Rule 173-13-05 | Confidential personal information: restricting and logging access to CPI in computerized personal information systems.
For personal information systems that are computer systems and contain CPI, ODA shall do the following:
(A) Access restrictions: Require a password or other authentication measure to access CPI that ODA keeps electronically.
(B) Acquisition of a new computer system: When ODA acquires a new computer system that stores, manages, or contains CPI, ODA shall include a mechanism for recording specific access by employees to CPI in the system.
(C) Upgrading existing computer systems: When ODA modifies an existing computer system that stores, manages, or contains CPI, ODA shall make a determination whether the modification constitutes an upgrade. Any upgrades to a computer system shall include a mechanism for recording specific access by employees to CPI in the system.
(D) Logging requirements regarding CPI in existing computer systems:
(1) ODA shall require employees who access CPI within computer systems to maintain a log that records that access.
(2) Employees do not need to record access to CPI under any one or more of the following circumstances:
(a) The employee is accessing CPI for official ODA purposes, including research, and the access is not specifically directed toward a specifically-named person or a group of specifically-named persons.
(b) The employee is accessing CPI for routine office procedures and the access is not specifically directed toward a specifically-named person or a group of specifically-named persons.
(c) The employee comes into incidental contact with CPI and the access of the information is not specifically directed toward a specifically-named person or a group of specifically-named persons.
(d) The employee accesses CPI about a person based upon a request made under either of the following circumstances:
(i) The person requests CPI about himself or herself.
(ii) The person makes a request that ODA take some action on that person's behalf and accessing the CPI is required in order to consider or process that request.
(3) For purposes of paragraph (D) of this rule, ODA may choose the form or forms of logging, whether in electronic or paper formats.