Indiana Privacy & Data Ethics Program
Applying an Ethical Approach to Data in Government
Indiana State Government believes in enabling the efficient and ethical use of data to drive decision making, protecting and respecting the privacy of Hoosiers while catalyzing innovation. Indiana’s privacy program is unified under the State Chief Privacy Officer, or CPO, who partners with State agencies to enable innovation and the adoption of emerging technologies while maintaining privacy as a core component of these initiatives. This unified approach fosters a culture that values privacy through the awareness of individual Hoosiers and the State employees who serve them.
Our Privacy Mission
To enhance privacy and ethics as we improve the quality of life for Hoosiers with data, innovation, and collaboration.
Our Privacy Vision
To be a partner with government and civic organizations that empowers innovation, enables use of valuable open data, and maintains data privacy and stewardship at the highest level.
Governance
Fair Information Practices Act (FIPA)
FIPA is Indiana’s codification of “fair information practices” following the US Government’s “Federal Privacy Act of 1974.” It provides a host of protections to data subjects, which can be broadly described in four categories: individual rights, information controls, information lifecycle management, and privacy management. Each category includes specific components to further refine privacy obligations of state agencies.
State Information Privacy Policy
The state’s privacy policy applies to executive branch agencies and seeks to operationalize the fair information practices codified in FIPA.
The privacy policy enables State agencies to comply with FIPA’s requirements more effectively and efficiently.
Fair Information Practices in Agency Analytics Environments
The state’s analytics environment policy operationalizes controls governing the use of state data in agency analytics environments, ensuring that agencies meet FIPA principles and the Cloud Data Management Capabilities (CDMC) Framework, which has been adopted by the State CDO.
State Agency AI Systems
The state’s AI policy formalizes a human-centric approach to AI-enabled IT systems. The policy ensures that the planning, design, development, deployment, operation, and monitoring of AI implementations is formalized as a trustworthy program focused on realizing positive outcomes for Hoosiers. The policy is implemented through the State Agency AI Standard.
Read the Standard
Policies
Indiana's Management Performance Hub (MPH) seeks to improve the quality of life for Hoosiers with data, innovation, and collaboration. To this end, we partner with government and civic organizations to empower innovation and enable the use of valuable data, all while maintaining data privacy and stewardship at the highest level. A core component of this responsibility is the application of controls that enable the efficient and ethical use of data as we leverage it to deliver great government service to Hoosiers. MPH exercises its policymaking function through the OCDO. These OCDO documents should be used by Indiana state agencies as the policy 'floor,' meaning that agencies are free to institute more restrictive policies for their internal operations, so long as those restrictions do not otherwise conflict with applicable law or OCDO policy, standards, procedures, and guidance.
Resources
Privacy-as-a-Service
Indiana created the State CPO role to unify privacy efforts in the executive branch of State government. As agencies encounter potential privacy risks, whether through a system implementation, use of cloud services, or otherwise, they can partner with the State CPO to advise on the issues that arise in these contexts.
Privacy Impact Assessments (PIA)
The PIA is an analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy. (NIST CSRC.) Indiana has implemented a NIST-based PIA methodology, empowering our agencies to evaluate, score, and ultimately mitigate privacy risks.
Read the PIA Methodology
Designation of and Training for Agency Privacy Officers
In 2023, the OCDO is offering industry-recognized training and certification for APOs. Training and certification will be offered by the International Association of Privacy Professionals (IAPP), enhancing Indiana’s information privacy proficiency alongside the rapid expansion of data and AI technologies.
Enhanced Research Environment (ERE)
The Management Performance Hub’s ERE is the approved environment for agencies to make personal information available to researchers pursuant to the State Privacy Policy. The ERE is a secure collaboration environment built on Microsoft Azure that expedites research and analysis by bringing research teams, their code, and data together for the greater good. This environment enables the use of valuable data while limiting data movement, significantly enhancing the security of State data shared with researchers. Interested in State data for your research effort?
Alternatively, agencies must conduct a third-party risk assessment of the researcher’s hosting environment. Contact us for assistance with that process!
Enterprise Data Catalog
Following 2023’s planning, design, and development efforts, MPH will deploy an enterprise data catalog enabling the compilation of a robust list of the state’s data assets, incentivizing agencies to understand their data assets and providing for common metadata language across the executive branch.
Data Classification Standard
The Indiana Privacy Program’s Data Classifications Standard ensures the collection of several key attributes of a data source. These attributes include the following: automated decision-making; granularity; privacy impact risk; security risk; records retention designation; regulatory class; releasability; and storage location.
Responsible Data Sharing
Interagency information sharing has taken place for more than 40 years in Indiana State Government. In 2017, the Indiana Open Data Act and Management Performance Hub modernized the state’s data sharing process. Agencies now collaborate through a consistent data sharing agreement, which more uniformly protects personal information across the enterprise of State government.
• Internal Data Sharing Agreement
• Internal Certificate of Destruction
External data requestors leverage our data sharing agreement too. Consistent agreements more uniformly protect personal information and streamline valuable data exchanges.
• External Data Sharing Agreement - Research
• External Data Sharing Agreement - Non-Research
• External Certificate of Destruction
To facilitate the release of sensitive information for uses outside of Indiana State Government, the OCDO has implemented the MPH Data Review Team and OCDO Privacy Board, a HIPAA Privacy Board. The Board has formalized data suppression and obfuscation guidance for use by State agencies.
Privacy in Procurement
Indiana contracts with numerous third parties to fulfill and enhance the services it provides to constituents. Today, many of those services involve personal information and by extension, our obligations to protect it. To ensure we meet those obligations, the Indiana Department of Administration (IDOA) and Indiana Office of Technology (IOT) have implemented cloud service provider (CSP) boilerplate terms for use by agencies in procurements that involve personal information. These CSP terms streamline the procurement process by bringing uniformity to privacy and data protection contract terms across the enterprise of State government and further ensure that CSPs maintain personal information with the same degree of care that State agencies do.
Standard: HIPAA-Compliant Deidentification Methodology
Government maintains vast quantities of data that can be valuable for research initiatives, but privacy regulations can often be misapplied as a barrier to making that data available to those that can make the highest and best use of it. We have enabled use of HIPAA-subject data by researchers through the development and implementation of a HIPAA-compliant “expert determination” deidentification methodology. The methodology works within the HIPAA framework to balance the interests of data usability—the degree to which data can help to answer a research question, which is often reliant on levels of granularity—with the individual privacy interests of those data subjects.
Additional Resources
Businesses: Report a Data Breach
Indiana Businesses: Submit a Breach Notification Form
Government: Report a Data Breach
Indiana Government Agencies: Submit an Incident Reporting Form
PII Guidebook for Businesses
Indiana Executive Council on Cybersecurity