HF 3258

Subd. 5.

Log of use required.

(a) A law enforcement agency that installs or uses an
automated license plate reader must maintain a public log of its use, including but not limited
to:

(1) specific times of day that the reader actively collected data;

(2) the aggregate number of vehicles or license plates on which data are collected for
each period of active use and a list of all state and federal databases with which the data
were compared, unless the existence of the database itself is not public;

(3) for each period of active use, the number of vehicles or license plates deleted text begin in each of the
following categories where the data identify a vehicle or license plate that has been stolen,
a warrant for the arrest of the owner of the vehicle or an owner with a suspended or revoked
driver's license or similar category, or are active investigative datadeleted text end new text begin on which data are
collected:
new text end

new text begin (i) that identify a vehicle or license plate that has been stolen;
new text end

new text begin (ii) that identify a vehicle whose owner has an outstanding arrest warrant; and
new text end

new text begin (iii) that identify a vehicle whose owner has a suspended, revoked, or canceled driver's
licensenew text end ; and

(4) for a reader at a stationary or fixed location, the location at which the reader actively
collected data and is installed and used.

(b) The law enforcement agency must maintain a list of the current and previous locations,
including dates at those locations, of any fixed stationary automated license plate readers
or other surveillance devices with automated license plate reader capability used by the
agency. The agency's list must be accessible to the public, unless the agency determines
that the data are security information as provided in section 13.37, subdivision 2. A
determination that these data are security information is subject to in-camera judicial review
as provided in section 13.08, subdivision 4.

Subd. 6.

Biennial audit.

(a) deleted text begin In addition to the log required under subdivision 5, the law
enforcement agency must maintain records showing the date and time automated license
plate reader data were collected and the applicable classification of the data. The law
enforcement agency shall arrange for an independent, biennial audit of the records to
determine whether data currently in the records are classified, how the data are used, whether
they are destroyed as required under this section, and to verify compliance with subdivision
7. If the commissioner of administration believes that a law enforcement agency is not
complying with this section or other applicable law, the commissioner may order a law
enforcement agency to arrange for additional independent audits. Data in the records required
under this paragraph are classified as provided in subdivision 2.deleted text end new text begin A law enforcement agency
that installs or uses an automatic license plate reader must contract with the state auditor or
a private auditing firm to perform an independent, biennial audit of the agency's automated
license plate reader data to verify compliance with this section. For purposes of this
subdivision, the time period for conducting a biennial audit commences when an agency
begins using automated license plate reader technology. By July 1 of each odd-numbered
year, the agency must provide a report on the results of each audit to the commissioner of
administration, to the chair and ranking minority members of the legislative committees
with jurisdiction over data practices and public safety issues, and to the Legislative
Commission on Data Practices and Personal Data Privacy.
new text end

(b) The deleted text begin results of thedeleted text end audit deleted text begin aredeleted text end new text begin report required under paragraph (a) isnew text end publicdeleted text begin .deleted text end new text begin and must
include the following and assess compliance with this section:
new text end

new text begin (1) the number of automated license plate readers used by the agency, including the
brand and model of each reader, whether the reader is mobile or stationary, and contact
information for the agency's automated license plate reader vendor;
new text end

new text begin (2) all information in the log of use required by subdivision 5 for the biennial period;
and
new text end

new text begin (3) all agency policies and procedures regarding automated license plate readers and
automated license plate reader data, including policies and procedures regarding classification
of the data, role-based access and data security, data retention and destruction, and data
sharing.
new text end

new text begin (c) new text end The commissioner of administration shall review the deleted text begin results of thedeleted text end auditnew text begin reportnew text end . new text begin If,
based on the audit report, the commissioner of administration believes that a law enforcement
agency is not complying with this section or other applicable law, the commissioner may
order a law enforcement agency to arrange for additional independent audits. new text end If the
commissioner determines that there is a pattern of substantial noncompliance with this
section by the law enforcement agency, the agency must immediately suspend operation of
all automated license plate reader devices until the commissioner has authorized the agency
to reinstate their use. An order of suspension under this paragraph may be issued by the
commissioner, upon review of the deleted text begin results of thedeleted text end auditnew text begin reportnew text end , review of the applicable
provisions of this chapter, and after providing the agency a reasonable opportunity to respond
to the audit's findings.

deleted text begin (c) A report summarizing the results of each audit must be provided to the commissioner
of administration, to the chair and ranking minority members of the committees of the house
of representatives and the senate with jurisdiction over data practices and public safety
issues, and to the Legislative Commission on Data Practices and Personal Data Privacy no
later than 30 days following completion of the audit.
deleted text end

Subd. 7.

Authorization to access data.

(a) A law enforcement agency must comply
with sections 13.05, subdivision 5, and 13.055 in the operation of automated license plate
readers, and in maintaining automated license plate reader data.

(b) The responsible authority for a law enforcement agency must establish written
procedures to ensure that law enforcement personnel have access to the data only if authorized
in writing by the chief of police, sheriff, or head of the law enforcement agency, or their
designee, to obtain access to data collected by an automated license plate reader for a
legitimate, specified, and documented law enforcement purpose. new text begin The ability of authorized
individuals to enter, update, or access automated license plate reader data must be limited
through the use of role-based access that corresponds to the official duties or training level
of the individual and the statutory authorization that grants access for that purpose. new text end Consistent
with the requirements of paragraph (c), each access must be based on a reasonable suspicion
that the data are pertinent to an active criminal investigation and must include a record of
the factual basis for the access and any associated case number, complaint, or incident that
is the basis for the access.

(c) deleted text begin The ability of authorized individuals to enter, update, or access automated license
plate reader data must be limited through the use of role-based access that corresponds to
the official duties or training level of the individual and the statutory authorization that
grants access for that purpose.deleted text end All queries and responses, and all actions in which data are
entered, updated, accessed, shared, or disseminated, must be recorded in a data audit trail.
Data contained in the audit trail are public, to the extent that the data are not otherwise
classified by law.

Subd. 8.

Notification to Bureau of Criminal Apprehension.

(a) Within ten days of
deleted text begin the installation or current use ofdeleted text end new text begin acquiringnew text end an automated license plate reader or the integration
of automated license plate reader technology into another surveillance device, a law
enforcement agency must notify the Bureau of Criminal Apprehension deleted text begin of that installation
or usedeleted text end new text begin that it has acquired automated license plate reader technology. Within ten days of
beginning the use of an automated license plate reader, a law enforcement agency must
notify the Bureau of Criminal Apprehension that it has begun using automated license plate
reader technologynew text end and of any fixed location of a stationary automated license plate reader.

(b) The Bureau of Criminal Apprehension must maintain a list of law enforcement
agencies using automated license plate readers or other surveillance devices with automated
license plate reader capability, including new text begin the dates that the agency acquired and first began
using the technology and the new text end locations of any fixed stationary automated license plate readers
or other devices. Except to the extent that the law enforcement agency determines that the
location of a specific reader or other device is security information, as defined in section
13.37, this list is accessible to the public and must be available on the bureau's Web site. A
determination that the location of a reader or other device is security information is subject
to in-camera judicial review, as provided in section 13.08, subdivision 4.

Subd. 7.

Authorization to access data.

(a) A law enforcement agency must comply
with sections 13.05, subdivision 5, and 13.055 in the operation of portable recording systems
and in maintaining portable recording system data.

(b) The responsible authority for a law enforcement agency must establish written
procedures to ensure that law enforcement personnel have access to the portable recording
system data that are not public only if authorized in writing by the chief of police, sheriff,
or head of the law enforcement agency, or their designee, to obtain access to the data for a
legitimate, specified law enforcement purpose.new text begin The ability of authorized individuals to enter,
redact, or access portable recording system data must be limited through the use of role-based
access that corresponds to the official duties or training level of the individual and the
statutory authorization that grants access for that purpose. Consistent with the requirements
of paragraph (c), each access must include a record of the factual basis for the access and
any associated case number, complaint, or incident that is the basis for the access.
new text end

new text begin (c) All actions in which data are entered, updated, accessed, shared, or disseminated,
must be recorded in a data audit trail. Data contained in the audit trail are public to the extent
that the data are not otherwise classified by law.
new text end

Subd. 9.

Biennial audit.

(a) deleted text begin A law enforcement agency must maintain records showing
the date and time portable recording system data were collected and the applicable
classification of the data. The law enforcement agency shall arrange for an independent,
biennial audit of the data to determine whether data are appropriately classified according
to this section, how the data are used, and whether the data are destroyed as required under
this section, and to verify compliance with subdivisions 7 and 8. If the governing body with
jurisdiction over the budget of the agency determines that the agency is not complying with
this section or other applicable law, the governing body may order additional independent
audits. Data in the records required under this paragraph are classified as provided in
subdivision 2.deleted text end new text begin A law enforcement agency that uses a portable recording system must contract
with the state auditor or a private auditing firm to perform an independent, biennial audit
of the agency's portable recording system data to verify compliance with this section. By
July 1 of each odd-numbered year, the agency must provide a report on the results of each
audit to the commissioner of administration, to the chair and ranking minority members of
the legislative committees with jurisdiction over data practices and public safety issues, and
to the Legislative Commission on Data Practices and Personal Data Privacy.
new text end

(b) The deleted text begin results of thedeleted text end audit deleted text begin aredeleted text end new text begin report required under paragraph (a) isnew text end publicdeleted text begin , except for
data that are otherwise classified under law.deleted text end new text begin and must include the following and assess
compliance with this section:
new text end

new text begin (1) all information required by subdivision 5 for the biennial period; and
new text end

new text begin (2) all agency policies and procedures regarding portable recording systems and portable
recording system data including policies and procedures regarding classification of the data,
role-based access and data security, data retention and destruction, and data sharing.
new text end

new text begin (c)new text end The governing body with jurisdiction over the budget of the law enforcement agency
shall review the deleted text begin results of thedeleted text end auditnew text begin reportnew text end . If the governing body determines that there is a
pattern of substantial noncompliance with this section, the governing body must order that
operation of all portable recording systems be suspended until the governing body has
authorized the agency to reinstate their use. An order of suspension under this paragraph
may only be made following review of the deleted text begin results of thedeleted text end audit new text begin report new text end and review of the
applicable provisions of this chapter, and after providing the agency and members of the
public a reasonable opportunity to respond to the audit's findings in a public meeting.

deleted text begin (c) A report summarizing the results of each audit must be provided to the governing
body with jurisdiction over the budget of the law enforcement agency and to the Legislative
Commission on Data Practices and Personal Data Privacy no later than 60 days following
completion of the audit.
deleted text end