(A) The department of administrative services may establish an enterprise data management and analytics program to gather, combine, and analyze data provided by one or more agencies to measure the outcome of state-funded programs, develop policies to promote the effective, efficient, and best use of state resources, and to identify, prevent, or eliminate the fraudulent use of state funds, state resources, or state programs. Participating state agencies may use data gathered under the program for these purposes.
(B) A state agency shall provide data for use under the program. A state agency that provides data under the program shall comply with the data-sharing protocol adopted under division (D) of this section. Notwithstanding any other provision of the Revised Code, a state agency's provision of data under the program is considered a permitted use of the data under the Revised Code and the state agency is not in violation of any contrary provision of the Revised Code by providing the data.
(C)
(1) A state agency that provides data under the program retains ownership over the data. Notwithstanding any other provision of the Revised Code, only the state agency that provides data under the program may be required under the law of this state to respond to requests for records or information regarding the provided data, including public records requests, subpoenas, warrants, and investigatory requests.
(2) Participating state agencies shall maintain the confidentiality of data gathered under the program in accordance with confidentiality laws applicable to the data when in the possession of the state agency that provided the data. Employees of the department of administrative services or another state agency who gain access to another state agency's confidential data under the program are subject to any confidentiality requirements or duty to maintain confidentiality of the data established by law applicable to the state agency that provided the data. The results of the data analysis shall be compared against the confidentiality laws applicable to the source data to determine if the results retain any attributes of the source data that bring the results within the scope of any of the confidentiality obligations that applied to the source data. If so, the data analysis results are subject to those applicable confidentiality obligations and, in the event of a conflict between applicable confidentiality obligations, the most stringent of those obligations shall control.
(D) In consultation with state agencies participating under the program, the department of administrative services shall develop a data-sharing protocol and a security plan for the program. The security plan shall state how the data is to be protected. The data-sharing protocol shall include at least the following:
(1) How participating state agencies may use confidential data in accordance with confidentiality laws applicable to the provided data;
(2) Who has authority to access data gathered under the program; and
(3) How participating state agencies shall make, verify, and retain corrections to personal information gathered under the program.
Any collection of data derived under the program that is a "system" with "personal information" as defined in section 1347.01 of the Revised Code shall comply with Chapter 1347. of the Revised Code.
Added by 132nd General Assembly File No. TBD, HB 49, §101.01, eff. 9/29/2017.