Can I use third-party customer service tools that collect personal information in Ohio? What are the requirements?
Third-Party Customer Service Tools and Personal Information Collection in Ohio
If you are using third-party customer service tools that collect personal information in Ohio, you must ensure that you comply with the relevant regulations.
The Ohio Administrative Code (OAC) contains rules that regulate access to confidential personal information [3.1]. These rules apply to personal information systems, whether manual or computer systems, that contain confidential personal information.
Accessing Confidential Personal Information
According to OAC Rule 991-9-01, personal information systems of the Ohio Expositions Commission (OEC) are managed on a “need-to-know” basis whereby the information owner determines the level of access required for an employee of OEC to fulfill his or her job duties [3.1]. The determination of access to confidential personal information shall be approved by the employee’s supervisor and the information owner prior to providing the employee with access to confidential personal information within a personal information system.
Restricting and Logging Access to Confidential Personal Information in Computerized Personal Information Systems
Access to confidential personal information that is kept electronically shall require a password or other authentication measure [6.1]. When the agency acquires a new computer system that stores, manages, or contains confidential personal information, the agency shall include a mechanism for recording specific access by employees of the agency to confidential personal information in the system [6.1].
Location Tools
Ohio Administrative Code Rule 5101:12-20-05.1 requires that the child support enforcement agency (CSEA) shall interact with the support enforcement tracking system (SETS) to perform all location functions when those location functions are available in SETS [2.1].
Valid Reasons for Accessing Confidential Personal Information
Ohio Administrative Code Rule 4501-55-03 contains a list of valid reasons, directly related to the “Department’s” exercise of its powers or duties, for which only employees of the “Department” may access confidential personal information (CPI) regardless of whether the personal information system is a manual system or computer system [5.1].
Conclusion
Based on the available information, it is important to ensure that any third-party customer service tools you use comply with the relevant regulations in Ohio. You must ensure that access to confidential personal information is restricted and logged, and that any new computer systems that store, manage, or contain confidential personal information include a mechanism for recording specific access by employees of the agency to confidential personal information in the system.
Therefore, it is recommended that you consult with a legal professional to ensure that you are in compliance with all relevant regulations.
Source(s):
- [2.1] Location tools.
- [3.1] Accessing Confidential Personal Information.
- [5.1] Valid reasons for accessing confidential personal information.
- [6.1] Restricting and logging access to confidential personal information in computerized personal information systems.
Jurisdiction
Ohio