RSC's Link Policy
The Ohio Rehabilitation Services Commission operates www.rsc.ohio.gov as a public service to Ohio residents and visitors worldwide. The site provides links to external Web sites that are not maintained or controlled by the RSC. The agency is not responsible for the content of external web sites. A link to a non-governmental web site does not constitute endorsement.
RSC Confidential Personal Information Policy (CPI)
I. AUTHORITY
This policy is issued in compliance with Ohio Revised Code (ORC) §3304.16 which establishes the power and authority of the Rehabilitation Services Commission and its administrator to develop all necessary rules and policy in furtherance of its statutory duties.
This policy is also issued in compliance with ORC Chapter 1347: et al, Personal Information Systems.
II. PURPOSE
The purpose of this policy is to instruct RSC staff about the requirements and responsibilities for accessing, collecting and maintaining confidential personal information in accordance with all federal and state laws, rules, regulations, guidelines and gubernatorial orders and directives.
III. APPLICABILITY
This policy applies to all employees and contractors of RSC.
IV. DEFINITIONS
Definitions for purposes of this policy are consistent with the definitions provided in ORC Chapter 1347, specifically 1347.01 and 1347.15. For purposes of this policy the most relevant definitions are:
- Access – means an opportunity to copy, view, or otherwise perceive, or the act of actually copying, viewing, or otherwise perceiving.
- Confidential personal information – means personal information that is not a public record for purposes of section 149.43 of the Revised Code or is maintained as confidential pursuant to 3304-1-15 (G) of the Administrative Code.
- Information Owner – means the individual appointed in accordance with division (A) of section 1347.05 of the Revised Code to be directly responsible for a system.
V. POLICY
It is the policy of RSC to assure that all employees and contractors comply with applicable state and federal statutes, rules, policies and directives as they relate to accessing confidential personal information. Confidential personal information shall only be accessed for authorized business reasons.
VI. PROCEDURES
A. General Provisions:
- Each director of a bureau or office or the designee will identify business reasons and the level of access needed by employees under their supervision to fulfill job duties. These business reasons and the level of access will be maintained by the Information Owner identified by each bureau director. Each Information Owner will identify and list, by position, within the Information Owner's bureau or unit, the confidential personal information each position has the authority to access. These lists shall be forwarded to and maintained by RSC's Data Privacy Point of Contact, who has been identified as the Manager of Network and Security.
- Each director of a bureau or office or the designee may make changes to access based on operational need. Each director of a bureau or office or designee will complete a 2050 form (Computer Network Account and Voice Services Request) for Information and Rehabilitation Technology to add or delete access to systems. Changes to access shall be requested immediately via a 2050 when a position no longer has a “need-to-know” business reason for access, or if an individual is transferred or terminated.
- As position descriptions are created, updated or revised, or if job duties change, Human Resources shall modify the position descriptions to reflect which systems containing confidential personal information that particular position has authority to access.
- Employees authorized to access systems containing confidential personal information will log and identify the information being accessed, the date accessed, and their name. On systems where this can be done with an electronic footprint, no action is needed by the employee. If the system does not log access or if the employee has been granted limited access to a system for which he or she does not normally have permission, then the employee will manually log the access on Form 2604. The form contains the name of the person accessing the information, the system being accessed, the date of access, and the time of access. These logs shall be maintained by the respective Information Owner and in compliance with the applicable record retention schedule.
- A director of a bureau or office or the designee may authorize temporary or case by case access to a system containing confidential personal information for legitimate business reasons. Such authorization to electronic systems shall be documented pursuant to a service request to the Information and Rehabilitation Technology section and a copy of the authorization given to the Information Owner for record keeping purposes.
- Employees and contractors will safeguard confidential personal information for which they have the authority to access by ensuring that the data is secure. The measures to secure the information include, but are not limited to, password protection, locked cabinet drawers, locked offices, logging off the computer, etc.
- Any unauthorized access or inappropriate release or use of confidential personal information will be reported immediately to the RSC Chief Legal Counsel. Unauthorized access or misuse of confidential personal information is subject to discipline and possible criminal charges per state law.
- Information Owners will work with the Office of Legal Services and the Records Program Manager to review all requests to release confidential personal information outside of RSC. Per Record Management policy, anyone inspecting records or documentation that may contain confidential personal information will only be able to view such information that is not redacted per ORC 149.43 and/or ORC 149.45, or non-releasable per other state and federal laws listed in 3304-1-15 of the administrative rule.
- RSC's Office of Information and Rehabilitation Technology, in conjunction with the Information Owners, will review the level of access granted and determine if that access is appropriate. Such review will occur at least one time every twelve calendar months.
B. BDD Access
1. BDD is contracted by the Social Security Administration to administer the Social Security Disability Program. Staff is authorized to access confidential personal information as it relates to carrying out essential job functions in the administration of the disability program. BDD staff members shall not access a claim of an individual not assigned to their caseload or for which they do not require access as part of the essential functions of the job in carrying out the administration of the disability program. Authorization is obtained from SSA for each individual employee or contractor for whom access to confidential personal information is required. Valid business reasons for accessing the confidential personal information include, but are not limited to:
- Processing a claim for which a staff member is assigned;
- Contacting an individual or representative concerning an application for disability benefits;
- Contacting medical providers and other sources for documentation related to the disability application;
- Review of medical and other records to assess potential eligibility;
- Review of files for quality assurance purposes.
2. In no case should a BDD staff member access a claim of an individual with whom the staff member has a personal relationship. Any unauthorized access or breach must be immediately reported to the employee’s immediate supervisor and the Chief Legal Counsel; or in the case of a contractor, to the designated BDD contact and the Chief Legal Counsel. If the immediate supervisor is not available, then another member of senior BDD administration is to be contacted immediately.
3. If a claim is accessed without authorization or if confidential personal information is misused, the Office of Legal Services will report to the Governor’s Office and other entities as required by law. Appropriate action, including discipline and criminal charges, will be taken upon completion of an investigation.
C. VR Access
1. VR is comprised of both the Bureau of Vocational Rehabilitation and the Bureau of Services for the Visually Impaired. Staff is authorized to access confidential personal information as it relates to carrying out essential job functions in the administration of the VR program. Staff may only access cases to which they are assigned, for which they fall into the chain of command for access, or for which accessing the case is necessary to carry out the essential functions of the job. Valid business reasons for accessing the confidential personal information include, but are not limited to:
- Working a case for which a staff member is assigned;
- Contacting medical providers or other entities to gather information to ascertain eligibility;
- Review of files for quality assurance purposes.
2. In no case should a VR staff member access a case of an individual with whom the staff member has a personal relationship. Any unauthorized access or breach must be immediately reported to the employee’s immediate supervisor and Chief Legal Counsel; or in the case of a contractor, to the designated VR contact and Chief Legal Counsel. If the immediate supervisor is not available, then another member of VR senior administration is to be contacted immediately.
3. If a case is accessed without authorization or if confidential personal information is misused, the Office of Legal Services will report to the Governor’s Office and other entities as required by law. Appropriate action, including discipline and criminal charges, will be taken upon completion of an investigation.
D. Access By Executive Staff
1. Executive staff, which includes RSC commissioners, the RSC administrator, and all staff that report directly to the RSC administrator, who access or direct an employee to access confidential personal information of a named individual or group of named individuals shall record the access on Form RSC 2604. Access to confidential personal information that occurs as a result of a request of the person whose information is being accessed is not required to be recorded pursuant to section 1347.15 of the Revised Code.
- Executive Staff shall verify the information contained on their log by reviewing and initialing it. The logs shall be turned in to the RSC administrator or designee during the first week of each month. The RSC administrator or designee will maintain the logs for two years.
E. Notice of Invalid Access
- Upon discovery of an invalid access or misuse of confidential personal information, the Office of Legal Services will notify the individual(s) affected as soon as reasonably possible. The notice will include what confidential personal information was accessed and the date of the access.
- The notification will be made by written, electronic or telephone notice, depending on the nature of the breach.
F. Procedure for individual to request a list of confidential personal information
- Upon receipt of a written request from an individual asking disclosure of what confidential personal information RSC maintains on that individual, RSC shall forward such request to the Office of Legal Services Record Management Unit.
- The Record Management Unit will verify the identity of the individual. Means of verifying identity may include, but are not limited to, at least two of the following: a valid driver’s license or state identification card; a social security card; a military identification card; a valid green card; a utility bill with a current address; other means that corroborate the name, social security number or legal alien status identifying number, and/or address of the requestor.
- Once the identity of the person is verified, the Record Management Unit will provide the list of the maintained confidential personal information not excluded under Chapter 1347 of the Revised Code to the requestor.
- If the requestor is making the request because of an investigation about that individual, and the confidential personal information relates to that investigation, RSC shall deny the request in accordance with 3304-1-15 of the Administrative Code.
Related Form(s): Form 2604