[OAC 5101-9-25]
CDHS must have written procedures governing the security of federal tax return information. These procedures must include employee awareness, storage and handling, access, facility security and disposal as addressed in the following subsections regarding safeguarding requirements.
ODHS staff will review these procedures for compliance with the "Tax Information Security Guidelines" and ODHS safeguard requirements. The written procedures must be updated periodically to reflect significant program changes.
APM.9243.1Employee Awareness
[OAC 5101-9-25]
Employees must be advised at least annually that unauthorized disclosure of FTI is a crime that may be punishable by $5,000 fine, five years imprisonment, or both. Employees must also be advised annually that a taxpayer may bring suit for civil damages in a United States district court for unauthorized disclosure of returns and return information. There are punitive damages in case of willful disclosure or gross negligence, as well as the cost of the action.
Employees should be made aware that these civil and criminal penalties apply even if the unauthorized disclosure was made after their employment with the CDHS terminated. Employees should also be briefed annually on FTI security procedures.
APM.9243.2Storage and Handling
[OAC 5101-9-25]
Federal tax data should be handled in such a manner that it does not become misplaced or available to unauthorized staff. Confidential federal tax information must be placed either in a locked container or in locked desks when not in use. Further information on locked containers is included in IRS Publication 1075, "Tax Information Security Guidelines."
The two major types of locking devices are key locks and combination locks. Combinations to locks must be changed 1) when the safe or lock is originally received, 2) at least once a year, 3) when an employee who knows the combination leaves, or 4) whenever the combination is compromised in any way. Keys should only be issued to persons needing to access the files and duplicate keys should be kept to a minimum.
FTI file storage areas require more than normal security. Access to these areas must be limited to the absolute minimum number of employees necessary. The following principles should be followed to adequately restrict access to the files area.
(1)There should be written procedures identifying employees who have access to FTI;
(2)Signs must be posted to restrict access;
(3)Cleaning must be performed in the presence of a secured employee;
(4)Personnel identification system is recommended in all locations where files contain FTI;
(5)Access to file areas which contain FTI must be restricted to workers who have a security profile;
(6)The location and physical layout of the files area should be such that unnecessary traffic is avoided;
(7)A sign in/out register should be maintained; and
(8)Keys to the files must only be issued to persons authorized to enter area.
APM.9243.3Access
[OAC 5101-9-25]
FTI must be handled in such a manner that it does not become misplaced or available to unauthorized personnel. Good safeguarding practice is that access to FTI must be strictly on a need-to-know basis. The potential for improper disclosure is minimized by restricting access to designated personnel. Staff must not be given more information than needed to do their work.
Any federal tax information which is provided through CRIS-E or on paper must not be commingled with other information. FTI should not be filed in areas used for breaks, food preparation or any similar facilities which would be used by employees not authorized to have access to FTI. FTI files also must not be in areas that clients have access to.
APM.9243.4Facility Security
[OAC 5101-9-25]
If possible, security staff should be CDJFS employees. Only authorized employees can have access to areas with FTI during nonworking hours.
APM.9243.5Case Records and CRIS-E Running Records
[OAC 5101-9-25]
There must not be any FTI in case records, open or closed,that is not safeguarded. FTI must not be on the CRIS-E running records. FTI must not be on the comments screen orany other screen that can be accessed by persons not connected to the case through inquiry on a need-to-know basis.