Rule 5101:9-9-38 | County electronic data usage.

(A) As used in this rule, "county family services agency" means a county department of job and family services, child support enforcement agency, public children services agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.

(B) The county family services agency shall not download, match, scrape or extract data, or data elements from any Ohio department of job and family services (ODJFS) system(s) where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without obtaining express written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner. Any data marked or labeled as federal tax information (FTI) or marked or labeled as having originated from the IRS, SSA or other federal or state entity, will be presumed to have come from that federal or state entity, and will require review and approval of both ODJFS and the federal or state entity that is believed to own the data, before the county family services agency is permitted to download, match, scrape, or extract that data. If data is not clearly marked or labeled as federal or state-owned data, and it is unclear which entity owns the data, the county family services agency must notify ODJFS prior to conducting any download, match, scrape, or extract, so that ODJFS can ascertain the identity of the data owner and any applicable restrictions on access, use and redisclosure.

(C) Excluding the data and data elements described in paragraph (B) of this rule, and so long as the notification requirements in paragraph (C)(4) of this rule are met,the following are permissible uses of ODJFS systems including but not limited to SETS, Ohio benefits, and ARIES:

(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties, but only if such job functions or duties are directly related to administration of programs overseen by ODJFS for which the county family services agency is responsible for administering on behalf of ODJFS. This includes utilizing data to fulfill federal or state program-related audit requirements, to the extent necessary and appropriate.

(2) A person or third party under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if:

(a) It is directly related to or required for administration of program(s) overseen by ODJFS, which the county family services agency is responsible for administering on behalf of ODJFS;

(b) The contract requires, at a minimum, that the contractor comply with the same confidentiality and data security provisions to which ODJFS and the county family services agency are subject; and,

(c) The county family services agency assumes full legal and financial responsibility, including for any litigation or adverse federal, state, or county audit findings resulting from the contractor's use, management, misuse or mismanagement of the data.

(d) Except as prohibited by law, nothing in paragraph (C)(2)(c) of this rule shall prevent the county family services agency from seeking and obtaining payment or other compensation or relief from its contractor, either as set forth in the county family services agency's contract with its contractor, or by way of legal, administrative, or other action.

(3) Any download, match, scrape or extraction of data under paragraph (C) of this rule shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.

(4) In accordance with ODJFS "Internal Policy and Procedure 3002 (Data Governance and Analytics)," the county family services agency must notify ODJFS of any data that is stored in a county system that has been downloaded, scraped or extracted from an ODJFS system under paragraph (C) of this rule. To initiate the notification process, the county family services agency (CFSA) must send an email to the data request management system (DRMS) email at drms_admin@jfs.ohio.gov indicating that the CFSA wishes to notify ODJFS of a data request covered under paragraph (C) of rule 5101:9-9-38 of the Administratice Code. The CFSA will then receive a reply email with a link to the DRMS system, so that the CFSA can enter the following additional details about the request:

(a) A list of the data elements or fields of data that will be downloaded, scraped, or extracted;

(b) The name of the system, application, or tool from which data will be downloaded, scraped or extracted;

(c) The name of the county, local, or third party system, application, or tool to which data will be moved, transferred or stored;

(d) A statement signed by the county agency director, technical point of contact, or local security coordinator indicating that all state and federal privacy, security, and other requirements, including those specified in this rule, are being met, or will be met prior to the transfer of data to the county, local, or third party system, application, or tool. The statement should expressly reference rule 5101:9-9-38 of the Administrative Code.

(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall utilize the following procedure:

(1) The director of the county family services agency or designee shall submit a data request, as outlined in ODJFS "Internal Policy and Procedure 3002 (Data Goverance and Analytics)," to the ODJFS deputy director who is responsible for authorizing the use of the data. The county family services agency's request must identify:

(a) The specific data being sought;

(b) The business use of the data;

(c) The dates during which the data usage will be in effect;

(d) Why the data access through existing state supported reporting software does not address the county's needs;

(e) Any potential impact upon ODJFS systems;

(f) The technical details involved;

(g) Each entity that exercises control over the computer system, application, or data base to which the data will be migrated; and

(h) The data security controls that will be used by the county agency, including the completion of a "Privacy Impact Assessment" (PIA), as required by section 1347.15 of the Revised Code, when data is migrated to a computer system, data base or application not under the control of ODJFS.

(2) The authorizing ODJFS deputy director, in conjunction with the ODJFS chief legal counsel and ODJFS chief information officer, or their designees, will review the county family services agency request to determine the appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency explain the request and answer any questions from ODJFS, including but not limited to, technical, legal, programmatic or confidentiality issues.

(3) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request, as well as ODJFS' receipt of any additional information it needs to make a tentative decision. Final approval does not occur until the supporting documentation, including the proposed "Data Sharing Agreement" (DSA) and completed PIA is reviewed by ODJFS and the authorizing deputy director notifies the county family services agency of the decision in writing.

(4) If the county family services agency data request is approved by ODJFS, the county family services agency must execute the DSA with any entity receiving and/or accessing the data. The DSA shall:

(a) Specify the dates during which the DSA will be in effect, which shall not be longer than two years, subject to renewal.

(b) Identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met.

(c) Not be effective prior to the date that it is signed by both the county family services agency representative and any participating entity.

(5) If the county family services agency wants to change any provisions of the original request, including the business use of the data and/or the computer system, data base or application not under the control of ODJFS to which the data is being migrated, the county family services agency shall seek approval of the changes from ODJFS, following the requirements in paragraphs (D)(1) to (D)(4) of this rule. No changes are permitted until ODJFS approves the request.

(E) For any data downloaded, matched, scraped, or extracted under this rule, the county family services agency must also agree to:

(1) Have the county agency director, technical point of contact, or local security coordinator submit a signed statement to ODJFS one year after the statement described in paragraph (C)(4)(d) of this rule, and each year thereafter, indicating that all state and federal privacy, security, and other requirements, including those specified in this rule, are being met;

(2) Promptly notify ODJFS of any data exposures, breaches, or incidents, involving ODJFS data that was transferred to or stored in the county, local, or third party system, application, or tool; and

(3) Submit to ODJFS oversight, including regular audits, and to timely remedy any legal or regulatory non-compliance.