Introduced Version






HOUSE BILL No. 1198

_____


DIGEST OF INTRODUCED BILL



Citations Affected: IC 2-2.1-1-10.1; IC 4-22-2-28.

Synopsis: Privacy impact analysis. Requires the legislative services agency to perform an analysis of the impact that a filed bill or a proposed rule that provides for collection or release of personally identifiable information by the state or a political subdivision will have on the privacy of individuals affected by the bill or proposed rule.

Effective: July 1, 2003.





Koch




    January 8, 2003, read first time and referred to Committee on Technology, Research and Development.








First Regular Session 113th General Assembly (2003)






    A BILL FOR AN ACT to amend the Indiana Code concerning general provisions.

Be it enacted by the General Assembly of the State of Indiana:

    SECTION 1. IC 2-2.1-1-10.1 IS ADDED TO THE INDIANA CODE AS A NEW SECTION TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2003]: Sec. 10.1. (a) As used in this section, "personally identifiable information" refers to information that would allow a person with access to the information to identify a particular individual, including the individual's name, address, Social Security number, date of birth, health history, or personal financial information.
    (b) The legislative services agency shall perform a privacy impact analysis of each filed bill that authorizes or requires the collection or release of personally identifiable information by the state or a political subdivision (as defined in IC 3-5-2-38).
    (c) A privacy impact analysis described in subsection (b) must be included in the digest of the bill and consist of a statement as to whether the proposed legislation:
        (1) provides for notice to an individual that the individual's personally identifiable information will be collected, including notice regarding:
            (A) the personally identifiable information that will be collected; and
            (B) the method of collection, use, and disclosure of the personally identifiable information;
        (2) provides an individual with an opportunity to correct inaccuracies in the personally identifiable information that has been collected about the individual;
        (3) prevents personally identifiable information that is collected for one (1) purpose from being used for another purpose;
        (4) prevents the maintenance of personally identifiable information beyond the period in which the personally identifiable information is necessary;
        (5) provides for public disclosure of personally identifiable information; and
        (6) provides for security of personally identifiable information.

    SECTION 2. IC 4-22-2-28 IS AMENDED TO READ AS FOLLOWS [EFFECTIVE JULY 1, 2003]: Sec. 28. (a) The Indiana economic development council may review and comment on any proposed rule and may suggest alternatives to reduce any regulatory burden that the proposed rule imposes on businesses. The agency that intends to adopt the proposed rule shall respond in writing to the Indiana economic development council concerning the council's comments or suggested alternatives before adopting the proposed rule under section 29 of this chapter.
    (b) The agency shall also submit a proposed rule with an estimated economic impact greater than five hundred thousand dollars ($500,000) on the regulated entities to the legislative services agency after the preliminary adoption of the rule. Before the adoption of the rule, the legislative services agency shall prepare, not more than forty-five (45) days after receiving a proposed rule, a fiscal analysis concerning the effect that compliance with the proposed rule will have on the:
        (1) state; and
        (2) entities regulated by the proposed rule.
The fiscal analysis must contain an estimate of the economic impact of the proposed rule and a determination concerning the extent to which the proposed rule creates an unfunded mandate on a state agency or political subdivision. The fiscal analysis is a public document. The legislative services agency shall make the fiscal analysis available to interested parties upon request. The agency proposing the rule shall consider the fiscal analysis as part of the rulemaking process and shall provide the legislative services agency with the information necessary to prepare the fiscal analysis. The legislative services agency may also receive and consider applicable information from the regulated entities affected by the rule in preparation of the fiscal analysis.
    (c) After the preliminary adoption of a proposed rule that the agency has determined authorizes or requires the collection or release of personally identifiable information (as defined in IC 2-2.1-1-10.1(a)) by the state or a political subdivision (as defined in IC 3-5-2-38), the agency shall submit the proposed rule to the legislative services agency. Before the adoption of the rule, the legislative services agency shall prepare, not more than forty-five (45) days after receiving the proposed rule, a privacy impact analysis that consists of a statement as to whether the proposed rule:
        (1) provides for notice to an individual that the individual's personally identifiable information will be collected, including notice regarding:
            (A) the personally identifiable information that will be collected; and
            (B) the method of collection, use, and disclosure of the personally identifiable information;
        (2) provides an individual with an opportunity to correct inaccuracies in the personally identifiable information that has been collected about the individual;
        (3) prevents personally identifiable information that is collected for one (1) purpose from being used for another purpose;
        (4) prevents the maintenance of personally identifiable information beyond the period in which the personally identifiable information is necessary;
        (5) provides for public disclosure of personally identifiable information; and
        (6) provides for security of personally identifiable information.
The privacy impact analysis is a public document. The legislative services agency shall make the privacy impact analysis available to interested parties upon request. The agency proposing the rule shall consider the privacy impact analysis as part of the rulemaking process and shall provide the legislative services agency with the information necessary to prepare the privacy impact analysis. The legislative services agency may also receive and consider applicable information from the regulated entities affected by the rule in preparation of the privacy impact analysis.