To amend section 1347.99 and to enact sections 1347.15 and 5703.211 of the Revised Code to require state agencies to adopt rules governing access to the confidential personal information that they keep, to create a civil action for harm resulting from an intentional violation of these rules, to impose a criminal penalty for such an intentional violation, and to require the Department of Taxation to adopt rules to require the tracking of searches of any of the Department's databases.

Section 1. That section 1347.99 be amended and sections 1347.15 and 5703.211 of the Revised Code be enacted to read as follows:

Sec. 1347.15. (A) As used in this section, "confidential personal information" means personal information that is not a public record for purposes of section 149.43 of the Revised Code.

(B) Each state agency shall adopt rules under Chapter 119. of the Revised Code regulating access to the confidential personal information the agency keeps. The rules shall include all the following:

(1) Criteria for determining which employees of the state agency may access, and which supervisory employees of the state agency may authorize those employees to access, confidential personal information;

(2) A list of the valid reasons, directly related to the state agency's exercise of its powers or duties, for which only employees of the state agency may access confidential personal information;

(3) References to the applicable federal or state statutes or administrative rules that make the confidential personal information confidential;

(4) A procedure that requires the state agency to record each specific access by employees of the state agency to confidential personal information;

(5) A procedure that requires the state agency to comply with a written request from an individual for a list of confidential personal information about the individual that the state agency keeps;

(6) A procedure that requires the state agency to notify each person whose confidential personal information has been accessed for an invalid reason by employees of the state agency of that specific access;

(7) A requirement that the director of each state agency designate an employee of the state agency to serve as the data privacy point of contact within that state agency to work with the chief privacy officer within the office of information technology to ensure that confidential personal information is properly protected and that the state agency complies with this section and rules adopted thereunder;

(8) A requirement that the data privacy point of contact for the state agency complete a privacy impact assessment form which the office of information technology shall develop and post on its internet web site by the first day of December of each year. The form shall assist each state agency in complying with the rules adopted under this section, in assessing the risks and effects of collecting, maintaining, and disseminating confidential personal information, and in adopting privacy protection processes designed to mitigate potential risks to privacy; and

(9) A requirement that a password be used to access confidential personal information.

(C) Each state agency shall establish a training program for all employees of the state agency described in division (B)(1) of this section so that these employees are made aware of all applicable statutes, rules, and policies governing their access to confidential personal information;

(D) Each state agency shall distribute the policies included in the rules adopted under division (B) of this section to each employee of the agency described in division (B)(1) of this section and shall require that the employee acknowledge receipt of the copy of the policies. The state agency shall create a poster that describes these policies and post it in a conspicuous place in the main office of the state agency and in all locations where the state agency has branch offices. The state agency shall post the policies on the internet web site of the agency if it maintains such an internet web site. A state agency that has established a manual or handbook of its general policies and procedures shall include these policies in the manual or handbook.

(E) No collective bargaining agreement entered into under Chapter 4117. of the Revised Code on or after the effective date of this section shall prohibit disciplinary action against or termination of an employee of a state agency who is found to have accessed, disclosed, or used personal confidential information in violation of a rule adopted under division (B) of this section or as otherwise prohibited by law.

(F) The auditor of state shall review the procedures and policies included in a rule adopted under division (B) of this section, shall ensure compliance with this section, and may include citations or recommendations relating to this section in any audit report issued under section 117.11 of the Revised Code.

(G) A person who is harmed by an intentional violation of a rule of a state agency described in division (B) of this section has a cause of action to recover damages and attorney's fees from any person who directly and proximately caused the harm. The action may be commenced in the county where the violation occurred, in the county where the person bringing the action resides, or in Franklin county.

(H)(1) No person shall purposely access confidential personal information in violation of a rule of a state agency described in division (B) of this section.

(2) No person shall purposely use or disclose confidential personal information in a manner prohibited by law.

(3) A state agency shall terminate the employment of an employee of the state agency who is in the unclassified civil service and who the state agency determines has violated division (H)(1) or (2) of this section.

Sec. 1347.99. (A) No public official, public employee, or other person who maintains, or is employed by a person who maintains, a personal information system for a state or local agency shall purposely refuse to comply with division (E), (F), (G), or (H) of section 1347.05, section 1347.071, division (A), (B), or (C) of section 1347.08, or division (A) or (C) of section 1347.09 of the Revised Code. Whoever violates this section is guilty of a minor misdemeanor.

(B) Whoever violates division (H)(1) or (2) of section 1347.15 of the Revised Code is guilty of a misdemeanor of the first degree.

Sec. 5703.211. The director of taxation shall adopt rules under Chapter 119. of the Revised Code that require that any search of any of the databases of the department of taxation be tracked so that administrators of the database or investigators can identify each account holder who conducted a search of the database.

Section 2. That existing section 1347.99 of the Revised Code is hereby repealed.