Minnesota Government Data Practices Act and Other Data Privacy Laws Pose Specific Requirements for Public Entities
The Minnesota Government Data Practices Act (MGDPA) is an evolving statute that attempts to strike a balance between the dual public policy goals of government transparency and data privacy. The Act regulates all government data collected, created, received, maintained, disseminated or stored by public government entities irrespective of the data’s physical form, storage, media or conditions of use.
Failure to comply with the Act may result in civil damages, or civil or criminal penalties.
The MGDPA establishes a presumption that government data are publicly accessible, unless access is prohibited either by law or by a temporary data classification. The Act largely determines whether a government entity must, upon request of various parties, release certain types of data.
Key Areas to Watch
The Minnesota Government Data Practices Act is complex. Areas to which members should pay particular attention are:
- Data classification: who legally has access to that data, including personnel data
- Requests for data: how they should be received, who determines whether the information can be released to the requesting party, what to do about data that includes both public and private information and how to deny access to data
- Fees that can be charged for data
- Data security breaches: when notices of a data breach must be released and to whom, and investigations of data breaches
- Government data provided to contractors for the purpose of conducting government business
Federal Driver’s Privacy Protection Act and Minnesota Statutory Protections for Driver’s License Data
The Driver’s Privacy Protection Act (DPPA) prohibits individuals from knowingly obtaining, disclosing or using personal information from a motor vehicle database for unauthorized uses. Violation of the law may result in a civil lawsuit with damages and an award of reasonable plaintiff’s attorney fees.
Protected information under the DPPA includes an individual’s photograph, Social Security number, driver identification number, name, address (not ZIP code), telephone number and medical or disability information.
The DPPA identifies 14 situations that authorize when obtaining, disclosing or using personal information is permissible. For example, law enforcement can access private information to perform police work and any government agency can legally use private data for purposes of carrying out its functions.
Additionally, Minnesota Statutes Section 171.07, Subdivision 1a restricts use of driver’s license photos to:
- The issuance and control of drivers’ licenses
- Criminal justice agencies for investigation and prosecution of crimes; service of process; enforcement of no contact orders; location of missing persons; and investigation and preparation of cases for criminal, juvenile and traffic court, and supervision of offenders
- Public defenders for the investigation and preparation of cases for criminal, juvenile and traffic court
- Child support enforcement purposes under Minnesota Statutes, Section 256.978
- County medical examiner or coroner as necessary to fulfill his or her statutory duties
Medical and Health Information Laws
Government entities receive medical data for many reasons. The reason the entity has the medical or health data determines the rules and responsibilities surrounding the information. The common laws that apply to this information are:
- Minnesota Government Data Practices Act
- Health Information Portability and Accountability Act (HIPAA)
- Americans with Disabilities Act (ADA)
- Family and Medical Leave Act (FMLA)
- Minnesota Human Rights Act
- Minnesota Health Records Act
Members are encouraged to learn the specific rules and requirements of these laws and to develop policies and procedures to ensure compliance.
Resources to Help Comply with the Laws
- Information Policy Analysis Division of The Minnesota Department of Administration: This agency is authorized to grant advisory opinions on questions related to government data access and the rights of data subjects. These opinions are posted to IPAD’s website. Although they are not binding on a government entity, the opinions are granted deference in a court proceeding involving the data at issue. The agency’s website provides other guidance materials about the MGDPA.
- MCIT Resource Library: MCIT encourages members to review the resources related to data practices, privacy and retention to gain a general understanding of the laws and learn tips for staying in compliance with them.
- MCIT Speaker Services: MCIT can provide in-person training about the Minnesota Government Data Practices Act, other privacy laws and records retention laws for members and affiliated organizations. Learn more about this service on the Speaker Services page.
- Legal Counsel: MCIT strongly recommends that members consult their legal counsel when a data practices question arises.