Can I use third-party collaboration tools that collect personal information in Ohio? What are the requirements?
Personal Information Systems in Ohio
Ohio has strict rules regarding the collection, storage, and use of personal information in computerized personal information systems. Third-party collaboration tools that collect personal information must comply with these rules.
According to OHAC Rule 3706-3-05, personal information systems that are computer systems and contain confidential personal information must restrict access to confidential personal information that is kept electronically and require a password or other authentication measure. The Ohio air quality development authority must also include a mechanism for recording specific access by employees of the Ohio air quality development authority to confidential personal information in the system.
OHAC Rule 4725-13-01 states that personal information systems maintained by the Ohio vision professionals board must restrict the collection, maintenance, and use of personal information to only that which is necessary and relevant to functions of the board as required or authorized by statute, ordinance, code, or rule. The board must also investigate disputes concerning the accuracy, relevance, timeliness, or completeness of personal information and take all reasonable precautions to protect personal information from unauthorized modification, destruction, use, or disclosure.
Requirements for Third-Party Collaboration Tools
Third-party collaboration tools that collect personal information in Ohio must comply with the requirements outlined in OHAC Rule 3706-3-05 and OHAC Rule 4725-13-01. These requirements include:
- Restricting access to confidential personal information that is kept electronically and requiring a password or other authentication measure.
- Recording specific access by employees to confidential personal information in the system.
- Restricting the collection, maintenance, and use of personal information to only that which is necessary and relevant to functions of the board as required or authorized by statute, ordinance, code, or rule.
- Investigating disputes concerning the accuracy, relevance, timeliness, or completeness of personal information.
- Taking all reasonable precautions to protect personal information from unauthorized modification, destruction, use, or disclosure.
Third-party collaboration tools must also comply with any additional requirements outlined in other relevant Ohio laws and regulations.
Procedures for Accessing Confidential Personal Information
OHAC Rule 3706-3-02 outlines procedures for accessing confidential personal information. Personal information systems of the Ohio air quality development authority are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of the Ohio air quality development authority to fulfill his/her job duties. The determination of access to confidential personal information shall be approved by the executive director or employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system. The Ohio air quality development authority shall establish procedures for determining a revision to an employee’s access to confidential personal information upon a change to that employee’s job duties including, but not limited to, transfer or termination. Whenever an employee’s job duties no longer require access to confidential personal information in a personal information system, the employee’s access to confidential personal information shall be removed.
Conclusion
Third-party collaboration tools that collect personal information in Ohio must comply with strict rules regarding the collection, storage, and use of personal information in computerized personal information systems. These tools must restrict access to confidential personal information, record specific access by employees to confidential personal information, restrict the collection, maintenance, and use of personal information, investigate disputes concerning the accuracy, relevance, timeliness, or completeness of personal information, and take all reasonable precautions to protect personal information from unauthorized modification, destruction, use, or disclosure. Additionally, procedures for accessing confidential personal information must be established and followed.
Jurisdiction
Ohio