MN PRIMA: 2014 Data Practices Presentation Stacie Christensen, Director Information Policy Analysis...
MN PRIMA: 2014 Data Practices Presentation
Stacie Christensen, Director, Information Policy Analysis Division, Admin
Who We Are and What We Do
• Information Policy Analysis Division (IPAD)
– Informal advice
– Commissioner of Administration advisory opinions
– Training and workshops
– Website, info pages, listserv and newsletters
– Legislative assistance
Overview: Government Data Practices Act
• Minnesota Statutes, Chapter 13
– Applies to government entities in Minnesota
– Presumes government data are public
– Classifies data that are not public
– Provides rights for the public and data subjects
– Requires that data on individuals are accurate, complete, current, and secure
• Minnesota Rules, Chapter 1205
Other Data Practices Related Laws
• The Official Records Act (Minn. Stat. § 15.17)
• The Records Management Statute (Minn. Stat. § 138.17)
What are government data?
• Government data are “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.”
Official Records Act: Create and Maintain Data
Government Data Practices Act: Administer Data
Records Management Statute: Destroy Data
Classification of Government Data
• Public
– Access: Available to anyone for any reason
– Example: Government employee’s name
• Private/Nonpublic
– Access: Data subject; those in the entity whose work requires access; entities authorized by law; those authorized by data subject
– Example: Social security numbers
• Confidential/Protected Nonpublic
– Access: Those in the entity whose work requires access; entities authorized by law (**Data subject does not have access)
– Example: Active investigative data
Maintaining Government Data
• No requirement to maintain data in a particular format or system of organization
However…
• Data must be “easily accessible for convenient use.” (Minn. Stat. § 13.03, subd. 1)
Penalties and Remedies
• Remedies (Minn. Stat. § 13.08)
– Action to compel compliance
– Action for damages, costs, and attorney's fees
• Administrative remedy (Minn. Stat. § 13.085)
– Administrative hearing within 2 years of alleged violation
– Action to compel compliance
• Penalties (Minn. Stat. § 13.09)
– Willful violation or knowing unauthorized acquisition of not public data = misdemeanor
– Dismissal or suspension
• Advisory opinions (Minn. Stat. § 13.072)
Liability Considerations: Data Breach Legislation
• Creation of Procedures for Not Public Data (Ch. 284, sec. 1; 13.05, subd. 5)
– Requires the responsible authority to establish procedures to ensure that only those who have a work assignment can access not public data
• Data Security Breaches (Ch. 284, sec. 2; 13.055)
– Data breach requirements now apply to all government entities
– Responsible authority must investigate and create a report that details any breach of the security of not public data
– Annual security assessment
– Applies to all security breaches beginning August 1, 2014
• Penalties (Ch. 284, sec. 3; 13.09)
– Penalty for knowing access to not public data without a work reason
– Applies to unauthorized access beginning August 1, 2014
Other State Breach Notification
• Type of data that require a notification if breach occurs
– Minnesota: Private or Confidential Data on Individuals
– Other States: Many states list the specific data that require a breach notification. Most include: name of individual in combination with SSN, DL number, or credit card info. CA recently included username or email with password or security question and answer
• Risk of harm analysis before notification
– Minnesota: Breach notification is required if the breach “compromises the security and classification of the data”
– Other States: Most states require a risk of harm analysis in determining if notification is required. Alaska requires an investigation and a determination that there is not a reasonable likelihood of harm
• Require notice to state official
– Minnesota: State agencies must notify the OLA for any improper use of not public data
– Other States: Many states require notice to the Attorney General at the same time that they provide breach notification
• Require notice for access
– Minnesota: Notification is required for both access and acquisition
– Other States: Many states only require notification for acquisition
Liability Considerations: General Requirements
• Data collection
– Limited to that necessary for the administration and management of programs
• Data protection and security
– Establish appropriate security safeguards
  • Procedures for ensuring that data that are not public are only accessible to persons whose work assignment reasonably requires access
Liability Considerations: Specific Issues
• Issues
– Credit card information
– License plate reader data
– Cloud Storage
– Squad cams/body cams
– Others?
[email protected]
(651) 201-2500
WWW.IPAD.STATE.MN.US
[email protected]
(651) 296-6733