Appendix B: Internal Policy & Procedure 8102 - Requests for Public Records
IPP.8102 Requests For Information From Personal Information Systems
IPPMTL 0352
February 1, 2018 - Revised
February 14, 2003 - Original

I.          PURPOSE/REASON:

To inform Ohio Department of Job and Family Services (ODJFS) employees/work units of the standards covering the release of personal information.

II.         REFERENCE/AUTHORITY:

A.        REFERENCES

Note:   ORC references can be accessed at LAWriter's Ohio Revised Code (http://codes.ohio.gov/) website.

1.         ODJFS IPP 8101

2.         ODJFS IPP 3925

3.         ORC 149.43

4.         ORC 5101.02

5.         ORC Chapter 1347

6.         OAC 5101:9-22-15 and 5101:9-22-16

B.        AUTHORITY

1.         This policy is established by order of the Director, ODJFS, hereinafter referred to as Director.

2.         Per ORC 5101.02, all duties conferred on the various work units of the department by law or by order of the Director shall be performed under such rules as the Director prescribes and shall be under the Director’s control.

III.        SUPERSEDES:

ODJFS IPP 8102 dated January 25, 2011

IV.       SCOPE:

Personal information systems maintained by ODJFS about specific individuals may contain information that is not public record. This information is accessible to the subject of the information, as well as to his/her guardian, authorized representative, and own attorney if the attorney has written permission from the subject of the information, unless the information falls within an exemption or exception contained in ORC Chapter 1347.

V.        DEFINITIONS:

A.        PERSONAL INFORMATION and PERSONALLY IDENTIFIABLE INFORMATION: Any information describing anything about a person, indicating actions done by or to a person, or indicating a person’s personal characteristics which can be retrieved from a system by a name, identifying number, symbol, or other identifier assigned to a person.

1.         Personal information held by ODJFS also includes but is not limited to:

a.         Information or records identifying an individual as an applicant for or a recipient of services or benefits administered or overseen by ODJFS, along with any other information or records maintained in ODJFS’s client databases or in ODJFS’s electronic or paper case files pertaining to the individual, such as the amounts and time periods that benefits or services were applied for, received, or denied.

b.         Identifying information about applicants for or recipients of ODJFS-administered benefits or services, including but not limited to their names, addresses, social security numbers, phone numbers, e-mail addresses, and social and economic status.

c.         Information about ODJFS employees that does not meet the ORC 149.011 definition of “record”, which includes, but is not limited to, their home addresses, home/personal cell phone numbers, social security numbers, driver’s license numbers, financial account numbers (especially personal identification numbers), personal e-mail addresses, and other non-work-related information.

d.         Medical/health data about a particular person, including diagnosis and past history of disease or disability, past/current mental health status, and any reports/records pertaining to physical/mental/health examinations/status.

2.         Personal information does not include non-confidential or non-exempt (work-related) information about an individual that ODJFS or other public entities make routinely available to the general public, or ODJFS records that are required to be made available to the public pursuant to federal/state laws or regulations.

B.        SYSTEM: Any collection or group of related records that are maintained by ODJFS in an organized manner, either manually or by any other means, from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. System does not include collected archival records in the custody of or administered under the authority of Ohio History Connection, published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person.

C.        USE OF PERSONAL INFORMATION: Any action which causes personal information in a personal information system to be referenced, processed, or disseminated. The disclosure of personal information is a use of personal information.

D.        CHIEF PRIVACY OFFICER: The person designated by ODJFS as being responsible for the personal information systems the agency maintains, including ODJFS’s implementation of data security measures and monitoring ODJFS compliance with ORC 1347 and OAC 5101:9-22-15. Any unauthorized modification, destruction, use, disclosure or breach of a personal information system must be reported to the chief privacy officer.

E.        RECORDS MANAGERS/LIAISONS: The designated person within each office/bureau in ODJFS who is assigned the responsibility of coordinating the response to records requests that are received by that office/bureau, and for helping to gather/review/redact records that are maintained by that office, in response to records requests.

F.         PERSON: As used in this IPP, “person” means an individual and does not include corporations, partnerships, or other types of business entities.

G.        MAINTAINS: Means ODJFS ownership, control over, responsibility for, or accountability for systems and includes, but is not limited to, the depositing of information with a data processing center for storage, processing, or dissemination. ODJFS maintains all systems of records which are mandated by law to be kept.

VI.       POLICY/PROCEDURES:

A.        RECEIPT OF REQUEST FOR PERSONAL RECORDS & ROLE OF RECORDS MANAGERS

1.         The individual from each ODJFS office or bureau that is designated by that office as the records manager/liaison shall coordinate the response to any request for personal information that the office/bureau receives.

2.         The records manager/liaison must ensure that the identity of the person seeking personal information is verified and must also verify that the person seeking personal information is actually entitled to it (i.e., that he/she is the subject of the CPI, or his/her attorney, guardian or authorized representative, or that disclosure of the information is essential for program administration). Each office/bureau must determine the types of verification or documentation that will be required, commensurate with the risk level associated with a particular request/transaction. Absent an alternative and equally reliable method of verifying an individual’s identity, an office/bureau must obtain from the requesting party a signed written request, along with whichever of the following is/are applicable:

a.         A photocopy of a driver’s license, passport, state identification, or other legally acceptable proof of identity from the subject of the information;

b.         A court order or other legally binding document issued by a court of law and signed by the judge, designating the requesting party as the legal guardian of the subject of the information;

c.         A properly executed power of attorney or other legally binding document designating the requesting party as the authorized representative of the subject of the information;

d.         A signed release authorization that meets the requirements of ORC 5101.272 or other applicable law, allowing the subject of the information’s attorney to obtain/access confidential personal information; and/or

e.         A signed release authorization that meets the requirements of ORC 5101.272 or other applicable law, allowing a third party to obtain/access confidential personal information, when specifically permitted by state law and rule for the program/benefit/service with which the subject of the personal information is connected.

3.         The records manager/liaison must also determine if the record exists, if ODJFS maintains the record, and if part or all of the record can be released to the requesting party. If a records manager/liaison is unable to determine whether a record exists or information can be released, then he/she must consult with legal counsel in the Office of Legal and Acquisition Services, and, if needed, the Chief Privacy Officer, to help determine what can be released.

B.        RELEASE OF PERSONAL INFORMATION AND EXCEPTIONS TO RELEASE

1.         Regardless of whether or not the provisions of section VI.A. above have been met, pursuant to ORC 1347.08 the following types of personal information, to the extent held by ODJFS, need NOT be released (and in many instances, are actually prohibited from being released), even to the subject of the information, or to his/her legal guardian, authorized representative or attorney:

a.         confidential law enforcement investigatory records, as defined in ORC 149.43(A)(2);

b.         trial preparation records, as defined in ORC 149.43(A)(4);

c.         medical, psychiatric or psychological information, if a physician, psychiatrist, or psychologist determines that the disclosure of the information is likely to have an adverse effect on the subject. In that case the information shall be released to a physician, psychiatrist, or psychologist designated either by the subject of the information or by his/her legal guardian;

d.         information in the statewide automated child welfare information system (SACWIS) and/or in public children services agency investigatory files, unless release of the information to the subject of the information, or his/her attorney, is expressly provided for in state statute or rule (see ORC 2151.421, and 5101.13 through 5101.134);

e.         information contained in the putative father registry, regardless of whether the information is held by the Department of Job and Family Services, The Office of Child Support, or the Child Support Enforcement Agency (see ORC 3107.062 and 3111.69);

f.          papers, records, and books that pertain to an adoption and that are subject to inspection in accordance with ORC 3107.17;

g.         adoption records listed in ORC 3107.52 and 3705.12;

h.         information identifying a nursing home resident, patient, complainant about a nursing home, person who provides the health department with information about a nursing home, and any other information that would reasonably tend to disclose the identity of the individuals mentioned previously, when collected and maintained by the Ohio Department of Health in connection with the investigation of nursing home (including long-term care and residential care facility) complaints and allegations of abuse and neglect of, or misappropriation of property belonging to, nursing home residents (see ORC 3721.031(A)(1) and 3721.25(A)(1));

i.          expunged files and records regarding alleged abuse/neglect and misappropriation of property of residents at long-term care and residential care facilities (see ORC 3721.23(D)(1) and (D)(2));

j.          information held by ODJFS and any contracting agency which identifies a resident of a nursing facility, the identity of any individual who submits a complaint about a nursing facility, a person providing information to ODJFS or contracting agency who requests confidentiality, and any information that would reasonably tend to disclose the identity of the individuals mentioned previously (see ORC 5165.88(A)(1));

k.         test materials, examinations, or evaluation tools used in an examination for licensure as a nursing home administrator that the board of executives of long term services administers under ORC 4751.04, or contracts under that section with a private or government entity to administer;

l.          information in the statewide automated adult protective services information system (See ORC 5101.612);

m.        any other personal information collected or maintained by ODJFS that is expressly identified in ORC 1347.08 as not being subject to release.

2.         If the identity of the person seeking personal information has been verified, and it has been determined that he/she is entitled to view the information being sought, as described in section VI.A. above, AND the information is not exempted or prohibited from release under section VI.B.1. above, then ODJFS shall:

a.         notify the person seeking personal information of the existence or non-existence of any personal information; and

b.         permit the person seeking personal information to either inspect or obtain copies of the personal information. The person seeking personal information under this section may be accompanied by another individual of the person’s choosing.

3.         When personal information is intertwined with information that is considered public record, release of information to third parties may also be governed by some of the provisions in ODJFS – IPP 8101, Requests for Public Records.

C.        COSTS

When release of personal information is authorized by law, charges for release of the information shall be the same cost as outlined in ODJFS-IPP 8101, Requests for Public Records, Section VI – F.

D.        TIMELINESS AND REQUESTS FOR RELEASE OF INFORMATION

Requests for personal information held by ODJFS shall be released in a timely manner to the subject of the information or to his/her legal guardian, authorized representative, or attorney with written permission from the subject of the information. Timely manner means a reasonable amount of time needed to locate, gather, review and determine if the requested information can be released under applicable law. Timeliness includes the time it would take to receive an opinion from the ODJFS Office of Legal and Acquisition Services in relation to whether information may be released, as well as the time needed to perform any required redactions.

E.        SECURITY

The person responsible for any personal information system shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure. In determining what is reasonable, consideration will be given to the following:

1.         the nature and vulnerability of the personal information;

2.         the physical facilities where the personal information is maintained or used; and

3.         the requirements of federal and state law governing use of the personal information.

Any ODJFS employee who first discovers or learns of unauthorized modification, destruction, use, disclosure, or breach of a personal information system must report it to his/her immediate supervisor, as well as to the Chief Privacy Officer.

F.         DISCIPLINARY ACTION

Disciplinary action, including but not limited to suspension or removal, may be brought against any employee who does any of the following:

1.         intentionally violates any provision of ORC 149.43 or ORC 1347 or other law related to the release of records or personal information;

2.         initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public evidence of unauthorized use of personal information;

3.         releases personal information in violation of state or federal law or refuses or fails to release information as provided by state or federal law.

G.        DISPUTES CONCERNING INFORMATION IN A PERSONAL INFORMATION SYSTEM

1.         Any individual may dispute the accuracy, relevancy, timeliness, or completeness of personal information that pertains to him/her and that is maintained by ODJFS. In response to any dispute and upon the request of the subject of the information, ODJFS must do all of the following when appropriate:

a.         within 90 days, investigate the current status of the information regarding its accuracy, relevancy, timeliness, and completeness;

b.         notify the subject of the information about the results of the investigation and the action being planned as a result of the investigation; and

c.         delete any information that the investigation reveals to be inaccurate or that cannot be verified, with notification to the subject of the information.

2.         If ODJFS completes an investigation of personal information for the subject of the information and the subject of the information is not satisfied with the results of the investigation ODJFS shall:

a.         permit the subject of the information to include within the system a brief statement of his/her position regarding the disputed information. ODJFS may limit the statement to 100 or fewer words, if the agency assists the subject of the information in writing a clear summary of the dispute; and

b.         include the subject of the information’s statement or notation in any subsequent transfer, report, or dissemination of the disputed information. ODJFS may counter the subject of the information’s statement or notation with a departmental statement that it has reasonable grounds to believe that the dispute is frivolous or irrelevant giving the reasons for the determination.

3.         Following any deletion of information that is found to be inaccurate or that cannot be verified, or if a statement of dispute was filed by the subject of the information, ODJFS shall, at the written request of the subject of the information, furnish notification that the information has been deleted, or furnish a copy of the statement of dispute, to any person specifically designated by the subject of the information.

VII.     APPENDIXES:

A.        SUBJECT MATTER EXPERT

Owning

Entity

Address Name (SME)

Phone/Fax

E-mail

OLAS

30 E. Broad St.

31st Floor

Columbus, Ohio 43215

Ramesh Thambuswamy

or staff attorney responsible for program area

614-466-4605 - Telephone

614-752-8298 - Fax

legal@jfs.ohio.gov