120-3-05 Restricting and logging access to confidential personal information in computerized personal inforamtion systems.  

120-3-05                      Restricting   and   logging   access   to   confidential   personal information in computerized personal information systems.

(A)Access  restrictions.  Access  to  confidential  personal  information  that  is  kept electronically shall require a password or other authentication measure.

(B)Acquisition of a new computer system. When the agency acquires a new computer system that stores, manages, or contains confidential personal information, the agency shall include a mechanism for recording specific access by employees of the agency to confidential personal information in the system.

(C)Upgrading existing computer systems. When the agency modifies an existing computer system that stores, manages, or contains confidential personal information, the agency shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees of the agency to confidential personal information in the system.

(D)Logging  requirements  regarding  confidential  personal  information  in  existing computer systems.

(1)The agency shall require employees of the agency who access confidential personal information within computer systems to maintain a log that records that access.

(2)Access to confidential information is not required to be entered into the log under the following circumstances:

(a) The employee of the agency is accessing confidential  personal information for official agency purposes, including research, and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(b) The employee of the agency is accessing confidential  personal information for routine office procedures and the access is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(c) The employee of the agency comes into incidental contact with confidential personal information and the access of the information is not specifically directed toward a specifically named individual or a group of specifically named individuals.

(d)The employee of the agency accesses confidential personal information about an individual based upon a request made under either of the following circumstances:

(i) The individual requests confidential personal information about him

or herself.

(ii) The individual makes a request that the agency take some action on that individual's behalf and accessing the confidential personal information is required in order to consider or process that request.

(3) The agency may choose the form or forms of logging, whether in electronic or paper formats.

(E) Log management. The agency shall issue a policy that specifies who shall maintain the log, what information is to be captured in the log, how the log is to be stored, and how long information kept in the log is to be retained.

(F) Nothing in this rule limits the agency from requiring logging in any circumstance that it deems necessary.

Effective:                                                             12/01/2015

Five Year Review (FYR) Dates:                         12/01/2020

CERTIFIED ELECTRONICALLY

Certification

11/19/2015

Date

Promulgated Under:                           111.15

Statutory Authority:                           R.C. 120.03, R.C. 120.04

Rule Amplifies:                                  R.C. 1347.15