CPI Policy
CONFIDENTIAL PERSONAL INFORMATION – Policy 312
The TOS remains committed to ensuring the privacy and security of information of Ohio’s citizens. ORC §1347.15 requires the TOS and all other state agencies to treat certain personal information as confidential, and to limit employee non-incidental CPI access. Confidential personal information (CPI) will only be collected when directly related to specific and legitimate objectives of TOS operations. This policy implements procedures and practices that safeguard CPI in accordance with OAC Chapter 113-25. This policy applies to data systems maintained by the TOS containing CPI and employees requiring access to data systems containing CPI.
Definition
CPI is specific identification information exclusively assigned to an individual including, but not limited to, driver’s license, SSN, bank account or credit card number, and license plate number.
Incidental CPI shall be defined as CPI accessed pursuant to OAC Chapter 113-25 (E) (4) (b). There is no logging requirement for Incidental CPI.
Data Systems
Data Privacy Point of Contact
The Treasurer or his/her designee shall designate an employee to serve as the data privacy point of contact (DPPOC) to work with the State Chief Privacy Officer to ensure that CPI is properly protected and in compliance with State of Ohio laws and statutes regarding CPI.
CPI Documentation
Privacy Threshold Analysis: The TOS DPPOC shall maintain documentation for each data system to identify CPI in a given information system, known as a Privacy Threshold Analysis. This document is based on a standard template provided by the DAS Office of Information Technology (OIT). If the data system is found to contain CPI, then a Privacy Impact Assessment must also be completed.
Privacy Impact Assessment: The purpose of a PIA is to determine the privacy implications of collecting CPI. This document is based on a standard template provided by OIT.
Data System Access Criteria
Personal information systems of the TOS are managed on a “need to know” basis whereby the information owner determines the level of access required for an employee to fulfill his/her job duties. The determination of access to CPI shall be approved by the employee’s supervisor and the information owner prior to providing the employee with access to CPI. The DPPOC shall have a list of all people authorized to access CPI. An employee’s entitlement to access CPI shall be reviewed upon the transfer or termination of his/her position.
Access Documentation
All CPI owned by the TOS that is stored electronically will require username and password verification for access.
System access: Many newer computer data systems containing CPI will maintain a historical record each time a user logs on including computer identification number, login username, network login name, and time and date of login. For systems that contain CPI that do not include such a mechanism, required logging of CPI access shall be carried out manually.
Specific file(s) access: When CPI belonging to a specific individual is accessed, the data system shall maintain a historical record each time a user views or updates any CPI, including the identification number of the individual whose CPI is accessed, reason for the access, computer identification number, login username, network login name, and time and date of access. If the data system is unable to create and maintain such a historical record, and such system is subject to a valid exception, then employees required to log CPI shall manually log the CPI access in accordance with this Policy. An exception is approved by the Deputy Treasurer when a data system does not automatically log access to CPI.
CPI shall not be stored on removable media devices unless required to support TOS functions and approved by the DPPOC. All employees approved to save CPI on a removable media device shall be assigned an encrypted device for this purpose.
When non-incidental CPI, which is required to be logged, is not received or maintained electronically, access to CPI shall be manually recorded using the Department Log of Access of Confidential Personal Information. The following information is required on the log: name of the TOS employee accessing CPI, name of the person whose CPI was accessed, and the time and date. The TOS employee accessing CPI must also initial an acknowledgment that the information on the log is true and complete and that said employee has accessed CPI only for purposes relating to his/her job duties or the TOS’s governmental function. The log shall be sent monthly to the DPPOC and maintained in a location designated by the DPPOC. The information in the log shall be retained in accordance with the TOS Records Retention Policy 412.
Data System Upgrade
Any upgrades performed on an existing TOS computer system that stores, manages, or contains CPI will, when possible, include a mechanism for recording specific access by TOS employees to CPI in the system.
Compliance
Awareness
Posters summarizing the policies with respect to accessing CPI are posted in common areas utilized by TOS employees.
The TOS is obligated to inform any individual whose CPI has been accessed for an invalid reason. If CPI is accessed for an invalid reason, TOS management will evaluate the situation and notify the person whose CPI was accessed invalidly as soon as practical, and to the extent known at the time.
Training
TOS employees entitled to access CPI are required to receive training. This training shall be conducted by the DPPOC, and shall include comprehension of ORC §1347.15, as well as OAC Chapter 113-25, and any future regulations regarding CPI. Those trained employees will be expected to retain all information relating to the responsibilities of having access to CPI and be held accountable for following TOS procedures regarding CPI. Any new employees who will be entitled to access CPI must undergo training before access to CPI is granted. Once CPI training is completed, all employees with access to CPI shall receive copies of the TOS CPI Policies and the relevant laws and regulations pertaining to CPI access. Upon receipt, employees must sign an acknowledgement that they have received and understood those materials. Notwithstanding the foregoing, management, at its sole discretion, may determine to provide CPI training to other TOS employees.
Discipline
Any TOS employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. All CPI trained employees will be aware of the potential consequences for improperly accessing and/or disseminating CPI.
Inquiries
An individual, whether a party regulated by the TOS or otherwise, has the right to inquire whether the TOS has CPI relating to said individual. Any individual who wishes to inquire if the TOS has CPI about himself/herself should submit such inquiry by mail, fax, or email. The TOS shall send a complete response to such an inquiry in accordance with the laws, rules, and regulations governing public records requests and CPI.
________________________________________________________
Please direct questions about this policy to the Legal Department
________________________________________________________