MN PRIMA:2014 Data Practices Presentation

Stacie Christensen, DirectorInformation Policy Analysis Division, Admin

• Information Policy Analysis Division (IPAD)Informal adviceCommissioner of Administration advisory

opinionsTraining and workshopsWebsite, info pages, listserv and newslettersLegislative assistance

Who We Are and What We Do

Overview: Government Data Practices Act

• Minnesota Statutes, Chapter 13– Applies to government entities in Minnesota– Presumes government data are public– Classifies data that are not public– Provides rights for the public and data subjects– Requires that data on individuals are accurate,

complete, current, and secure

• Minnesota Rules, Chapter 1205

Other Data Practices Related Laws

• The Official Records Act (Minn. Stat. § 15.17)

• The Records Management Statute (Minn. Stat. § 138.17)

What are government data?

• Government data are “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.”

Official Records Act:Create and Maintain Data

Government Data Practices Act:Administer Data

Records Management Statute:Destroy Data

Classification of Government Data

• Classification Access Examples

Public Available to anyone for any reason Government employee’s name

Private/Nonpublic

Data subject Those in the entity whose

work requires access Entities authorized by law Those authorized by data

subject

Social security numbers

Confidential/Protected Nonpublic

Those in the entity whose work requires access

Entities authorized by law

**Data subject does not have access

Active investigative data

Maintaining Government Data

• No requirement to maintain data in a particular format or system of organization

However…• Data must be “easily accessible for

convenient use.”(Minn. Stat. § 13.03, subd. 1)

Penalties and Remedies

• Remedies (Minn. Stat. §13.08)– Action to compel compliance– Action for damages, costs, and attorneys fees

• Administrative remedy (Minn. Stat. §13.085)– Administrative hearing within 2 years of alleged

violation– Action to compel compliance

• Penalties (Minn. Stat. §13.09)– Willful violation or knowing unauthorized acquisition of

not public data = misdemeanor– Dismissal or suspension

• Advisory opinions (Minn. Stat. §13.072)

Liability Considerations:Data Breach Legislation

• Creation of Procedures for Not Public Data (Ch. 284, sec. 1; 13.05, subd. 5)– Requires the responsible authority to establish procedures to ensure

that only those who have a work assignment can access not public data• Data Security Breaches (Ch. 284, sec. 2; 13.055)

– Data breach requirements now apply to all government entities– Responsible authority must investigate and create a report that details

any breach of the security of not public data– Annual security assessment– Applies to all security breaches beginning August 1, 2014

• Penalties (Ch. 284, sec. 3; 13.09)– Penalty for knowing access to not public data without a work reason– Applies to unauthorized access beginning August 1, 2014

Other State Breach Notification Minnesota Other StatesType of data that require a notification if breach occurs

Private or Confidential Data on Individuals

Many states list the specific data that require a breach notification•Most include: name of individual in combination with SSN, DL number, or credit card info•CA recently included username or email with password or security question and answer

Risk of harm analysis before notification

Breach notification is required if the breach “compromises the security and classification of the data”

Most states require a risk of harm analysis in determining if notification is required•Alaska requires an investigation and a determination that there is not a reasonable likelihood of harm

Require notice to state official

State agencies must notify the OLA for any improper use of not public data

Many states require notice to the Attorney General at the same time that they provide breach notification

Require notice for access

Notification is required for both access and acquisition

Many states only require notification for acquisition

Liability Considerations: General Requirements

• Data collection– Limited to that necessary for the

administration and management of programs

• Data protection and security– Establish appropriate security safeguards• Procedures for ensuring that data that are not

public are only accessible to persons whose work assignment reasonably requires access

Liability Considerations: Specific Issues

• Issues– Credit card information– License plate reader data– Cloud Storage– Squad cams/body cams– Others?

STACIE.CHRISTENSEN@STATE.MN.US(651) 201-2500

WWW.IPAD.STATE.MN.US INFO.IPAD@STATE.MN.US(651)296-6733