Section 4717-2-05 - Personal information system(A) For the purpose of this rule and in accordance with Chapter 1347. of the Revised Code: (1) "Personal information" means any information that describes anything about a person, or that indicates actions done by or to a person, or that indicates that a person possesses certain personal characteristics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person. Personal information shall not include, in accordance with division (A)(1)(e) of section 1347.04 of the Revised Code, personal information systems that are comprised of investigatory material compiled for law enforcement purposes by the board. (2) "System" means any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person. "System" includes both records that are manually stored and records that are stored using electronic data processing equipment. "System" does not include published directories, reference materials or newsletters, or routine information that is maintained for the purpose of internal office administration, the use of which would not adversely affect a person. (3) "Maintains" means board ownership of, control over, responsibility for, or accountability for systems and includes, but is not limited to, the board depositing of information with a data processing center for storage, processing, or dissemination. The board "maintains" all systems of records that are required by law to be kept by the agency. (B) The personal information system of the board shall be maintained in accordance with Chapter 1347. of the Revised Code. (C) The board shall collect, maintain, and use only personal information that is necessary and relevant to the functions that the board is required or authorized to perform by statute or rule. Personal information shall be eliminated from the system when it is no longer necessary and relevant to those functions in accordance with the board record retention policy established pursuant to section 149.34 of the Revised Code. (D) The board shall identify a privacy officer to be directly responsible for the personal information system of the board. The privacy officer shall develop procedures for purposes of monitoring the accuracy, relevance, timeliness, and completeness of the personal information in the system, and, in accordance with the procedures, maintain the personal information in the system with the accuracy, relevance, timeliness, and completeness that is necessary to assure fairness in any determination made with respect to a person on the basis of the information. (E) The board shall take reasonable precautions to protect personal information in the system from unauthorized modification, destruction, use, or disclosure. (F) The board shall specify disciplinary measures to be applied to any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public, evidence of unauthorized use of information contained in the system. (G) The board shall provide for the right of persons who are the subject of personal information to be informed about the personal information of which the person is the subject and to permit the person or the person's legal representative to inspect the personal information of which the person is the subject, in accordance with section 1347.08 of the Revised Code, including: If any person disputes the accuracy, relevance, timeliness, or completeness of personal information that pertains to the person and that is maintained by the board in a personal information system, that person may request the board to investigate the current status of the information. The board shall comply with section 1347.09 of the Revised Code when the board receives such a request.
(H) The board shall not place personal information into an interconnected and combined system, unless the system contributes to the efficiency of the board or agencies using the system or organizations authorized to use the system in implementing programs which are required or authorized by law. (I) The board shall not use personal information placed into an interconnected and combined system by another state or local agency or organization, unless the personal information is necessary and relevant to the performance of a lawful function of the board. Replaces: 4717-1-03
Ohio Admin. Code 4717-2-05
Five Year Review (FYR) Dates: 5/16/2022 and 05/01/2027
Promulgated Under: 119.03
Statutory Authority: 4717.04
Rule Amplifies: 4717.03
Prior Effective Dates: 12/23/1971, 01/01/1984, 01/01/2001, 04/10/2011Effective: 4/10/2011
Five Year Review (FYR) Dates: 03/27/2017 and 04/05/2017
Promulgated Under: 119.03
Statutory Authority: 4717.04
Rule Amplifies: 4717.03
Prior Effective Dates: 12/23/71, 1/1/84, 1/1/01