II. Ohio's Personal Information Systems Act

RC Chapter 1347 "The Ohio Personal Information Systems Act", is also known as the "The Ohio Privacy Act." This chapter regulates the use of personal information maintained by state and local governments as well as establishing an additional right of access to personal information (RC §1347.08) by the person who is the subject of the information, the subject's guardian or an attorney with written authorization from the subject. Therefore, this chapter must be analyzed when a record is sought by a person who is the subject of the information, the subject's guardian or an attorney with written authorization from the subject but the document is not a "public record" pursuant to RC §149.43 of the Revised Code. OAC rule 5101:9-22-15 is the ODJFS internal management rule related to RC Chapter 1347. (See also IPP 8102).

Personal information systems subject to RC Chapter 1347 are any collection or group of related records kept in an organized manner manually or electronically stored which contain information describing anything about a person or concerning acts of a person or that indicate that a person possesses certain personal characteristics. This information must have the capacity to be retrieved from the system by a name, identifying number, symbol or other identifier assigned to a person. The state or local agency must have ownership, control over, responsibility for, accountability for, or be required by law to keep the information (see RC §1347.01).

RC §1347.04(A)(1)sets out exemptions to the provisions of RC Chapter 1347. They include:

a.       Any state or local agency, or part of a state or local agency, that performs as its principal function any activity relating to the enforcement of the criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals;

b.       The criminal courts;

c.       Prosecutors;

d.       Any state or local agency or part thereof that is a correction, probation, pardon, or parole authority; and

e.       Personal information systems that are comprised of investigatory material compiled for law enforcement purposes by agencies that are not described in divisions (A)(1)(a) and (d) of this section. A part of a state or local agency that does not perform, as its principal function, an activity relating to the enforcement of the criminal laws is not exempt under this section.

Section 1347.04 of the Revised Code also makes it clear at section (B) that RC Chapter 1347 cannot be construed to prohibit the release of public records required to be released by RC §149.43 nor will proper release of public records pursuant to RC §149.43 be considered an improper use of personal information under RC Chapter 1347.

Most county departments of job and family services, public children services agencies, county child support enforcement agencies, workforce development agencies, and one-stops retain client information that is not public record pursuant to RC §149.43 (due to state and federal laws) and are part of personal information systems pursuant to RC Chapter 1347, but do not fall within any of the exemptions contained in RC §1347.04. RC §1347.08 gives rights to inspection of this information to the person who is the subject of the personal information system, his/her guardian, or an attorney with written permission from the subject. Any person who wishes to exercise a right provided by this section may be accompanied by another individual of his choice. RC §1347.08(D) allows each state and local agency to establish reasonable fees for the service of copying records pursuant to the statute. Limitations on this right to inspection include:

1.       Medical, Psychiatric or Psychological Information - A physician, psychiatrist or psychologist may determine for the agency that disclosure of the information is likely to have an adverse effect on the person who is the subject of the information. If this is the case, the information must be released to a physician, psychiatrist or psychologist designated by the subject of the information in question (see RC §1347.08(C)(1)).

Upon the signed written request of either a licensed attorney at law or a licensed physician designated by the inmate, together with the signed written request of an inmate of a correctional institution under the administration of the department of rehabilitation and correction, the department shall disclose medical information to the designated attorney or physician as provided in division (C) of .

2.       Confidential Law Enforcement Investigation Records - The same definition as contained in RC §149.43. (See Part I of this memorandum & RC §1347.08(E)(2))

3.       Trial Preparation Records - The same records as covered under RC §149.43. (See Part I of this memorandum & RC §1347.08(E)(2))

4.       Contents of Certain Adoption Files Maintained by the Ohio Department of Health - This exemption refers to contents of adoption files maintained by the department of health pursuant to RC §§3705.12 to 3705.124. (See RC §1347.08(F)(1))

5.       Information contained in the Putative Father Registry established by RC §3107.062, regardless of whether the information is held by ODJFS or, pursuant to RC §3111.69, the ODJFS Office of Child Support or a County CSEA. (See RC §1347.08(F)(2))

6.       Other Adoption Records - Adoption records covered by RC §3107.17§3107.42(A) and §3107.52(A). (See RC §1347.08(F)(3) and (F)(4))

7.       Records Related to Investigations of Complaints about Nursing Homes and Rest Homes maintained by the Ohio Department of Health (namely, info identifying patients, complainants and witnesses) are confidential, pursuant to RC §3721.031(A)(1) through (C), and can only be released pursuant to court order, written permission of the complainant or for administrative purposes. (See RC §1347.08(F)(5))

8.       Records of Investigations of Long-Term Care Facilities by the Ohio Department of Health - may be expunged/destroyed when the alleged abuse/neglect or misappropriation of property of the resident is unsubstantiated (RC §3721.23(D)(1)), and Records regarding the Identity of Complainants Maintained by the Dept. of Health - cannot be disclosed, except pursuant to court order, written permission of the complainant, or for administrative purposes (§3721.25(A)(1)). (See RC §1347.08(F)(6) and (F)(7))

9.       Identities and Records of Nursing Facility residents, those who file Complaints against Nursing facilities, and those who provide Information about Nursing facilities - cannot be released by ODJFS pursuant to RC §5111.61(A)(1)). (See RC §1347.08(F)(8))

10.     Test materials, examination, or evaluation tools used in an examination for licensure as a nursing home administrator that the board of examiners of nursing home administrators administers under RC §4751.04 or contracts under that section with a private or government entity to administer. (See RC §1347.08(F)(9))

11.     SACWIS records (See RC §1347.08(F)(10)).

Each state and local agency may establish reasonable fees for the service of copying, upon request, personal information that is maintained by the agency and required to be provided under the statute.

In reviewing RC §149.43 and RC Chapter 1347, with respect to accessibility of records by members of the public, Ohio law recognizes four distinct classes of records:

1.       Records pertaining to confidential law enforcement investigations and trial preparation are not subject to release under RC §149.43 or RC §1347.08 but may be released at the discretion of the agency that has the records. However, release of the records through this discretion, in some cases, may result in a waiver of the confidentiality of the records;

2.       Records pertaining to adoptions, some medical, psychiatric or psychological information, certain records containing information related to long term care residents, and child abuse and/or neglect records under RC §2151.421 are not subject to disclosure to the public at large pursuant to RC §149.43 or to the person who is the subject of the information pursuant to RC §1347.08. Specific statutes or rules set out under what circumstances these records may be released.

3.       Records that fit within the exceptions in RC §149.43 but are subject to the provisions of RC §1347.08. Release of these records to the general public cannot be enforced through mandamus actions under RC §149.43(C) but the state or local governmental agency may choose to release the records at their discretion, unless release of the records is specifically prohibited by some other Ohio or federal law. However, the information must be released upon request to the subject of the information, the subject's legal guardian, or an attorney with written permission from the subject; and

4.       "Public records" which must, upon request, be disclosed to any member of the public who need not express or disclose a reason why the inspection is being requested.

ODJFS Employee Access to Confidential Personal Information

RC §1347.15 requires each state agency (the bill does NOT apply to county agencies or their employees) to adopt rules under RC Chapter 119, regulating access to the "confidential personal information" (CPI) the agency keeps, whether electronically or on paper.

The law requires ODJFS and other state agencies that collect and maintain CPI to adopt one or more rules containing:

(1)      criteria for determining which state employees may access, and which supervisory employees may authorize an employee to access, CPI;

In general, any access to information about recipients of ODJFS benefits or services, or about ODJFS employees, that is collected and maintained on ODJFS or state computer systems is strictly limited to those purposes authorized by ODJFS, and as directly related to the system user's official job duties and work assignments for, and on behalf of, ODJFS and/or a federal oversight agency (from IPP 3922 and JFS 7078).

(2)      a list of valid reasons for accessing CPI that is directly related to the state agency's exercise of its powers & duties;

(3)      a procedure for notifying any person whose CPI has been accessed for an invalid reason;

(4)      references to any applicable federal/state confidentiality laws and rules that apply to that state agency's records (e.g., RC §§5101.27 and 4141.21-see Part III of this manual for detailed list);

(5)      a procedure for providing an individual with his/her own CPI upon written request from the individual (see provisions above in this part of the manual, as well as IPP 8102);

(6)      a provision that

(a)      any computer system that the state agency acquires or upgrades, include a mechanism for recording state employee access to CPI; or that

(b)      state employee access to CPI be manually logged, until such new or upgraded computer systems are put in place that allow for automated logging;

Exceptions to manual logging are:

(i)       when the subject of the CPI asks for his/her own CPI

(ii)      general research not aimed at individual CPI, but which results in identification of individuals and their CPI.

(7)      a requirement that each state agency designate a 'data privacy point of contact' to work with the Office of Information Technology's (OIT's) chief privacy officer, to:

(a)      ensure that CPI is protected;

(b)      ensure compliance with RC §1347.15 and any related rules, and

(c)      complete a privacy impact assessment, using the form created and posted by OIT; &

(8)      a requirement that electronically-maintained CPI be password protected.

ODJFS has promulgated Ohio Administrative Code Rule 5101:9-22-16, "Employee Access to Confidential Personal Information", and Internal Policy and Procedure (IPP) 3925, "ODJFS Data Access Policy", to meet its obligations under state law, and to incorporate and implement the requirements listed above.