|(a) The department shall designate in writing an individual having the responsibility for control of ingredient information as the Information Control Officer. The Information Control Officer shall be the department's Bureau Chief, Bureau of Disease and Injury Prevention, or his/her designee. The Information Control Officer shall be responsible for maintaining and verifying the operation of an effective information control system and assuring adherence to the information protection requirements contained in this section. The department shall also designate in writing an individual to assume the responsibilities for control of ingredient information in case of the absence of unavailability of the Information Control Officer. (b) Each manufacturer providing ingredient information pursuant to Health and Safety Code, Chapter 161, Subchapter N, relating to Disclosure of Ingredients in Cigarettes and Tobacco Products (hereinafter "ingredient information"), shall have the option of providing such information in electronic form. Electronic form shall include, without limitation, providing access to the ingredient information on a computer system established and maintained by the manufacturer and accessible by the department as provided in these rules. (c) The Information Control Officer shall cause to be prepared, and shall personally approve, a list of individuals with demonstrated need to have access to the room where the ingredient information contained in reports submitted pursuant to Health and Safety Code, Chapter 161, Subchapter N, who have satisfied the requirements of this subsection (hereinafter "authorized individuals"). The Information Control Officer is responsible for keeping the list current, adding individuals, and immediately deleting any individual who no longer has a need to have access to the information, or who no longer satisfies the criteria for access. (1) No individual is authorized to have access to reported ingredient information unless that individual has executed and provided to the Information Control Officer a Confidentiality Agreement emphasizing the law and the individual's obligations to keep sensitive information confidential. (2) Individuals authorized to have access to reported ingredient information who are not full-time employees or contractors of the department must have satisfactorily undergone a thorough background check (including credit, criminal record, and civil litigation) by a qualified organization selected by the Information Control Officer, the results of which have been provided to and approved by the Information Control Officer. (3) No authorized individual shall have access to reported ingredient information at any time or in any manner unless another authorized individual is present during the entire period of access. (4) The Information Control Officer shall personally approve, in advance, all entries into any area in which report ingredient information is accessible or potentially accessible for purposes of cleaning, maintenance, computer maintenance, refurbishing, repair of such area, or similar activities, and shall maintain a list of all such entries, including time of entry and exit and identification of any individual present in such area who is not an authorized individual including the signature of each such person. An authorized individual shall be present during the entire period of any such entry, and shall be responsible for ensuring that no reported ingredient information is visible, and that any such unauthorized individual is properly identified and legitimately performing such activities. (d) No copies of any brand-specific reported ingredient information shall be made by any means, including, without limitation, by photocopier, by camera, or electronically, typing on a typewriter, word processor or computer, scanning, or using a dictaphone or a telephone except by pen and paper, nor shall any reported ingredient information be otherwise or further transmitted or communicated by any means. With the exception of a computer terminal for the receipt or review of reported ingredient information supplied electronically, no such device, other than pen and paper, shall be permitted in any area in which reported ingredient information is accessible or potentially accessible, nor shall packages and briefcases be brought into any such area, and the Information Control Officer shall take all steps necessary to ensure that these requirements have been met and that no reported brand-specific ingredient information has been removed from such area, or transmitted or communicated. Authorized individuals shall take all precautions necessary to ensure that no unauthorized person overhears or otherwise intentionally or inadvertently receives such information. (e) Storage Room. (1) Information identified by the manufacturer as confidential ingredient information in a report pursuant to Health and Safety Code, Chapter 161, Subchapter N, that is submitted in hard paper copy or in electronic form shall be secured and maintained in a secure storage room. (2) Computer workstation(s) to be used to access information in reports submitted electronically in accordance with the procedures provided in these rules shall also be kept in a secure storage room. (3) The storage room shall be located in an interior space that does not share a perimeter wall with an adjacent space occupied by a person or organization other than the department. (4) The storage room walls shall be of substantial construction, and the walls shall not contain any windows or any mechanical openings larger than 90 square inches. (5) There shall be only one door in the storage room, with a double cylinder deadbolt lock. The door shall be kept locked at all times when the room is not in use. (A) There shall be no more than two keys to the door lock, which shall be kept in a locked key container under the direct control of the Information Control Officer and shall not be removed from the premises. (B) The Information Control Officer shall insure that all keys issued shall be logged out and logged in and the log shall indicate the date, time and the person whom the key was issued and the date and time the key was returned. (C) The keys shall be issued to only those persons who are authorized to be in the storage room, as determined by the Information Control Officer in accordance with subsection (c) of this section. (f) Computer Security. (1) The computer used for purposes of accessing ingredient information reported electronically pursuant to Health and Safety Code, Chapter 161, Subchapter N, not be used for any other purpose. The computer screen shall be aligned in such a manner that it is not viewable from the outside of the secure storage room when the door is open. The computer shall be turned off when not in use. (2) The computer shall have a CD-ROM drive, and shall be connected to the internet and to a dedicated telephone line, which connections the department shall be responsible for maintaining. The computer shall not have a printer or other peripherals (other than a fingerprint reader), including removable magnetic or optical storage devices attached to it. (3) An entity that reports ingredient information electronically under Chapter 161, Subchapter N of the Health and Safety Code shall provide the department with a CD-ROM containing electronic encryption software to enable an authorized user at the department to obtain access to the reported information on the department's computer. This information must be in the form of a searchable data base, with fields for brand name, ingredient, and year. The Information Control Officer shall be responsible for maintaining the CD-ROM in a locked container under the direct control of the Information Control Officer, and shall ensure that it shall not be provided to any person who is not an authorized individual pursuant to subsection (c) of this section. (4) Access to ingredient information shall be initiated by an authorized individual at the department during business hours by inserting the CD-ROM provided by the reporting entity into the department's designated computer and establishing a connection to a computer system linked to the reporting entity. The reporting entity shall be responsible for: (A) determining a means of connection to the department, whether by private network, Internet connection or otherwise; and (B) providing on the CD-ROM given to the department the protocol for making the connection. (5) After the connection has been made, the identity of the authorized users at the department who will be present when the information is displayed shall be authenticated by means of a fingerprint reader attached to the computer. The Information Control Officer shall ensure that each authorized individual completes the necessary procedures to obtain access. (6) After the identity of the users at the department has been properly authenticated, access to the data files of the reporting entity containing the ingredient information reported pursuant to Health and Safety Code, Chapter 161, Subchapter N, will be provided. (7) A session of reviewing data files shall terminate when either an authorized individual logs off in accordance with the protocol on the CD-ROM, or following a predetermined time period with no user activity.