Ohio Administrative Code (Last Updated: January 12, 2021)
5101:9 ODJFS Practices
Chapter 5101:9-9. Federal Tax Return Information Safeguarding Procedures
5101:9-9-38. County electronic data usage
(A) As used in this rule, "county family services agency" means a county department of job and family services, public children services agency, child support enforcement agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.
(B) The county family services agency shall not download, match, scrape or extract data, or data elements from any Ohio department of job and family services (ODJFS) system(s) where the data owner is the internal revenue service (IRS), social security administration (SSA) or other state or federal entity, without obtaining express written permission from the data owner, for the download, match, scrape or data extract. ODJFS can only authorize the download, scrape or extract of data where ODJFS is the data owner.
(C) Excluding the data and data elements described in paragraph (B) of this rule, the following are permissible uses of ODJFS systems including but not limited to SETS, Ohio Benefits, SACWIS, OWCMS, and CCIDS:
(1) A county family services agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties, but only if such job functions or duties are directly related to administration of programs overseen by ODJFS for which the county family services agency is responsible for administering on behalf of ODJFS. This includes utilizing data to fulfill federal or state program-related audit requirements, to the extent necessary and appropriate.
(2) A person or third party under contract with a county family services agency may download, match, scrape or extract data from an ODJFS system if:
(a) It is directly related to or required for administration of program(s) overseen by ODJFS, which the county family services agency is responsible for administering on behalf of ODJFS;
(b) The contract requires, at a minimum, that the contractor comply with the same confidentiality and data security provisions to which ODJFS and the county family services agency are subject; and,
(c) The county family services agency assumes full legal and financial responsibility, including for any litigation or adverse federal, state, or county audit findings resulting from the contractor's use, management, misuse or mismanagement of the data.
(d) Except as prohibited by law, nothing in paragraph (C)(2)(c) of this rule shall prevent the county family services agency from seeking and obtaining payment or other compensation or relief from its contractor, either as set forth in the county family services agency's contract with its contractor, or by way of legal, administrative, or other action.
(3) Any download, match, scrape or extraction of data under paragraph (C) of this rule shall be in compliance with data security requirements contained in rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.
(D) Except when specifically authorized by paragraph (C) of this rule, a county family services agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county family services agency shall utilize the following procedure:
(1) The director of the county family services agency or designee shall submit a data request, as outlined in ODJFS "Internal Policy and Procedure 3002 Data Stewardship and Managing Data Requests", to the ODJFS deputy director who is responsible for authorizing the use of the data. The county family services agency's request must identify:
(a) The specific data being sought;
(b) The business use of the data;
(c) The dates during which the data usage will be in effect;
(d) Why the data access through existing state supported reporting software does not address the county's needs;
(e) Any potential impact upon ODJFS systems;
(f) The technical details involved;
(g) Each entity that exercises control over the computer system, application, or data base to which the data will be migrated; and
(h) The data security controls that will be used by the county agency, including the completion of a "Privacy Impact Assessment" (PIA), as required by section 1347.15 of the Revised Code, when data is migrated to a computer system, data base or application not under the control of ODJFS.
(2) The authorizing ODJFS deputy director, in conjunction with the ODJFS chief legal counsel and ODJFS chief information officer, or their designees, will review the county family services agency request to determine the appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county family services agency explain the request and answer any questions from ODJFS, including but not limited to, technical, legal, programmatic or confidentiality issues.
(3) ODJFS will provide a tentative approval or disapproval within sixty days of the receipt of the county family services agency request, as well as ODJFS' receipt of any additional information it needs to make a tentative decision. Final approval does not occur until the supporting documentation, including the proposed "Data Sharing Agreement" (DSA) and completed PIA is reviewed by ODJFS and the authorizing deputy director notifies the county family services agency of the decision in writing.
(4) If the county family services agency data request is approved by ODJFS, the county family services agency must execute the DSA with any entity receiving and/or accessing the data. The DSA shall:
(a) Specify the dates during which the DSA will be in effect, which shall not be longer than two years, subject to renewal.
(b) Identify the data, business use(s) of the data, technical details, and the responsibility of the county family services agency to ensure that all federal and state data security and confidentiality requirements are met.
(c) Not be effective prior to the date that it is signed by both the county family services agency representative and any participating entity.
(5) If the county family services agency wants to change any provisions of the original request, including the business use of the data and/or the computer system, data base or application not under the control of ODJFS to which the data is being migrated, the county family services agency shall seek approval of the changes from ODJFS, following the requirements in paragraphs (D)(1) through (D)(4) of this rule. No changes are permitted until ODJFS approves the request.