Can I share personal information about my customers with third parties in Ohio? What are the requirements?
Based on the information provided in the context documents, you cannot share personal information about your customers with third parties in Ohio unless you have obtained the individual’s signed written consent or unless it is otherwise authorized by law [Existing Response][3.1].
OHAC Rule 3706-3-02 and OHAC Rule 991-9-01 provide procedures for accessing confidential personal information. Personal information systems of the Ohio air quality development authority and OEC are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee to fulfill his/her job duties. The determination of access to confidential personal information shall be approved by the executive director or employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. The Ohio air quality development authority and OEC shall establish procedures for determining a revision to an employee’s access to confidential personal information upon a change to that employee’s job duties including, but not limited to, transfer or termination [Existing Response].
OHAC Rule 3706-3-05 provides procedures for restricting and logging access to confidential personal information in computerized personal information systems. For personal information systems that are computer systems and contain confidential personal information, the Ohio air quality development authority shall restrict access to confidential personal information that is kept electronically and require a password or other authentication measure. When the Ohio air quality development authority acquires a new computer system that stores, manages or contains confidential personal information, the Ohio air quality development authority shall include a mechanism for recording specific access by employees of the Ohio air quality development authority to confidential personal information in the system. When the Ohio air quality development authority modifies an existing computer system that stores, manages or contains confidential personal information, the Ohio air quality development authority shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees of the Ohio air quality development authority to confidential personal information in the system. The Ohio air quality development authority shall require employees of the Ohio air quality development authority who access confidential personal information within computer systems to maintain a log that records that access. Access to confidential information is not required to be entered into the log under certain circumstances [1.2].
Upon the signed written request of any individual for a list of confidential personal information about the individual maintained by the Ohio air quality development authority or OEC, the Ohio air quality development authority or OEC shall verify the identity of the individual by a method that provides safeguards commensurate with the risk associated with the confidential personal information. The Ohio air quality development authority or OEC shall provide to the individual the list of confidential personal information that does not relate to an investigation about the individual or is otherwise not excluded from the scope of section 1347.01 of the Revised Code. If all information relates to an investigation about that individual, the Ohio air quality development authority or OEC shall inform the individual that the Ohio air quality development authority or OEC has no confidential personal information about the individual that is responsive to the individual’s request [Existing Response].
Upon discovery or notification that confidential personal information of a person has been accessed by an employee for an invalid reason, the Ohio air quality development authority or OEC shall notify the person whose information was invalidly accessed as soon as practical and to the extent known at the time. However, the Ohio air quality development authority or OEC shall delay notification for a period of time necessary to ensure that the notification would not delay or impede an investigation or jeopardize homeland or national security. Additionally, the Ohio air quality development authority or OEC may delay the notification consistent with any measures necessary to determine the scope of the invalid access, including which individuals’ confidential personal information invalidly was accessed, and to restore the reasonable integrity of the system. Once the Ohio air quality development authority or OEC determines that notification would not delay or impede an investigation, the Ohio air quality development authority or OEC shall disclose the access to confidential personal information made for an invalid reason to the person [Existing Response].
Therefore, you should not share personal information about your customers with third parties in Ohio without obtaining the individual’s signed written consent or unless it is otherwise authorized by law. The Ohio air quality development authority and OEC have procedures covering access to confidential personal information, requests for a list of confidential personal information, and notice of invalid access [Existing Response][1.2][3.1].
Source(s):
- [1.2] Restricting and logging access to confidential personal information in computerized personal information systems.
- [3.1] Confidential information.
Jurisdiction: Ohio