5101:9-9-38 County electronic data usage.  

5101:9-9-38                 County electronic data usage.

(A)As used in this rule, "county agency" means a county department of job and family services, public children services agency, child support enforcement agency, workforce development agency, or other entity designated by a board of county commissioners in accordance with section 307.981 of the Revised Code.

(B)A county agency may download, match, scrape or extract data from an ODJFS system including but not limited to SETS, CRIS-E, SIS, SACWIS, SCOTI, ICMS, MAPS and MMIS if one of the following applies:

(1)A county agency employee may download, match, scrape or extract data from an ODJFS system to perform duties directly related to or required by his or her job functions or duties. Any such download, match, scrape or extraction of data shall be in compliance with data security requirements contained at rule 5101:9-9-37 of the Administrative Code and all other applicable federal and state confidentiality laws.

(2)A person under contract with a county agency may download, match, scrape or extract data from an ODJFS system if the deliverables set out in the contract are directly related to or required for administration of program (s) for which the county agency is responsible. The contract must contain appropriate confidentiality and data security language and the county agency must assume responsibility for the use and security of the data by the contractor. Recommended language for contract provisions related to confidentiality and data security requirements is available from the ODJFS Office of Contracts and Acquisitions.

(3)The county agency is providing data to a law enforcement agency, federal or state auditor or other entity as appropriate in accordance with a state or federal law requiring or permitting the county agency to provide data and the law requiring or permitting release is not in conflict with federal or state confidentiality laws, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA).

(C)Except when specifically authorized by division (B) of this rule, a county agency shall obtain the written approval of ODJFS prior to performing or authorizing any person or entity to perform any download, match, scraping or extraction of data from ODJFS systems that is migrated to a computer system, data base or application not under the control of ODJFS. To obtain approval from ODJFS, the county agency shall follow the following procedure:

(1)The county agency shall submit a written request to the ODJFS deputy director who is over the program that is related to the data. The county agency's request must specify the specific data, the business use of the data, why the data access through the Business Information Channel software (BIC) does not address the county needs, any potential impact upon ODJFS systems, the

technical details involved, the identification of each entity that exercises control over the computer system, application, or data base to which the data will be stored, and the data security controls that will be used by the county agency. The director of the county agency submitting the request shall sign the written request.

(2) If the ODJFS deputy director receiving the county agency request approves the county agency's proposed use of the data, the deputy director will promptly contact the deputy directors of MIS and Office of Legal Services at ODJFS. The three deputy directors or designees will review the county agency request to determine appropriateness, feasibility, and legality of the request. ODJFS may opt to have a representative from the requesting county agency attend a meeting, phone conference or videoconference to explain the request and answer any questions from ODJFS, including but not limited to, questions involving technical, legal, programmatic or confidentiality issues.

(3) If the three deputy directors approve the county agency request, the request will be forwarded to the ODJFS Office of Contracts and Acquistions for the preparation of a written Memorandum of Understanding (MOU) between directors of ODJFS and the county agency. The MOU shall specify the dates during which the MOU will be in effect which shall not be longer than two years, subject to renewal. The MOU shall identify the data business use(s) of the data, technical details, and the responsibility of the county agency to ensure that all federal and state data security and confidentiality requirements are met. The MOU shall not be effective prior to the date that it is signed by both directors.

(4) If the county agency wants to change any provisions of the MOU, including the business use of the data, the county agency shall seek amendment of the MOU. No changes are permitted until the MOU has been amended and signed by both directors.

(5) ODJFS will provide a tentative approval or disapproval within 60 days of the receipt of the county agency request. Final approval does not occur until the directors of ODJFS and the county agency sign the MOU.

Effective:                                12/01/2004

CERTIFIED ELECTRONICALLY

Certification

11/10/2004

Date

Promulgated Under:   111.15

Statutory Authority:   5101.02

Rule Amplifies:           5101.02