Minnesota Legislature
SF 568
1st Engrossment - 83rd Legislature (2003 - 2004) Posted on 12/15/2009 12:00am
KEY: stricken = removed, old language.
underscored = added, new language.
1.1 A bill for an act 1.2 relating to data practices; providing for the 1.3 classification of, access to, and sharing of certain 1.4 data; providing for an award of attorney fees when a 1.5 government entity does not act in compliance with a 1.6 commissioner's opinion; clarifying classification of 1.7 data relating to bids and proposals; requiring notices 1.8 regarding computer access to data; clarifying 1.9 provisions dealing with certain data on nonpublic 1.10 school students; codifying temporary classifications; 1.11 classifying data on the location of a National Night 1.12 Out event; authorizing human services and mental 1.13 health data sharing; classifying certain data received 1.14 from the federal government; classifying data received 1.15 by the state lottery for marketing purposes; allowing 1.16 the sharing of data for programs under the department 1.17 of economic security; providing for the privacy of 1.18 financial records; requiring consumer consent for the 1.19 release of certain records; amending Minnesota 1.20 Statutes 2002, sections 13.08, subdivision 4; 13.32, 1.21 by adding a subdivision; 13.37, subdivision 3; 13.46, 1.22 subdivision 7; 13.643, by adding a subdivision; 1.23 13.746, subdivision 3; 16C.06, by adding a 1.24 subdivision; 16C.10, subdivision 7; 144.335, by adding 1.25 a subdivision; 268.19, by adding a subdivision; 1.26 307.08, by adding a subdivision; 349A.08, subdivision 1.27 9; 626.556, by adding a subdivision; 626.557, 1.28 subdivision 9a; proposing coding for new law in 1.29 Minnesota Statutes, chapter 13; proposing coding for 1.30 new law as Minnesota Statutes, chapter 13E; repealing 1.31 Minnesota Statutes 2002, section 13.6401, subdivision 1.32 4; Laws 2001, First Special Session chapter 10, 1.33 article 2, section 40. 1.34 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: 1.35 ARTICLE 1 1.36 GOVERNMENT DATA 1.37 Section 1. Minnesota Statutes 2002, section 13.08, 1.38 subdivision 4, is amended to read: 1.39 Subd. 4. [ACTION TO COMPEL COMPLIANCE.] (a) In addition to 2.1 the remedies provided in subdivisions 1 to 3 or any other law, 2.2 any aggrieved person seeking to enforce the person's rights 2.3 under this chapter or obtain access to data may bring an action 2.4 in district court to compel compliance with this chapter and may 2.5 recover costs and disbursements, including reasonable attorney's 2.6 fees, as determined by the court. If the court determines that 2.7 an action brought under this subdivision is frivolous and 2.8 without merit and a basis in fact, it may award reasonable costs 2.9 and attorney fees to the responsible authority. If the court 2.10 issues an order to compel compliance under this subdivision, the 2.11 court may impose a civil penalty of up to $300 against the 2.12 government entity. This penalty is payable to the state general 2.13 fund and is in addition to damages under subdivision 1. The 2.14 matter shall be heard as soon as possible. In an action 2.15 involving a request for government data under section 13.03 or 2.16 13.04, the court may inspect in camera the government data in 2.17 dispute, but shall conduct its hearing in public and in a manner 2.18 that protects the security of data classified as not public. If 2.19 the court issues an order to compel compliance under this 2.20 subdivision, the court shall forward a copy of the order to the 2.21 commissioner of administration. 2.22 (b) In determining whether to assess a civil penalty under 2.23 this subdivision, the court shall consider whether the 2.24 government entity has substantially complied with general data 2.25 practices under this chapter, including but not limited to, 2.26 whether the government entity has: 2.27 (1) designated a responsible authority under section 13.02, 2.28 subdivision 16; 2.29 (2) designated a data practices compliance official under 2.30 section 13.05, subdivision 13; 2.31 (3) prepared the public document that names the responsible 2.32 authority and describes the records and data on individuals that 2.33 are maintained by the government entity under section 13.05, 2.34 subdivision 1; 2.35 (4) developed public access procedures under section 13.03, 2.36 subdivision 2; procedures to guarantee the rights of data 3.1 subjects under section 13.05, subdivision 8; and procedures to 3.2 ensure that data on individuals are accurate and complete and to 3.3 safeguard the data's security under section 13.05, subdivision 3.4 5; 3.5 (5) sought an oral, written, or electronic opinion from the 3.6 commissioner of administration related to the matter at issue 3.7 and acted in conformity with that opinion or acted in conformity 3.8 with an opinion issued under section 13.072 that was sought by 3.9 another person; or 3.10 (6) provided ongoing training to government entity 3.11 personnel who respond to requests under this chapter. 3.12 (c) The court shall award reasonable attorney fees to a 3.13 prevailing plaintiff who has brought an action under this 3.14 subdivision if the government entity that is the defendant in 3.15 the action was the subject of a written opinion issued under 3.16 section 13.072 and did not act in conformity with the opinion. 3.17 Sec. 2. [13.15] [COMPUTER DATA.] 3.18 Subdivision 1. [DEFINITIONS.] As used in this section, the 3.19 following terms have the meanings given. 3.20 (a) [ELECTRONIC ACCESS DATA.] "Electronic access data" 3.21 means data created, collected, or maintained about a person's 3.22 access to a government entity's computer for the purpose of: 3.23 (1) gaining access to data or information; 3.24 (2) transferring data or information; or 3.25 (3) using government services. 3.26 (b) [COOKIE.] "Cookie" means any data that a 3.27 government-operated computer electronically places on the 3.28 computer of a person who has gained access to a government 3.29 computer. 3.30 Subd. 2. [CLASSIFICATION OF DATA.] Electronic access data 3.31 are private data on individuals or nonpublic data. 3.32 Subd. 3. [NOTICE.] A government entity that creates, 3.33 collects, or maintains electronic access data or uses its 3.34 computer to install a cookie on a person's computer must inform 3.35 persons gaining access to the entity's computer of the creation, 3.36 collection, or maintenance of electronic access data or the 4.1 entity's use of cookies before requiring the person to provide 4.2 any data about the person to the government entity. As part of 4.3 that notice, the government entity must inform the person how 4.4 the data will be used and disseminated, including the uses and 4.5 disseminations in subdivision 4. 4.6 Subd. 4. [USE OF ELECTRONIC ACCESS DATA.] Electronic 4.7 access data may be disseminated: 4.8 (1) to the commissioner for the purpose of evaluating 4.9 electronic government services; 4.10 (2) to another government entity to prevent unlawful 4.11 intrusions into government electronic systems; or 4.12 (3) as otherwise provided by law. 4.13 Sec. 3. Minnesota Statutes 2002, section 13.32, is amended 4.14 by adding a subdivision to read: 4.15 Subd. 4a. [NONPUBLIC SCHOOL STUDENTS.] Data collected by a 4.16 public school on a child, or parents of a child, whose identity 4.17 must be reported pursuant to section 120A.24 is private data 4.18 which: 4.19 (1) shall not be designated directory information pursuant 4.20 to subdivision 5 unless prior written consent is given by the 4.21 child's parent or guardian; and 4.22 (2) may be disclosed only pursuant to subdivision 3, clause 4.23 (a), (b), (c), or (f). This provision does not apply to 4.24 students who receive shared-time educational services from a 4.25 public agency or institution. 4.26 Sec. 4. [13.3215] [UNIVERSITY OF MINNESOTA DATA.] 4.27 Claims experience and all related information received from 4.28 carriers and claims administrators participating in a University 4.29 of Minnesota group health, dental, life, or disability insurance 4.30 plan or the University of Minnesota workers' compensation 4.31 program, and survey information collected from employees or 4.32 students participating in these plans and programs, are 4.33 nonpublic data. The University of Minnesota may release the 4.34 data described in this section if it determines that the release 4.35 will not be detrimental to the plan or program. 4.36 Sec. 5. Minnesota Statutes 2002, section 13.37, 5.1 subdivision 3, is amended to read: 5.2 Subd. 3. [DATA DISSEMINATION.] Crime prevention block maps 5.3 and names, home addresses, and telephone numbers of volunteers 5.4 who participate in community crime prevention programs may be 5.5 disseminated to volunteers participating in crime prevention 5.6 programs. The location of a National Night Out event is public 5.7 data. 5.8 Sec. 6. Minnesota Statutes 2002, section 13.46, 5.9 subdivision 7, is amended to read: 5.10 Subd. 7. [MENTAL HEALTH CENTER DATA.] (a) Mental health 5.11 data are private data on individuals and shall not be disclosed, 5.12 except: 5.13 (1) pursuant to section 13.05, as determined by the 5.14 responsible authority for the community mental health center, 5.15 mental health division, or provider; 5.16 (2) pursuant to court order; 5.17 (3) pursuant toaparagraph (c) or another statute 5.18 specifically authorizing access to or disclosure of mental 5.19 health data; or 5.20 (4) with the consent of the client or patient. 5.21 (b) An agency of the welfare system may not require an 5.22 individual to consent to the release of mental health data as a 5.23 condition for receiving services or for reimbursing a community 5.24 mental health center, mental health division of a county, or 5.25 provider under contract to deliver mental health services. 5.26 (c) County mental health services may share mental health 5.27 data with a police department crisis intervention team to 5.28 determine whether an individual that has been apprehended is a 5.29 client of the county and if so, the individual's physician, 5.30 therapist, or case manager. 5.31 Sec. 7. [13.468] [DATA SHARING WITHIN COUNTIES.] 5.32 County welfare, human services, corrections, public health, 5.33 and veterans service units of a county may inform each other as 5.34 to whether an individual or family currently is being served by 5.35 the county unit, without the consent of the subject of the 5.36 data. Data that may be shared are limited to the following: 6.1 the name, telephone number, and last known address of the data 6.2 subject; and the identification and contact information 6.3 regarding personnel of the county unit responsible for working 6.4 with the individual or family. If further information is 6.5 necessary for the county unit to carry out its duties, each 6.6 county unit may share additional data if the unit is authorized 6.7 by state statute or federal law to do so or the individual gives 6.8 written, informed consent. 6.9 Sec. 8. Minnesota Statutes 2002, section 13.643, is 6.10 amended by adding a subdivision to read: 6.11 Subd. 5. [DATA RECEIVED FROM FEDERAL GOVERNMENT.] All data 6.12 received by the department of agriculture from the United States 6.13 Department of Health and Human Services, the Food and Drug 6.14 Administration, and the Agriculture, Food Safety, and Inspection 6.15 Service for the purpose of carrying out the department of 6.16 agriculture's statutory food safety regulatory and enforcement 6.17 duties are classified as nonpublic data under section 13.02, 6.18 subdivision 9, and private data on individuals under section 6.19 13.02, subdivision 12. 6.20 Sec. 9. Minnesota Statutes 2002, section 13.746, 6.21 subdivision 3, is amended to read: 6.22 Subd. 3. [STATE LOTTERY.] (a) [ACCESS TO CRIMINAL DATA.] 6.23 The state lottery director's access to criminal history data on 6.24 certain persons is governed by sections 349A.06, subdivision 4, 6.25 and 349A.07, subdivision 2. 6.26 (b) [LOTTERY PRIZE WINNERS.] Certain data on lottery prize 6.27 winners are classified under section 349A.08, subdivision 9. 6.28 (c) [DIRECT MARKETING.] Data on individuals given to the 6.29 lottery for direct marketing purposes are classified in section 6.30 349A.08, subdivision 9. 6.31 Sec. 10. Minnesota Statutes 2002, section 16C.06, is 6.32 amended by adding a subdivision to read: 6.33 Subd. 3a. [INFORMATION IN BIDS AND PROPOSALS.] Data 6.34 relating to bids and proposals are governed by section 13.591. 6.35 Sec. 11. Minnesota Statutes 2002, section 16C.10, 6.36 subdivision 7, is amended to read: 7.1 Subd. 7. [REVERSE AUCTION.] (a) For the purpose of this 7.2 subdivision, "reverse auction" means a purchasing process in 7.3 which vendors compete to provide goods at the lowest selling 7.4 price in an open and interactive environment. 7.5 (b) The provisions ofsectionsections 13.591, subdivision 7.6 3, and 16C.06,subdivisionssubdivision 2and 3, do not apply 7.7 when the commissioner determines that a reverse auction is the 7.8 appropriate purchasing process. 7.9 Sec. 12. Minnesota Statutes 2002, section 144.335, is 7.10 amended by adding a subdivision to read: 7.11 Subd. 3d. [RELEASE OF RECORDS TO COUNTY LOCAL WELFARE 7.12 AGENCY.] If a provider has been notified by a county local 7.13 welfare agency under section 626.556, subdivision 3d, the 7.14 provider must report to the agency the birth of a child to that 7.15 individual within 24 hours of the birth. 7.16 Sec. 13. Minnesota Statutes 2002, section 268.19, is 7.17 amended by adding a subdivision to read: 7.18 Subd. 1a. [WAGE DETAIL DATA.] (a) Wage and employment data 7.19 gathered pursuant to section 268.044 may be disseminated to and 7.20 used, without the consent of the subject of the data, by an 7.21 agency of another state that is designated as the performance 7.22 accountability and consumer information agency for that state 7.23 pursuant to Code of Federal Regulations, volume 20, part 7.24 663.510(c), in order to carry out the requirements of the 7.25 Workforce Investment Act of 1998, United States Code, title 29, 7.26 sections 2842 and 2871. 7.27 (b) The commissioner may enter into a data exchange 7.28 agreement with an employment and training service provider under 7.29 section 116L.17, or the Workforce Investment Act of 1998, United 7.30 States Code, title 29, section 2864, under which the 7.31 commissioner, with the consent of the subject of the data, may 7.32 furnish data on the quarterly wages paid and number of hours 7.33 worked on those individuals who have received employment and 7.34 training services from the provider. With the initial consent 7.35 of the subject of the data, this data may be shared for up to 7.36 three years after termination of the employment and training 8.1 services provided to the individual without execution of an 8.2 additional consent. This data shall be furnished solely for the 8.3 purpose of evaluating the employment and training services 8.4 provided. 8.5 Sec. 14. Minnesota Statutes 2002, section 307.08, is 8.6 amended by adding a subdivision to read: 8.7 Subd. 11. [BURIAL SITES DATA.] Burial sites locational and 8.8 related data maintained by the office of the state archaeologist 8.9 and accessible through the office's "Unplatted Burial Sites and 8.10 Earthworks in Minnesota" Web site are security information for 8.11 purposes of section 13.37. Persons who gain access to the data 8.12 maintained on the site are subject to liability under section 8.13 13.08 and the penalty established by section 13.09 if they 8.14 improperly use or further disseminate the data. 8.15 Sec. 15. Minnesota Statutes 2002, section 349A.08, 8.16 subdivision 9, is amended to read: 8.17 Subd. 9. [PRIVACY.] (a) The phone number and street 8.18 address of a winner of a lottery prize is private data on 8.19 individuals under chapter 13. 8.20 (b) Data on an individual, including name, physical and 8.21 electronic address, and telephone number, that are given to the 8.22 lottery for direct marketing purposes are private data on 8.23 individuals as defined in section 13.02. 8.24 Sec. 16. Minnesota Statutes 2002, section 626.556, is 8.25 amended by adding a subdivision to read: 8.26 Subd. 3d. [REPORT TO PROTECT SAFETY OF AT-RISK 8.27 NEWBORNS.] If a county local welfare agency determines that a 8.28 child born to an individual would be subjected to a threatened 8.29 injury while in the care of that individual, the agency may 8.30 disclose private data on the individual to providers for the 8.31 purpose of requesting notification of the birth of a child to 8.32 the individual. For purposes of this subdivision, "provider" 8.33 has the meaning given in section 144.335, subdivision 1. 8.34 Sec. 17. Minnesota Statutes 2002, section 626.557, 8.35 subdivision 9a, is amended to read: 8.36 Subd. 9a. [EVALUATION AND REFERRAL OF REPORTS MADE TO A 9.1 COMMON ENTRY POINT UNIT.] The common entry point must screen the 9.2 reports of alleged or suspected maltreatment for immediate risk 9.3 and make all necessary referrals as follows: 9.4 (1) if the common entry point determines that there is an 9.5 immediate need for adult protective services, the common entry 9.6 point agency shall immediately notify the appropriate county 9.7 agency; 9.8 (2) if the report contains suspected criminal activity 9.9 against a vulnerable adult, the common entry point shall 9.10 immediately notify the appropriate law enforcement agency; 9.11 (3) if the report references alleged or suspected 9.12 maltreatment and there is no immediate need for adult protective 9.13 services, the common entry point shall notify the appropriate 9.14 lead agency as soon as possible, but in any event no longer than 9.15 two working days; 9.16 (4) if the report does not reference alleged or suspected 9.17 maltreatment, the common entry point may determine whether the 9.18 information will be referred; and 9.19 (5) if the report contains information about a suspicious 9.20 death, the common entry point shall immediately notify the 9.21 appropriate law enforcement agencies, the local medical 9.22 examiner, and the ombudsman established under section 245.92. 9.23 Law enforcement agencies shall coordinate with the local medical 9.24 examiner and the ombudsman as provided by law. 9.25 Sec. 18. [REPEALER.] 9.26 Minnesota Statutes 2002, section 13.6401, subdivision 4; 9.27 Laws 2001, First Special Session chapter 10, article 2, section 9.28 40, are repealed. 9.29 Sec. 19. [EFFECTIVE DATE.] 9.30 Sections 9 and 15 are effective the day following final 9.31 enactment. 9.32 ARTICLE 2 9.33 FINANCIAL PRIVACY 9.34 Section 1. [13E.01] [DEFINITIONS.] 9.35 For purposes of this chapter, the terms "consumer," 9.36 "financial institution," "nonaffiliated third party," "nonpublic 10.1 personal information," and "joint agreement" have the meanings 10.2 given in section 509 of the Gramm-Leach-Bliley Financial 10.3 Services Modernization Act, codified as United States Code, 10.4 title 15, section 6809, including any federal regulations 10.5 implementing that section. 10.6 Sec. 2. [13E.02] [PRIVACY OF FINANCIAL DATA.] 10.7 Except as required by sections 13E.03 to 13E.05, which 10.8 afford greater protection to consumers, every financial 10.9 institution doing business in this state shall comply with 10.10 sections 502 and 503 of the Gramm-Leach-Bliley Financial 10.11 Services Modernization Act, codified as United States Code, 10.12 title 15, sections 6802 and 6803 respectively, including any 10.13 federal regulations issued under authority of section 504 of the 10.14 act, codified as United States Code, title 15, section 6804. 10.15 Sec. 3. [13E.03] [DUTY OF CONFIDENTIALITY.] 10.16 A financial institution doing business in this state shall 10.17 not disclose nonpublic personal information about a consumer to 10.18 any nonaffiliated third party unless the disclosure is made in 10.19 accordance with any of the following: 10.20 (1) pursuant to affirmative consent granted by the consumer 10.21 in accordance with this chapter; 10.22 (2) pursuant to the exception in section 502(b)(2) of the 10.23 Gramm-Leach-Bliley Financial Services Modernization Act, 10.24 codified as United States Code, title 15, section 6802(b)(2), 10.25 including any federal regulations issued to implement that 10.26 section; or 10.27 (3) pursuant to an exception in section 502(e) of the 10.28 Gramm-Leach-Bliley Financial Services Modernization Act, 10.29 codified as United States Code, title 15, section 6802(e), 10.30 including any federal regulations issued to implement that 10.31 section. 10.32 Sec. 4. [13E.04] [AFFIRMATIVE CONSENT.] 10.33 Subdivision 1. [USE.] Affirmative consent must not be 10.34 required as a condition of doing business with any financial 10.35 institution. Any affirmative consent obtained from a consumer 10.36 as a condition of doing business with a financial institution 11.1 shall not be effective for purposes of this chapter. 11.2 Subd. 2. [FORM.] Affirmative consent as required by this 11.3 chapter must be in writing and signed by the consumer. The 11.4 affirmative consent form signed by the consumer must be 11.5 contained on a separate page that also clearly and conspicuously 11.6 discloses the following: 11.7 (1) the time during which the consent will operate, which 11.8 must not be longer than five years; 11.9 (2) each category of nonpublic personal information to be 11.10 disclosed, including, but not limited to, the consumer's social 11.11 security number, account numbers, account balances, credit 11.12 limits, the amount or date of any transaction, the identity of 11.13 persons to whom the consumer's checks are made payable, and the 11.14 identity of merchants or other persons honoring the consumer's 11.15 credit cards; and 11.16 (3) the type of nonaffiliated third parties to whom 11.17 disclosure may be made. 11.18 Sec. 5. [13E.05] [ACCESS TO AND CORRECTION OF NONPUBLIC 11.19 PERSONAL INFORMATION.] 11.20 Subdivision 1. [ACCESS AND CORRECTION.] If a consumer 11.21 submits a written request to a financial institution for access 11.22 to nonpublic personal information held by the financial 11.23 institution about the consumer, within 30 business days from the 11.24 date the request is received, the financial institution shall: 11.25 (1) provide to the consumer in person, by regular mail, or 11.26 by electronic mail a copy of all such nonpublic personal 11.27 information, or a reasonably described portion of the 11.28 information, whichever the consumer requests; and 11.29 (2) provide to the consumer a summary of the procedures by 11.30 which the consumer may request correction, amendment, or 11.31 deletion of nonpublic personal information. 11.32 If any nonpublic personal information is in coded or electronic 11.33 form, an accurate translation in hard copy must be provided. 11.34 Subd. 2. [REASONABLE FEE.] A financial institution may 11.35 charge a reasonable fee to copy nonpublic personal information 11.36 provided under this section, provided the fee is clearly and 12.1 conspicuously disclosed to the consumer. A financial 12.2 institution may not charge for inspection of nonpublic personal 12.3 information by the consumer. 12.4 Sec. 6. [13E.06] [REMEDIES.] 12.5 The attorney general may seek the remedies set forth in 12.6 section 8.31, subdivision 3, against any financial institution 12.7 in violation of this chapter. 12.8 Sec. 7. [13E.07] [OTHER LAW.] 12.9 This chapter does not limit any rights or remedies 12.10 protecting the privacy of information that are available under 12.11 other law. 12.12 Sec. 8. [EFFECTIVE DATE.] 12.13 This article is effective July 1, 2004.