Minnesota Government Data Practices Act, An Introduction

The MGDPA requires that government entities designate a responsible authority (RA). The RA is the individual responsible for the collection, use and dissemination of any set of data on individuals, government data or summary data. (Minn. Stat. § 13.02, subd. 16)

For counties, each elected county official shall be the RA for his or her office. An individual county employee shall be appointed by the county board to be the RA for any data administered outside the offices of elected officials. (Minn. R. 1205.0200, subp. 14)

If no individual has been designated, either the county coordinator or administrator will act as a county’s RA by default. If the county does not employ a coordinator or administrator, the default RA is the county auditor. (Minn. Stat. § 13.02, subd. 16)

The director of the county welfare agency is the RA for that agency. The RA for a local social services agency, human services board or community mental health center board is the chair of the board. (Minn. Stat. § 13.46, subd. 10)

For other political subdivisions, the governing body shall appoint an individual who is an employee of that political subdivision as the RA. If no individual has been designated, the chief clerical officer for filing and record keeping purposes is the political subdivision’s RA by default. (Minn. Stat. § 13.02, subd. 16; Minn. R. 1205.0200, subp. 14)

In part, the RA shall (Minn. Stat.  §13.02, subd. 16, §13.025, §13.05):

• Oversee the collection, storage and dissemination of data.
• Prepare and annually update (by Aug. 1) data access procedures for requesting parties.
• Draft and annually update (by Aug. 1) a policy reflecting the rights of data subjects and the procedures used by the government entity for access by the data subject to public or private data.
• Establish internal procedures to ensure that the entity responds to requests for government data appropriately and promptly, and that stored data is accurate, complete and current.
• Develop procedures for safeguarding data, including procedures to ensure not public data are only accessible to persons whose work assignments reasonably require access and that the access is only for appropriate purposes.
• Maintain and annually update an inventory that categorizes the private and confidential data stored on individuals by the government entity.
• Prepare summary data derived from private or confidential data on individuals.
• Ensure overall compliance with the MGDPA and companion rules.
• Conduct an annual comprehensive security assessment of any personal information maintained by the government entity.

Data Practices Compliance Official (DPCO): The Act requires a responsible authority to appoint a DPCO to respond to all public questions or concerns related to data access or practices. The RA may be designated as the DPCO. (Minn. Stat. § 13.05, subd. 13)

Designees: The MGDPA allows an RA to appoint designees to manage the day-to-day flow of data. (Minn. Stat. § 13.03, subd. 2)

The MGDPA’s provisions largely determine whether a government entity must, upon the request of certain parties, release certain types of data.

The Act establishes a presumption that government data are publicly accessible unless prohibited by law or by a temporary classification of the data. The RA must provide access to public data to any requesting party, regardless of that party’s reason for requesting the data. (Minn. Stat. § 13.01, subd. 3)

Not all government data is public. The classifications for not public data[1] vary whether the data maintained is considered data on individuals or data not on individuals. (Minn. R. 1205.0300, subp. 2)

Data on Individuals

Private is accessible to:

• The data subject
• Those to whom the data subject provides written consent for release
• Individuals within the government entity whose job responsibilities reasonably require access
• Entities and agencies authorized by law.

(Minn. Stat. §13.02, subd. 12;  §13.05, subd. 4; Minn. R. 1205.0400, subp. 2)

Confidential data is:

• Not accessible to the data subject.
• Accessible to individuals within the government entity whose job responsibilities reasonably require access.
• Accessible to entities and agencies authorized by law.

(Minn. Stat. § 13.02, subd. 3; Minn. R. 1205.0600, subp. 2)

Data Not on Individuals (e.g., a corporation)

Nonpublic is accessible to:

• The data subject.
• Individuals within the government entity whose job responsibilities reasonably require access.
• Entities and agencies authorized by law.

(Minn. Stat. § 13.02, subd. 9)

Protected Nonpublic data is:

• Not accessible to the data subject.
• Accessible to individuals within the government entity whose job responsibilities reasonably require access.
• Accessible to entities and agencies authorized by law.

(Minn. Stat. § 13.02, subd. 13)

Note the similarities in accessibility between private and nonpublic data, as well as confidential and protected nonpublic data.

Temporary Classification

Government entities can apply to the commissioner of the Minnesota Department of Administration to classify data or types of data on individuals as private or confidential, or data not on individuals as nonpublic or protected nonpublic on a temporary basis.

If granted, a temporary data classification is effective until the Minnesota Legislature has an opportunity to act. The process for requesting a temporary data classification is found in Minnesota Statutes § 13.06.

Summary Data

Summary data means data that has been extracted, manipulated or summarized from private or confidential data on individuals, and from which all data elements that could link the data to a specific individual have been removed. (Minn. Stat. § 13.02, subd. 19; Minn. R. 1205.0200, subp. 16)

Summary data includes but is not limited to statistical data, case studies, reports of incidents and research reports. Unless otherwise classified by law, summary data is classified as public.

The responsible authority shall prepare summary data from private or confidential data on individuals upon the request of any person if the request is in writing and the requesting person pays the cost of preparing the summary data. (Minn. Stat. § 13.05, subd. 7)

Intergovernmental Release of Data

An RA shall allow another RA access to data classified as not public only when the access is authorized or required by state or federal law. (Minn. Stat. § 13.05, subd. 9)

Requests for information should be made in writing and specifically identify the type of information being requested.

Request by Public

Members of the public are entitled to inspect and copy public data at reasonable times and places, upon request. A member of the public also has the right to be informed of the meaning of public data. (Minn. Stat. § 13.03, subd. 1 and 3)

The MGDPA mandates that government data be kept—regardless of classification—in such an arrangement and condition as to make them easily accessible for convenient use.

A request for public data must be responded to as soon as reasonably possible. Determining what is reasonably possible will be fact dependent. If possible, MCIT recommends responding to a request within 10 business days.

As a recommended practice, if the government entity cannot provide data within this period, the government entity should advise the requesting party of the delay and when the data will be available. The government entity should also provide any data available for release at the time.

Request by Data Subject

Individuals have the right to be informed whether they are the subject of any government personnel data and whether the data is classified as public, private or confidential. Upon further request, individuals who are the subjects of public or private data have the right to inspect and receive copies of the data and, if desired, shall be informed of the content and meaning of that data. (Minn. Stat. § 13.04, subd. 3)

A request for data by the subject of the data must be responded to immediately if possible or within 10 business days of the request. Again, as a recommended practice, if the data cannot be provided within the required period, the government entity should advise the requesting party of the delay and when the data will be available. The government entity should also provide any data available for release at the time.

Data That Contains Both Public and Not Public Data

In situations where public and not public data are commingled in one document, the question often arises as to what data may be released. When this occurs, the RA or designee must determine if the not public data can be readily redacted (deleted or hidden) from the public data.

An entire document may be withheld under the MGDPA only when public and not public data is so “inextricably intertwined” that separating the data would impose a significant financial burden and leave the remaining part of the document with little information of value. If redaction is not feasible, the document cannot be released. (Northwest Publishing Inc. v. City of Bloomington, 499 N.W. 2d 509 (Minn. App. 1993); Minn. Dept. of Admin. Advisory Op. 10-003)

Denying Access to Data

If an RA or designee determines an individual is not entitled to the requested data, the RA or designee must inform the requester of that fact and cite the applicable law classifying the data as private, confidential, nonpublic or protected nonpublic.

Upon request, the RA or designee must certify in writing that a request for data has been denied and cite the applicable law requiring denial of access to the data.

To a limited extent, government entities have an opportunity to recover costs for responding to data requests. If a person is merely requesting an inspection of data, no charge or fee is permitted. However, if copies or electronic transmittals are requested, the entity may charge a fee. (Minn. Stat. §13.03, subd. 3; §13.04, subd. 3)

Copies of Data

If the individual requesting copies of the data is the subject of the data, the government entity may only charge the “actual cost” of copies (see Chart 2). The government entity may not charge to search for and retrieve the data, to separate public and not public data, or to redact private or confidential data about others. (Minn. Stat. § 13.04, subd. 3)

If the person requesting copies of the data is anyone other than the subject of the data, the government entity may charge 25 cents per page if the request is for 100 or fewer, black and white, legal or letter size paper copies. (Minn. Stat. § 13.03, subd. 3)

In all other circumstances, the government entity may only charge the “actual costs” of searching for and retrieving data, including the cost of employee time; and for making, certifying, compiling and electronically transmitting the copies of the data or the data.

The government entity may not charge for separating public from not public data.

When calculating costs for employee time, the cost must be calculated based on the wage or salary (may include benefits) of the lowest-paid entity employee who could have completed the task. (Minn. Dept. of Admin. Advisory Opinion 04-056)

Note the difference in fees between requests for copies by the data subject and members of the public.

Developmental Costs

In certain situations, developmental costs may be assessed. This may include costs for developing electronic storage and retrieval systems. Developmental costs may only be assessed if all of the following criteria are met:

• The data is public.
• The data has commercial value.
• The data is a substantial and discrete portion of or an entire formula, pattern, compilation, program, device, method, technique, process, database or system.
• The data was developed with a significant expenditure of public funds by the government entity.

(Minn. Stat. § 13.03, subd. 3)

The difficulties in assessing developmental costs are numerous. The lack of clarity around “commercial value” is just one of the uncertainties regarding this issue.

The statute does not define the term. An argument can be made that data that has any potential to provide financial gain has commercial value. Alternatively, an opposing argument holds that data only has commercial value if the person requesting the data has a commercial use for it.

Remote Access to Data

A government entity may be allowed to charge a reasonable fee for remote access to data where either the data or the access is enhanced at the request of the person seeking access. (Minn. Stat. § 13.03, subd. 3; Minn. Dept. of Admin. Advisory Op. 06-011)

A breach of the security of the data refers to any unauthorized acquisition of data that compromises the security and classification of data.

Unauthorized acquisition occurs when a person “obtained, accessed or viewed” data without consent or a work assignment that reasonably requires access to that data and with intent to use it for a nongovernmental purpose.

It also includes those whose work assignment may require access to data but they do so for a reason not related to their work.

Notice of Data Breaches

A government entity must provide notification of a breach of the security of data. An entity must provide written notice to any individual who is the subject of the data and whose private or confidential data was or is reasonably believed to have been acquired, accessed or viewed by an unauthorized person for a nongovernmental purpose. (Minn. Stat. § 13.055, subd. 2)

This notice must also inform the individual that a report is being prepared and that the individual may request delivery of that report either through mail or email.

These notices must be sent out as soon as possible without delay, taking into account the needs of law enforcement in investigating the breach, any measures needed to determine the scope of the breach and the measures necessary to restore security to the data. (Minn. Stat. § 13.0554, subd. 2)[2]

Entities shall also notify all consumer reporting agencies as may be required by law, including if more than 1,000 individuals’ data was breached at one time.

Investigation of Data Breaches

Upon the completion of an investigation into any data breach and the final disposition of any disciplinary action, including exhaustion of all rights of appeal under any collective bargaining agreement, the RA will prepare a report on the facts and results of the investigation. (Minn. Stat. § 13.055, subd. 2)

This report shall include all of the following:

• A description of the data accessed or acquired
• The number of individuals whose data was breached
• If there was a final disposition of discipline, the name of each employee determined responsible for the breach unless the employee was performing duties under Minnesota Statutes Chapter 5B
• Final disposition of any discipline taken against the named employees

Tennessen Warning

Any time a government entity collects private or confidential data from an individual, the government entity must give a Tennessen Warning to the individual prior to collection. (Minn. Stat. § 13.04, subd. 2)

Specifically, the government entity must inform the individual of all of the following:

• The purpose and intended use of the data requested
• Whether the individual may refuse to supply or is legally required to supply the data
• Any known consequences of supplying or refusing to supply the data
• The identity of other persons or entities authorized by state or federal law to receive the data

With limited exception, private or confidential data on an individual may not be collected, stored, used or disseminated by government entities for any purposes other than those stated within the Tennessen Warning. One of these exceptions is with the informed consent of the data subject. (Minn. Stat. § 13.05, subd. 4)

Intergovernmental Access to Data

Unless a state or federal law specifically authorizes the release of the data to another government entity (and the appropriate Tennessen Warning was given or exception exists), the collecting government entity must receive the informed consent of the data subject prior to releasing the data to the other government entity. (Minn. Stat. § 13.05, subd. 9; Minn. Dept. of Admin. Advisory Op. 98-034)

Challenging Accuracy or Completeness of Data

A data subject can challenge the accuracy or completeness of public or private data by submitting a written challenge to the government entity. Within 30 days, the responsible authority (not the designee) must either:

• Correct the data and notify individuals (including those identified by the data subject) who have previously received inaccurate or incomplete data; or
• Notify the data subject that the RA has determined the existing data to be correct and that no changes will be made. The data subject’s challenge must be included any time the data at issue is disclosed.

(Minn. Stat. § 13.04, subd. 4)

The data subject has the right of appeal to the Office of Administrative Hearings. The appeal deadline is 60 days if the right of appeal is outlined in the RA’s response, and 180 days if the right is not outlined in the response. (Minn. Stat. § 13.04, subd. 4; Minn. Stat. Chap. 14)

If a government entity contracts with a private person or entity to perform any of the government entity’s functions, the private person or entity is subject to the requirements of the MGDPA. The Act requires that the contract terms make it clear that:

• All data created, collected, received, stored, used, maintained or disseminated by the private person or entity in performing the government functions is subject to the Act’s requirements; and
• The private person or entity must comply with those requirements as if it were a government entity.

(Minn. Stat. § 13.05, subd. 11)

If the contract does not include such a clause, such a clause will be inferred for all contracts entered into after July 31, 1999. A better practice is to always include a provision in the contract that articulates the contractor’s obligation to follow the requirements of the MGDPA. (WDSI, Inc. v. County of Steele, 672 NW 2d 617 (Minn. App. 2003))

Also, unless otherwise excluded by law, the Act applies to all persons or entities that enter into contracts with government entities that require the disclosure of government data on individuals to the contracting parties. The contracting party is required to maintain the government data on individuals in accordance with the MGDPA’s requirements. (Minn. Stat. § 13.05, subd. 6)

Failure to comply with the Act may result in civil damages, civil or criminal penalties, or disciplinary action.

Minnesota Statutes, Section 13.08 allows a person to sue a government entity for damages resulting from a violation of the Act, plus costs and attorney fees. (Minn. Stat. § 13.08, subd.1 and 2)

If a court determines that a willful violation occurred, the government entity also may be liable for exemplary (punitive) damages ranging from $1,000 to $15,000 for each violation. Injunctive relief may also be sought.

A person may also bring a civil lawsuit to compel compliance with the MGDPA. A successful claimant may recover costs and disbursements, including reasonable attorney fees. If the court issues an order to compel compliance, the court may impose a civil penalty of up to $1,000 against the government entity to be paid to the state general fund. (Minn. Stat. § 13.08, subd. 4)

As an alternative to a civil lawsuit, the MGDPA allows an individual to file a complaint with the Office of Administrative Hearings as an expedited method to compel compliance. A complainant who substantially prevails on the merits in this forum may be awarded reasonable attorney fees, not to exceed $5,000. (Minn. Stat. § 13.085)

The hearing officer also has the authority to impose a civil penalty against the government entity up to $300.

Additionally, any person who willfully violates the Act, including knowingly accessing not public data, can be found guilty of a misdemeanor, subject to a fine of $1,000 and/or a jail sentence of up to 90 days. (Minn. Stat. § 13.09)

Finally, the MGDPA provides that a willful violation by a public employee constitutes just cause for a government entity to impose disciplinary sanctions, including suspension without pay or termination of employment. (Minn. Stat. § 13.09)

Upon request by any government entity or individual, the Commissioner of the Minnesota Department of Administration is authorized to grant an advisory opinion on a question related to government data access and the rights of data subjects. (Minn. Stat. § 13.072, subds. 1 and 2)

The Commissioner must release each advisory opinion to the public, indicating when an advisory opinion is not intended to guide all similarly situated persons or government entities.

An advisory opinion is nonbinding on a government entity, but must be granted deference in a court proceeding involving the data at issue. Acting in conformity with an advisory opinion provides a measure of protection to government entities.