Language Translation
  Close Menu

Indiana Privacy & Data Ethics Program

Applying an Ethical Approach to Data in Government


Indiana State Government believes in enabling the efficient and ethical use of data to drive decision making, protecting and respecting the privacy of Hoosiers while catalyzing innovation. Indiana’s privacy program is unified under the State Chief Privacy Officer, or CPO, which partners with State agencies to enable innovation and the adoption of emerging technologies while maintaining privacy as a core component of these initiatives. This unified approach fosters a culture that values privacy through the awareness of individual Hoosiers and the State employees who serve them.

Our Privacy Mission

To enhance privacy and ethics as we improve the quality of life for Hoosiers with data, innovation, and collaboration.

Our Privacy Vision

To be a partner with government and civic organizations that empowers innovation, enables use of valuable open data, and maintains data privacy and stewardship at the highest level.

Fair Information Practices Act (FIPA)

FIPA is Indiana’s codification of “fair information practices” following the US Government’s “Federal Privacy Act of 1974.” It provides a host of protections to data subjects, which can be broadly described in four categories: individual rights, information controls, information lifecycle management, and privacy management. Each category includes specific components to further refine privacy obligations of state agencies.

Read FIPA

State Information Privacy Policy

The state’s privacy policy applies to executive branch agencies and seeks to operationalize the fair information practices codified in FIPA.

The privacy policy enables State agencies to comply with FIPA’s requirements more effectively and efficiently.

Read the Policy

Fair Information Practices in Agency Analytics Environments

The state’s analytics environment policy operationalizes controls governing the use of state data in agency analytics environments, ensuring that agencies meet FIPA principles and the Cloud Data Management Capabilities (CDMC) Framework, which has been adopted by the State CDO.

Read the Policy

State Agency AI Systems


The state’s AI policy formalizes a human-centric approach to AI-enabled IT systems. The policy ensures that the planning, design, development, deployment, operation, and monitoring of AI implementations is formalized as a trustworthy program focused on realizing positive outcomes for Hoosiers. The policy is implemented through the State Agency AI Standard.

Read the Standard

Read the Policy

Policies

Indiana's Management Performance Hub (MPH) seeks to improve the quality of life for Hoosiers with data, innovation, and collaboration. To this end, we partner with government and civic organizations to empower innovation and enable the use of valuable data, all while maintaining data privacy and stewardship at the highest level. A core component of this responsibility is the application of controls that enable the efficient and ethical use of data as we leverage it to deliver great government service to Hoosiers. MPH exercises its policymaking function through the OCDO. These OCDO documents should be used by Indiana state agencies as the policy 'floor,' meaning that agencies are free to institute more restrictive policies for their internal operations, so long as those restrictions do not otherwise conflict with applicable law or OCDO policy, standards, procedures, and guidance.

Read OCDO Policies

Privacy as-A-Service

Indiana created the State CPO role to unify privacy efforts in the executive branch of State government. As agencies encounter potential privacy risks, whether through a system implementation, use of cloud services, or otherwise, they can partner with the State CPO to advise on the issues that arise in these contexts.

Contact the State CPO

Privacy Impact Assessments (PIA)

The PIA is an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. (NIST CSRC.) Indiana has implemented a NIST-based PIA methodology, empowering our agencies to evaluate, score, and ultimately mitigate privacy risks.

Read the PIA Methodology

Read PIA Executive Summary

Designation of and Training for Agency Privacy Officers

In 2023, the OCDO is offering industry-recognized training and certification for APOs. Training and certification will be offered by the International Association of Privacy Professionals (IAPP), enhancing Indiana’s information privacy proficiency alongside the rapid expansion of data and AI technologies.

Review the APO Job Description Standard

Enhanced Research Environment (ERE)

The Management Performance Hub’s ERE is the approved environment for agencies to make personal information available to researchers pursuant to the State Privacy Policy. The ERE is a secure collaboration environment built on Microsoft Azure that expedites research and analysis by bringing research teams, their code, and data together for the greater good. This environment enables the use of valuable data while limiting data movement, significantly enhancing the security of State data shared with researchers. Interested in State data for your research effort?

Alternatively, agencies must conduct a third-party risk assessment of the researcher’s hosting environment. Contact us for assistance with that process!

Request Data

Enterprise Data Catalog

Following 2023’s planning, design, and development efforts, MPH will deploy an enterprise data catalog enabling the compilation of a robust list of the state’s data assets, incentivizing agencies to understand their data assets and providing for common metadata language across the executive branch.

Data Classification Standard

The Indiana Privacy Program’s Data Classifications Standard ensures the collection of several key attributes of a data source. These attributes include the following: automated decision-making; granularity; privacy impact risk; security risk; records retention designation; regulatory class; releasability; and storage location.

Data Classification Standard Document

Responsible Data Sharing

Interagency information sharing has taken place for more than 40 years in Indiana State Government. In 2017, the Indiana Open Data Act and Management Performance Hub modernized the state’s data sharing process. Agencies now collaborate through a consistent data sharing agreement, which more uniformly protects personal information across the enterprise of State government.

• Internal Data Sharing Agreement• Internal Certificate of Destruction

External data requestors leverage our data sharing agreement too. Consistent agreements more uniformly protect personal information and streamline valuable data exchanges.

• External Data Sharing Agreement - Research• External Data Sharing Agreement - Non-Research• External Certificate of Destruction

To facilitate the release of sensitive information for uses outside of Indiana State Government, the OCDO has implemented the MPH Data Review Team and OCDO Privacy Board, a HIPAA Privacy Board. The Board has formalized data suppression and obfuscation guidance for use by State agencies.

Access the Guidance Document

Privacy in Procurement

Indiana contracts with numerous third parties to fulfill and enhance the services it provides to constituents. Today, many of those services involve personal information and by extension, our obligations to protect it. To ensure we meet those obligations, the Indiana Department of Administration (IDOA) and Indiana Office of Technology (IOT) have implemented cloud service provider (CSP) boilerplate terms for use by agencies in procurements that involve personal information. These CSP terms streamline the procurement process by bringing uniformity to privacy and data protection contract terms across the enterprise of State government and further ensure that CSPs maintain personal information with the same degree of care that State agencies do.

Access the Indiana CSP Terms

Standard: HIPAA-Compliant Deidentification Methodology

Government maintains vast quantities of data that can be valuable for research initiatives, but privacy regulations can often be misapplied as a barrier to making that data available to those that can make the highest and best use of it. We have enabled use of HIPAA-subject data by researchers through the development and implementation of a HIPAA-compliant “expert determination” deidentification methodology. The methodology works within the HIPAA framework to balance the interests of data usability—the degree to which data can help to answer a research question, which is often reliant on levels of granularity—with the individual privacy interests of those data subjects.

Coming Soon

Additional Resources

Businesses: Report a Data Breach

Indiana Businesses: Submit a Breach Notification Form

Click Here

Government: Report a Data Breach

Indiana Government Agencies: Submit an Incident Reporting Form

Click Here

PII Guidebook for Businesses

Indiana Executive Council on Cybersecurity

Click Here