Minnesota Legislature
Office of the Revisor of Statutes
Minnesota Administrative Rules
CHAPTER 1205, DATA PRACTICES
DEPARTMENT OF ADMINISTRATION
| Part | Title |
|---|---|
| GENERAL AND DEFINITIONS | |
| 1205.0100 | HOW THESE RULES APPLY. |
| 1205.0200 | DEFINITIONS. |
| ACCESS TO DATA | |
| 1205.0300 | ACCESS TO PUBLIC DATA. |
| 1205.0400 | ACCESS TO PRIVATE DATA. |
| 1205.0500 | ACCESS TO PRIVATE DATA CONCERNING DATA SUBJECTS WHO ARE MINORS. |
| 1205.0600 | ACCESS TO CONFIDENTIAL DATA. |
| 1205.0700 | ACCESS TO SUMMARY DATA. |
| RESPONSIBLE AUTHORITY | |
| 1205.0800 | CLASSIFICATION OF DATA. |
| 1205.0900 | AUTHORITY OF THE RESPONSIBLE AUTHORITY. |
| 1205.1000 | APPOINTMENT OF THE RESPONSIBLE AUTHORITY. |
| 1205.1100 | APPOINTMENT POWER OF THE RESPONSIBLE AUTHORITY. |
| 1205.1200 | DUTIES OF THE RESPONSIBLE AUTHORITY RELATING TO PUBLIC ACCOUNTABILITY. |
| 1205.1300 | DUTIES OF THE RESPONSIBLE AUTHORITY IN ADMINISTERING PRIVATE AND CONFIDENTIAL DATA. |
| 1205.1400 | AUTHORIZING NEW PURPOSES FOR DATA COLLECTION. |
| 1205.1500 | DUTIES OF RESPONSIBLE AUTHORITY IN ADMINISTERING ALL ENTITY DATA. |
| APPEAL AND COMMISSIONER DUTIES | |
| 1205.1600 | ADMINISTRATIVE APPEAL. |
| 1205.1700 | GENERAL POWERS OF THE COMMISSIONER. |
| 1205.1800 | [Repealed, L 2010 c 365 art 1 s 12] |
| SEVERABLE PROVISIONS AND FORMS | |
| 1205.1900 | SEVERABLE PROVISIONS. |
| 1205.2000 | ADVISORY FORMS. |
GENERAL AND DEFINITIONS
1205.0100 HOW THESE RULES APPLY.
Subpart 1.
Scope.
Parts 1205.0100 to 1205.2000 relate to and shall apply to the provisions of Minnesota Statutes, chapter 13.
Subp. 2.
Purpose.
The purpose of this chapter is to aid governmental entities in implementing and administering Minnesota Statutes, chapter 13, as those sections relate to data on individuals. This chapter is intended to guide entities so that while protection is given to individual privacy, neither necessary openness in government nor the orderly and efficient operation of government is curtailed.
Subp. 3.
Government agencies.
This chapter shall apply to those governmental entities as defined by Minnesota Statutes, section 13.02, subdivisions 11, 17, and 18, which collect, create, use, store, and disseminate data on individuals as defined in Minnesota Statutes, section 13.02, subdivision 5.
This chapter shall only apply to data on individuals, as defined by Minnesota Statutes, section 13.02, subdivision 5, which is created, collected, maintained, used, or disseminated by governmental entities.
This chapter shall not apply to any government data collected, created, used, stored, or disseminated which is not data on individuals as defined in Minnesota Statutes, section 13.02, subdivision 5, except this chapter shall apply to summary data.
Subp. 4.
Social service agencies.
Nonprofit social service agencies meeting the requirements of Minnesota Statutes, section 13.02, subdivision 11 shall include, but are not limited to, agencies providing mental health, physical health, counseling, and day-activities services.
This chapter shall only apply in the instance where such an agency is required by the terms of a written contract with a state agency, political subdivision, or statewide system to collect, create, store, use, or disseminate data on individuals.
In the event of such a contract, this chapter shall only apply to the data on individuals that is actually generated by the social service agency because of the contract.
Any data generated by activities of the social service agency that are independent of the contractually based activities shall not be subject to these rules.
This chapter shall not apply to personnel data maintained on employees of such social service agencies.
Subp. 5.
Legal proceedings.
Nothing in these rules shall limit the discovery procedures available at law to any party in a civil or criminal action or administrative proceeding as described in the Minnesota Rules of Civil Procedure and the Minnesota Rules of Criminal Procedure as adopted by the Minnesota Supreme Court or in Minnesota Statutes and rules adopted thereunder.
Nothing in this chapter shall restrict or limit the scope or operation of any judicial order or rule issued by a state or federal court.
In the event of the issuance of a subpoena duces tecum for any private or confidential data or a subpoena requiring any agent of an entity to testify concerning any private or confidential data, the court's attention shall be called, through the proper channels, to those statutory provisions, rules, or regulations which restrict the disclosure of such information.
Nothing in this chapter shall be construed to diminish the rights conferred on subjects of data by Minnesota Statutes, section 13.04, or any other statute.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.0200 DEFINITIONS.
Subpart 1.
Scope.
All terms shall have the meanings given them by Minnesota Statutes, section 13.02. Those terms and additional terms as used in this chapter shall have the meanings as follows.
Subp. 2.
Act.
"Act" means Minnesota Statutes, chapter 13, as amended, officially entitled the "Minnesota Government Data Practices Act."
Subp. 3.
Confidential data.
"Confidential data," as defined in Minnesota Statutes, section 13.02, subdivision 3 shall only include data which is expressly classified as confidential by either a state statute, including the provisions of Minnesota Statutes, section 13.06, or federal law.
Data is confidential only if a state statute or federal law provides substantially that certain data shall not be available either to the public or to the data subject; or certain data shall not be available to anyone for any reason except agencies which need the data for agency purposes. Certain data shall be confidential if a state statute or federal law provides that the data may be shown to the data subject only at the discretion of the person holding the data, and if such state statute or federal law provides standards which limit the exercise of the discretion of the person maintaining the data.
Data is not confidential if a state statute or federal law provides that the data is confidential, but the context of the statute or federal law, in which the term confidential appears, reasonably indicates the data is accessible by the data subject, or if the data subject is given access to the data only upon the discretion of the person holding the data and the state statute or federal law does not provide any standards which limit the exercise of such discretion. In such cases, the proper classification of the data is private.
A state agency rule, an executive order, an administrative decision, or a local ordinance shall not classify data as "confidential" or use wording to make data inaccessible to the data subject unless there is a state statute or federal law as the basis for the classification.
Subp. 4.
Data.
"Data" means "data on individuals" as defined in Minnesota Statutes, section 13.02, subdivision 5, unless stated otherwise.
Data can be maintained in any form, including, but not limited to, paper records and files, microfilm, computer medium, or other processes.
The duration of the existence of data, including whether certain data is temporary rather than permanent, is not relevant to compliance with this chapter.
All data, in whatever form it is maintained, is "data on individuals" if it can in any way identify any particular individual.
Code numbers, which are used to represent particular individuals, constitute "data on individuals" if a list or index of any type is available by which the code number can be cross referenced to a name or other unique personal identifier so that any individual's identity is revealed. Code numbers, lists of code numbers, or data associated with code numbers may qualify for treatment as summary data, pursuant to part 1205.0700.
"Code number" means the labeling or enumeration of data by use of a letter, number, or combination thereof, which is used in place of an individual's name, including but not limited to index numbers, dummy numbers, SOUNDEX codes, and Social Security numbers.
Data is "data on individuals" if it identifies an individual in itself, or if it can be used in connection with other data elements to uniquely identify an individual. Such data shall include, but is not limited to, street addresses, job titles, and so forth where the particular data could only describe or identify one individual.
Subp. 5.
Designee.
"Designee" shall have the meaning given that term by Minnesota Statutes, section 13.02, subdivision 6.
Subp. 6.
Entity.
"Entity" means any governmental agency subject to the requirements of the act, including state agencies, political subdivisions, and statewide systems as those terms are defined in Minnesota Statutes, section 13.02.
"State agency" shall include any entity which is given power of statewide effect by statute or executive order.
"Political subdivision" shall include those local government entities which are given powers of less than statewide effect by statute or executive order.
"Statewide systems" shall include, but are not limited to, record keeping and data-administering systems established by statute, federal law, administrative decision or agreement, or joint powers agreement. "Statewide systems" shall include, but are not limited to, the Criminal Justice Information System administered by the Bureau of Criminal Apprehension, the Statewide Accounting System, and the various welfare systems primarily administered by the Department of Human Services.
Subp. 7.
Federal law.
"Federal law" means United States Code, rules and regulations of federal agencies as published in the Code of Federal Regulations, and federal case law, including decisions of any court in the federal judicial system.
Subp. 8.
Individual.
"Individual" means any living human being. "Individual" shall not include any fictional entity or business such as a corporation, association, partnership, or sole proprietorship even in those instances where the name of such an entity or business includes the name of a natural person.
Subp. 9.
Private data.
"Private data," as defined in Minnesota Statutes, section 13.02, subdivision 12 shall only include data which is expressly classified by either a state statute, including the provisions of Minnesota Statutes, section 13.06, or federal law.
Data is private if a state statute or federal law provides substantially that:
A.
Certain data shall not be available to the public but shall be available to the subject of that data.
B.
Certain data shall not be available to anyone, except the data subject or the subject's designated representative such as an attorney.
C.
Certain data shall be confidential and the person the data is about may view the data at reasonable times.
D.
Certain data shall be confidential and may be shown to the data subject at the discretion of the person holding the data. Such data shall be private if the state statute or federal law does not provide standards which limit the exercise of the discretion of the person maintaining the data.
E.
Certain data is confidential, but the context of the statute or federal law in which the term confidential appears reasonably indicates the data is accessible by the individual who is the subject of the data.
Data is not private if a federal agency rule provides substantially that as a part of its plan for implementation of a certain federal program, a state agency, statewide system, or political subdivision must provide for the confidentiality of data obtained from program subjects.
A state agency rule, an executive order, an administrative decision, or a local ordinance shall not classify data as "private" or use wording to make data inaccessible to the public unless there is a state statute or federal law as the basis for the classification.
Subp. 10.
Public data.
"Public data" shall mean "data on individuals," not classified by state statute, including Minnesota Statutes, section 13.06, or federal law as private or confidential data. This subpart shall not limit the ability of an entity to apply for temporary classifications of data pursuant to Minnesota Statutes, section 13.06.
Subp. 11.
Records Management Act.
"Records Management Act" means Minnesota Statutes, section 138.17.
Subp. 12.
Responsible authority.
"Responsible authority" means the individual in each entity who is designated or appointed pursuant to Minnesota Statutes, section 13.02, subdivision 16.
Subp. 13.
Responsible authority in state agencies.
In state agencies, the responsible authority shall be as follows, unless otherwise provided by state law: for departments, the commissioner of the department; for constitutional offices, the constitutional officer; for the University of Minnesota, the individual appointed by the Board of Regents; for all other state agencies, the chief executive officer, or if none, then an individual chosen by the agency's governing body.
Subp. 14.
Responsible authority in political subdivisions.
In political subdivisions, the responsible authority shall be as follows, unless otherwise provided by state law:
A.
For counties, each elected official of the county shall be the responsible authority for the official's office. An individual who is an employee of the county shall be appointed by the county board to be the responsible authority for any data administered outside the offices of elected officials.
C.
For school districts, the school board shall appoint an individual who is an employee of the school district.
D.
For nonprofit corporations or nonprofit social service agencies, unless a statute or the governmental entity which created the corporation or agency appoints an individual, the governing body of the corporation or agency shall appoint an individual. If no appointment is made, the chief executive officer of the nonprofit corporation or agency shall be the responsible authority. If the corporation or agency is part of a statewide system, the responsible authority for the statewide system shall be the responsible authority for the corporation or agency as determined by this part.
E.
For all other political subdivisions, the governing body shall appoint an individual who is an employee of the political subdivision.
Subp. 15.
Responsible authority in statewide systems.
In "statewide systems," the responsible authority shall be as follows, unless otherwise provided by state law:
A.
the commissioner of any state department or any executive officer designated by statute or executive order as responsible for such a system; or
B.
if a state statute or executive order does not designate an individual as responsible authority, the commissioner of administration shall appoint the responsible authority after the entities which participate in the system jointly apply for such an appointment in a form provided by the commissioner of administration.
Subp. 16.
Summary data.
"Summary data," as defined in Minnesota Statutes, section 13.02, subdivision 19, means data which has been extracted, manipulated, or summarized from private or confidential data, and from which all data elements that could link the data to a specific individual have been removed. "Summary data" includes, but is not limited to, statistical data, case studies, reports of incidents, and research reports. Once it is summarized from private or confidential data, summary data remains summary if the responsible authority maintains any list of numbers or other data which could uniquely identify any individual in the summary data physically separated from the summary data and the responsible authority does not make such list or other data available to persons who gain access to, or possession of the summary data.
Statutory Authority:
MS s 13.07
History:
L 1984 c 654 art 5 s 58; 17 SR 1279
Published Electronically:
July 13, 2007
ACCESS TO DATA
1205.0300 ACCESS TO PUBLIC DATA.
Subpart 1.
General.
The responsible authority shall comply with the following general rules governing access to public data.
Subp. 2.
Who may see public data.
The responsible authority shall provide access to public data to any person, without regard to the nature of that person's interest in the data.
Subp. 3.
Access procedures.
The responsible authority shall establish procedures to describe how such access may be gained. The procedures established shall be in compliance with Minnesota Statutes, section 13.03. In such procedures, the responsible authority may limit the time during which access to public data is available to the time during which the normal operations of the agency are conducted. In such procedures, the responsible authority shall provide for a response to a request for access within a reasonable time.
Subp. 4.
Determining fee for copies.
The responsible authority may charge a reasonable fee for providing copies of public data.
In determining the amount of the reasonable fee, the responsible authority shall be guided by the following:
C.
any schedule of standard copying charges as established by the agency in its normal course of operations;
D.
any special costs necessary to produce such copies from machine based record keeping systems, including but not limited to computers and microfilm systems; and
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.0400 ACCESS TO PRIVATE DATA.
Subpart 1.
General.
Pursuant to Minnesota Statutes, sections 13.02, subdivision 12; and 13.05, the responsible authority shall comply with the following rules concerning access to private data.
Subp. 2.
Who may see private data.
Access to private data shall be available only to the following: the subject of such data, as limited by any applicable statute or federal law; individuals within the entity whose work assignments reasonably require access; entities and agencies as determined by the responsible authority who are authorized by statute, including Minnesota Statutes, section 13.05, subdivision 4, or federal law to gain access to that specific data; and entities or individuals given access by the express written direction of the data subject.
Subp. 3.
Access procedure.
The responsible authority shall establish written procedures to assure that access is gained only by those parties identified in subpart 2.
In those procedures, the responsible authority shall provide for reasonable measures to assure, in those instances where an individual who seeks to gain access to private data asserts that he or she is the subject of that data or the authorized representative of the data subject, that the individual making the assertion is in fact the subject of the data or the authorized representative of the data subject. Examples of such reasonable measures include, but are not limited to, the following:
A.
requiring the person seeking to gain access to appear at the offices of the entity to gain such access or, in lieu of a personal appearance, requiring the signature of any data subject who is unable to appear at the offices of the entity; and
Subp. 4.
Time limits.
The responsible authority may limit the time that access is available to the data subject to the normal working hours of the agency.
Subp. 5.
Fees.
The responsible authority shall not charge the data subject any fee in those instances where the data subject only desires to view private data. The responsible authority may charge the data subject a reasonable fee for providing copies of private data.
In determining the amount of the reasonable fee, the responsible authority shall be guided by the criteria set out in part 1205.0300 concerning access to public data.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.0500 ACCESS TO PRIVATE DATA CONCERNING DATA SUBJECTS WHO ARE MINORS.
Subpart 1.
General.
Pursuant to Minnesota Statutes, sections 13.02, subdivisions 8 and 12; and 13.05, the responsible authority shall comply with the following rules concerning access.
In addition to the particular requirements of this part, access to private data concerning a minor data subject shall be subject to the requirements of part 1205.0400 concerning access to all private data.
Subp. 2.
Who may see private data concerning minors.
Access to private data concerning minors shall be available only to the following:
B.
Subject to the provisions of Minnesota Statutes, section 13.02, subdivision 8, any other applicable statute, and the exception set out at subpart 3, item A, the parents of the minor data subject. For purposes of this part, the responsible authority shall presume the parent has the authority to exercise the rights inherent in the act unless the responsible authority has been provided with evidence that there is a state law or court order governing such matters as divorce, separation, or custody, or a legally binding instrument which provides to the contrary.
Subp. 3.
Access procedures for parents.
Pursuant to the provisions of Minnesota Statutes, section 13.02, subdivision 8, the responsible authority shall establish procedures to provide access by the parents of a minor data subject to private data concerning that minor, subject to the following:
A.
The responsible authority may deny parental access to private data when the minor, who is the subject of that data, requests that the responsible authority deny such access. The responsible authority shall provide minors from whom the entity collects private or confidential data with a notification that the minor individual has the right to request that parental access to private data be denied. The responsible authority may require the minor data subject to submit a written request that the data be withheld. The written request shall set forth the reasons for denying parental access and shall be signed by the minor.
B.
Upon receipt of such a request, the responsible authority shall determine if honoring the request to deny parental access would be in the best interest of the minor data subject. In making the determination, the responsible authority shall be guided by at least the following:
(1)
whether the minor is of sufficient age and maturity to be able to explain the reasons for and to understand the consequences of the request to deny access;
(2)
whether the personal situation of the minor is such that denying parental access may protect the minor data subject from physical or emotional harm;
(3)
whether there is ground for believing that the minor data subject's reasons for precluding parental access are reasonably accurate;
(4)
whether the data in question is of such a nature that disclosure of it to the parent could lead to physical or emotional harm to the minor data subject; and
Subp. 4.
Parents' access to educational records.
The responsible authority shall not deny access by parents to data that is considered an "education record," as that term is defined in Code of Federal Regulations, title 45, part 99, section 99.3, unless the minor to whom the data pertains is enrolled as a full-time student in a postsecondary educational institution or the student has attained the age of 18. As of the date of the adoption of these rules, the term "education records" was defined by Code of Federal Regulations, title 45, part 99, section 99.3 as follows:
(a) "Education records" means those records which:
(1) are directly related to a student; and
(2) are maintained by an educational agency or institution or by a party acting for the agency or institution.
(b) The term does not include:
(1) Records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which:
(i) are in the sole possession of the maker thereof; and
(ii) are not accessible or revealed to any other individual except a substitute. For the purpose of this definition, a "substitute" means an individual who performs on a temporary basis the duties of the individual who made the record, and does not refer to an individual who permanently succeeds the maker of the record in his or her position.
(2) Records of a law enforcement unit of an educational agency or institution which are:
(i) maintained apart from the records described in paragraph (a) of this definition;
(ii) maintained solely for law enforcement purposes; and
(iii) not disclosed to individuals other than law enforcement officials of the same jurisdiction; provided that education records maintained by the educational agency or institution are not disclosed to the personnel of the law enforcement unit.
(3)(i) Records relating to an individual who is employed by an educational agency or institution which:
(A) are made and maintained in the normal course of business;
(B) relate exclusively to the individual in that individual's capacity as an employee; and
(C) are not available for use for any other purpose.
(ii) This paragraph does not apply to records relating to an individual in attendance at the agency or institution who is employed as a result of his or her status as a student.
(4) Records relating to an eligible student which are:
(i) created or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional or paraprofessional capacity, or assisting in that capacity;
(ii) created, maintained, or used only in connection with the provision of treatment to the student; and
(iii) not disclosed to anyone other than individuals providing the treatment; provided that the records can be personally reviewed by a physician or other appropriate professional of the student's choice. For the purpose of this definition, "treatment" does not include remedial educational activities or activities which are part of the program of instruction at the educational agency or institution.
(5) Records of an educational agency or institution which contain only information relating to a person after that person was no longer a student at the educational agency or institution. An example would be information collected by an educational agency or institution pertaining to the accomplishments of its alumni.
Subp. 5.
Denying access without a request from a minor.
Without a request from a minor, the responsible authority may deny parental access to private data on a minor, pursuant to the provisions of Minnesota Statutes, sections 144.291 to 144.298 or any other statute or federal law that allows or requires the responsible authority the authority to do so, if such state statute or federal law provides standards which limit the exercise of the discretion of the responsible authority.
Statutory Authority:
MS s 13.07
History:
L 2007 c 147 art 10 s 15
Published Electronically:
August 6, 2013
1205.0600 ACCESS TO CONFIDENTIAL DATA.
Subpart 1.
General.
Pursuant to Minnesota Statutes, sections 13.02, subdivision 3; and 13.05, the responsible authority shall comply with the following rules concerning access to confidential data.
Subp. 2.
Who may see confidential data.
Access to confidential data is available only to the following:
Subp. 3.
Access procedures.
The responsible authority shall establish written procedures to assure that access may be gained only by those parties identified in subpart 2.
In the drafting and administration of those procedures, the responsible authority shall provide measures by which data subjects or their authorized representatives shall be informed, upon request, if they are the subjects of confidential data.
The responsible authority shall not disclose the actual confidential data to the data subjects, but shall inform them whether confidential data concerning them is or is not retained.
The responsible authority shall take reasonable measures to assure that the person making inquiry is actually the individual data subject or the authorized representative of the data subject. Reasonable measures include, but are not limited to:
C.
requiring the notarized signature of any data subject who is unable to appear at the offices of the entity.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.0700 ACCESS TO SUMMARY DATA.
Subpart 1.
General.
Pursuant to Minnesota Statutes, section 13.05, subdivision 7, the responsible authority shall comply with the following general rules concerning access to summary data. Summary data is public data, unless classified by statute, federal law, or temporary classification as not public. The responsible authority shall comply with part 1205.0300 concerning access to public data.
Subp. 2.
Definitions.
For the purposes of administering Minnesota Statutes, section 13.05, subdivision 7, the following terms shall have the meanings given them:
A.
"Administrative officer" includes, but is not limited to, the entity's research director, statistician, or computer center director.
B.
"Person outside" the entity includes the person requesting the summary data or any other person designated by the person requesting the data.
Subp. 3.
Access procedures.
The responsible authority shall prepare and implement procedures in his/her agency to assure that access to summary data is provided pursuant to Minnesota Statutes, section 13.05, subdivision 7. In the preparation and administration of such procedures, the responsible authority shall comply with the following.
Subp. 4.
Responding to requests for summary data.
Preparation of summary data may be requested by any person. The request shall be in writing in a form provided by the responsible authority. Within ten days of the receipt of such a request, the responsible authority shall inform the requester of the estimated costs if any, pursuant to subpart 7 and subject to the provisions of that subpart either:
B.
provide a written statement to the requester, describing a time schedule for preparing the requested summary data, including reasons for any time delays; or
C.
provide access to the requester to the private or confidential data for the purpose of the requester's preparation of summary data, pursuant to Minnesota Statutes, section 13.05, subdivision 7, and subpart 5; or
D.
provide a written statement to the requester stating reasons why the responsible authority has determined that the requester's access would compromise the private or confidential data.
Subp. 5.
Nondisclosure agreement.
A nondisclosure agreement, as required by Minnesota Statutes, section 13.05, subdivision 7 shall contain at least the following:
A.
a general description of the private or confidential data which is being used to prepare summary data;
C.
a statement that the preparer understands he/she may be subject to the civil or criminal penalty provisions of the act in the event that the private or confidential data is disclosed.
Subp. 6.
Methods of preparing summary data.
Methods of preparing summary data include but are not limited to the following:
A.
removing from a set of data, a file, or a record keeping system all unique personal identifiers so that the data that remains fulfills the definition of summary data as defined by Minnesota Statutes, section 13.02, subdivision 19; and
B.
removing from the entity's report of any incident, or from any collection of data similar to an incident report, all unique personal identifiers so that the resulting report fulfills the definition of summary data in Minnesota Statutes, section 13.02, subdivision 19.
For the purpose of this part, "removing all unique personal identifiers" includes but is not limited to blacking out personal identifiers on paper records, tearing off or cutting out the portions of paper records that contain the personal identifiers, and programming computers in such a way that printed, terminal, or other forms of output do not contain personal identifiers.
Subp. 7.
Paying for preparation of summary data.
Any costs incurred in the preparation of summary data shall be borne by the requesting person. In assessing the costs associated with the preparation of summary data, the responsible authority shall:
B.
provide to the requesting person an estimate of the costs associated with the preparation of the summary data;
C.
prior to preparing or supplying the summary data, collect any funds necessary to reimburse the entity for its costs;
D.
charge no more than reasonable copying costs when the summary data being requested requires only copying and no other preparation; and
E.
take into account the reasonable value to the entity of the summary data prepared and where appropriate reduce the costs assessed to the requesting person.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
RESPONSIBLE AUTHORITY
1205.0800 CLASSIFICATION OF DATA.
In order to comply with the provisions of Minnesota Statutes, sections 13.02, 13.04, and 13.05, the responsible authority shall:
A.
review and identify all of the types of data maintained by the entity, including data retained as active and inactive;
B.
determine what types of data maintained by the entity are classified as private or confidential, according to the definitions of those terms pursuant to part 1205.0200 and Minnesota Statutes, section 13.02;
C.
identify either a state statute or provisions of federal law supporting any determination that certain data is either private or confidential; and
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.0900 AUTHORITY OF THE RESPONSIBLE AUTHORITY.
Pursuant to Minnesota Statutes, sections 13.02 to 13.06, the responsible authority shall have the authority to:
B.
make good faith attempts to resolve all administrative controversies arising from the entity's practices of creation, collection, use, and dissemination of data;
C.
prescribe changes to the administration of the entity's programs, procedures, and design of forms to bring those activities into compliance with the act and with this chapter;
D.
take all administrative actions necessary to comply with the general requirements of the act, particularly Minnesota Statutes, section 13.04, and this chapter; and
E.
where necessary, direct designees to perform the detailed requirements of the act and this chapter under the general supervision of the responsible authority.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.1000 APPOINTMENT OF THE RESPONSIBLE AUTHORITY.
Pursuant to Minnesota Statutes, section 13.02, subdivision 16, the governing body of each political subdivision and the governing body of each state agency whose activities are subject to the direction of a governing body shall, by September 30, 1981, if it has not done so, appoint a responsible authority. This part shall not affect the appointments of responsible authorities made previous to the adoption of these rules. The governing body shall confer on the responsible authority full administrative authority to carry out the duties assigned by the act and by this chapter. Governing bodies may use the forms set forth in part 1205.2000 to appoint the responsible authority.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.1100 APPOINTMENT POWER OF THE RESPONSIBLE AUTHORITY.
Subpart 1.
Power to appoint designees.
Pursuant to Minnesota Statutes, section 13.03, subdivision 2, the responsible authority shall, on deeming it to be in the best interest of the administration and enforcement of the act, appoint designees who shall be members of the staff of the entity. In the exercise of this appointment power, the responsible authority shall comply with the following.
Subp. 2.
Appointment order.
The appointment order shall be in writing and copies of the order constitute public data on individuals, pursuant to Minnesota Statutes, section 13.02, subdivision 15.
Subp. 3.
Instructing designees.
The responsible authority shall instruct any designees in the requirement of the act and of this chapter. If the responsible authority deems it necessary, such instruction shall include:
A.
distribution to designees of written materials describing the requirements of the act and of this chapter;
B.
preparation of training programs whose objective is to familiarize agency personnel with the requirements of the act and of this chapter; and
C.
requiring attendance of designees and other entity personnel at training programs held within or outside the entity.
Statutory Authority:
MS s 13.07
History:
17 SR 1279
Published Electronically:
July 13, 2007
1205.1200 DUTIES OF THE RESPONSIBLE AUTHORITY RELATING TO PUBLIC ACCOUNTABILITY.
Subpart 1.
General.
Pursuant to Minnesota Statutes, section 13.05, the duties of the responsible authority shall include but not be limited to the following.
Subp. 2.
Informing public where to direct inquiries.
For the purposes of public accountability, the responsible authority shall, by October 31, 1981, or until August 1 of each year when the requirements of subpart 3 are fully complied with, place his/her name, job title and business address, and the name(s) and job titles of any designees selected by the responsible authority on a document. Such document shall be made available to the public and/or posted in a conspicuous place by each entity. The document shall identify the responsible authority or designees as the persons responsible for answering inquiries from the public concerning the provisions of the act or of this chapter.
Subp. 3.
Information required by public notice.
In the public document to be prepared or updated by August 1 of each year as required by Minnesota Statutes, section 13.05, the responsible authority shall identify and describe by type all records, files, or processes maintained by his/her entity, which contain private or confidential data. In addition to the items to be placed in the public document as required by Minnesota Statutes, section 13.05, the responsible authority shall include the following: the name, title, and address of designees appointed by the responsible authority; identification of the files or systems for which each designee is responsible; and a citation of the state statute or federal law which classifies each type of data as private or confidential.
Subp. 4.
Required readability in public notice.
The responsible authority shall draft the descriptions of the types of records, files, and processes in easily understandable English. Technical or uncommon expressions understandable only by a minority of the general public shall be avoided, except where required by the subject matter.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.1300 DUTIES OF THE RESPONSIBLE AUTHORITY IN ADMINISTERING PRIVATE AND CONFIDENTIAL DATA.
Subpart 1.
Determining collection date.
In order to administer the requirements of Minnesota Statutes, section 13.05, subdivision 4, the responsible authority shall determine for each type of record, file, or process identified in part 1205.1200 whether the data contained therein was collected prior to, on, or subsequent to August 1, 1975.
Subp. 2.
Reviewing earlier records.
For each type of record, file, or process containing data collected prior to August 1, 1975, the responsible authority shall:
A.
review the federal, state, or local legal enabling authority which mandated or necessitated the collection of the private or confidential data;
B.
based on that review, determine the lawful purpose for the collection of the data at the time it was originally collected; and
C.
direct the staff of the entity that private or confidential data collected prior to August 1, 1975, shall not be used, stored, or disseminated for any purpose, unless that purpose was authorized by the enabling authority which was in effect at the time the data was originally collected.
Subp. 3.
Reviewing later records.
For each type of record, file, or process containing private or confidential data collected on or subsequent to August 1, 1975, the responsible authority shall:
A.
review the legal enabling authority which mandates or necessitates the collection of the data; and
Subp. 4.
Preparing lists.
Using the purposes and uses identified in subparts 2 and 3, the responsible authority shall:
A.
prepare lists which identify the uses of and purposes for the collection of private or confidential data for each type of record, file, or process identified in part 1205.1500. Each list shall identify all persons, agencies, or entities authorized by state or federal law to receive any data disseminated from the particular record, file, or process.
B.
Pursuant to Minnesota Statutes, section 13.04, subdivision 2 either:
(1)
attach each list identifying purposes, uses, and recipients of data to all agency forms which collect the private or confidential data that will be retained in each record, file, or process; or
(2)
communicate, in any reasonable fashion, the contents of each list to data subjects at the time particular data that will be retained in each record, file, or process is collected from them. For purposes of this subitem, "reasonable fashion" shall include, but not be limited to, oral communications made to data subjects and providing data subjects with brochures that describe the entity's purposes for the collection of and the uses to be made of private and confidential data.
Subp. 5.
Making policy.
In administering the entity's private or confidential data consistent with the provisions of these rules, the responsible authority shall:
B.
prepare administrative procedures that will acquaint entity personnel with authorized purposes and uses; and
C.
distribute policy directives requiring compliance with the entity's determination of authorized purposes and uses.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.1400 AUTHORIZING NEW PURPOSES FOR DATA COLLECTION.
Subpart 1.
General conditions.
The responsible authority shall authorize a new purpose for the collection of private or confidential data or a new use for private or confidential data under any one of the following conditions: if subsequent passage of federal or state legislation requires initiation of a new or different purpose or use pursuant to Minnesota Statutes, section 13.05, subdivision 4, clause (b), or the responsible authority, prior to initiation of the new or different purpose or use, complies with the provisions of either Minnesota Statutes, section 13.05, subdivision 4, clause (a), (c), or (d).
Subp. 2.
Statement.
For the purposes of administration of Minnesota Statutes, section 13.05, subdivision 4, clause (a) or (c), the responsible authority shall file a statement in a form prescribed by the commissioner.
Subp. 3.
Informed consent.
For the purposes of Minnesota Statutes, section 13.05, subdivision 4, clause (d) the following term shall have the meaning given it.
"Informed consent" means the data subject possesses and exercises sufficient mental capacity to make a decision which reflects an appreciation of the consequences of allowing the entity to initiate a new purpose or use of the data in question.
Subp. 4.
Restrictions.
For the purposes of the administration of Minnesota Statutes, section 13.05, subdivision 4, clause (d), the responsible authority shall comply with the following:
A.
The responsible authority shall not take any action to coerce any data subject to give an "informed consent." The responsible authority shall explain the necessity for or consequences of the new or different purpose or use.
B.
All informed consents shall be given in writing. Prior to any signature being affixed to it by the data subject, such writing shall identify the consequences of the giving of informed consent.
C.
If the responsible authority makes reasonable efforts to obtain the informed consent of a data subject and if those efforts are not acknowledged in any way, the responsible authority shall interpret the silence of the data subject as the giving of an implied consent to the new or different purpose or use of the data. For purposes of this item, "reasonable efforts" shall include:
(1)
depositing in the United States mail, postage prepaid and directed to the last known address of the data subject, at least two communications requesting informed consent; and
D.
The data subject may give informed consent to less than all of the data elements in any list of data elements presented by a responsible authority, thereby giving only partial consent. Only those elements that the data subject has expressly consented to shall become part of the new or different purpose or use.
Subp. 5.
Seeking informed consent for dissemination to insurer.
If the responsible authority seeks an individual's informed consent to the release of private data to an insurer or the authorized representative of an insurer, the responsible authority shall comply with the provisions of Minnesota Statutes, section 13.05, subdivision 4, paragraph (d), clauses (1) to (7).
Statutory Authority:
MS s 13.07
Published Electronically:
August 6, 2013
1205.1500 DUTIES OF RESPONSIBLE AUTHORITY IN ADMINISTERING ALL ENTITY DATA.
Subpart 1.
Plan to review and analyze data administration.
Pursuant to Minnesota Statutes, section 13.05, subdivision 3, the responsible authority shall, by March 1, 1983, formulate a plan that will provide for the review and analysis of the data administration practices of the entity.
Subp. 2.
Definitions.
In the formulation of the plan described in subpart 3, the responsible authority shall provide for the establishment of administrative mechanisms and procedures that comply with Minnesota Statutes, section 13.05, subdivision 5. For purposes of this part:
B.
"Complete" means that the data in question reasonably reflects the history of an individual's transactions with the particular entity. Omissions in an individual's history that place the individual in a false light shall not be permitted.
C.
"Current" means that the data in question must be logically related to the entity's required and actual use of the data in its day to day operations.
Subp. 3.
List or index.
In the formulation of this plan, the responsible authority shall at least provide for the preparation of a list of or index to all data or types of data currently collected, stored, used, or disseminated by the entity. The list or index developed shall include the identification of the state statute(s), federal law(s), or local ordinance(s) that authorize(s) the programs or functions for which data or types of data are collected, or which authorize(s) the actual collection, storage, use, or dissemination of data or types of data. The plan shall further provide for the list or index to be updated when new or different data collection, storage, use, or dissemination is authorized. This list or index shall be available to members of the general public, upon request.
Subp. 4.
Determining need for data.
The responsible authority shall use this plan and the list or index developed to aid in the determination of whether collection and storage of data and use and dissemination of private or confidential data is necessary. For purposes of this part, data is necessary if:
A.
the particular data is both required to carry out programs and functions that are expressly or impliedly authorized by a provision of state statute, federal law, or a local ordinance; and periodically examined, updated, modified, or referred to by the entity; or
B.
the entity would be unable to fulfill its duties without undue or increased burden or expense, if the particular data were not collected, stored, used, or disseminated; or
C.
retention of the particular data is required in the event that a legal action is brought against or by the entity; or
D.
retention of the particular data is essential to comply with a state or federal requirement that data be retained for a specified period for the purposes of auditing, records retention, historical interest, and other similar purposes.
Subp. 5.
Treating unnecessary data.
For any data determined to be not necessary pursuant to subpart 4, the responsible authority shall provide for the following activities in the entity's plan:
A.
Taking all actions, including modification of the entity's data collection forms and data collection procedures, to assure that all unnecessary data is no longer collected and stored and all private and confidential data determined to be not necessary is no longer used and disseminated. Private data shall continue to be disseminated upon request by the data subject.
B.
Disposing of data determined to be not necessary pursuant to the procedures of the Records Management Act. Inquiries concerning procedures for disposition of data may be directed to the Records Management Division, Department of Administration, Saint Paul, Minnesota 55155.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
APPEAL AND COMMISSIONER DUTIES
1205.1600 ADMINISTRATIVE APPEAL.
Subpart 1.
Procedure.
Pursuant to Minnesota Statutes, section 13.04, subdivision 4 an individual may appeal an adverse determination of a responsible authority to the commissioner of administration. The appeal shall follow the procedures established in Minnesota Statutes, chapter 14, as amended, and the rules of the Office of Administrative Hearings relating to contested case proceedings.
Subp. 2.
Submitting an appeal; time limits.
Notice of an appeal must be submitted to the commissioner within a reasonable time of the determination made by the responsible authority pursuant to Minnesota Statutes, section 13.04, subdivision 4. For purposes of this subpart, "reasonable time" shall mean 180 days unless the responsible authority has provided the individual with a written statement which informs the individual of the right to appeal the determination to the commissioner. In the event this statement is provided, "reasonable time" for purposes of this subpart shall mean 60 days.
Subp. 3.
Contents of appeal notice.
The notice shall be in writing and addressed to: Commissioner of Administration, State of Minnesota, 50 Sherburne Avenue, Saint Paul, Minnesota 55155.
The notice shall contain the following information:
D.
a description of the desired result of the appeal; upon written request of the data subject stating reasons, the appeal may be processed under the name of a pseudonym.
Subp. 4.
Grounds for dismissing appeals.
The administrative law judge, at any stage of the proceedings, after all parties have had an opportunity to present their views, may recommend dismissal of any sham, capricious, or frivolous case, or any case not within the jurisdiction of the Department of Administration.
Subp. 5.
Repaying cost of appeal.
The Department of Administration shall be reimbursed for all costs associated with the contested case proceeding by the entity whose responsible authority has been the impetus for the individual's appeal to the commissioner. The commissioner shall establish appropriate accounting procedures to provide to the entity an itemized invoice.
Statutory Authority:
MS s 13.07
History:
L 1984 c 640 s 32
Published Electronically:
July 13, 2007
1205.1700 GENERAL POWERS OF THE COMMISSIONER.
Pursuant to Minnesota Statutes, section 13.05, subdivision 2 and to assist in the general implementation and enforcement of the act, the commissioner shall have the following powers:
A.
If the commissioner determines that certain information is relevant to monitoring any entity's data collection and handling practices, policies, and procedures, the commissioner shall require the responsible authority of such entity to submit the information.
B.
Any inquiries concerning the act or these rules and any information submissions required to be made by item A shall be directed to: Data Privacy Division, Department of Administration, State of Minnesota, 50 Sherburne Avenue, Saint Paul, Minnesota 55155.
C.
The Data Privacy Division shall respond promptly to all inquiries within personnel and budgetary limitations.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.1800
[Repealed, L 2010 c 365 art 1 s 12]
Published Electronically:
July 30, 2010
SEVERABLE PROVISIONS AND FORMS
1205.1900 SEVERABLE PROVISIONS.
If any provisions of this chapter are found invalid for any reason, the remaining provisions shall remain valid.
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
1205.2000 ADVISORY FORMS.
Subpart 1.
Advisory form A:
resolution appointing a county responsible authority.
State of Minnesota
County of (name of county) _________________
WHEREAS, Minnesota Statutes, section 13.02, subdivision 16, requires that (name of county) _______________ County appoint one person as the Responsible Authority to administer the requirements for collection, storage, use and dissemination of data on individuals within the county and,
WHEREAS, the (name of county) _______________ County Board of Commissioners shares the concern expressed by the legislature on the responsible use of all County data and wishes to satisfy this concern by immediately appointing an administratively and technically qualified Responsible Authority as required under the statute.
BE IT RESOLVED, the County Board of Commissioners appoints (name of individual) _______________ as the Responsible Authority for the purpose of meeting all requirements of Minnesota Statutes, chapter 13, as amended, and with rules as lawfully promulgated by the Commissioner of Administration as published in the State Register on (insert appropriate date) __________.
ADOPTED BY (name of county) __________ COUNTY COMMISSIONERS ON (date) _______.
| ATTESTED TO: | _____________________________________ |
| (signature of appropriate official) | |
| _____________________________________ | |
| (title of appropriate official) |
Subp. 2.
Advisory form B:
resolution appointing a city responsible authority.
State of Minnesota
City of (insert name of city) ___________________
Resolution Title: Appointment of Responsible Authority
WHEREAS, Minnesota Statutes, section 13.02, Subdivision 16, as amended, requires that the City of (insert name of city) _______________ appoint one person as the Responsible Authority to administer the requirements for collection, storage, use and dissemination of data on individuals, within the City and,
WHEREAS, the (insert name of city) _______________ City Council shares concern expressed by the legislature on the responsible use of all City data and wishes to satisfy this concern by immediately appointing an administratively qualified Responsible Authority as required under the statute.
BE IT RESOLVED, the City Council of (insert name of city) ____________ appoints (name of individual appointed) _______________ as the Responsible Authority for the purposes of meeting all requirements of Minnesota Statutes, chapter 13, as amended, and with rules as lawfully promulgated by the Commissioner of Administration as published in the State Register on (insert appropriate date) _______________.
ADOPTED BY (insert name of city) _______________ CITY COUNCIL ON (date) _______________.
ATTESTED TO BY THE:
| ____________________________ | ____________________ | |
| (Signature of Mayor) | on | (date) |
| ____________________________ | ____________________ | |
| (Signature of City Clerk) | (date) | |
Subp. 3.
Advisory form C:
resolution appointing a school district responsible authority.
State of Minnesota
(name of district) _______________ School District
School District Number ____
Pursuant to the provisions of Minnesota Statutes, section 13.02, subdivision 16, as amended, (insert name of individual) ____________________, is hereby appointed Responsible Authority for the (insert name of district) _______________ School District Number ____.
(insert name of individual appointed) ____________________ is hereby authorized to take all actions necessary to assure that all programs, administrative procedures and forms used within School District (insert number) ____ are administered in compliance with the provisions of Minnesota Statutes, chapter 13, as amended, and with rules as lawfully promulgated by the Commissioner of Administration as published in the State Register on (insert appropriate date) __________.
Subp. 4.
Advisory form D:
resolution appointing a responsible authority for state or local boards or commissions.
State of Minnesota
(insert name of board or commission) ___________________
Under the provisions of Minnesota Statutes, section 13.02, Subdivision 16, as amended, (name of individual) ____________________ is hereby appointed Responsible Authority for (insert name of board or commission) ____________________.
(insert name of individual appointed) _________________________ is hereby authorized to take all actions necessary to assure that all programs, administrative procedures and forms used by the (insert name of board or commission) _________________________ are administered in compliance with the provisions of Minnesota Statutes, chapter 13, as amended, and with rules as lawfully promulgated by the Commissioner of Administration and published in the State Register on (insert date) ____.
Subp. 5.
Advisory form E:
public document as required by Minnesota Statutes, section 13.05.
| GOVERNMENTAL ENTITY: | (Name of Entity) | RESPONSIBLE AUTHORITY: | (Name) |
| _ | _ | ||
| (Address) | (Title) | ||
| _ | _ | ||
| (Address) | |||
| _ | _ | ||
| _ | _ |
| NAME OF RECORD, FILE, SYSTEM OR PROCESS | DESCRIPTION OF RECORD, FILE, SYSTEM OR PROCESS | CLASSIFI- CATION | CITATION OF STATUTE OR FEDERAL LAW THAT CLASSIFIES THE DATA | NAME, TITLE AND ADDRESS OF DESIGNEE, IF ANY FOR FILE. ETC. |
| (Insert a name sufficient to identify.) | (Describe in terms understandable by the general public.) | (Insert private or confidential.) | (Insert citation to state or federal statute, federal rule, case law) | (Insert name, etc. of person appointed to be in charge of this file) |
|
.
. |
||||
|
.
. |
||||
|
.
. |
||||
|
.
. |
||||
|
.
. |
Statutory Authority:
MS s 13.07
Published Electronically:
July 13, 2007
Official Publication of the State of Minnesota
Revisor of Statutes