Can I store personal information about my customers in Ohio? What are the requirements?
Yes, you can store personal information about your customers in Ohio, but you must comply with the Ohio Administrative Code (OAC) rules regarding the protection of confidential personal information.
Requirements for Storing Personal Information in Ohio
OAC Rule 3706-3-05 requires that personal information systems that are computer systems and contain confidential personal information must restrict access to the information by requiring a password or other authentication measure. Additionally, any new computer system that stores, manages, or contains confidential personal information must include a mechanism for recording specific access by employees to confidential personal information in the system. If an existing computer system is modified, the Ohio air quality development authority must determine whether the modification constitutes an upgrade. Any upgrade to a computer system must include a mechanism for recording specific access by employees to confidential personal information in the system. Employees who access confidential personal information within computer systems must maintain a log that records that access. The Ohio air quality development authority must issue a policy that specifies who shall maintain the log, what information shall be captured in the log, how the log is to be stored, and how long information kept in the log is to be retained.
OAC Rule 991-9-01 regulates employee access to confidential personal information that OEC retains. Personal information systems of OEC are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of OEC to fulfill his or her job duties. The determination of access to confidential personal information shall be approved by the employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. OEC shall establish procedures for determining a revision to an employee’s access to confidential personal information upon a change to that employee’s job duties, including, but not limited to, transfer or termination. Whenever an employee’s job duties no longer require access to confidential personal information in a personal information system, the employee’s access to confidential personal information shall be removed.
OAC Rule 3706-3-02 establishes procedures for accessing confidential personal information. Personal information systems of the Ohio air quality development authority are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of the Ohio air quality development authority to fulfill his or her job duties. The determination of access to confidential personal information shall be approved by the executive director or the employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. The Ohio air quality development authority shall establish procedures for determining a revision to an employee’s access to confidential personal information upon a change to that employee’s job duties, including, but not limited to, transfer or termination. Whenever an employee’s job duties no longer require access to confidential personal information in a personal information system, the employee’s access to confidential personal information shall be removed.
Conclusion
In summary, you can store personal information about your customers in Ohio, but you must comply with the OAC rules regarding the protection of confidential personal information. You must restrict access to confidential personal information by requiring a password or other authentication measure, and you must maintain a log that records employee access to confidential personal information. Additionally, you must establish procedures for determining employee access to confidential personal information and remove access when it is no longer required. [1.2][3.1][4.1]
Source(s):
- [1.2] Procedures for accessing confidential personal information.
- [3.1] Confidential information.
- [4.1] Access to confidential personal information.
Jurisdiction
Ohio