CHAPTER 6. FAIR INFORMATION PRACTICES; PRIVACY OF PERSONAL INFORMATION
IC 4-1-6
Chapter 6. Fair Information Practices; Privacy of Personal Information
IC 4-1-6-1
Definitions
Sec. 1. As used in this chapter, the term:
(a) "Personal information system" means any recordkeeping process, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.
(b) "Personal information" means any information that describes, locates, or indexes anything about an individual or that affords a basis for inferring personal characteristics about an individual including, but not limited to, his education, financial transactions, medical history, criminal or employment records, finger and voice prints, photographs, or his presence, registration, or membership in an organization or activity or admission to an institution.
(c) "Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in a personal information system.
(d) "State agency" means every agency, board, commission, department, bureau, or other entity of the administrative branch of Indiana state government, except those which are the responsibility of the auditor of state, treasurer of state, secretary of state, attorney general, superintendent of public instruction, and excepting the department of state police and state educational institutions.
(e) "Confidential" means information which has been so designated by statute or by promulgated rule or regulation based on statutory authority.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.1; P.L.19-1983, SEC.1; P.L.2-2007, SEC.17.
IC 4-1-6-2
Personal information system
Sec. 2. Any state agency maintaining a personal information system shall:
(a) collect, maintain, and use only that personal information as is relevant and necessary to accomplish a statutory purpose of the agency;
(b) collect information to the greatest extent practicable from the data subject directly when the information may result in adverse determinations about an individual's rights, benefits and privileges under federal or state programs;
(c) collect no personal information concerning in any way the political or religious beliefs, affiliations and activities of an individual unless expressly authorized by law or by a rule promulgated by the oversight committee on public records pursuant to IC 4-22-2;
(d) assure that personal information maintained or disseminated from the system is, to the maximum extent possible, accurate, complete, timely, and relevant to the needs of the state agency;
(e) inform any individual requested to disclose personal information whether that disclosure is mandatory or voluntary, by what statutory authority it is solicited, what uses the agency will make of it, what penalties and specific consequences for the individual, which are known to the agency, are likely to result from nondisclosure, whether the information will be treated as a matter of public record or as confidential information, and what rules of confidentiality will govern the information;
(f) insofar as possible segregate information of a confidential nature from that which is a matter of public record; and, pursuant to statutory authority, establish confidentiality requirements and appropriate access controls for all categories of personal information contained in the system;
(g) maintain a list of all persons or organizations having regular access to personal information which is not a matter of public record in the information system;
(h) maintain a complete and accurate record of every access to personal information in a system which is not a matter of public record by any person or organization not having regular access authority;
(i) refrain from preparing lists of the names and addresses of individuals for commercial or charitable solicitation purposes except as expressly authorized by law or by a rule promulgated by the oversight committee on public records pursuant to IC 4-22-2;
(j) make reasonable efforts to furnish prior notice to an individual before any personal information on such individual is made available to any person under compulsory legal process;
(k) establish rules and procedures to assure compliance with this chapter and instruct each of its employees having any responsibility or function in the design, development, operation or maintenance of such system or use of any personal information contained therein of each requirement of this chapter and of each rule and procedure adopted by the agency to assure compliance with this chapter;
(l) establish appropriate administrative, technical and physical safeguards to insure the security of the information system and to protect against any anticipated threats or hazards to their security or integrity; and
(m) exchange with other agencies official personal information that it has collected in the pursuit of statutory functions when:
(i) the information is requested for purposes authorized by law including a rule promulgated pursuant to IC 4-22-2;
(ii) the data subject would reasonably be expected to benefit from the action for which information is requested;
(iii) the exchange would eliminate an unnecessary and expensive duplication in data collection and would not tangibly, adversely affect the data subject; or
(iv) the exchange of information would facilitate the submission of documentation required for various state agencies and departments to receive federal funding reimbursement for programs which are being administered by the agencies and departments.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.2; Acts 1979, P.L.40, SEC.3.
IC 4-1-6-3
Right of inspection by data subject or agent; document search and duplication; standard charges
Sec. 3. Unless otherwise prohibited by law, any state agency that maintains a personal information system shall, upon request and proper identification of any data subject, or his authorized agent, grant such subject or agent the right to inspect and to receive at reasonable, standard charges for document search and duplication, in a form comprehensible to such individual or agent:
(a) all personal information about the data subject, unless otherwise provided by statute, whether such information is a matter of public record or maintained on a confidential basis, except in the case of medical and psychological records, where such records shall, upon written authorization of the data subject, be given to a physician or psychologist designated by the data subject;
(b) the nature and sources of the personal information, except where the confidentiality of such sources is required by statute; and
(c) the names and addresses of any recipients, other than those with regular access authority, of personal information of a confidential nature about the data subject, and the date, nature and purpose of such disclosure.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-4
Disclosures limited to business hours; standard charges
Sec. 4. An agency shall make the disclosures to data subjects required under this chapter during regular business hours. Copies of the documents containing the personal information sought by the data subject shall be furnished to him or his representative at reasonable, standard charges for document search and duplication.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-5
Challenge of information by data subject; notice; minimum procedures
Sec. 5. If the data subject gives notice that he wishes to challenge, correct or explain information about him in the personal information system, the following minimum procedures shall be followed:
(a) the agency maintaining the information system shall investigate and record the current status of that personal information;
(b) if, after such investigation, such information is found to be incomplete, inaccurate, not pertinent, not timely or not necessary to be retained, it shall be promptly corrected or deleted;
(c) if the investigation does not resolve the dispute, the data subject may file a statement of not more than two hundred (200) words setting forth his position;
(d) whenever a statement of dispute is filed, the agency maintaining the data system shall supply any previous recipient with a copy of the statement and, in any subsequent dissemination or use of the information in question, clearly mark that it is disputed and supply the statement of the data subject along with the information;
(e) the agency maintaining the information system shall clearly and conspicuously disclose to the data subject his rights to make such a request;
(f) following any correction or deletion of personal information the agency shall, at the request of the data subject, furnish to past recipients notification delivered to their last known address that the item has been deleted or corrected and shall require said recipients to acknowledge receipt of such notification and furnish the data subject the names and last known addresses of all past recipients of the uncorrected or undeleted information.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-6
Securing of confidential information protected
Sec. 6. The securing by any individual of any confidential information which such individuals may obtain through the exercise of any right secured under the provisions of this chapter shall not condition the granting or withholding of any right, privilege, or benefit, or be made a condition of employment.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-7
State agencies maintaining one or more systems; requirements
Sec. 7. (a) Any state agency maintaining one (1) or more personal information systems shall file an annual report on the existence and character of each system added or eliminated since the last report with the governor on or before December 31.
(b) The agency shall include in such report at least the following information:
(1) The name or descriptive title of the personal information system and its location.
(2) The nature and purpose of the system and the statutory or administrative authority for its establishment.
(3) The categories of individuals on whom personal information is maintained including the approximate number of all individuals on whom information is maintained and the categories of personal information generally maintained in the system including identification of those which are stored in computer accessible records and those which are maintained manually.
(4) All confidentiality requirements, specifically:
(A) those personal information systems or parts thereof which are maintained on a confidential basis pursuant to a statute, contractual obligation, or rule; and
(B) those personal information systems maintained on an unrestricted basis.
(5) In the case of subdivision (4)(A) of this subsection, the agency shall include detailed justification of the need for statutory or regulatory authority to maintain such personal information systems or parts thereof on a confidential basis and, in making such justification, the agency shall make reference to section 8 of this chapter.
(6) The categories of sources of such personal information.
(7) The agency's policies and practices regarding the implementation of section 2 of this chapter relating to information storage, duration of retention of information, and elimination of information from the system.
(8) The uses made by the agency of personal information contained in the system.
(9) The identity of agency personnel, other agencies, and persons or categories of persons to whom disclosures of personal information are made or to whom access to the system may be granted, together with the purposes therefor and the restriction, if any, on such disclosures and access, including any restrictions on redisclosure.
(10) A listing identifying all forms used in the collection of personal information.
(11) The name, title, business address, and telephone number of the person immediately responsible for bringing and keeping the system in compliance with the provisions of this chapter.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.3; P.L.19-1983, SEC.2.
IC 4-1-6-8
Policy of access; restricted access as condition for receipt of donated materials
Sec. 8. (a) All state agencies subject to the provisions of this chapter shall adhere to the policy that all persons are entitled to access to information regarding the affairs of government and the official acts of those who represent them as public servants, such access being required to enable the people to freely and fully discuss all matters necessary for the making of political judgments. To that end, the provisions of this chapter shall be construed to provide access to public records to the extent consistent with the due protection of individual privacy.
(b) Where such assurance is needed to obtain valuable considerations or gifts (which may include information) for the state, any agency, with the prior written approval of the oversight committee on public records, may allow restrictions upon public access to be imposed upon it as a specific condition of a contract, with a time limit not to exceed fifty (50) years or the lifetime of the individual, whichever is less. In order to promote the preservation of historical, cultural, natural, and other irreplaceable resources, the department of natural resources or the Indiana state library may extend, beyond the lifetime of the individual, restrictions upon disclosure of information received, providing that such restrictions do not exceed fifty (50) years from the date of the donation in the case of the Indiana state library.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.4; Acts 1979, P.L.40, SEC.4; P.L.19-1983, SEC.3.
IC 4-1-6-8.5
Consistent handling of information among and between agencies; principles and procedures
Sec. 8.5. In order to establish consistent handling of the same or similar personal information within and among agencies, each state agency collecting, maintaining, or transmitting such information shall apply the following principles and procedures:
(1) Information collected after December 31, 1978, which is classified as confidential must be clearly and uniformly designated as confidential in any form or other document in which it appears.
(2) When an agency which holds information classified as confidential disseminates that information to another agency, the receiving agency shall treat it in the same manner as the originating agency.
As added by Acts 1978, P.L.10, SEC.5. Amended by P.L.19-1983, SEC.4.
IC 4-1-6-8.6
Requests for access to confidential records; improper disclosure; actions
Sec. 8.6. (a) In cases where access to confidential records containing personal information is desired for research purposes, the agency shall grant access if:
(1) the requestor states in writing to the agency the purpose, including any intent to publish findings, the nature of the data sought, what personal information will be required, and what safeguards will be taken to protect the identity of the data subjects;
(2) the proposed safeguards are adequate to prevent the identity of an individual data subject from being known;
(3) the researcher executes an agreement on a form, approved by the oversight committee on public records, with the agency, which incorporates such safeguards for protection of individual data subjects, defines the scope of the research project, and informs the researcher that failure to abide by conditions of the approved agreement constitutes a breach of contract and could result in civil litigation by the data subject or subjects;
(4) the researcher agrees to pay all direct or indirect costs of the research; and
(5) the agency maintains a copy of the agreement or contract for a period equivalent to the life of the record.
(b) Improper disclosure of confidential information by a state employee is cause for action to dismiss the employee.
As added by Acts 1978, P.L.10, SEC.6. Amended by Acts 1979, P.L.40, SEC.5; P.L.19-1983, SEC.5.
IC 4-1-6-9
Annual report to general assembly; specific statutory authorization for confidentiality; recommendations
Sec. 9. (a) Under the authority of the governor, a report shall be prepared, on or before December 1 annually, advising the general assembly of the personal information systems, or parts thereof, of agencies subject to this chapter, which are recommended to be maintained on a confidential basis by specific statutory authorization because their disclosure would constitute an invasion of personal privacy and there is no compelling, demonstrable and overriding public interest in disclosure. Such recommendations may include, but not be limited to, specific personal information systems or parts thereof which can be categorized as follows:
(1) Personal information maintained with respect to students and clients, patients or other individuals receiving social, medical, vocational, supervisory or custodial care or services directly or indirectly from public bodies.
(2) Personal information, excepting salary information, maintained with respect to employees, appointees or elected officials of any public body or applicants for such positions.
(3) Information required of any taxpayer in connection with the assessment or collection of any income tax.
(4) Information revealing the identity of persons who file complaints with administrative, investigative, law enforcement or penology agencies.
(b) In addition, such report may list records or categories of records, which are recommended to be exempted from public disclosure by specific statutory authorization for reasons other than that their disclosure would constitute an unwarranted invasion of personal privacy, along with justification therefor.
(c) A report described in this section must be in an electronic format under IC 5-14-6.
As added by Acts 1977, P.L.21, SEC.1. Amended by P.L.28-2004, SEC.13.