CSPMTL 7 Safeguarding of Participant Information

SUPPLEMENT SEVENTEEN

CSPMTL 7 Safeguarding of Participant Information

5101:12-1-20.2 Safeguarding of participant information.

chor CSPMTL 7tmlResAnchor

Effective date: June 15, 2006

(A) This rule describes procedures an agency is required to follow in order to safeguard confidential information from participants in the support enforcement program received from the internal revenue service (IRS), Ohio department of taxation (ODT), the state parent locator service (SPLS), federal parent locator service (FPLS), and Ohio department of job and family services, office of unemployment compensation (UC). The safeguarding requirements of this rule apply to all paper, electronic, or imaged records.

(B) Failure to comply with the safeguarding requirements of this rule shall result in the revocation of access to the support enforcement tracking system (SETS) or any other application that contains information from the IRS, ODT, SPLS, FPLS, or UC.

(C) Each child support enforcement agency (CSEA) shall submit a JFS 07072, "Safeguarding of Internal Revenue Service (IRS), Ohio Department Of Taxation (ODT), Federal Parent Locator Service (FPLS), and Unemployment Compensation (UC) Information" (rev. 12/2005), to the deputy director of the office of child support (OCS) within the Ohio department of job and family services no later than the last day of January each year. The JFS 07072 must be signed and dated by the director of the CSEA.

(D) Each employee of an agency that has access to federal tax information (FTI) shall be required to sign and submit a JFS 07014,"Tax Information Safeguarding Authorization Agreement" (10/2005), to the OCS deputy director upon employment or re-employment and annually thereafter. A copy of the JFS 07014 shall be retained by the person who signed the form.

(E) Each agency shall submit a completed JFS 07078, "Ohio Department of Job and Family Services Code of Responsibility" (rev. 04/2005), for each agency employee with access to SETS. The agency shall send the JFS 07078 and a cover memo detailing the requested system access to the address or facsimile number listed on the JFS 07078 before access to SETS is permitted.

(F) Requirements for the safeguarding of FTI.

(1) For purposes of this rule, FTI is defined as federal tax returns and return information other than information provided by the taxpayer. This may include but is not limited to:

(a) Social security numbers obtained from the IRS;

(b) Address information obtained from the IRS; or

(c) The amount of any IRS tax refund offsets, regardless of the source from which it is obtained or the format in which it is found.

(2) In order to comply with the safeguarding requirements of the internal revenue code, the CSEA shall agree to the following:

(a) Establish and maintain a permanent system of standardized records with regard to all requests made by the CSEA for FTI from the IRS, that will include the reason for such requests, the date the requests are made and the FTI received, and the name of the employee having access to the information;

(b) Store FTI during non-duty hours in accordance with the security requirements described in IRS publication 1075 , "Tax Information Security Guidelines for Federal, State, and Local Agencies" (6/2000), section 4.7 guide 2 "Physical Security-Minimum Protection Standards" that may be accessed through the internet at the following web address; http://www.irs.gov/pub/irs-pdf/p1075.pdf;

(c) Limit access to file keys and safe combinations to the agency official responsible for safeguarding FTI and a maximum of two alternates who are permitted access to the FTI in the absence of such official;

(d) Limit access to FTI to those CSEA employees who are authorized to inspect and use information;

(e) Follow commingling requirements as described in IRS publication 1075 by maintaining the federal tax information obtained from the IRS either separately from CSEA case files or within the CSEA case files. If FTI is maintained within CSEA case files, each file containing the FTI shall have two layers of security; one inside the file and another on the outside jacket of the file;

(f) Assure that mail received containing FTI is not opened before delivery to the agency official responsible for safeguarding the information;

(g) Transmit FTI between the CSEA and OCS in double-sealed envelopes to be opened by the addressee only; and

(h) When use of the information is no longer required, return the FTI to OCS or destroy in accordance with IRS publication 1075 sections 8.3 and 8.4.

(3) If requested, the CSEA shall furnish a report that:

(a) Describes the procedures established and used for ensuring the confidentiality of FTI; and

(b) Identifies what FTI has been disposed of and the date and manner of disposal.

(4) Federal tax information safeguarding visits.

(a) Pursuant to IRS publication 1075, OCS shall conduct a federal tax information safeguarding visit with each CSEA at least once every three years. The purpose of the visit is to ensure that adequate safeguards and security measures are maintained by the CSEA.

(b) Visit procedures.

(i) OCS will send a letter to the CSEA director or administrator and tax offset coordinator advising of the time and date of the visit. The letter will include a JFS 07013, "FTI Safeguarding Questionnaire" (07/2005), and JFS 07014.

(ii) The CSEA shall complete the JFS 07013 and return it to OCS no later than Friday of the week prior to the visit.

(iii) The CSEA shall choose a sampling of at least ten cases on which an IRS offset payment has been received during the three years immediately prior to visit.

(iv) During the visit, OCS staff will review the completed JFS 07013 with the CSEA, review the cases chosen by the CSEA, and complete a physical walk-through of the CSEA's office and building.

(c) Visit follow up.

(i) OCS shall prepare an initial report documenting the visit and provide it to the CSEA within fifteen business days of the date of the visit.

(ii) Upon receipt of the initial report from OCS, the CSEA, if necessary shall prepare a response report describing any corrective actions required and including a timetable for the completion of those corrective actions. The CSEA shall send this report to OCS no later than fifteen business days after receipt of the initial report from OCS.

(iii) OCS will prepare a final report documenting the visit within fifteen business days of receipt of the response report from the CSEA. The final report may require further corrective action by the CSEA, if necessary.

(iv) If the CSEA fails to provide the response report, the initial report becomes final and a corrective action plan will be required from the CSEA.

(G) Requirements for safeguarding taxpayer information from the Ohio department of taxation.

(1) In order to comply with the safeguarding requirements of section 5747.18 of the Revised Code, each CSEA shall certify that taxpayer information concerning the residential address and income of taxpayers received by the CSEA is needed for the purpose of, and will be used only for, the following:

(a) Locating payors and establishing, enforcing, modifying and collecting child support obligations pursuant to Title IV-D of the Social Security Act; or

(b) Collecting overpaid child support from the state income tax refund of an payee in accordance with section 5747.123 of the Revised Code.

(2) None of the information so obtained will be disclosed to anyone except for official purposes as described in section 3125.43 of the Revised Code or in compliance with a court order.

(H) Requirements for safeguarding of information from SPLS or FPLS.

(1) The CSEA shall certify that information from SPLS or FPLS may be used only for the following purposes:

(a) Locating an individual for the purpose of establishing paternity or establishing, enforcing, or reviewing a support order for possible adjustment; or

(b) If an agreement exists as described in section 3125.06 of the Revised Code, for the purpose of locating an absent parent or a child in connection with a parental kidnapping or child custody case or the making or enforcing of a parenting time order.

(2) Any information obtained from SPLS or FPLS shall be used only for the purposes described in paragraph (H)(1) of this rule and shall be disclosed only to an authorized person.

-For purposes of this paragraph, an authorized person is any of the following:-

(a) A child support agency in another state;

(b) The OCS;

(c) A CSEA;

(d) A court or agent of a court having authority to issue a support order or act as a tribunal for the purpose of initiating an interstate support action as described in section 3115.01 of the Revised Code; or

(e) The resident parent, legal guardian, attorney or agent of a child not receiving Ohio works first (OWF) benefits.

(I) Requirements for the safeguarding of information from UC.

-The CSEA shall certify that, in accordance with sections 4141.21, 4141.22, and 4141.99 of the Revised Code and rule 4141-43-02 of the Administrative Code, all information and records received from UC shall be used only for the purposes of establishing and collecting child support obligations from and locating individuals owing such obligations. The CSEA shall establish and maintain security safeguards for location, wage, and benefit information.-

Replaces: 5101:12-10-25.4

Effective Date: 06/15/06

R.C. 119.032 review dates:

Certification

Promulgated Under: 119.03

Statutory Authority: 3125.08, 3125.25, 3125.51

Rule Amplifies: 3125.03, 3125.08, 3125.43, 3125.50, 4141.21, 4141.22, 4141.99, 5747.18

Prior Effective Dates: 8/1/82, 12/16/89, 10/1/90, 4/1/91, 1/1/92, 2/11/93, 9/1/94, 6/2/01, 7/1/02, 1/1/06