The City's employees and contractors as outlined in 149.02, 149.03, 149.04 must follow these rules on handling all personally identifiable information and handling sensitive personally identifiable information whenever they know or have reason to know that the information is personally identifiable information or sensitive personally identifiable information. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor. In the event that the City cannot resolve a conflict between this policy and the Ohio Public Records Act, the City will contact the Law Director.
(a) Handling All Personally Identifiable Information.
(1) Use personally identifiable information only for official, lawful purposes.
(2) Do not access systems with personally identifiable information - whether electronic or paper - if you have not been authorized to do so. Contact your supervisor if you need access.
(3) Enter personally identifiable information accurately. Make a good faith effort to correctly enter data. Never intentionally enter false data.
(4) Take reasonable precautions to protect personally identifiable information from unauthorized modification, destruction, use or disclosure. Follow the City's information security policies and procedures.
(5) Whenever an individual requests information that the City maintains about that individual, employees and contractors shall follow the City's Standard Operating Procedure - Request to inspect personally Identifiable Information.
(6) Only collect personally identifiable information when you have been authorized to do so by the proper authority. Do not create an electronic or paper system of record with personally identifiable information unless you have the City's authorization and follow the City's mandated privacy and security requirements.
(7) Destroy personally identifiable information securely in accordance with records retention schedules and following the City's data destruction procedures for particular systems or records.
(8) Do not initiate or otherwise contribute to any disciplinary or other punitive action against any individual who reports evidence of unauthorized use of personally identifiable information.
(9) The City monitors its information, systems, other IT assets, employees and contractors for compliance with this policy, therefore, employees and contractors have no expectation of privacy when they use City information, systems and IT assets.
(b) Handling Sensitive Personal Information.
(1) Only access sensitive personally identifiable information for a valid reason directly related to the exercise of a City power or duty. Valid reasons include:
A. Responding to a public records request;
B. Responding to a request from an individual for the list of personally identifiable information the agency maintains on that individual;
C. Administering a constitutional provision or duty;
D. Administering a statutory provision or duty;
E. Administering an administrative rule provision or duty;
F. Complying with any state or federal program requirements;
G. Processing or payment of claims or otherwise administering a program with individual participants or beneficiaries;
H. Auditing purposes;
I. Carrying out licensure, permit, eligibility, filing, certifications or other similar processes;
J. Carrying out or assisting with an authorized investigation or law enforcement purposes;
K. Conducting or preparing for administrative hearings;
L. Responding to or preparing for litigation, or complying with a court order or subpoena;
M. Administering human resources, including but not limited to hiring, promotion, demotion, discharge, salary and compensation issues, leave requests and related issues, time card approvals and related issues;
N. Administering an information system;
O. Complying with an executive order or policy;
P. Complying with a collective bargaining agreement provision.
(2) Do not access sensitive personally identifiable information for any reason other than those listed above. For example, do NOT access sensitive personally identifiable information:
A. For gain or personal profit for yourself or someone else,
B. Out of simple curiosity or personal interest,
C. To commit a crime,
D. For retribution, use in a personal conflict, or promotion of a personal point of view, or
E. To harass or embarrass.
(3) You always have a duty not to disclose sensitive personally identifiable information without proper agency authorization. As you do your work, you may inadvertently or unintentionally come in contact with information that you know or have reason to believe is sensitive personally identifiable information. In those circumstances, you have a duty not to disclose that sensitive personally identifiable information to anyone except properly authorized persons.
(4) If you suspect that sensitive personally identifiable information has been improperly accessed or disclosed, you shall report the incident to your supervisor.
A. Report quickly and do not disturb evidence.
B. Allow the City's response team to preserve evidence, eliminate any ongoing risks and make a determination that violations have occurred.
C. To ensure that any investigation is not compromised and that an accurate evaluation of the incident is conducted, only the Mayor, director, assistant directors of the City may authorize notifications to affected individuals.
D. Upon a finding that confidential personal information has been accessed for an invalid reason in violation of a confidentiality statute, Section 1347.15 of the Ohio Revised Code or rules 123-4-01 through 123-4-05 of the Administrative Code, the Mayor, or Department Director, of the City will notify affected individuals.
(c) Document Destruction. City documents may only be destroyed in accordance with the City's records retention policy. When documents containing sensitive information are discarded, they shall be shredded using a mechanical shredding device.
(d) Electronic Distribution. Each employee and contractor performing work for the City that deals with the records that are the subject of this policy will comply with the following policies:
(1) Internally, sensitive information may be transmitted using approved municipal email.
(2) A statement such as this should be included in the e-mail:
"This message may contain confidential and/or proprietary information and is intended for the person/entitiy to whom it was originally addressed. Any use by others is strictly prohibited." (Ord. 65-2018. Passed 3-11-19.)