When a record is not public:
It is no surprise that Ohio maintains a strong commitment to open government. Each year the offices of the Auditor of State and Attorney General release an updated manual on open records and open meetings.
However, this commitment to giving the public access to records comes with the responsibility for public officials to secure confidential information. Below are some examples of exceptions to the required release of public records.
For complete information on what may and must be kept confidential, see the 2010 Sunshine Laws Manual
Personal Information Systems Act:
Many state agencies maintain databases that contain confidential personal information. In the past, these databases have been susceptible to unauthorized use by people within agencies. As you may recall, the Ohio Department of Job and Family Services had a very public instance when a database was accessed to obtain information on “Joe the Plumber” for unauthorized reasons.
Because these systems can be vulnerable, the Ohio Revised Code now has a section outlining the safeguards state agencies must take to potect these databases. Below are a few elements that must be in place:
Find out more on how confidential information is being protected.
When CBS aired a segment on 60 Minutes regarding copy machine security, government agencies across the country were put on notice to secure confidential information that might otherwise fall into the wrong hands. The report outlined how a copier can maintain information on its hard drive long after an agency has finished using the machine. That’s a scary proposition for every public organization that has reason to copy confidential information.
Copiers manufactured after 2002 generally have a hard drive device that stores images of every document that is copied. For multipurpose devices, this also includes documents that are scanned, printed, faxed or e-mailed from a copier machine.
When it comes time to salvage machines, these hard drives can become gold mines for individuals seeking out confidential information. The images stored on hard drives can be removed, so when an agency retires a machine from service, they may be releasing thousands of documents without ever considering the potential for misuse.
This is an alarming proposition for any government agency or official, but there are ways to protect both yourself and your office from unknowingly distributing documents or information that should be kept confidential. Each agency is different and use of copier machines may vary. Because of this, there is no set best practice to safeguard against images being removed from copier hard drives. However, there are some practices that can help you assess your organization’s risk and ensure the policy you have in place is right for your particular situation.
There are multiple options available to public offices for removing equipment based on Ohio Revised Code regulations. It is first important that you ensure your agency is disposing of unwanted equipment in an approved manner.
Once you have determined how you will remove an old copier machine, you can then determine how best to protect information stored on the hard drive.
The following are a few options that may be available to you:
• Determine if your copier can be equipped with a security erase function. This function is available on newer machines, and in some cases can be added to machines already in use. The security erase function allows a public office to erase the hard drive in-house without specialized skills.
• Contract with an outside technician to wipe the hard drive before you dispose of a machine. This can be a good option for offices that send equipment to salvage. By choosing this option, the machine has been stripped of sensitive data before it leaves the office.
• Ask your vendor if they are able to physically remove a hard drive from the device. If this is possible, you can retain the storage device and dispose of it as you see fit.
As you upgrade copy machines in your office and invest in the purchase or lease of new machines, ask your vendor questions about machine security. This is a proactive step you can take to identify what security options are available and best fit the needs of your office.
An “out of sight, out of mind” security philosophy might be a tempting proposition, especially if added costs are avoided but confidential information can remain on equipment long after it’s out of your control. A little added effort and expense now can spare your organization from a big headache later.