CHAPTER 6. FAIR INFORMATION PRACTICES; PRIVACY OF PERSONAL INFORMATION
IC 4-1-6
IC 4-1-6-1
Definitions
Sec. 1. As used in this chapter, the term:
(a) "Personal information system" means any recordkeeping
process, whether automated or manual, containing personal
information and the name, personal number, or other identifying
particulars of a data subject.
(b) "Personal information" means any information that describes,
locates, or indexes anything about an individual or that affords a
basis for inferring personal characteristics about an individual
including, but not limited to, his education, financial transactions,
medical history, criminal or employment records, finger and voice
prints, photographs, or his presence, registration, or membership in
an organization or activity or admission to an institution.
(c) "Data subject" means an individual about whom personal
information is indexed or may be located under his name, personal
number, or other identifiable particulars, in a personal information
system.
(d) "State agency" means every agency, board, commission,
department, bureau, or other entity of the administrative branch of
Indiana state government, except those which are the responsibility
of the auditor of state, treasurer of state, secretary of state, attorney
general, superintendent of public instruction, and excepting the
department of state police and state educational institutions.
(e) "Confidential" means information which has been so
designated by statute or by promulgated rule or regulation based on
statutory authority.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978,
P.L.10, SEC.1; P.L.19-1983, SEC.1; P.L.2-2007, SEC.17.
IC 4-1-6-2
Personal information system
Sec. 2. Any state agency maintaining a personal information
system shall:
(a) collect, maintain, and use only that personal information as is
relevant and necessary to accomplish a statutory purpose of the
agency;
(b) collect information to the greatest extent practicable from the
data subject directly when the information may result in adverse
determinations about an individual's rights, benefits and privileges
under federal or state programs;
(c) collect no personal information concerning in any way the
political or religious beliefs, affiliations and activities of an
individual unless expressly authorized by law or by a rule
promulgated by the oversight committee on public records pursuant
to IC 4-22-2;
(d) assure that personal information maintained or disseminated
from the system is, to the maximum extent possible, accurate,
complete, timely, and relevant to the needs of the state agency;
(e) inform any individual requested to disclose personal
information whether that disclosure is mandatory or voluntary, by
what statutory authority it is solicited, what uses the agency will
make of it, what penalties and specific consequences for the
individual, which are known to the agency, are likely to result from
nondisclosure, whether the information will be treated as a matter of
public record or as confidential information, and what rules of
confidentiality will govern the information;
(f) insofar as possible segregate information of a confidential
nature from that which is a matter of public record; and, pursuant to
statutory authority, establish confidentiality requirements and
appropriate access controls for all categories of personal information
contained in the system;
(g) maintain a list of all persons or organizations having regular
access to personal information which is not a matter of public record
in the information system;
(h) maintain a complete and accurate record of every access to
personal information in a system which is not a matter of public
record by any person or organization not having regular access
authority;
(i) refrain from preparing lists of the names and addresses of
individuals for commercial or charitable solicitation purposes except
as expressly authorized by law or by a rule promulgated by the
oversight committee on public records pursuant to IC 4-22-2;
(j) make reasonable efforts to furnish prior notice to an individual
before any personal information on such individual is made available
to any person under compulsory legal process;
(k) establish rules and procedures to assure compliance with this
chapter and instruct each of its employees having any responsibility
or function in the design, development, operation or maintenance of
such system or use of any personal information contained therein of
each requirement of this chapter and of each rule and procedure
adopted by the agency to assure compliance with this chapter;
(l) establish appropriate administrative, technical and physical
safeguards to insure the security of the information system and to
protect against any anticipated threats or hazards to their security or
integrity; and
(m) exchange with other agencies official personal information
that it has collected in the pursuit of statutory functions when:
(i) the information is requested for purposes authorized by law
including a rule promulgated pursuant to IC 4-22-2;
(ii) the data subject would reasonably be expected to benefit
from the action for which information is requested;
(iii) the exchange would eliminate an unnecessary and
expensive duplication in data collection and would not tangibly,
adversely affect the data subject; or
(iv) the exchange of information would facilitate the submission
of documentation required for various state agencies and
departments to receive federal funding reimbursement for
programs which are being administered by the agencies and
departments.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978,
P.L.10, SEC.2; Acts 1979, P.L.40, SEC.3.
IC 4-1-6-3
Right of inspection by data subject or agent; document search and
duplication; standard charges
Sec. 3. Unless otherwise prohibited by law, any state agency that
maintains a personal information system shall, upon request and
proper identification of any data subject, or his authorized agent,
grant such subject or agent the right to inspect and to receive at
reasonable, standard charges for document search and duplication,
in a form comprehensible to such individual or agent:
(a) all personal information about the data subject, unless
otherwise provided by statute, whether such information is a matter
of public record or maintained on a confidential basis, except in the
case of medical and psychological records, where such records shall,
upon written authorization of the data subject, be given to a
physician or psychologist designated by the data subject;
(b) the nature and sources of the personal information, except
where the confidentiality of such sources is required by statute; and
(c) the names and addresses of any recipients, other than those
with regular access authority, of personal information of a
confidential nature about the data subject, and the date, nature and
purpose of such disclosure.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-4
Disclosures limited to business hours; standard charges
Sec. 4. An agency shall make the disclosures to data subjects
required under this chapter during regular business hours. Copies of
the documents containing the personal information sought by the
data subject shall be furnished to him or his representative at
reasonable, standard charges for document search and duplication.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-5
Challenge of information by data subject; notice; minimum
procedures
Sec. 5. If the data subject gives notice that he wishes to challenge,
correct or explain information about him in the personal information
system, the following minimum procedures shall be followed:
(a) the agency maintaining the information system shall
investigate and record the current status of that personal information;
(b) if, after such investigation, such information is found to be
incomplete, inaccurate, not pertinent, not timely or not necessary to
be retained, it shall be promptly corrected or deleted;
(c) if the investigation does not resolve the dispute, the data
subject may file a statement of not more than two hundred (200)
words setting forth his position;
(d) whenever a statement of dispute is filed, the agency
maintaining the data system shall supply any previous recipient with
a copy of the statement and, in any subsequent dissemination or use
of the information in question, clearly mark that it is disputed and
supply the statement of the data subject along with the information;
(e) the agency maintaining the information system shall clearly
and conspicuously disclose to the data subject his rights to make
such a request;
(f) following any correction or deletion of personal information
the agency shall, at the request of the data subject, furnish to past
recipients notification delivered to their last known address that the
item has been deleted or corrected and shall require said recipients
to acknowledge receipt of such notification and furnish the data
subject the names and last known addresses of all past recipients of
the uncorrected or undeleted information.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-6
Securing of confidential information protected
Sec. 6. The securing by any individual of any confidential
information which such individuals may obtain through the exercise
of any right secured under the provisions of this chapter shall not
condition the granting or withholding of any right, privilege, or
benefit, or be made a condition of employment.
As added by Acts 1977, P.L.21, SEC.1.
IC 4-1-6-7
State agencies maintaining one or more systems; requirements
Sec. 7. (a) Any state agency maintaining one (1) or more personal
information systems shall file an annual report on the existence and
character of each system added or eliminated since the last report
with the governor on or before December 31.
(b) The agency shall include in such report at least the following
information:
(1) The name or descriptive title of the personal information
system and its location.
(2) The nature and purpose of the system and the statutory or
administrative authority for its establishment.
(3) The categories of individuals on whom personal information
is maintained including the approximate number of all
individuals on whom information is maintained and the
categories of personal information generally maintained in the
system including identification of those which are stored in
computer accessible records and those which are maintained
manually.
(4) All confidentiality requirements, specifically:
(A) those personal information systems or parts thereof
which are maintained on a confidential basis pursuant to a
statute, contractual obligation, or rule; and
(B) those personal information systems maintained on an
unrestricted basis.
(5) In the case of subdivision (4)(A) of this subsection, the
agency shall include detailed justification of the need for
statutory or regulatory authority to maintain such personal
information systems or parts thereof on a confidential basis and,
in making such justification, the agency shall make reference to
section 8 of this chapter.
(6) The categories of sources of such personal information.
(7) The agency's policies and practices regarding the
implementation of section 2 of this chapter relating to
information storage, duration of retention of information, and
elimination of information from the system.
(8) The uses made by the agency of personal information
contained in the system.
(9) The identity of agency personnel, other agencies, and
persons or categories of persons to whom disclosures of
personal information are made or to whom access to the system
may be granted, together with the purposes therefor and the
restriction, if any, on such disclosures and access, including any
restrictions on redisclosure.
(10) A listing identifying all forms used in the collection of
personal information.
(11) The name, title, business address, and telephone number of
the person immediately responsible for bringing and keeping
the system in compliance with the provisions of this chapter.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978,
P.L.10, SEC.3; P.L.19-1983, SEC.2.
IC 4-1-6-8
Policy of access; restricted access as condition for receipt of
donated materials
Sec. 8. (a) All state agencies subject to the provisions of this
chapter shall adhere to the policy that all persons are entitled to
access to information regarding the affairs of government and the
official acts of those who represent them as public servants, such
access being required to enable the people to freely and fully discuss
all matters necessary for the making of political judgments. To that
end, the provisions of this chapter shall be construed to provide
access to public records to the extent consistent with the due
protection of individual privacy.
(b) Where such assurance is needed to obtain valuable
considerations or gifts (which may include information) for the state,
any agency, with the prior written approval of the oversight
committee on public records, may allow restrictions upon public
access to be imposed upon it as a specific condition of a contract,
with a time limit not to exceed fifty (50) years or the lifetime of the
individual, whichever is less. In order to promote the preservation of
historical, cultural, natural, and other irreplaceable resources, the
department of natural resources or the Indiana state library may
extend, beyond the lifetime of the individual, restrictions upon
disclosure of information received, providing that such restrictions
do not exceed fifty (50) years from the date of the donation in the
case of the Indiana state library.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978,
P.L.10, SEC.4; Acts 1979, P.L.40, SEC.4; P.L.19-1983, SEC.3.
IC 4-1-6-8.5
Consistent handling of information among and between agencies;
principles and procedures
Sec. 8.5. In order to establish consistent handling of the same or
similar personal information within and among agencies, each state
agency collecting, maintaining, or transmitting such information
shall apply the following principles and procedures:
(1) Information collected after December 31, 1978, which is
classified as confidential must be clearly and uniformly
designated as confidential in any form or other document in
which it appears.
(2) When an agency which holds information classified as
confidential disseminates that information to another agency,
the receiving agency shall treat it in the same manner as the
originating agency.
As added by Acts 1978, P.L.10, SEC.5. Amended by P.L.19-1983,
SEC.4.
IC 4-1-6-8.6
Requests for access to confidential records; improper disclosure;
actions
Sec. 8.6. (a) In cases where access to confidential records
containing personal information is desired for research purposes, the
agency shall grant access if:
(1) the requestor states in writing to the agency the purpose,
including any intent to publish findings, the nature of the data
sought, what personal information will be required, and what
safeguards will be taken to protect the identity of the data
subjects;
(2) the proposed safeguards are adequate to prevent the identity
of an individual data subject from being known;
(3) the researcher executes an agreement on a form, approved
by the oversight committee on public records, with the agency,
which incorporates such safeguards for protection of individual
data subjects, defines the scope of the research project, and
informs the researcher that failure to abide by conditions of the
approved agreement constitutes a breach of contract and could
result in civil litigation by the data subject or subjects;
(4) the researcher agrees to pay all direct or indirect costs of the
research; and
(5) the agency maintains a copy of the agreement or contract for
a period equivalent to the life of the record.
(b) Improper disclosure of confidential information by a state
employee is cause for action to dismiss the employee.
As added by Acts 1978, P.L.10, SEC.6. Amended by Acts 1979,
P.L.40, SEC.5; P.L.19-1983, SEC.5.
IC 4-1-6-9
Annual report to general assembly; specific statutory authorization
for confidentiality; recommendations
Sec. 9. (a) Under the authority of the governor, a report shall be
prepared, on or before December 1 annually, advising the general
assembly of the personal information systems, or parts thereof, of
agencies subject to this chapter, which are recommended to be
maintained on a confidential basis by specific statutory authorization
because their disclosure would constitute an invasion of personal
privacy and there is no compelling, demonstrable and overriding
public interest in disclosure. Such recommendations may include, but
not be limited to, specific personal information systems or parts
thereof which can be categorized as follows:
(1) Personal information maintained with respect to students
and clients, patients or other individuals receiving social,
medical, vocational, supervisory or custodial care or services
directly or indirectly from public bodies.
(2) Personal information, excepting salary information,
maintained with respect to employees, appointees or elected
officials of any public body or applicants for such positions.
(3) Information required of any taxpayer in connection with the
assessment or collection of any income tax.
(4) Information revealing the identity of persons who file
complaints with administrative, investigative, law enforcement
or penology agencies.
(b) In addition, such report may list records or categories of
records, which are recommended to be exempted from public
disclosure by specific statutory authorization for reasons other than
that their disclosure would constitute an unwarranted invasion of
personal privacy, along with justification therefor.
(c) A report described in this section must be in an electronic
format under IC 5-14-6.
As added by Acts 1977, P.L.21, SEC.1. Amended by P.L.28-2004,
SEC.13.