Privacy builds trust. Ohio’s state agencies have an opportunity to build trust with the public they serve by proactively identifying privacy risks and implementing privacy protections. Conversely, ignoring privacy presents a risk of significant loss of trust.
As state agencies carry out their work under Ohio law, they collect, use, and maintain a wide variety of personal information. Because those agencies are the collectors, holders and users of personal information, they are responsible for implementing appropriate privacy protections.
The enterprise privacy program advises agencies on assessing the risks and effects of collecting, using, and maintaining personal information. The program advises agencies on adopting privacy protection processes designed to mitigate potential risks to privacy.
Requirements for Personal Information Systems
Ohio Revised Code 1347, with the exception of ORC 1347.15, outlines the duties of state and local entities maintaining personal information systems, acceptable use of personal information, rights of persons who are the subjects of personal information, and breach notification.
Rules on Accessing Confidential Personal Information
ORC Section 1347.15 requires that certain state agencies put in place rules governing access and monitoring of access to confidential personal information. It should be read in the context of ORC 1347. The following documents have been developed to assist agencies in implementation of this section:
- Personal Information Systems Definitions – Rule 123:3-2-01 of the Ohio Administrative Code
- Model Rules Template (.doc)
- The Ohio Privacy Policies Framework PDF contains the templates below (provided in MS Word format for customization and use by agencies):
Privacy Impact Assessments
To ensure privacy is considered, state agencies are required to create privacy impact statements in accordance with Section 125.18 and Section 1347.15 of the Ohio Revised Code.
About the Enterprise Privacy Program
Ohio Revised Code Section 125.18 “Office of Information Technology” assigns privacy functions to the Department of Administrative Services and Office of Information Technology:
(B)(4) Establish policies and procedures for the security of personal information that is maintained and destroyed by state agencies;
(B)(6) Employ a chief privacy officer who is responsible for advising state agencies when establishing policies and procedures for the security of personal information and developing education and training programs regarding the state’s security procedures.
(C)(2) Prior to the implementation of any information technology data system, a state agency shall prepare or have prepared a privacy impact statement for that system.
Section 1347.15 of the Ohio Revised Code requires the Chief Privacy Officer to assist state agencies in their efforts to ensure that confidential personal information is properly protected and to comply with Ohio law and related administrative rules. The statute also requires the DAS Office of Information Technology to post a privacy impact assessment to help agencies:
- comply with their related administrative rules,
- assess the risks and effects of collecting, maintaining, and disseminating confidential personal information, and
- adopt privacy protection processes designed to mitigate potential risks to privacy.
Chapter 1347, in general, establishes requirements for state agencies in managing personal information systems and gives the director of DAS authority to adopt rules to enforce the chapter.