Focus On New Laws: Data Practices Act

Amendments to the Data Practices Act require cities to adopt new security procedures to protect not public data.
(Published Aug 11, 2014)

The 2014 Legislature made changes to state data practices law regarding access to data that is not public. The changes were made largely in response to media reports and lawsuits alleging the unauthorized access of not public data by public employees. These claims have resulted in many lawsuits and have cost state and local governments millions of dollars.

The League recommends that all cities make compliance with the new law a high priority.

State data practices law defines “not public data” as any government data classified by law as confidential, private, nonpublic, or protected nonpublic. Common examples of “not public data” include the name of a person who has signed up for a city newsletter, some law enforcement data, and certain personnel data. (See Minnesota Statutes, section 13.02, subdivision 8a.)

Governmental entities must now establish additional security measures “ensuring that data that are not public are only accessible to persons whose work assignment reasonably requires access to the data, and is only being accessed by those persons for purposes described in the procedure …” (Minnesota Statutes, section 13.05, subdivision 5). This requires government entities to create procedures to identify which employees have access to not public data and to develop a policy incorporating these procedures. The new law took effect on Aug. 1.

The Information and Policy Analysis Division (IPAD) of the Minnesota Department of Administration is the state department that administers the Minnesota Government Data Practices Act (MGDPA). In order to assist local governments with implementing the new law, IPAD has published policy guidance on its website and has posted sample policy guidance for use by government entities.

IPAD notes that one way to meet the requirements of the new law is to list employee work assignments that include access to “not public” data in an entity data inventory, and to establish a “Policy for Ensuring the Security of Not Public Data.” The policy, in conjunction with the data inventory, is designed to prevent employees from accessing not public data unless they have a legitimate work reason to do so.

An example of an inventory entry is as follows:

Data Type: Employee personnel files
Description: Record of current and prior employment history
Classification: Public and private. Minnesota Statutes, section 13. 43
Employee Access: All HR staff on an as-needed basis as part of specific work assignments

Other changes to the MGDPA

Investigation of data breaches. Local units of government are now required to follow the new data breach requirements in Minnesota Statutes, section 13.055 that previously only applied to state agencies. If a city discovers a data breach, it must disclose that breach to the subject of the data, and the person must be informed that the entity will perform an investigation of the data breach, and instructions on how the report can be accessed after completion. The report must contain, at a minimum, the following information:

  • A description of the type of data that was accessed or acquired.
  • The number of individuals whose data was improperly accessed or acquired.
  • If there has been a final disposition of disciplinary action, the name of each employee determined to be responsible for the unauthorized access or acquisition.
  • The final disposition of any disciplinary action taken against each employee in response.

In addition, if a data breach involves more than 1,000 individuals at one time, the entity must notify, without reasonable delay, all consumer reporting agencies that compile data on consumers on a nationwide basis, as defined in U.S.C. title 15, section 1681a. This section of law applies to breaches occurring on or after Aug. 1, 2014.

Annual security assessment. Government entities will also have to perform an annual security assessment of “personal information” maintained by the entity. Personal information is defined in Minnesota Statutes, section 325E.51 as a person’s name kept in combination with a social security number, driver’s license number, or account numbers with passwords or access codes. Personal information does not include “publicly available information that is lawfully made available to the general public from federal, state, or local government records.”

Additional penalties for violation of the MGDPA. The new law also makes clear that actions constituting the “knowing unauthorized access of not public data … is guilty of a misdemeanor.” The law also states that any such violation constitutes just cause for suspension without pay or dismissal of the public employee. This provision applies to crimes committed on or after Aug. 1, 2014.

If you have questions about the new law or the sample policy documents, contact the League Research Department at research@lmc.org.

Read the current issue of the Cities Bulletin

* By posting you are agreeing to the LMC Comment Policy.