Can I ignore my obligations as a service provider with access to personal information in Ohio? What are the requirements?

Obligations as a Service Provider with Access to Personal Information in Ohio

As a service provider with access to personal information in Ohio, you cannot ignore your obligations. The Ohio Administrative Code (OHAC) Rule 122-6-01 outlines the procedures for accessing confidential personal information, while OHAC Rule 5501-4-05 and OHAC Rule 120-3-05 specify the requirements for restricting and logging access to confidential personal information in computerized personal information systems.

According to OHAC Rule 122-6-01, personal information systems of the agency are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of the agency to fulfill his/her job duties. The determination of access to confidential personal information shall be approved by the employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. The agency shall establish procedures for determining a revision to an employee’s access to confidential personal information upon a change to that employee’s job duties including, but not limited to, transfer or termination. Whenever an employee’s job duties no longer require access to confidential personal information in a personal information system, the employee’s access to confidential personal information shall be removed.

Moreover, OHAC Rule 5501-4-05 and OHAC Rule 120-3-05 require that access to confidential personal information that is kept electronically shall require a password or other authentication measure. When the department acquires a new computer system that stores, manages or contains confidential personal information, the department shall include a mechanism for recording specific access by employees of the department to confidential personal information in the system. When the department modifies an existing computer system that stores, manages or contains confidential personal information, the department shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees of the department to confidential personal information in the system. The agency shall require employees of the agency who access confidential personal information within computer systems to maintain a log that records that access. The agency may choose the form or forms of logging, whether in electronic or paper formats. The agency shall issue a policy that specifies who shall maintain the log, what information is to be captured in the log, how the log is to be stored, and how long information kept in the log is to be retained.

Therefore, as a service provider with access to personal information in Ohio, you must comply with these rules and ensure that you have appropriate procedures in place to restrict and log access to confidential personal information. Failure to comply with these rules may result in legal consequences.

^{[1.1][3.1][4.1][5.1]}

Source(s):

• [1.1] Access to confidential personal information.
• [3.1] Restricting and logging access to confidential personal information in computerized personal information systems.
• [4.1] Restricting and logging access to confidential personal information in computerized personal information systems.
• [5.1] Restricting and logging access to confidential personal information in computerized personal information systems.

Jurisdiction

Ohio

• Privacy