HB628 revised sections of ORC§1347. It requires State Agencies, including the University of Cincinnati, to adopt new rules for governing access to confidential personal information. The ORC now refers to confidential personal information as being any personal information that is not a public record. The new rules create a civil action for harm resulting from an intentional violation of rules, impose a criminal penalty for such an intentional violation, and require agencies to track all access to databases holding confidential personal information.
This legislation forces the University to monitor closely who has access to confidential personal information. Each employee and department that currently has access to confidential personal information has to present a valid business reason for their access and go through mandatory training on new policies and procedures. The university is required to password protect and to log all access to systems containing confidential personal information. Each time an authorized employee accesses personal information they are required to present a valid business reason. Invalid access will result in immediate termination, and an automatic misdemeanor conviction.
The University is required to designate an employee to serve as the data privacy point of contact. This employee works with the chief privacy officer within the office of information technology to ensure systems containing confidential personal information are properly protected. The data privacy point of contact is also required to complete a privacy impact assessment form, developed by the Office of Information Technology, and post it on the University website by December 1st of each year.
The university's procedures and policies in accordance to the proposed bill will be open to review by the state auditor. The state auditor will ensure compliance, and may include citations or recommendations relating to the proposed bill.
For more information, visit: