This PowerPoint presentation provides in-depth data practices information and should be used as a guide to educate government entity employees who have specific data practices related duties under the Minnesota Government Data Practices Act, Chapter 13 and related laws and rules. These employees may include supervisors, managers, or directors who have the responsibility to make sure their employees are provided with the proper information about data practices as related to their jobs. (Government entities subject to Chapter 13 are defined in Minnesota Statutes, Chapter 13, section 13.02, subdivisions 7a, 11, 17, and 18.) The slides can be used as a starting point in creating a presentation and users are encouraged to modify the slides to highlight the key data practices duties as they relate to the needs of applicable government entity employees. The speaker’s notes throughout this presentation are meant to be a guide and will provide suggestions as to what can be discussed with each slide. The slides from this presentation can also be used as a handout. This PowerPoint presentation is a work-in-progress and IPAD will continue to revise it as necessary. Before using the presentation, users should download the most current version from IPAD’s website.
First bullet – discussion of the three MN laws relevant to data practices, which will be addressed in the first few slides.
Second bullet – discussion of the classification scheme in the Data Practices Act.
Third bullet – entities have specific data practices responsibilities and those responsibilities will be discussed.
Fourth bullet – the rights of members of the public and data subjects to access government data will be discussed.
Fifth bullet – the additional rights of data subjects under the Data Practices Act will be discussed.
Sixth bullet – information about making requests for government data and the responses entities must provide.
Seventh bullet – some specific provisions related to not public data in the Data Practices Act are highlighted. (This slide can be expanded upon with additional provisions that relate specifically to the work of entity employees, or not discussed if without relevance.)
Government entities rely on various data to operate their programs [discuss examples of data maintained by the entity]. In maintaining the various data government needs to operate, entities must balance: the government’s need to have and use data to do its work; the public’s right to know about the activities of their government; and individual privacy rights. The Data Practices Act provides the framework in balancing these rights and responsibilities. Additional note: Chapter 13 is the statute called the “Minnesota Government Data Practices Act” – or commonly known as the Data Practices Act. The slides will refer to the Data Practices Act or “data practices.”
These are the three laws that contain general guidance and form the basic legal framework governing Minnesota public sector systems of data practices common across all government levels. These laws impose specific duties on government entities relative to: access to government data requested by members of the public; access to government data requested by data subjects and their additional rights as data subjects; the classification of government data; and collecting, creating and maintaining, using, disseminating, and properly disposing of government data to comply with each law.
The Official Records Act, Minnesota Statutes, section 15.17, is important because it requires government entities to “make and preserve all records necessary to a full and accurate knowledge of their official activities.” This means that government entities must create and maintain official records so that the public can understand what the government is doing and why. This also means that official records must be created and maintained to be passed on to successors in office. In other words, government entity employees must be able to understand why actions were taken in the past to make decisions about future actions. As mentioned in the third bullet point on the slide – official records can be stored in any media, not just paper – including email, photographs, videotapes, CD ROMs, and DVDs. The definition of an official record depends on the mission and responsibilities of a particular government entity and how it documents its official activities. Government entities may have statutory duties to create specific records. Beyond specific statutory duties, entities also hire employees, may enter into contracts, pay vendors, etc. So official records should detail an entity’s principal as well as any administrative functions. Additional notes: It may be helpful to discuss examples of official records within specific entities. This will help employees understand what documents they have that may be official records (reports, memos, letters, etc.)
Government entities must establish or adopt a records retention schedule to dispose of government data that are official records. A records retention schedule is a plan for the management of government records and it lists the official records and how long they should be kept. When records are disposed of according to an entity’s retention schedule, it is important to document each destruction in a records destruction report and maintain the destruction reports. More information about records retention is available on the Minnesota State Archives website: www.mnhs.org/preserve/records/index.htm. An important factor in the ease and efficiency of responding to requests for government data is to regularly use and update records retention schedules. Additional notes: IPAD no longer provides records management services. For more information about general records retention schedules, government entities should check with their records manager. Another resource is MN GRIN (Minnesota Government Records and Information Network). This group meets monthly and provides a forum for the exchange of information among individuals and agencies interested in government records and information management. MN GRIN also has an email list open to anyone interested in government records. More information and instructions about subscribing to the email list are available on MN GRIN’s website: www.mnhs.org/preserve/records/mngrin.html
It is important to note when discussing the Data Practices Act that it also has administrative rules – Minnesota Rules, Chapter 1205. The Rules provide guidance in interpreting certain sections of the Data Practices Act relating to data on individuals. This slide highlights only a few important aspects of the Data Practices Act. Specific requirements in the Act will be discussed throughout the presentation. First bullet – the Data Practices Act presumes that all government data are public unless otherwise classified. (For specific language of the presumption, see Minnesota Statutes, section 13.03, subdivision 1.) Second bullet – the MN Legislature makes the policy decisions to classify certain data as not public and may amend Chapter 13 during each legislative session. There are also other state statutes and federal laws that may classify data. Third bullet – the Data Practices Act provides for rights of access to certain government data and gives additional protections to the subjects of government data. (These rights will be discussed in more detail in future slides.) Third bullet – the Data Practices Act requires government entities to “(1) establish procedures to assure that all data on individuals is accurate, complete, and current … and (2) establish appropriate security safeguards for all records containing data on individuals.” (Minnesota Statutes, section 13.05, subdivision 5). Fourth bullet – the Data Practices Act defines government data – leads into next slide for discussion
Like official records, government data can be stored in any media. In other words, government data is everything the government has, in any form (paper, email, CDs, DVDs, audiotape, videotape, photographs, etc.). Additional notes: There is a 1992 Minnesota Court of Appeals case that discusses government data (Keezer v. Spickard, 493 N.W.2d 614). In this case, the court held that mental impressions are not government data if they did not originate from some type of recorded information.
As mentioned before, the presumption in the Data Practices Act is that all government data are public unless the data are otherwise classified. The Act contains some of the not public classifications the “otherwise classified” language references. Other state statutes and federal laws also contain data classifications. Government data are classified within two categories: (1) data on individuals and (2) data not on individuals. These categories are listed in the first column of the chart. The difference between data on individuals and data not on individuals is as follows. Data on individuals are data in which any individual is, or can be identified as, the subject of the data (for example, data maintained about government employees are data on individuals). Data not on individuals are all other data a government entity may have that are not data on individuals (for example, data the Department of Transportation maintains about its snowplows, data about businesses or organizations). The second column in the chart lists the different classifications of government data in the Data Practices Act. The third column explains who has access to the data depending on the classification. The first row shows that one classification for both data on individuals and data not on individuals is public. As the chart indicates in the third column, public data are available to anyone for any reason. The second row of the chart shows that data on individuals may be classified as private and data not on individuals may be classified as nonpublic. As this second row illustrates, data classified as private or nonpublic share the same characteristic in terms of who can gain access to the data. In other words, the data are not available to the public but are available to the data subject, individuals within the entity whose work assignments require access, other entities authorized by law, and entities or individuals to whom the data subject has authorized access to the data.
The third row of the chart shows that data on individuals may be classified as confidential and data not on individuals may be classified as protected nonpublic. Data classified as confidential or protected nonpublic share the same access characteristics. These data are not available to the public or to the data subject, but are available to certain individuals within the entity and to entities authorized by law. One additional term to add when discussing data classifications is “not public” data. Not public data includes all data that are private, nonpublic, confidential, or protected nonpublic. Thus, everything in the last two rows of the chart falls under the broader category of “not public” data.
There is not a specific classification for data on human beings after a person dies; rather, “data on decedents” is a subset of the “data on individuals” classification. The classification categories are the same as data on individuals – public, private, and confidential. In creating the classifications for data on decedents, the MN Legislature recognized that there are data about human beings created during their lifetimes that are not public and should remain classified after death for a specified period of time.
Some of the government entity responsibilities in the Data Practices Act are listed on this slide. First bullet – Minnesota Rules 1205.0200, subparts 12-15, provide detailed information about identifying responsible authorities in government entities. If an entity is required to appoint a responsible authority, it is necessary to maintain adequate documentation of the appointment, which may include a delegation or resolution. The responsible authority is the person in a government entity who is ultimately responsible for collecting, maintaining, using, and disseminating government data within the entity and for all of the entity’s data practices decisions. This person is responsible for establishing the entity’s data practices policies and procedures, communicating with entity employees and citizens, and ensuring that citizens do not encounter unreasonable delays or hurdles in exercising their rights under the Data Practices Act. Responsible authorities may also appoint one or more designees to assist in meeting their obligations. Second bullet – The data practices compliance official, or DPCO, is appointed by the responsible authority. The DPCO is the entity employee who receives and responds to questions or concerns about data practices problems, including issues around gaining access to data the entity maintains. The responsible authority may also choose to serve as the entity’s DPCO. Third bullet – Entities are required to create a data inventory of records about data on individuals and update the inventory every year. (For specific language, see Minnesota Statutes, section 13.05, subdivision 1.) Fourth bullet – The Data Practices Act requires government entities to create policies to facilitate access to data for members of the public and policies to facilitate access to data for data subjects, as well as their additional rights. (For specific language, see Minnesota Statutes, section 13.03, subdivision 2, and section 13.05, subdivision 8.) 
The policies may include forms established by the entity to use when making data practices requests. Other information about what entities are encouraged to consider when developing policies will be discussed with the slides related to requests for government data.
The phrase “members of the public” and the phrase “data subject” will be used throughout the presentation to describe people who request access to government data. A data subject is a person about whom a government entity collects and maintains data. A member of the public is a person who is not a data subject. The Data Practices Act gives members of the public and data subjects the right to access certain government data while providing additional rights to data subjects. Generally, Minnesota Statutes, section 13.03, addresses issues relating to rights of members of the public while section 13.04, addresses issues relating to rights of data subjects.
The bullets on this slide cover some general elements about access to government data. First bullet – Both members of the public and data subjects have rights to access certain data under the Data Practices Act. Members of the public have the right to inspect and/or get copies of public government data within a reasonable time. Data subjects have the following rights: to find out what data a government entity has about them; to inspect and/or get copies of data (public and private) about them within 10 business days; to challenge the accuracy and completeness of data about them; and to receive specific information from the government about the collection and uses of data collected about them (known as the Tennessen warning – discussed in later slides). Second bullet – When government entities collect, create, or maintain government data, they must keep the data so that they are “easily accessible for convenient use.” (For specific language, see Minnesota Statutes, section 13.03, subdivision 1.) Third bullet – If requested data cannot be legally provided to the requesting party based on the data’s classification, the government entity must deny the request and inform the requesting party of the specific statutory section, temporary classification or federal law that denies access. (See Minnesota Statutes, section 13.03, subdivision 3(f).) Fourth bullet – Upon request, members of the public and data subjects must be informed of the meaning of data. (See Minnesota Statutes, section 13.03, subdivision 3 and section 13.04, subdivision 3.) This means that an entity must explain abbreviations, acronyms, computer coding, or other undefined terms within a document. Fifth bullet – Government entities are not required to create data if a request is for data that do not exist, or for data that the entity does not have or maintain. If the entity decides it is willing to create data to respond to a request, the parties are free to work out the details regarding cost and time of completion.
Government entities are also not required to provide access to data in an electronic format different than the format in which the data are maintained by the entity. (See Minnesota Statutes, section 13.03, subdivision 3(e).) The entity must still allow free inspection in the format that the data are maintained by the entity. For example, an entity would not be required to create an Excel spreadsheet in response to a request if the data are maintained by the entity in a Word document.
Government entities will generally have three possible responses in responding to a request for government data from a member of the public. If the entity determines by looking at all applicable statutes that there is nothing that would classify the requested data as anything but public, the entity must provide the data to the requestor. (Time frames in responding and charges for copies will be discussed in later slides.) If the entity determines that the data are classified as not public, it cannot release the data. In denying this request, the entity must provide the statutory citation, federal law, or temporary classification that the denial is based upon. (See Minnesota Statutes, section 13.03, subdivision 3(f).) It is possible that the entity does not have or maintain the requested data. If the entity does not have or maintain the requested data, it must notify the requestor of that fact. Entities should always provide some response to data requests, even if it is informing the requestor that there is no data to provide. As discussed in the previous slide, entities are not required to create data in response to a request.
Government entities will generally have three possible responses in responding to a request for government data from a data subject. If the entity has determined by looking at all applicable statutes that the data it maintains about the data subject are either public or private/nonpublic, the entity must provide the data. The entity may determine based on review of the applicable statutes that the requested data are classified as confidential/protected nonpublic, or the data are not public data about another data subject. If the entity makes this determination, it cannot release the data to the requestor. In denying this request, the entity must provide the proper citation for denial. (See Minnesota Statutes, section 13.03, subdivision 3(f).) As discussed on the previous slide, it is possible that the entity does not have or maintain the requested data. If the entity does not have or maintain the requested data, it must notify the requestor of that fact. Entities should always provide some response to data requests, even if it is informing the requestor that there is no data to provide. As discussed in the previous slide, entities are not required to create data in response to a request.
In reviewing any requests for government data, entities should consider the following questions: Is the requestor asking for data, or is the requestor asking a question? Only requests for data are governed by Chapter 13 – questions fall outside the scope of Chapter 13. For example, the question – “Why did the city decide to end the park program” – is a question that falls outside the scope of Chapter 13. However, the city would be required to respond under Chapter 13 for this request for data – “I would like all of the data documenting why the city ended the park program.” Is the request for government data? Only requests for government data are within the scope of Chapter 13. Information about “personal” data will be discussed in future slides. Is the request clear and understandable? If a request is confusing or complex, the entity should contact the requestor and seek clarification. (See Minnesota Statutes, section 13.05, subdivision 12.) Clarification should be sought as soon as reasonably possible – it would not be appropriate for the entity to wait several weeks before seeking clarification. Entities may also require that data requests be in writing, if this is stated in their policy on data requests. Was the request submitted to the right person? Data requests should be made to the “responsible authority”, unless the entity has a specific policy directing data requestors to another individual. The responsible authority is the person within the government entity that is ultimately responsible for all of the entity’s data practices issues and decisions. Who is making the request (member of the public vs. data subject)? Generally, government entities may not require an individual to identify himself/herself, state a reason for a request, or justify the request. However, if a data subject has asked for data that are private/nonpublic, an entity must require some type of identification to prevent an inappropriate disclosure of not public data. 
It is helpful for entities to have an established policy as to what can be used as proper identification. As will be discussed in later slides, the time in responding to data requests and the amount that may be charged for copies of government data will vary depending on who is requesting the data. Is the requestor asking to inspect the data or for copies? It is important to clarify this fact with the data requestor. An entity may not ever charge a data requestor to inspect government data, but the entity may charge for copies of the data. The specifics regarding copy charges will be discussed in later slides. Additional notes: Another type of request that government entities may receive is known as a “standing request.” A standing request is made when a requestor asks for data on a particular topic and specifies a desire to receive any new data on that topic that the entity may collect or create. For example, a requestor may have a standing request with a city to receive a copy of the city council minutes after each meeting. Chapter 13 does not explicitly address the issue of standing requests for access to data, but it does set forth broad obligations imposed “upon a request to a responsible authority.” (See Minnesota Statutes, section 13.03, subdivision 3, and section 13.04, subdivision 3.) Based on these obligations, the Commissioner of Administration has opined in advisory opinions that a standing request is similar to a singular request, regardless of whether it arrives, for example, in person, by mail, by fax, or by telephone, and regardless of whether a person makes a standing request or chooses to make her/his requests one at a time. When a standing request is made to a government entity, it is reasonable for the entity to limit the duration of a standing request, or require the requestor to confirm the desire to continue the request after a period of time.
The time requirements for responding to requests for government data are different depending on who is requesting the data. When a member of the public requests data, the Data Practices Act and its Rules require a government entity to respond in an “appropriate and prompt” manner and within a reasonable amount of time. A “reasonable amount of time” depends on the request. Is it a large or complex request, or is it a simple request that the entity gets all the time (such as copies of meeting minutes)? If the request is large or complex and will take a significant amount of time to complete, the entity should inform the requestor of this fact and work with the requestor in negotiating the specifics of the response. When a data subject requests data, the entity must respond immediately (if possible) or within 10 business days. In other words, the requestor must be allowed to inspect the data, or receive copies of the data, within 10 days of the data request. Important to note – even though data subjects cannot access confidential data about themselves, they do have the right to know whether confidential data are maintained by the entity. After a data subject has reviewed data about her/himself, the entity is not required to show the same data to the subject for six months unless either of the two following things has happened: The entity collects or creates more data about the subject before six months have elapsed. If more data have been collected or created during that time, the subject has the right to inspect the newly-collected or created data; or The data subject has challenged the accuracy and/or completeness of the data, or is appealing the results of such a challenge – in other words, the data are in dispute.
The different time frames in responding to data requests were discussed on the last slide. The chart on this slide compares the time to respond for either inspection of data or for copies of data to a member of the public vs. a data subject. It is important to remember the different time frames in responding to data requests depend on who is requesting the data.
Inspection – always free, does not matter who is making the request to inspect the data. An entity can never charge the requestor for just inspecting or looking at data. This is true even if the entity has to make a copy for the requestor to view the data. If a requestor wants to take notes, take pictures, or bring in a scanner to make copies of the requested data – that is permissible. In these instances, the person is still inspecting the data and the entity may not charge for this inspection. Copies – cost depends on who is requesting the data and may depend on how many and what type of copies are requested. The legislative policy behind allowing government entities to charge for copies of data is that the entity can recoup costs for providing the data. Member of the public – if a member of the public requests copies and the entity determines that the data are public, there are two different fee structures an entity must consider: If a requestor asks for 100 or fewer copies that are black & white, on legal or letter size paper, the entity may charge up to 25¢ per page (50¢ for a two-sided copy). If a requestor asks for more than 100 copies, or any other type of copy (color copies, photos, faxes, etc.), the entity may charge the “actual costs of searching for and retrieving” the data. This includes the cost of employee time and making, certifying, and electronically transmitting copies of the data, but an entity may NOT charge for separating public from not public data or charge a minimum fee. Data subject – an entity may charge the actual costs for the copies, but may NOT charge for searching for and retrieving data or separating public from not public data. In charging employee time to make the copies, it is important to remember that the entity should only charge the cost of the lowest paid employee who would be able to complete the task of making copies. An entity may request pre-payment for copies if this is within the entity’s data practices policies.
Chapter 13’s Rules in 1205.0300 and 1205.0400 provide additional guidance about reasonable fees for copies. IPAD also has two information pieces available to assist with copy costs. Charging members of the public for copies: www.ipad.state.mn.us/docs/copyfees1303.pdf. Charging data subjects for copies: www.ipad.state.mn.us/docs/copyfees1304.pdf. Additional notes: There are a number of the Commissioner of Administration’s advisory opinions that relate to copy costs. The opinions are on IPAD’s website (www.ipad.state.mn.us) under the link for “Advisory Opinions.” Relevant opinions can be located by using the full-text search option (for example, use the search: “copy costs”). Additional information about the full-text search option is available on IPAD’s website. Relevant opinions can also be located by clicking the “Opinion Index” link under Advisory Opinions and locating the “Copy Costs” section of the index.
As was discussed on the last slide, the costs that may be charged for copies of government data are different depending on who is requesting the data. This chart compares the charges for a member of the public vs. a data subject that were discussed on the last slide.
First bullet – The collection and storage of data on individuals and the use and dissemination of private and confidential data by a government entity must be necessary for the administration and management of programs specifically authorized by law (see Minnesota Statutes, section 13.05, subdivision 3). Second bullet – The information that must be given to individuals prior to the collection of private or confidential data about them is a notice commonly referred to as the “Tennessen warning” (named for the Senator who authored the legislation). It requires a government entity to provide an individual with certain information necessary to make an educated decision about releasing data about him/herself to the government. A Tennessen warning notice is only required when an entity collects private or confidential data about an individual from that individual. More information about Tennessen warnings will be provided later in the presentation. Third bullet – The right discussed in the third bullet point refers to “informed consent” – more information on this topic will be in later slides. Fourth bullet – Individuals have the right to challenge the accuracy and/or completeness of government data maintained about them by the government entity. Data could be inaccurate or incomplete because a wrong word, name, or phrase was used; because certain information is not in the record; or because certain information in the record should not be there. More information on data challenges is available on IPAD’s website at www.ipad.state.mn.us/docs/dschallenge.pdf. Fifth bullet – Keeping data on individuals secure is part of an entity’s duty to establish appropriate security safeguards for all data about individuals under Minnesota Statutes, section 13.05, subdivision 5. Minnesota Rules 1205.0400 also require an entity to establish written procedures to assure that access to private data is only provided to those authorized to see the data.
The definition of individual in Chapter 13 (section 13.02, subdivision 8) also includes a parent or guardian, or someone who is acting as a parent or guardian in the absence of a parent or guardian. This means that the parent or guardian of a minor (under age 18) can exercise the rights of his/her child under Chapter 13. In releasing private data about a minor to a parent or guardian, entities should have policies in place to verify the identity of a parent or guardian to secure the private data. Each entity is in the best position to determine what types of identification are necessary to verify an identity. An entity must presume that a parent may exercise the rights of the minor unless provided with evidence that a court order, or other legally binding instrument, specifically directs otherwise. Such court orders include those relating to divorce, separation or custody, and the termination of parental rights. Technically, either the minor or the minor’s parent can consent to the release of private data. In practice, however, a 5-year-old is likely not mature enough to give informed consent (insufficient mental capacity) and so the ability to consent remains with the parents. There is not a rule as to when a minor is old enough to consent to the release of data. Maturity is one of the factors that should be considered. Entities can have a policy setting out the age requirements for when a minor may give informed consent. If an entity does not have a policy, it should evaluate every minor on a case-by-case basis to determine whether the minor is mature enough to give informed consent and document the evaluation. A minor has the right to request that an entity withhold private data about her/him from a parent or guardian. The entity may require that the request be in writing. A written request must include the reasons for withholding the data from the parents and must be signed by the minor data subject.
Additional information about access to private data about minor data subjects is in Minnesota Rules 1205.0500. Federal law provides an exception to a minor’s right to request that access to private data be withheld from a parent or guardian. Under the Family Educational Rights and Privacy Act (FERPA), a public educational entity or institution may not deny a parent access to education records about a minor child. See 20 U.S.C. 1232g and 34 C.F.R. Part 99. The parent of a dependent student who is 18 years or older may have access to the student’s records without the student’s consent. Certain students 18 years or older may be claimed as dependents by their parents for federal income tax purposes.
There are times when government entity employees need to collect private or confidential data from individuals to do their jobs, but first a notice must be given to those individuals. As mentioned in a previous slide, this notice is called a Tennessen warning. The purpose of the notice is to give an individual enough information so that s/he can decide whether to give the requested private or confidential data to the government.
The information provided to the individual must include:
- What are the purposes and intended uses of the requested data within the collecting entity (why are the data being collected and how will the entity use the data)?
- Can the individual refuse to provide the data to the entity, or is the individual legally required to provide the requested data?
- Are there any consequences to the individual, known to the entity at the time the data are collected, for either supplying or refusing to supply the requested data?
- What other persons or entities, outside of the collecting entity, have statutorily authorized access to the requested data?
(See Minnesota Statutes, section 13.04, subdivision 2)
In making decisions about what data to collect or create, entities should keep in mind that if they collect private or confidential data about an individual from that individual and don't provide a “Tennessen warning” – the entity cannot keep or use the data. If entities do give a “Tennessen warning” notice – the collected data may be used and disseminated consistently with what the individual was told.
A Tennessen warning notice does not have to be given by law enforcement officers who are investigating a crime (see Minnesota Statutes, section 13.04, subdivision 2). The notice also does not have to be given to the data subject when a data subject voluntarily provides data not requested by the entity, the data requested from the data subject are about someone else, or the data requested from the data subject are public data about the data subject.
The law does not require that a Tennessen warning notice be given in writing. For practical and legal purposes, it is best to give the notice in writing (or in another recorded format) to document that the data subject received the notice. Although there is not a law that requires individuals to sign an acknowledgment that they received the Tennessen warning notice, many entities ask a data subject to sign and date a written notice, in which case a copy of a written notice should be given to the data subject. When information is collected over the phone, the notice should be provided orally and documented in writing.
Additional notes: The following is an example of when a Tennessen warning notice must be provided: As new employees are hired by government entities, certain data must be collected about those employees. So, employees of a government entity become data subjects because the entity now has data about them. The section of Chapter 13 relevant to data about public employees is section 13.43 – personnel data. Personnel data are data collected because an individual is or was an employee of a government entity. The personnel data section reverses the general presumption of Chapter 13 that all data are public unless otherwise classified and says all personnel data are private, unless specifically listed as public within section 13.43. Some of the data collected from new employees are private data based on section 13.43. For that reason, a Tennessen warning must be given to new employees for any private data initially collected from the employees about the employees.
A data subject can give permission, known as informed consent, for the new use or release of government data. (See Minnesota Statutes, section 13.05, subdivision 4(d).) It is important to remember that a Tennessen warning happens first – before an entity collects private or confidential data from an individual. An informed consent happens after the data have been collected. Once a Tennessen warning has been given, no further permission is necessary for the entity to use the data in the way described in the Tennessen warning.
The following are situations when an entity must have informed consent from an individual:
- An individual must give an entity additional permission – or informed consent – when the individual asks the entity to release private data to another entity or person.
- Informed consent is necessary for an entity to release private data to a new or different recipient not listed in the original Tennessen warning.
- Informed consent is required when the data subject received a Tennessen warning notice before collection of private data and the entity now wants to use or release the data in a way that is different than what was explained in the notice.
Minnesota Statutes, section 13.05, subdivision 4, prohibits an entity from using or releasing any private data if a Tennessen warning was not provided at the time of collection unless an individual has given informed consent for the new use or release.
A valid informed consent must:
- Be in writing
- Not be coerced
- Include an explanation of why the consent is necessary and any consequences of giving permission for the new purpose, use, or release
The person giving informed consent must have sufficient mental capacity to understand the consequences of the decision to give consent for the new purpose or use of the data. (See Minnesota Rules 1205.1400, subpart 3)
Minnesota Statutes, section 13.05, subdivision 5(a), requires government entities to establish appropriate security safeguards for all data on individuals. It is recommended that entities establish policies to implement these required security safeguards to protect their data.
Minnesota Statutes, section 13.05, subdivision 5(b), requires not public data to be destroyed in a way that prevents contents from being determined. Examples of proper destruction for not public data include using a cross-shredder for paper documents, using a special shredder for CDs, and properly disposing of USB flash drives by breaking or crushing the device.
IPAD often hears about situations where sensitive data, held both by government and the private sector, are stolen or disposed of improperly. To help remedy these situations, government entities are required to notify individuals if there is a breach in the security of private or confidential data maintained by the entity. In 2005, the Legislature enacted Minnesota Statutes, section 13.055, which requires state entities (not local levels of government) to notify individuals if there is a breach in security of the data. It is important for agencies to be aware of the requirements in this section and create related policies.
The following are some practical tips that can be used to protect not public data within government entities:
- Lock the screen of your computer when leaving your desk
- Turn copies of not public data documents over, or place them outside of plain view when leaving your desk
- Use locked file cabinets for not public data
- Do not leave papers with not public data on a public copier, printer, or fax machine
- Do not discuss not public data with co-workers whose work does not require knowing about the data
- Create strong passwords for your computer, do not share passwords with others, and change your passwords periodically. To create a “strong” password, use a combination of numbers, letters, and symbols in the password. (For example: XY*12abc!)
- Remove private data that you do not need to do your job from your laptop or briefcase
- If you must use not public electronic data away from the office, consult with your technology person to discuss encryption options
- Do not access not public data using a web browser on a public computer
- Do not keep your laptop in plain view in your car; take it with you. If you must keep your laptop in your car, put it in the trunk before you get to the place where you park your car.
Social Security numbers – government entities should be aware that Social Security numbers (SSNs) can only be collected if there is specific legal authority to collect them. Both MN and federal law place restrictions on the collection of SSNs.
Federal law restriction – individuals cannot be denied any right, privilege, or benefit for refusing to provide their SSN unless the disclosure of the SSN to the entity is required by federal law. Federal law also requires entities to give individuals a privacy notice when collecting SSNs.
MN restriction – entities should be collecting only those data they need to manage a specific program authorized by law (Minnesota Statutes, section 13.05, subdivision 3). Therefore, an SSN, or part of an SSN, should only be collected if necessary to manage a program authorized by law. It is important to remember that section 13.355 classifies an SSN, or part of an SSN, as private data, so a Tennessen warning must be given when an entity collects any part of an individual’s SSN from that individual.
Additional information about the collection of SSNs, including the required contents of the federal privacy notice, is available on IPAD’s website at:
www.ipad.state.mn.us/docs/ssnpart.pdf
www.ipad.state.mn.us/docs/ssncollect.pdf
Security information – classified as private or nonpublic and defined in Minnesota Statutes, section 13.37, subdivision 1(a), generally as government data that, if disclosed, likely would substantially jeopardize the security of information, possessions, individuals or property. Government entities have a certain amount of discretion in using this section to protect data, but must be reasonable in their determinations. Entities should take care not to be arbitrary in using this section to protect data. The responsible authority should make determinations as to what data are classified as security information and put those determinations in writing. Examples of data that should be protected as security information are credit card numbers or account numbers if collected by an entity for payment of something.
Trade secret data – also classified as private or nonpublic in section 13.37. The elements of trade secret data are: a collection of information; that was supplied by the affected individual or organization; that is the subject of reasonable efforts to maintain its secrecy; and that derives independent economic value from not being generally known to or readily ascertainable by other persons who can obtain economic value from its disclosure or use. It is up to a government entity to explain to a 3rd party who submits data to the government that they must include a statement specifying how the data meets each of the trade secret elements – the data are not automatically protected if claimed to be trade secret by the 3rd party. A government entity must then determine whether the data should be classified as trade secret.
There are situations where a government entity might maintain data about the entity’s employees that are outside the scope of the Data Practices Act, Chapter 13. If, for example, a government entity has a policy that allows for minimal, incidental personal use of government-owned computers, the data created during the personal use of the computer are not government data. What constitutes “personal data” depends on what the entity has authorized for personal use. These personal data are not government data because, although they were created and/or maintained on government-owned equipment, the employee did not create them in her/his capacity as a government employee and the purpose of the data is not related to the operation of government.
Government entities or responsible authorities may be sued civilly for violating any of the provisions in Chapter 13 if damage is suffered from the violation (see Minnesota Statutes, section 13.08, subdivision 1). Government entities or responsible authorities may also be enjoined by a district court (see section 13.08, subdivision 2). Any aggrieved person may also bring an action in district court to compel compliance (see section 13.08, subdivision 4). Any person who willfully – knowingly – violates Chapter 13 is guilty of a misdemeanor. Willful violations by government entity employees are just cause for suspension without pay or dismissal.
The Information Policy Analysis Division, or IPAD, of the MN Department of Administration has a number of resources available to assist with data practices issues and questions.
The Commissioner of Administration has the authority to issue data practices advisory opinions to individuals or government entities. The advisory opinions are all available on IPAD’s website and can be located using a search engine or by topical, year, or entity index. For additional information about advisory opinions, see www.ipad.state.mn.us/opinions/index.html
IPAD issues an electronic newsletter on a quarterly basis. The newsletters provide information on current data practices related issues, advisory opinion updates, updates on data practices related case law, legislative updates, and data practices training information. Links to current and past newsletters are available at www.ipad.state.mn.us/newsletters.html
IPAD’s website has a number of informational materials related to data practices. For members of the public, see www.ipad.state.mn.us/publicresources.html. For government entities, see www.ipad.state.mn.us/dpgoveducation.html.
IPAD has an email listserv available to anyone who would like to subscribe. The listserv alerts subscribers to publication of the newsletter, recent appellate court cases containing discussion of data practices issues, changes the Minnesota Legislature has made to relevant statutes, new IPAD information pieces, and other pertinent information.
IPAD has analysts available to assist with data practices related questions.
Additional notes: With this slide, the presenter should also include any information about the name of the entity’s responsible authority, DPCO, any designees, and any other internal data practices contacts. The entity’s data practices access policies and data inventory should also be mentioned.
Feel free to contact IPAD using any of the methods listed on this slide for assistance with any data practices related questions.
Possible self-assessment checklist:
- Does our government entity know what data we collect and keep?
- Does our government entity understand how the data are classified?
- Does our government entity have a “responsible authority” (RA) who is designated to ensure our procedures and practices are aligned with Chapter 13?
- Does our government entity have a “data practices compliance official” (DPCO) who can help citizens and our entity with data practices requests?
- Does our government entity have written procedures, required by Minnesota Statutes, section 13.03, subdivision 2, and section 13.05, subdivision 8, that provide data requestors with our policies in accessing government data?
- Does our government entity have a policy and/or procedure that discusses which employee or employees within our entity are responsible for handling data practices issues?
- Does our government entity have the public document required by Minnesota Statutes, section 13.05, subdivision 1, that identifies our responsible authority and describes the private and confidential data on individuals we maintain?
- Does our government entity have policies and procedures in place to:
  - Ensure that the data we collect and keep are accurate and complete?
  - Secure the data on individuals?
  - Regulate employee access to data we collect, maintain, use, and disseminate?
- Does our government entity follow the requirements in Minnesota Statutes, section 13.03, subdivision 3(c), when determining fees for providing copies of data to members of the public, and follow section 13.04, subdivision 3, for copies to data subjects?
- Does our government entity have procedures in place to notify minors of their right to have data withheld from their parents or guardians if we determine it is in the minor’s best interest to do so? (Note: this requirement in Minnesota Rules 1205.0500, subpart 3, does not apply to educational data.)