Rule 5101:9-22-15 | Release of personal information held by the Ohio department of job and family services (ODJFS).
(1) "Personal information" means any information that describes anything about a person, or indicates action done by or to a person, or indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by a name, identifying number, symbol, or other identifier assigned to a person.
(a) Personal information includes, but is not limited to, the following:
(i) An individual's social security number, driver's license number, state identification number, state or federal tax identification number, financial account number, and credit or debit card number.
(ii) Identifying information about applicants for or recipients of ODJFS-administered benefits or services, including, but not limited to, their names, addresses, social security numbers, phone numbers, and social and economic status.
(iii) Information about ODJFS employees that does not meet the definition of "record" in section 149.011 of the Revised Code, which includes, but is not limited to, their home addresses, home or personal cell phone numbers, social security numbers, driver's license numbers, financial account numbers (especially personal identification numbers), and other non-work-related information.
(iv) Medical or health data about a particular person, including diagnosis and past history of disease or disability, past or current mental health status, and any reports or records pertaining to physical or mental health examinations status.
(b) As used in this rule, the term "personal information" excludes non-confidential and non-exempt (work-related) records about an individual that ODJFS or other public entities routinely make available to the general public, or ODJFS records that are required to be made available to the public pursuant to federal or state laws or regulations. An example is the public, work-related portion of an employee's personnel file. In addition, ODJFS staff assisting with responding to requests for aggregate data about applicants for, recipients of, and participants in ODJFS-administered or supervised programs, services, or benefits should review and comply with the masking requirement in Part VI, Section III of IPP 3002.
(2) "Records", per section 149.011 of the Revised Code, include any document, device, or item, regardless of physical form or characteristic, that is created or received by or coming under the jurisdiction of any public office of the state or its political subdivisions, which serves to document the organization, functions, policies, decisions, procedures, operations, or other activities of that office.
(3) "System" means any collection or group of related records that are kept in an organized manner, either manually or by any other method, and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System does not include collected archival records in the custody of or administered under the authority of the Ohio history connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.
(B) Release of any personal information that is maintained by ODJFS is governed by federal and state laws and regulations, including but not limited to the following:
(1) Section 149.43 of the Revised Code, which lists records that are exempt from treatment as public record, and which therefore need not be disclosed to the general public upon their request;
(2) Chapter 1347. of the Revised Code, which pertains to personal information systems, including the duties and obligations of state and local government agencies in the collection, maintenance, protection, use, modification, and release of personal information.
(3) Laws specific to programs administered or supervised by ODJFS, such as sections 5101.27, 4141.22, and 3125.50 of the Revised Code, which, along with corresponding rules and regulations, specify what applicant, recipient and participant-identifying information can be released, to whom it can be released, and under what circumstances it can be released.
(C) An individual will be designated as the chief privacy officer for ODJFS. The chief privacy officer is responsible for helping ensure that access to and use of ODJFSs personal information systems conforms with applicable confidentiality and privacy requirements, and that all necessary privacy impact assessments are performed. The chief privacy officer shall work with the chief information security officer on ODJFS's implementation of data security measures. Any unauthorized modification, destruction, use, disclosure, or breach of a personal information system must be reported to the chief privacy officer and chief inspector of ODJFS; and, if a system breach occurs or is believed to have occurred, it must also be reported to the chief information security officer of ODJFS.
(D) Any person authorized to access, maintain, or use a personal information system shall take reasonable precautions, including but not limited to role-based and job-specific security and privacy training offered or arranged by ODJFS to protect personal information in the system from unauthorized modification, destruction, use, or disclosure. In determining what is reasonable, consideration will be given to the following:
(1) The nature and vulnerability of the personal information.
(2) The physical facilities where the personal information is maintained or used.
(3) The requirements of federal and state law governing use of the personal information.
(4) Applicable ODJFS rules and policies.
(E) Disciplinary action, including, but not limited to, suspension or removal, may be brought against any employee who does the following:
(1) Intentionally violates any provision of Chapter 1347. of the Revised Code or other law related to the release of records or personal information.
(2) Initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information.
(3) Releases personal information in violation of state or federal law or refuses or fails to release information as provided by state or federal law.
(F) The office of legal and acquisition services acts as a clearinghouse for information and consultation related to requests for public records and personal information. Any employee of ODJFS who is unable to determine whether a record or information can be released, should consult with legal counsel regarding this determination.
Last updated March 24, 2022 at 8:26 AM