Indiana Privacy & Data Ethics Program

Indiana created the State CPO role to unify privacy efforts in the executive branch of State government. As agencies encounter potential privacy risks, whether through a system implementation, use of cloud services, or otherwise, they can partner with the State CPO to advise on the issues that arise in these contexts.

The PIA is an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. (NIST CSRC.) Indiana has implemented a NIST-based PIA methodology, empowering our agencies to evaluate, score, and ultimately mitigate privacy risks.

Read the PIA Methodology

In 2023, the OCDO is offering industry-recognized training and certification for APOs. Training and certification will be offered by the International Association of Privacy Professionals (IAPP), enhancing Indiana’s information privacy proficiency alongside the rapid expansion of data and AI technologies.

The Management Performance Hub’s ERE is the approved environment for agencies to make personal information available to researchers pursuant to the State Privacy Policy. The ERE is a secure collaboration environment built on Microsoft Azure that expedites research and analysis by bringing research teams, their code, and data together for the greater good. This environment enables the use of valuable data while limiting data movement, significantly enhancing the security of State data shared with researchers. Interested in State data for your research effort?

Alternatively, agencies must conduct a third-party risk assessment of the researcher’s hosting environment. Contact us for assistance with that process!

Following 2023’s planning, design, and development efforts, MPH will deploy an enterprise data catalog enabling the compilation of a robust list of the state’s data assets, incentivizing agencies to understand their data assets and providing for common metadata language across the executive branch.

Data Classification Standard

The Indiana Privacy Program’s Data Classifications Standard ensures the collection of several key attributes of a data source. These attributes include the following: automated decision-making; granularity; privacy impact risk; security risk; records retention designation; regulatory class; releasability; and storage location.

Interagency information sharing has taken place for more than 40 years in Indiana State Government. In 2017, the Indiana Open Data Act and Management Performance Hub modernized the state’s data sharing process. Agencies now collaborate through a consistent data sharing agreement, which more uniformly protects personal information across the enterprise of State government.

• Internal Data Sharing Agreement• Internal Certificate of Destruction

External data requestors leverage our data sharing agreement too. To facilitate the release of sensitive information for research use, the OCDO has implemented the MPH Data Review Team and OCDO Privacy Board, a HIPAA Privacy Board. The Board has formalized data suppression and obfuscation guidance for use by State agencies.

• External Data Sharing Agreement• External Certificate of Destruction

Indiana contracts with numerous third parties to fulfill and enhance the services it provides to constituents. Today, many of those services involve personal information and by extension, our obligations to protect it. To ensure we meet those obligations, the Indiana Department of Administration (IDOA) and Indiana Office of Technology (IOT) have implemented cloud service provider (CSP) boilerplate terms for use by agencies in procurements that involve personal information. These CSP terms streamline the procurement process by bringing uniformity to privacy and data protection contract terms across the enterprise of State government and further ensure that CSPs maintain personal information with the same degree of care that State agencies do.

Government maintains vast quantities of data that can be valuable for research initiatives, but privacy regulations can often be misapplied as a barrier to making that data available to those that can make the highest and best use of it. We have enabled use of HIPAA-subject data by researchers through the development and implementation of a HIPAA-compliant “expert determination” deidentification methodology. The methodology works within the HIPAA framework to balance the interests of data usability—the degree to which data can help to answer a research question, which is often reliant on levels of granularity—with the individual privacy interests of those data subjects.

Indiana Businesses: Submit a Breach Notification Form

Indiana Government Agencies: Submit an Incident Reporting Form

Indiana Executive Council on Cybersecurity