rule 123:3-1-06 of the Administrative Code shall be included in the statement of security precautions.

(2) A method of informing agency employees concerning appropriate and inappropriate uses, disclosure and access to the personal information, as well as penalties and sanctions, civil or criminal, for the unlawful use or disclosure of personal information and the failure to take reasonable precautions to protect the security of personal information.

(3) A method for reporting violations of the security plan to responsible officials or employees of the agency.

(4) A method for monitoring the effectiveness of the security plan.

A copy of the security plan shall be kept in the office of the privacy officer.

(C) The department may require a background investigation of any individual who has access to confidential personal information or to computer equipment used to process such information.

(D) The requirements of Chapter 1347. of the Revised Code and of rules 123:3-1-01 to 123:3-1-07 and 123:3-1-99 of the Administrative Code shall apply to personal information stored, processed, or disseminated under contract with the department by any contractor. Any such contract shall contain covenants that the contract will:

(1) Use the information only as specified in the contract;

(2) Not disclose information except with the express permission of the agency; and

(3) Protect the security of the information.

This paragraph shall apply only to contracts entered into after the effective date of rule 123:3-1-05 of the Administrative Code.

Rule 123-2-12 | Privacy instruction for department employees.
 

(A) Each division shall adopt written policies and procedures which inform employees of the applicable provisions of Chapter 1347. of the Revised Code and of all rules adopted in accordance with the chapter.

(B) The responsible individual shall inform each employee of the department who has responsibility for the operation or maintenance of the personal information system of the policies and procedures adopted in paragraph (A) of this rule and of the specific application of these policies and procedures to the personal information system.

Rule 123-2-13 | Disciplinary measures.
 

(A) Any employee who intentionally violates any provision of Chapter 1347. of the Revised Code or any rule adopted in accordance with this chapter shall be subject to disciplinary action. Disciplinary action shall be determined in accordance with section 124.34 of the Revised Code.

(B) Any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information shall be subject to suspension or possible removal. Disciplinary action shall be determined in accordance with section 124.34 of the Revised Code.
