Personal information system
Sec. 2. Any state agency maintaining a personal information system shall:
(a) collect, maintain, and use only that personal information as is relevant and necessary to accomplish a statutory purpose of the agency;
(b) collect information to the greatest extent practicable from the data subject directly when the information may result in adverse determinations about an individual's rights, benefits and privileges under federal or state programs;
(c) collect no personal information concerning in any way the political or religious beliefs, affiliations and activities of an individual unless expressly authorized by law or by a rule promulgated by the oversight committee on public records pursuant to IC 4-22-2;
of documentation required for various state agencies and
departments to receive federal funding reimbursement for
programs which are being administered by the agencies and
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.2; Acts 1979, P.L.40, SEC.3.
Right of inspection by data subject or agent; document search and duplication; standard charges
Sec. 3. Unless otherwise prohibited by law, any state agency that maintains a personal information system shall, upon request and proper identification of any data subject, or his authorized agent, grant such subject or agent the right to inspect and to receive at reasonable, standard charges for document search and duplication, in a form comprehensible to such individual or agent:
(a) all personal information about the data subject, unless otherwise provided by statute, whether such information is a matter of public record or maintained on a confidential basis, except in the case of medical and psychological records, where such records shall, upon written authorization of the data subject, be given to a physician or psychologist designated by the data subject;
(b) the nature and sources of the personal information, except where the confidentiality of such sources is required by statute; and
(c) the names and addresses of any recipients, other than those with regular access authority, of personal information of a confidential nature about the data subject, and the date, nature and purpose of such disclosure.
As added by Acts 1977, P.L.21, SEC.1.
Disclosures limited to business hours; standard charges
Sec. 4. An agency shall make the disclosures to data subjects required under this chapter during regular business hours. Copies of the documents containing the personal information sought by the data subject shall be furnished to him or his representative at reasonable, standard charges for document search and duplication.
As added by Acts 1977, P.L.21, SEC.1.
Challenge of information by data subject; notice; minimum procedures
Sec. 5. If the data subject gives notice that he wishes to challenge, correct or explain information about him in the personal information system, the following minimum procedures shall be followed:
(a) the agency maintaining the information system shall investigate and record the current status of that personal information;
(b) if, after such investigation, such information is found to be incomplete, inaccurate, not pertinent, not timely or not necessary to be retained, it shall be promptly corrected or deleted;
Securing of confidential information protected
Sec. 6. The securing by any individual of any confidential information which such individuals may obtain through the exercise of any right secured under the provisions of this chapter shall not condition the granting or withholding of any right, privilege, or benefit, or be made a condition of employment.
As added by Acts 1977, P.L.21, SEC.1.
State agencies maintaining one or more systems; requirements
Sec. 7. (a) Any state agency maintaining one (1) or more personal information systems shall file an annual report on the existence and character of each system added or eliminated since the last report with the governor on or before December 31.
(b) The agency shall include in such report at least the following information:
(1) The name or descriptive title of the personal information system and its location.
(2) The nature and purpose of the system and the statutory or administrative authority for its establishment.
(3) The categories of individuals on whom personal information is maintained including the approximate number of all individuals on whom information is maintained and the categories of personal information generally maintained in the system including identification of those which are stored in computer accessible records and those which are maintained manually.
(4) All confidentiality requirements, specifically:
(A) those personal information systems or parts thereof
which are maintained on a confidential basis pursuant to a
statute, contractual obligation, or rule; and
(B) those personal information systems maintained on an unrestricted basis.
(5) In the case of subdivision (4)(A) of this subsection, the agency shall include detailed justification of the need for statutory or regulatory authority to maintain such personal information systems or parts thereof on a confidential basis and, in making such justification, the agency shall make reference to section 8 of this chapter.
(6) The categories of sources of such personal information.
(7) The agency's policies and practices regarding the implementation of section 2 of this chapter relating to information storage, duration of retention of information, and elimination of information from the system.
(8) The uses made by the agency of personal information contained in the system.
(9) The identity of agency personnel, other agencies, and persons or categories of persons to whom disclosures of personal information are made or to whom access to the system may be granted, together with the purposes therefor and the restriction, if any, on such disclosures and access, including any restrictions on redisclosure.
(10) A listing identifying all forms used in the collection of personal information.
(11) The name, title, business address, and telephone number of the person immediately responsible for bringing and keeping the system in compliance with the provisions of this chapter.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.3; P.L.19-1983, SEC.2.
Policy of access; restricted access as condition for receipt of donated materials
Sec. 8. (a) All state agencies subject to the provisions of this chapter shall adhere to the policy that all persons are entitled to access to information regarding the affairs of government and the official acts of those who represent them as public servants, such access being required to enable the people to freely and fully discuss all matters necessary for the making of political judgments. To that end, the provisions of this chapter shall be construed to provide access to public records to the extent consistent with the due protection of individual privacy.
(b) Where such assurance is needed to obtain valuable considerations or gifts (which may include information) for the state, any agency, with the prior written approval of the oversight committee on public records, may allow restrictions upon public access to be imposed upon it as a specific condition of a contract, with a time limit not to exceed fifty (50) years or the lifetime of the individual, whichever is less. In order to promote the preservation of
historical, cultural, natural, and other irreplaceable resources, the
department of natural resources or the Indiana state library may
extend, beyond the lifetime of the individual, restrictions upon
disclosure of information received, providing that such restrictions
do not exceed fifty (50) years from the date of the donation in the
case of the Indiana state library.
As added by Acts 1977, P.L.21, SEC.1. Amended by Acts 1978, P.L.10, SEC.4; Acts 1979, P.L.40, SEC.4; P.L.19-1983, SEC.3.
Consistent handling of information among and between agencies; principles and procedures
Sec. 8.5. In order to establish consistent handling of the same or similar personal information within and among agencies, each state agency collecting, maintaining, or transmitting such information shall apply the following principles and procedures:
(1) Information collected after December 31, 1978, which is classified as confidential must be clearly and uniformly designated as confidential in any form or other document in which it appears.
(2) When an agency which holds information classified as confidential disseminates that information to another agency, the receiving agency shall treat it in the same manner as the originating agency.
As added by Acts 1978, P.L.10, SEC.5. Amended by P.L.19-1983, SEC.4.
Requests for access to confidential records; improper disclosure; actions
Sec. 8.6. (a) In cases where access to confidential records containing personal information is desired for research purposes, the agency shall grant access if:
(1) the requestor states in writing to the agency the purpose, including any intent to publish findings, the nature of the data sought, what personal information will be required, and what safeguards will be taken to protect the identity of the data subjects;
(2) the proposed safeguards are adequate to prevent the identity of an individual data subject from being known;
(3) the researcher executes an agreement on a form, approved by the oversight committee on public records, with the agency, which incorporates such safeguards for protection of individual data subjects, defines the scope of the research project, and informs the researcher that failure to abide by conditions of the approved agreement constitutes a breach of contract and could result in civil litigation by the data subject or subjects;
(4) the researcher agrees to pay all direct or indirect costs of the research; and
(5) the agency maintains a copy of the agreement or contract for
a period equivalent to the life of the record.
(b) Improper disclosure of confidential information by a state employee is cause for action to dismiss the employee.
As added by Acts 1978, P.L.10, SEC.6. Amended by Acts 1979, P.L.40, SEC.5; P.L.19-1983, SEC.5.
Annual report to general assembly; specific statutory authorization for confidentiality; recommendations
Sec. 9. (a) Under the authority of the governor, a report shall be prepared, on or before December 1 annually, advising the general assembly of the personal information systems, or parts thereof, of agencies subject to this chapter, which are recommended to be maintained on a confidential basis by specific statutory authorization because their disclosure would constitute an invasion of personal privacy and there is no compelling, demonstrable and overriding public interest in disclosure. Such recommendations may include, but not be limited to, specific personal information systems or parts thereof which can be categorized as follows:
(1) Personal information maintained with respect to students and clients, patients or other individuals receiving social, medical, vocational, supervisory or custodial care or services directly or indirectly from public bodies.
(2) Personal information, excepting salary information, maintained with respect to employees, appointees or elected officials of any public body or applicants for such positions.
(3) Information required of any taxpayer in connection with the assessment or collection of any income tax.
(4) Information revealing the identity of persons who file complaints with administrative, investigative, law enforcement or penology agencies.
(b) In addition, such report may list records or categories of records, which are recommended to be exempted from public disclosure by specific statutory authorization for reasons other than that their disclosure would constitute an unwarranted invasion of personal privacy, along with justification therefor.
(c) A report described in this section must be in an electronic format under IC 5-14-6.
As added by Acts 1977, P.L.21, SEC.1. Amended by P.L.28-2004, SEC.13.