(1) The records of the Office of Information Technology are public records and are open to public inspection during normal working hours. Notwithstanding the foregoing, the following records shall be held confidential as records concerning security plans, procedures, assessments, measures, or systems, or records the disclosure of which would be detrimental to the best interests of the public:
- (a) Information which is in the custody of OIT but which is owned by another public entity to which OIT provides services, and which can be disclosed via the owner entity. If such information is requested from OIT, OIT will redirect all such requests to the owner entity.
(b) Administrative or technical information regarding computer hardware, software, and networks which, if disclosed could aid or allow a security breach or any unauthorized access. This includes without limitation:
- 1. Software source code and configurations, whether developed by OIT or otherwise;
- 2. Login or authentication credentials for any electronic system, whether such credentials are administrative or individual;
- 3. Records pertaining to the administration of information technology systems, including cyber security plans; vulnerability testing, reports, and assessments materials; detailed network system designs, diagrams, and schematics; detailed hardware and software inventories, or other materials, the release of which would aid an attempted security breach or circumvention of law as to the items assessed;
- 4. Any audit, assessment, compliance report, work papers or any combination of these that if disclosed could allow unauthorized access to the state's information technology assets;
- (c) Procurement documents prior to the award of any request for bid, request for proposal, or similar solicitation except as otherwise directed under the authority of the Chief Procurement Officer of the State of Alabama. Procurement documents pursuant to a cancelled or unawarded request for bid, request for proposal, or similar solicitation shall not be available for inspection or release if there is a pending procurement related to such documents.
(d) Data which is protected as a matter of state or federal security or privacy statute, regulation, or policy, including without limitation:
- 1. Sensitive Personally Identifying Information as defined in Code of Ala. 1975, §8-28-2(6);
- 2. Protected Health Information as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule;
- 3. Federal Tax Information as defined and regulated by the US Internal Revenue Service Publication 1075;
- 4. Criminal Justice Information as defined and regulated by the Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy; and
- 5. In addition to any statutory or regulatory definitions, any biometric data or geolocation data of any individual.
Author: Taylor Nichols
Statutory Authority: Code of Ala. 1975, §36-12-40.
History: New Rule: Published August 31, 2021; effective October 15, 2021.