Ohio Administrative Code Title 5913 - Personal Information Systems
Key Provisions of OAC Title 5913
1. Definitions (OAC § 5913-1-01)
This section provides essential definitions:
Access: Refers to copying, viewing, or otherwise perceiving personal information.
Confidential Personal Information (CPI): Personal data deemed confidential under federal or state laws, such as Social Security numbers or criminal records.
Computer System: A system that stores, maintains, or retrieves personal information using electronic data processing equipment.
Employee of the State Agency: Includes all individuals employed by a state agency, regardless of position.
Incidental Contact: Access to personal information that is secondary or tangential to the primary purpose of the activity.
2. Valid Reasons for Accessing CPI (OAC § 5913-1-04)
State agency employees may access CPI only for specific, authorized purposes, including:
Responding to public records requests.
Providing individuals with a list of CPI the agency maintains about them.
Administering constitutional, statutory, or administrative duties.
Complying with state or federal program requirements.
3. Confidentiality Statutes (OAC § 5913-1-05)
This rule identifies federal and state statutes that render personal information confidential, such as:
5 U.S.C. § 552a (Privacy Act of 1974).
Executive Order 13478 (Protection of Personal Identifying Information).
32 CFR Part 157 (Reduction of Use of Social Security Numbers).
Section 4776.04 of the Ohio Revised Code (Bureau of Criminal Investigation and Information criminal records check results).
4. Restricting and Logging Access to CPI in Computerized Systems (OAC § 5913-1-06)
Agencies must implement measures to control and monitor access to CPI:
Access Restrictions: Require passwords or other authentication methods for accessing CPI.
Acquisition of New Computer Systems: Ensure new systems include mechanisms to record employee access to CPI.
Upgrading Existing Systems: When modifying systems, determine if the change constitutes an upgrade and include access recording mechanisms.
Logging Requirements: Maintain logs of employee access to CPI, with exceptions for routine or incidental access.
Log Management: Establish policies detailing log maintenance, information captured, storage, and retention periods.
Case Law and Enforcement
While specific case law directly interpreting OAC Title 5913 is limited, the principles outlined in these regulations are supported by broader legal precedents concerning the protection of personal information. For instance, violations of confidentiality statutes identified in OAC § 5913-1-05 can lead to legal actions, including civil penalties and disciplinary measures against state employees. Additionally, breaches of access protocols as specified in OAC § 5913-1-06 may result in administrative sanctions, including termination of employment or legal consequences under Ohio's privacy laws.
Practical Implications
State agencies must adhere to these regulations to ensure the confidentiality and integrity of personal information. Employees are required to access CPI only for authorized purposes and must maintain accurate logs of such access. Agencies are also responsible for implementing appropriate security measures to protect CPI from unauthorized access.
Individuals concerned about the handling of their personal information by state agencies can request access to records under Ohio's public records laws and can seek legal remedies if they believe their information has been improperly accessed or disclosed.