CONFIDENTIAL PERSONAL INFORMATION – Policy 312
The TOS remains committed to ensuring the privacy and security of information of Ohio’s citizens that is stored within the agency data systems. This policy was created in accordance with OAC Chapter 113-25. This policy implements procedures and practices that safeguard Ohio’s citizens’ personal information.
Confidential personal information (CPI) is specific identification information exclusively assigned to an individual including, but not limited to, driver’s license, SSN, bank account or credit card number, and license plate number. This policy applies to all data systems maintained by the TOS containing CPI and employees requiring access to data systems containing CPI. ORC § 1347.15 requires the TOS and all other state agencies to treat certain personal information as confidential, and to limit employee access to such personal information.
Data Privacy Point of Contact
The TOS Deputy Legal Counsel shall serve as the data privacy point of contact (DPPOC) to work with the State Chief Privacy Officer to ensure that CPI is properly protected and in compliance with State of Ohio laws and statutes regarding CPI.
Collection of Confidential Personal Information
The basis of collection of CPI will be directly related to specific and legitimate objectives of TOS operations.
Confidential Personal Information Documentation
- Privacy Threshold Analysis: The TOS DPPOC shall maintain documentation for each data system to identify CPI in a given information system known as a Privacy Threshold Analysis (PTA). This document is based on a standard template provided by the DAS Office of Information Technology (OIT). If the data system is found to contain CPI, then a Privacy Impact Assessment (PIA) must also be completed.
- Privacy Impact Assessment: The purpose of a PIA is to determine the privacy implications of collecting CPI. This document is based on a standard template provided by OIT
Data System Access Criteria
Personal information systems of the TOS are managed on a “need to know” basis whereby the information owner determines the level of access required for an employee to fulfill his/her job duties. The determination of access to CPI shall be approved by the employee’s supervisor and information owner prior to providing the employee with access to CPI. The DPPOC shall have a list of all people authorized to access CPI. An employee’s entitlement to access CPI shall be reviewed upon the transfer or termination of his/her position.
Data System Access Documentation
All CPI owned by the TOS that is stored electronically will require username and password verification for access.
- System access: All computer data systems containing CPI shall maintain a historical record each time a user logs on including computer identification number, login username, network login name, and time and date of login.
- Specific file(s) access: When CPI belonging to a specific individual is accessed, the computer data system shall maintain a historical record each time a user views or updates any CPI including the identification number of the individual whose CPI is accessed, reason for the access, computer identification number, login username, network login name, and time and date of access.
- CPI shall not be stored on removable media devices unless required to support TOS functions and approved by the DPPOC. All employees approved to save CPI on a removable media device shall be assigned an encrypted device for this purpose.
When CPI is not maintained electronically, access to CPI shall be manually recorded using the Department Log of Access of Confidential Personal Information. The following information is required on the log: name of the TOS employee accessing CPI, name of the person whose CPI was accessed, and the time and date. The TOS employee accessing CPI must also initial an acknowledgment that the information on the log is true and complete and that said employee has accessed CPI only for purposes relating to his/her job duties or his/her agency’s governmental function. The log shall be sent monthly to the DPPOC and maintained in that department. The information in the log shall be retained for seven (7) years in accordance with the TOS Records Retention Policy 412.
Data System Upgrade
Any upgrades performed on an existing TOS computer system that stores, manages, or contains CPI will include a mechanism for recording specific access by TOS employees to CPI in the system.
A poster summarizing the policies with respect to accessing CPI is posted in common areas occupied by TOS employees.
The TOS is obligated to inform any individual whose CPI has been accessed for an invalid reason. If CPI is accessed for an invalid reason, TOS management will evaluate the situation and notify the person whose CPI was accessed invalidly as soon as practical, and to the extent known at the time.
TOS employees entitled to access CPI are required to receive training. This training shall be conducted by the DPPOC, and shall include comprehension of ORC § 1347.15, as well as OAC Chapter 113-25, and any future regulations regarding CPI. Those trained employees will be expected to retain all information relating to the responsibilities of having access to CPI and be held accountable for following TOS procedures regarding CPI. Any new employees who will be entitled to access CPI must undergo training before access to CPI is granted.
Once CPI training is completed, all employees with access to CPI shall receive copies of the TOS CPI Policies and the relevant laws and regulations pertaining to CPI access. Upon receipt, employees must sign an acknowledgement that they have received and understood those materials.
Any TOS employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. All CPI trained employees will be aware of the potential consequences for improperly accessing and/or disseminating CPI.
No collective bargaining agreement entered into on or after April 7, 2009 shall prohibit disciplinary action against or the termination of a TOS employee who is found to have accessed, disclosed, or used CPI in violation of this policy.
An individual, whether a party regulated by the TOS or otherwise, has the right to inquire whether the TOS has CPI relating to said individual. Any individual who wishes to inquire if the TOS has CPI about himself/herself should submit such inquiry by mail, fax, or email. The TOS shall send a complete response to such an inquiry in accordance with the laws, rules, and regulations governing public records requests and CPI.