Can I ignore my obligations as a service provider with access to personal information in Indiana? What are the requirements?

Based on the context documents provided, as a service provider with access to personal information in Indiana, you cannot ignore your obligations. Indiana law requires that state agencies and data base owners maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the agency or data base owner ^[2.1][3.1].

Requirements for Service Providers and Joint Marketing

According to ^[1.1], the opt-out requirements in sections 6 and 9 of the rule do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with section 3 of the rule and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in section 13 or 14 of the rule in the ordinary course of business to carry out those purposes.

Exceptions to Notice and Opt-Out Requirements

^[1.2] provides other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information. The requirements for initial notice to consumers, the opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information with the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction. Additionally, there are several other situations in which the requirements do not apply, such as to protect the confidentiality or security of a licensee’s records pertaining to the consumer, to protect against or prevent actual or potential fraud or unauthorized transactions, or to comply with federal, state, or local laws, rules, and other applicable legal requirements.

Exceptions for Processing and Servicing Transactions

^[1.3] provides exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions. The requirements for initial notice, the opt-out, and service providers and joint marketing do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with servicing or processing an insurance product or service that a consumer requests or authorizes.

In summary, as a service provider with access to personal information in Indiana, you cannot ignore your obligations. Indiana law requires that state agencies and data base owners maintain reasonable procedures to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the agency or data base owner. However, there are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information.

Source(s):

• [1.1] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing
• [2.1] Personal information system
• [1.2] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information
• [3.1] Duties of a data base owner; exceptions; health records; enforcement powers
• [1.3] Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions

Jurisdiction

Indiana

• Privacy