Presentation on theme: "MN PRIMA: 2014 Data Practices Presentation Stacie Christensen, Director Information Policy Analysis Division, Admin."— Presentation transcript:
MN PRIMA: 2014 Data Practices Presentation Stacie Christensen, Director Information Policy Analysis Division, Admin
Information Policy Analysis Division (IPAD) Informal advice Commissioner of Administration advisory opinions Training and workshops Website, info pages, listserv and newsletters Legislative assistance Who We Are and What We Do
Overview: Government Data Practices Act Minnesota Statutes, Chapter 13 – Applies to government entities in Minnesota – Presumes government data are public – Classifies data that are not public – Provides rights for the public and data subjects – Requires that data on individuals are accurate, complete, current, and secure Minnesota Rules, Chapter 1205
Other Data Practices Related Laws The Official Records Act (Minn. Stat. § 15.17) The Records Management Statute (Minn. Stat. § 138.17)
What are government data? Government data are “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.”
Official Records Act: Create and Maintain Data Government Data Practices Act: Administer Data Records Management Statute: Destroy Data
Classification of Government Data ClassificationAccessExamples Public Available to anyone for any reason Government employee’s name Private/ Nonpublic Data subject Those in the entity whose work requires access Entities authorized by law Those authorized by data subject Social security numbers Confidential/ Protected Nonpublic Those in the entity whose work requires access Entities authorized by law **Data subject does not have access Active investigative data
Maintaining Government Data No requirement to maintain data in a particular format or system of organization However… Data must be “easily accessible for convenient use.” (Minn. Stat. § 13.03, subd. 1)
Penalties and Remedies Remedies (Minn. Stat. §13.08) – Action to compel compliance – Action for damages, costs, and attorneys fees Administrative remedy (Minn. Stat. §13.085) – Administrative hearing within 2 years of alleged violation – Action to compel compliance Penalties (Minn. Stat. §13.09) – Willful violation or knowing unauthorized acquisition of not public data = misdemeanor – Dismissal or suspension Advisory opinions (Minn. Stat. §13.072)
Liability Considerations: Data Breach Legislation Creation of Procedures for Not Public Data (Ch. 284, sec. 1; 13.05, subd. 5) – Requires the responsible authority to establish procedures to ensure that only those who have a work assignment can access not public data Data Security Breaches (Ch. 284, sec. 2; 13.055) – Data breach requirements now apply to all government entities – Responsible authority must investigate and create a report that details any breach of the security of not public data – Annual security assessment – Applies to all security breaches beginning August 1, 2014 Penalties (Ch. 284, sec. 3; 13.09) – Penalty for knowing access to not public data without a work reason – Applies to unauthorized access beginning August 1, 2014
Other State Breach Notification MinnesotaOther States Type of data that require a notification if breach occurs Private or Confidential Data on Individuals Many states list the specific data that require a breach notification Most include: name of individual in combination with SSN, DL number, or credit card info CA recently included username or email with password or security question and answer Risk of harm analysis before notification Breach notification is required if the breach “compromises the security and classification of the data” Most states require a risk of harm analysis in determining if notification is required Alaska requires an investigation and a determination that there is not a reasonable likelihood of harm Require notice to state official State agencies must notify the OLA for any improper use of not public data Many states require notice to the Attorney General at the same time that they provide breach notification Require notice for access Notification is required for both access and acquisition Many states only require notification for acquisition
Liability Considerations: General Requirements Data collection – Limited to that necessary for the administration and management of programs Data protection and security – Establish appropriate security safeguards Procedures for ensuring that data that are not public are only accessible to persons whose work assignment reasonably requires access
Liability Considerations: Specific Issues Issues – Credit card information – License plate reader data – Cloud Storage – Squad cams/body cams – Others?
S TACIE.C HRISTENSEN @ STATE. MN. US (651) 201-2500 WWW. IPAD. STATE. MN. US INFO. IPAD @ STATE. MN. US (651)296-6733
Your consent to our cookies if you continue to use this website.