Privacy Impact Assessments - Indianapolis City Projects

Technology and Data Indiana 3 Minutes Read · published February 06, 2026 Flag of Indiana

In Indianapolis, Indiana, city departments evaluate privacy risks for projects that handle personal data to protect residents and comply with municipal policies and legal obligations. Privacy impact assessments (PIAs) are typically prepared by the project lead with technical input from information technology or data teams and legal review by the city attorney or Office of Corporation Counsel. For city policy and guidance, see the city privacy statement and administrative guidance.[1] Many procedural and legal obligations derive from the municipal code and administrative rules rather than a single published PIA form.[2]

Start PIA planning early in project design to reduce rework.

What a Privacy Impact Assessment covers

A PIA documents the data lifecycle for a city project and assesses necessity, minimization, lawful basis, retention, access controls, sharing, and disclosure risks. It should identify technical safeguards, roles with access, and whether state or federal rules apply.

Who is responsible

  • Project lead or program manager — initiates and compiles the PIA.
  • Department IT or Chief Information Office staff — provide technical review and risk mitigation recommendations.
  • Office of Corporation Counsel — provides legal review and advice on compliance and disclosures.[3]
  • Data or privacy officers where assigned — maintain records and oversee PIA publication and follow-up.

Penalties & Enforcement

Enforcement for privacy or data-handling violations involving municipal systems may be undertaken by the department that operates the system in coordination with the Office of Corporation Counsel; specific monetary fines or administrative penalty schedules for PIAs are not specified on the cited municipal pages.[2]

If you suspect improper data use, report it promptly to the department and Office of Corporation Counsel.
  • Monetary fines: not specified on the cited page.
  • Escalation: first, corrective directions; repeat or continuing violations may lead to administrative or legal action as handled by the city attorney — specific ranges are not specified on the cited page.
  • Non-monetary sanctions: orders to cease data processing, corrective action plans, contract suspension, or referral to courts.
  • Enforcer: department owning the project and the Office of Corporation Counsel; complaints and legal referrals are handled through official city channels.[3]
  • Inspection and complaint pathways: submit concerns to the responsible department and the Office of Corporation Counsel or use city reporting services.
  • Appeals/review: mechanisms and time limits for administrative review are not specified on the cited municipal pages and are handled according to city administrative practice and applicable ordinance; consult the Office of Corporation Counsel for deadlines and process.[2]

Applications & Forms

No single standardized PIA form is published on the cited city pages; departments commonly use internal templates or IT intake forms. For specific project intake forms, contact the department IT team or Office of Corporation Counsel for guidance.[1]

Practical steps to manage PIAs

  • Plan PIA at project conception to identify privacy needs early.
  • Document data categories, sources, retention, access, third-party sharing, and legal basis.
  • Implement technical safeguards: encryption, access controls, and logging.
  • Obtain legal review from the Office of Corporation Counsel before launch.[3]
Document decisions and training so audits show the city followed a reasonable process.

FAQ

Who conducts a privacy impact assessment for city projects?
The project lead compiles the PIA with technical input from department IT and legal review from the Office of Corporation Counsel.
How do I request a PIA for a new city system?
Contact your department IT intake or the Office of Corporation Counsel to begin intake and review; departments may require internal intake forms.
What if I find a privacy violation?
Report the issue to the responsible department and the Office of Corporation Counsel; follow departmental complaint procedures for records requests or data concerns.

How-To

  1. Identify a project that collects or processes personal data and notify your department IT lead.
  2. Gather documentation: data types, data flows, retention schedules, and third-party access.
  3. Perform risk assessment and list technical and organizational safeguards.
  4. Request legal review from the Office of Corporation Counsel and make required changes.
  5. Record decisions and publish any required redacted summary or disclosures according to department practice.
Keep a single project file with PIA records, decisions, and training evidence.

Key Takeaways

  • Start PIAs early to reduce privacy risk and rework.
  • Engage IT and the Office of Corporation Counsel for technical and legal review.
  • Document decisions and maintain a PIA record for audits and accountability.

Help and Support / Resources

  1. [1] City of Indianapolis privacy statement and guidance
  2. [2] Indianapolis Code of Ordinances (municipal code)
  3. [3] Office of Corporation Counsel - City of Indianapolis

Categories

General Governance and Administration Public Safety Public Health and Welfare Land Use and Zoning Housing and Building Standards Transportation Environmental Protection Parks and Public Spaces Business and Consumer Protection Taxation and Finance Labor and Employment Education Civil Rights and Equity Elections and Campaign Finance Events and Special Uses Signs and Advertising Utilities and Infrastructure Technology and Data