CHAPTER 6. FAIR INFORMATION PRACTICES; PRIVACY OF PERSONAL INFORMATION

IC 4-1-6

IC 4-1-6-1
Definitions
    
Sec. 1. As used in this chapter, the term:
    (a) "Personal information system" means any recordkeeping process, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.
    (b) "Personal information" means any information that describes, locates, or indexes anything about an individual or that affords a basis for inferring personal characteristics about an individual including, but not limited to, his education, financial transactions, medical history, criminal or employment records, finger and voice prints, photographs, or his presence, registration, or membership in an organization or activity or admission to an institution.
    (c) "Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in a personal information system.
    (d) "State agency" means every agency, board, commission, department, bureau, or other entity of the administrative branch of Indiana state government, except those which are the responsibility of the auditor of state, treasurer of state, secretary of state, attorney general, superintendent of public instruction, and excepting the department of state police and state educational institutions.
    (e) "Confidential" means information which has been so designated by statute or by promulgated rule or regulation based on statutory authority.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.1; P.L.19-1983, SEC.1; P.L.2-2007, SEC.17.

IC 4-1-6-2
Personal information system
    
Sec. 2. Any state agency maintaining a personal information system shall:
    (a) collect, maintain, and use only that personal information as is relevant and necessary to accomplish a statutory purpose of the agency;
    (b) collect information to the greatest extent practicable from the data subject directly when the information may result in adverse determinations about an individual's rights, benefits and privileges under federal or state programs;
    (c) collect no personal information concerning in any way the political or religious beliefs, affiliations and activities of an individual unless expressly authorized by law or by a rule promulgated by the oversight committee on public records pursuant to IC 4-22-2;
    (d) assure that personal information maintained or disseminated from the system is, to the maximum extent possible, accurate, complete, timely, and relevant to the needs of the state agency;
    (e) inform any individual requested to disclose personal information whether that disclosure is mandatory or voluntary, by what statutory authority it is solicited, what uses the agency will make of it, what penalties and specific consequences for the individual, which are known to the agency, are likely to result from nondisclosure, whether the information will be treated as a matter of public record or as confidential information, and what rules of confidentiality will govern the information;
    (f) insofar as possible segregate information of a confidential nature from that which is a matter of public record; and, pursuant to statutory authority, establish confidentiality requirements and appropriate access controls for all categories of personal information contained in the system;
    (g) maintain a list of all persons or organizations having regular access to personal information which is not a matter of public record in the information system;
    (h) maintain a complete and accurate record of every access to personal information in a system which is not a matter of public record by any person or organization not having regular access authority;
    (i) refrain from preparing lists of the names and addresses of individuals for commercial or charitable solicitation purposes except as expressly authorized by law or by a rule promulgated by the oversight committee on public records pursuant to IC 4-22-2;
    (j) make reasonable efforts to furnish prior notice to an individual before any personal information on such individual is made available to any person under compulsory legal process;
    (k) establish rules and procedures to assure compliance with this chapter and instruct each of its employees having any responsibility or function in the design, development, operation or maintenance of such system or use of any personal information contained therein of each requirement of this chapter and of each rule and procedure adopted by the agency to assure compliance with this chapter;
    (l) establish appropriate administrative, technical and physical safeguards to insure the security of the information system and to protect against any anticipated threats or hazards to their security or integrity; and
    (m) exchange with other agencies official personal information that it has collected in the pursuit of statutory functions when:
        (i) the information is requested for purposes authorized by law including a rule promulgated pursuant to IC 4-22-2;
        (ii) the data subject would reasonably be expected to benefit from the action for which information is requested;
        (iii) the exchange would eliminate an unnecessary and expensive duplication in data collection and would not tangibly, adversely affect the data subject; or
        (iv) the exchange of information would facilitate the submission of documentation required for various state agencies and departments to receive federal funding reimbursement for programs which are being administered by the agencies and departments.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.2; Acts 1979, P.L.40, SEC.3.

IC 4-1-6-3
Right of inspection by data subject or agent; document search and duplication; standard charges
    
Sec. 3. Unless otherwise prohibited by law, any state agency that maintains a personal information system shall, upon request and proper identification of any data subject, or his authorized agent, grant such subject or agent the right to inspect and to receive at reasonable, standard charges for document search and duplication, in a form comprehensible to such individual or agent:
    (a) all personal information about the data subject, unless otherwise provided by statute, whether such information is a matter of public record or maintained on a confidential basis, except in the case of medical and psychological records, where such records shall, upon written authorization of the data subject, be given to a physician or psychologist designated by the data subject;
    (b) the nature and sources of the personal information, except where the confidentiality of such sources is required by statute; and
    (c) the names and addresses of any recipients, other than those with regular access authority, of personal information of a confidential nature about the data subject, and the date, nature and purpose of such disclosure.
As added by Acts 1977, P.L.21, SEC.1.

IC 4-1-6-4
Disclosures limited to business hours; standard charges
    
Sec. 4. An agency shall make the disclosures to data subjects required under this chapter during regular business hours. Copies of the documents containing the personal information sought by the data subject shall be furnished to him or his representative at reasonable, standard charges for document search and duplication.
As added by Acts 1977, P.L.21, SEC.1.

IC 4-1-6-5
Challenge of information by data subject; notice; minimum procedures
    
Sec. 5. If the data subject gives notice that he wishes to challenge, correct or explain information about him in the personal information system, the following minimum procedures shall be followed:
    (a) the agency maintaining the information system shall investigate and record the current status of that personal information;
    (b) if, after such investigation, such information is found to be incomplete, inaccurate, not pertinent, not timely or not necessary to be retained, it shall be promptly corrected or deleted;
    (c) if the investigation does not resolve the dispute, the data subject may file a statement of not more than two hundred (200) words setting forth his position;
    (d) whenever a statement of dispute is filed, the agency maintaining the data system shall supply any previous recipient with a copy of the statement and, in any subsequent dissemination or use of the information in question, clearly mark that it is disputed and supply the statement of the data subject along with the information;
    (e) the agency maintaining the information system shall clearly and conspicuously disclose to the data subject his rights to make such a request;
    (f) following any correction or deletion of personal information the agency shall, at the request of the data subject, furnish to past recipients notification delivered to their last known address that the item has been deleted or corrected and shall require said recipients to acknowledge receipt of such notification and furnish the data subject the names and last known addresses of all past recipients of the uncorrected or undeleted information.
As added by Acts 1977, P.L.21, SEC.1.

IC 4-1-6-6
Securing of confidential information protected
    
Sec. 6. The securing by any individual of any confidential information which such individuals may obtain through the exercise of any right secured under the provisions of this chapter shall not condition the granting or withholding of any right, privilege, or benefit, or be made a condition of employment.
As added by Acts 1977, P.L.21, SEC.1.

IC 4-1-6-7
State agencies maintaining one or more systems; requirements
    
Sec. 7. (a) Any state agency maintaining one (1) or more personal information systems shall file an annual report on the existence and character of each system added or eliminated since the last report with the governor on or before December 31.
    (b) The agency shall include in such report at least the following information:
        (1) The name or descriptive title of the personal information system and its location.
        (2) The nature and purpose of the system and the statutory or administrative authority for its establishment.
        (3) The categories of individuals on whom personal information is maintained including the approximate number of all individuals on whom information is maintained and the categories of personal information generally maintained in the system including identification of those which are stored in computer accessible records and those which are maintained manually.
        (4) All confidentiality requirements, specifically:
            (A) those personal information systems or parts thereof which are maintained on a confidential basis pursuant to a statute, contractual obligation, or rule; and
            (B) those personal information systems maintained on an unrestricted basis.
        (5) In the case of subdivision (4)(A) of this subsection, the agency shall include detailed justification of the need for statutory or regulatory authority to maintain such personal information systems or parts thereof on a confidential basis and, in making such justification, the agency shall make reference to section 8 of this chapter.
        (6) The categories of sources of such personal information.
        (7) The agency's policies and practices regarding the implementation of section 2 of this chapter relating to information storage, duration of retention of information, and elimination of information from the system.
        (8) The uses made by the agency of personal information contained in the system.
        (9) The identity of agency personnel, other agencies, and persons or categories of persons to whom disclosures of personal information are made or to whom access to the system may be granted, together with the purposes therefor and the restriction, if any, on such disclosures and access, including any restrictions on redisclosure.
        (10) A listing identifying all forms used in the collection of personal information.
        (11) The name, title, business address, and telephone number of the person immediately responsible for bringing and keeping the system in compliance with the provisions of this chapter.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.3; P.L.19-1983, SEC.2.

IC 4-1-6-8
Policy of access; restricted access as condition for receipt of donated materials
    
Sec. 8. (a) All state agencies subject to the provisions of this chapter shall adhere to the policy that all persons are entitled to access to information regarding the affairs of government and the official acts of those who represent them as public servants, such access being required to enable the people to freely and fully discuss all matters necessary for the making of political judgments. To that end, the provisions of this chapter shall be construed to provide access to public records to the extent consistent with the due protection of individual privacy.
    (b) Where such assurance is needed to obtain valuable considerations or gifts (which may include information) for the state, any agency, with the prior written approval of the oversight committee on public records, may allow restrictions upon public access to be imposed upon it as a specific condition of a contract, with a time limit not to exceed fifty (50) years or the lifetime of the individual, whichever is less. In order to promote the preservation of historical, cultural, natural, and other irreplaceable resources, the department of natural resources or the Indiana state library may extend, beyond the lifetime of the individual, restrictions upon disclosure of information received, providing that such restrictions do not exceed fifty (50) years from the date of the donation in the case of the Indiana state library.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.4; Acts 1979, P.L.40, SEC.4; P.L.19-1983, SEC.3.

IC 4-1-6-8.5
Consistent handling of information among and between agencies; principles and procedures
    
Sec. 8.5. In order to establish consistent handling of the same or similar personal information within and among agencies, each state agency collecting, maintaining, or transmitting such information shall apply the following principles and procedures:
        (1) Information collected after December 31, 1978, which is classified as confidential must be clearly and uniformly designated as confidential in any form or other document in which it appears.
        (2) When an agency which holds information classified as confidential disseminates that information to another agency, the receiving agency shall treat it in the same manner as the originating agency.
As added by Acts 1978, P.L.10, SEC.5. Amended by P.L.19-1983, SEC.4.

IC 4-1-6-8.6
Requests for access to confidential records; improper disclosure; actions
    
Sec. 8.6. (a) In cases where access to confidential records containing personal information is desired for research purposes, the agency shall grant access if:
        (1) the requestor states in writing to the agency the purpose, including any intent to publish findings, the nature of the data sought, what personal information will be required, and what safeguards will be taken to protect the identity of the data subjects;
        (2) the proposed safeguards are adequate to prevent the identity of an individual data subject from being known;
        (3) the researcher executes an agreement on a form, approved by the oversight committee on public records, with the agency, which incorporates such safeguards for protection of individual data subjects, defines the scope of the research project, and informs the researcher that failure to abide by conditions of the approved agreement constitutes a breach of contract and could result in civil litigation by the data subject or subjects;
        (4) the researcher agrees to pay all direct or indirect costs of the research; and
        (5) the agency maintains a copy of the agreement or contract for a period equivalent to the life of the record.
    (b) Improper disclosure of confidential information by a state employee is cause for action to dismiss the employee.
As added by Acts 1978, P.L.10, SEC.6. Amended by Acts 1979, P.L.40, SEC.5; P.L.19-1983, SEC.5.

IC 4-1-6-9
Annual report to general assembly; specific statutory authorization for confidentiality; recommendations
    
Sec. 9. (a) Under the authority of the governor, a report shall be prepared, on or before December 1 annually, advising the general assembly of the personal information systems, or parts thereof, of agencies subject to this chapter, which are recommended to be maintained on a confidential basis by specific statutory authorization because their disclosure would constitute an invasion of personal privacy and there is no compelling, demonstrable and overriding public interest in disclosure. Such recommendations may include, but not be limited to, specific personal information systems or parts thereof which can be categorized as follows:
        (1) Personal information maintained with respect to students and clients, patients or other individuals receiving social, medical, vocational, supervisory or custodial care or services directly or indirectly from public bodies.
        (2) Personal information, excepting salary information, maintained with respect to employees, appointees or elected officials of any public body or applicants for such positions.
        (3) Information required of any taxpayer in connection with the assessment or collection of any income tax.
        (4) Information revealing the identity of persons who file complaints with administrative, investigative, law enforcement or penology agencies.
    (b) In addition, such report may list records or categories of records, which are recommended to be exempted from public disclosure by specific statutory authorization for reasons other than that their disclosure would constitute an unwarranted invasion of personal privacy, along with justification therefor.
    (c) A report described in this section must be in an electronic format under IC 5-14-6.
As added by Acts 1977, P.L.21, SEC.1. Amended by P.L.28-2004, SEC.13.