RC Chapter 1347 is the Ohio Personal Information Systems Act, which
is sometimes also referred to as the Ohio Privacy Act. This chapter regulates the
use of personal information maintained by state and local governments as well as
establishing an additional right of access to personal information (RC §1347.08)
by the person who is the subject of the information, the subject's guardian or an
attorney with written authorization from the subject. Therefore, this chapter must
be analyzed when a record is sought by a person who is the subject of the information,
the subject's guardian or an attorney with written authorization from the subject
but the document is not a "public record" pursuant to RC §149.43 of the
Revised Code. OAC rule 5101:9-22-15 is the ODJFS internal management rule
related to RC Chapter 1347, and IPP 8102 is ODJFS’ internal policy regarding requests
for information from personal information systems.
Personal information systems subject to RC Chapter 1347 are any collection
or group of related records kept in an organized manner manually or electronically
stored which contain information describing anything about a person or concerning
acts of a person or that indicate that a person possesses certain personal characteristics.
This information must have the capacity to be retrieved from the system by a name,
identifying number, symbol or other identifier assigned to a person. The state or
local agency must have ownership, control over, responsibility for, accountability
for, or be required by law to keep the information (see RC §1347.01).
RC §1347.04(A)(1) sets out exemptions to the provisions
of RC Chapter 1347. They include:
a.Any state or local
agency, or part of a state or local agency, that performs as its principal function
any activity relating to the enforcement of the criminal laws, including police
efforts to prevent, control, or reduce crime or to apprehend criminals;
b.The criminal courts;
c.Prosecutors;
d.Any state or local
agency or part thereof that is a correction, probation, pardon, or parole authority;
and
e.Personal information
systems that are comprised of investigatory material compiled for law enforcement
purposes by agencies that are not described in divisions (A)(1)(a) and (d) of this
section. A part of a state or local agency that does not perform, as its principal
function, an activity relating to the enforcement of the criminal laws is not exempt
under this section.
Section 1347.04 of the Revised Code also makes it clear at section
(B) that RC Chapter 1347 cannot be construed to prohibit the release of public records
required to be released by RC §149.43 nor will proper release of public records
pursuant to RC §149.43 be considered an improper use of personal information under
RC Chapter 1347.
Most county departments of job and family services, public children
services agencies, county child support enforcement agencies, workforce development
agencies, and one-stops retain client information that is not public record pursuant
to RC §149.43 (due to state and federal laws) and are part of personal information
systems pursuant to RC Chapter 1347, but do not fall within any of the exemptions
contained in RC §1347.04. RC §1347.08 gives rights to inspection of this information
to the person who is the subject of the personal information system, his/her guardian,
or an attorney with written permission from the subject. Any person who wishes to
exercise a right provided by this section may be accompanied by another individual
of his choice. RC §1347.08(D) allows each state and local agency to establish
reasonable fees for the service of copying records pursuant to the statute. Limitations
on this right to inspection include:
1.Medical,
Psychiatric or Psychological Information - A physician, psychiatrist or psychologist
may determine for the agency that disclosure of the information is likely to have
an adverse effect on the person who is the subject of the information. If this is
the case, the information must be released to a physician, psychiatrist or psychologist
designated by the subject of the information in question (see RC §1347.08(C)(1)).
Upon the signed written request of either a licensed attorney at
law or a licensed physician designated by the inmate, together with the signed written
request of an inmate of a correctional institution under the administration of the
department of rehabilitation and correction, the department shall disclose medical
information to the designated attorney or physician as provided in division (C)
of RC §5120.21.
(See RC
§1347.08(C)(2))
2.Confidential
Law Enforcement Investigation Records - The same definition as contained
in RC §149.43. (See Part I of this memorandum & RC §1347.08(E)(2))
3.Trial
Preparation Records - The same records as covered under RC §149.43. (See
Part I of this memorandum & RC §1347.08(E)(2))
4.Contents
of Certain Adoption Files Maintained by the Ohio Department
of Health - This exemption refers to contents of adoption files maintained
by the department of health pursuant to RC §§3705.12to 3705.124. (See RC §1347.08(F)(1))
5.Information
contained in the Putative Father Registry established by
RC §3107.062,
regardless of whether the information is held by ODJFS or, pursuant to RC §3111.69,
the ODJFS Office of Child Support or a County CSEA. (See RC §1347.08(F)(2))
6.Other
Adoption Records - Adoption records covered by RC §3107.17
and §3107.52(A). (See RC §1347.08(F)(3) and (F)(4))
7.Records
Related to Investigations of Complaints about Nursing Homes and Residential
Care Facilities maintained by the Ohio Department of Health (namely, info
identifying patients, complainants and witnesses) are confidential, pursuant to
RC §3721.031(A)(1)
through (C), and can only be released pursuant to court order, written permission
of the complainant or for administrative purposes. (See RC §1347.08(F)(5))
8.Records of Investigations of Long-Term Care Facilities or Residential
Care Facilities by the Ohio Department of Health - may be expunged/destroyed
when the alleged abuse/neglect or misappropriation of property of the resident is
unsubstantiated (RC §3721.23(D)(1)); and any
Information that would Identify, or tend to disclose the Identity of,
Individuals who Report or Provide Information regarding suspected abuse,
neglect, or exploitation of a resident, or misappropriation of the resident’s
property to the facility or the Dept. of Health - is prohibited from disclosure,
except for purposes of investigation and administration, and as required by law
(§3721.25(A)(1)).
(See RC
§1347.08(F)(6) and (F)(7))
9.Identities
and Records of Nursing Facility residents, those who file Complaints against
Nursing facilities, and those who provide Information about Nursing facilities
- cannot be released by ODJFS pursuant to RC §5165.88(A)(1)). (See RC §1347.08(F)(8))
10.Test
materials, examination, or evaluation tools used in an examination for
licensure as a nursing home administrator that the board of executives of
long-term services administers under RC §4751.15 or contracts under that section
with a private or government entity to administer. (See RC §1347.08(F)(9))
11.Statewide
Automated Child Welfare Information System (SACWIS) data (See RC
§1347.08(F)(10)).
12.Statewide
Automated Adult Protective Services Information System (SAAPSIS) data (See RC
1347.08(F)(11)).
Each state and local agency may establish reasonable fees for the
service of copying, upon request, personal information that is maintained by the
agency and required to be provided under the statute.
In reviewing RC §149.43 and RC Chapter 1347, with respect to accessibility
of records by members of the public, Ohio law recognizes four distinct classes of
records:
1.Records
pertaining to confidential law enforcement investigations and trial preparation
are not subject to release under RC §149.43 or RC §1347.08 but may be released at
the discretion of the agency that has the records. However, release of the records
through this discretion, in some cases, may result in a waiver of the confidentiality
of the records;
2.Records
pertaining to adoptions, some medical, psychiatric or psychological information,
certain records containing information related to long term care residents, and
child abuse and/or neglect records under RC §2151.421 are not subject to disclosure
to the public at large pursuant to RC §149.43 or to the person who is the subject
of the information pursuant to RC §1347.08. Specific statutes or rules set out under
what circumstances these records may be released.
3.Records
that fit within the exceptions in RC §149.43 but are subject to the provisions of
RC §1347.08. Release of these records to the general public cannot be enforced through
mandamus actions under RC §149.43(C) but the state or local governmental agency
may choose to release the records at their discretion, unless release of the records
is specifically prohibited by some other Ohio or federal law. However, the information
must be released upon request to the subject of the information, the subject's legal
guardian, or an attorney with written permission from the subject; and
4."Public
records" which must, upon request, be disclosed to any member of the public
who need not express or disclose a reason why the inspection is being requested.
ODJFS Employee Access to Confidential Personal
Information
RC §1347.15 requires each state agency (this statute does
NOT apply to county agencies or their employees) to adopt rules under RC Chapter
119, regulating access to the "confidential personal information" (CPI)
the agency keeps, whether electronically or on paper.
The law requires ODJFS and other state agencies that collect and
maintain CPI to adopt one or more rules containing:
(1)criteria for determining
which state employees may access, and which supervisory employees may authorize
an employee to access, CPI;
In general, any access to information about recipients of ODJFS benefits
or services, or about ODJFS employees, that is collected and maintained on ODJFS
or state computer systems is strictly limited to those purposes authorized by ODJFS,
and as directly related to the system user's official job duties and work assignments
for, and on behalf of, ODJFS and/or a federal oversight agency (from IPP 3922 and
JFS 7078).
(2)a list of valid
reasons for accessing CPI that is directly related to the state agency's exercise
of its powers & duties;
(3)a procedure for
notifying any person whose CPI has been accessed for an invalid reason;
(4)references to any
applicable federal/state confidentiality laws and rules that apply to that state
agency's records (e.g., RC §§5101.27 and 4141.21-see Part III of this manual for
detailed list);
(5)a procedure for
providing an individual with his/her own CPI upon written request from the individual
(see provisions above in this part of the manual, as well as IPP 8102);
(6)a provision that
(a)any computer system
that the state agency acquires or upgrades, include a mechanism for recording state
employee access to CPI; or that
(b)state employee access
to CPI be manually logged, until such new or upgraded computer systems are put in
place that allow for automated logging;
Exceptions to manual logging are:
(i)when the subject
of the CPI asks for his/her own CPI
(ii)general research
not aimed at individual CPI, but which results in identification of individuals
and their CPI.
(7)a requirement that
each state agency designate a 'data privacy point of contact' to work with the Office
of Information Technology's (OIT's) chief privacy officer, to:
(a)ensure that CPI
is protected;
(b)ensure compliance
with RC §1347.15 and any related rules, and
(c)complete a privacy
impact assessment, using the form created and posted by OIT; &
(8)a requirement that
electronically-maintained CPI be password protected.
Ohio Administrative Code Rule 5101:9-22-16, "Employee Access to
Confidential Personal Information," and Internal Policy and Procedure (IPP)
3925, "ODJFS Data Access Policy," incorporate and implement the RC 1347.15
requirements listed above.