13.05 Duties of responsible authority.
Subdivision 1. Public document of data categories. The responsible authority shall prepare a public document containing the authority's name, title and address, and a description of each category of record, file, or process relating to private or confidential data on individuals maintained by the authority's state agency, statewide system, or political subdivision. Forms used to collect private and confidential data shall be included in the public document. Beginning August 1, 1977 and annually thereafter, the responsible authority shall update the public document and make any changes necessary to maintain the accuracy of the document. The document shall be available from the responsible authority to the public in accordance with the provisions of sections 13.03 and 15.17.
Subd. 2. Copies to commissioner. The commissioner may require responsible authorities to submit copies of the public document required in subdivision 1, and may request additional information relevant to data collection practices, policies and procedures.
Subd. 3. General standards for collection and storage. Collection and storage of all data on individuals and the use and dissemination of private and confidential data on individuals shall be limited to that necessary for the administration and management of programs specifically authorized by the legislature or local governing body or mandated by the federal government.
Subd. 4. Limitations on collection and use of data. Private or confidential data on an individual shall not be collected, stored, used, or disseminated by political subdivisions, statewide systems, or state agencies for any purposes other than those stated to the individual at the time of collection in accordance with section 13.04, except as provided in this subdivision.
(a) Data collected prior to August 1, 1975, and which have not been treated as public data, may be used, stored, and disseminated for the purposes for which the data was originally collected or for purposes which are specifically approved by the commissioner as necessary to public health, safety, or welfare.
(b) Private or confidential data may be used and disseminated to individuals or agencies specifically authorized access to that data by state, local, or federal law enacted or promulgated after the collection of the data.
(c) Private or confidential data may be used and disseminated to individuals or agencies subsequent to the collection of the data when the responsible authority maintaining the data has requested approval for a new or different use or dissemination of the data and that request has been specifically approved by the commissioner as necessary to carry out a function assigned by law.
(d) Private data may be used by and disseminated to any person or agency if the individual subject or subjects of the data have given their informed consent. Whether a data subject has given informed consent shall be determined by rules of the commissioner. The format for informed consent is as follows, unless otherwise prescribed by the HIPAA, Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82, 461 (2000) (to be codified as Code of Federal Regulations, title 45, section 164): informed consent shall not be deemed to have been given by an individual subject of the data by the signing of any statement authorizing any person or agency to disclose information about the individual to an insurer or its authorized representative, unless the statement is:
(1) in plain language;
(3) specific in designating the particular persons or agencies the data subject is authorizing to disclose information about the data subject;
(4) specific as to the nature of the information the subject is authorizing to be disclosed;
(5) specific as to the persons or agencies to whom the subject is authorizing information to be disclosed;
(6) specific as to the purpose or purposes for which the information may be used by any of the parties named in clause (5), both at the time of the disclosure and at any time in the future;
(7) specific as to its expiration date which should be within a reasonable period of time, not to exceed one year except in the case of authorizations given in connection with applications for (i) life insurance or noncancelable or guaranteed renewable health insurance and identified as such, two years after the date of the policy or (ii) medical assistance under chapter 256B or MinnesotaCare under chapter 256L, which shall be ongoing during all terms of eligibility, for individual education plan health-related services provided by a school district under section 125A.21, subdivision 2.
The responsible authority may require a person requesting copies of data under this paragraph to pay the actual costs of making, certifying, and compiling the copies.
(e) Private or confidential data on an individual may be discussed at a meeting open to the public to the extent provided in section 13D.05.
Subd. 5. Data protection. The responsible authority shall (1) establish procedures to assure that all data on individuals is accurate, complete, and current for the purposes for which it was collected; and (2) establish appropriate security safeguards for all records containing data on individuals.
Subd. 6. Contracts. Except as provided in section 13.46, subdivision 5, in any contract between a governmental unit subject to this chapter and any person, when the contract requires that data on individuals be made available to the contracting parties by the governmental unit, that data shall be administered consistent with this chapter. A contracting party shall maintain the data on individuals which it received according to the statutory provisions applicable to the data.
Subd. 7. Preparation of summary data. The use of summary data derived from private or confidential data on individuals under the jurisdiction of one or more responsible authorities is permitted. Unless classified pursuant to section 13.06, another statute, or federal law, summary data is public. The responsible authority shall prepare summary data from private or confidential data on individuals upon the request of any person if the request is in writing and the cost of preparing the summary data is borne by the requesting person. The responsible authority may delegate the power to prepare summary data (1) to the administrative officer responsible for any central repository of summary data; or (2) to a person outside of its agency if the person's purpose is set forth, in writing, and the person agrees not to disclose, and the agency reasonably determines that the access will not compromise private or confidential data on individuals.
Subd. 8. Publication of access procedures. The responsible authority shall prepare a public document setting forth in writing the rights of the data subject pursuant to section 13.04 and the specific procedures in effect in the state agency, statewide system or political subdivision for access by the data subject to public or private data on individuals.
Subd. 9. Intergovernmental access of data. A responsible authority shall allow another responsible authority access to data classified as not public only when the access is authorized or required by statute or federal law. An agency that supplies government data under this subdivision may require the requesting agency to pay the actual cost of supplying the data.
Subd. 10. International dissemination. No state agency or political subdivision shall transfer or disseminate any private or confidential data on individuals to the private international organization known as Interpol, except through the Interpol-United States National Central Bureau, United States Department of Justice.
Subd. 11. Privatization. (a) If a government entity enters into a contract with a private person to perform any of its functions, the government entity shall include in the contract terms that make it clear that all of the data created, collected, received, stored, used, maintained, or disseminated by the private person in performing those functions is subject to the requirements of this chapter and that the private person must comply with those requirements as if it were a government entity. The remedies in section 13.08 apply to the private person under this subdivision.
(b) This subdivision does not create a duty on the part of the private person to provide access to public data to the public if the public data are available from the government entity, except as required by the terms of the contract.
Subd. 12. Identification or justification. Unless specifically authorized by statute, government entities may not require persons to identify themselves, state a reason for, or justify a request to gain access to public government data. A person may be asked to provide certain identifying or clarifying information for the sole purpose of facilitating access to the data.
Subd. 13. Data practices compliance official. By December 1, 2000, each responsible authority or other appropriate authority in every government entity shall appoint or designate an employee of the government entity to act as the entity's data practices compliance official. The data practices compliance official is the designated employee of the government entity to whom persons may direct questions or concerns regarding problems in obtaining access to data or other data practices problems. The responsible authority may be the data practices compliance official.
HIST: 1974 c 479 s 2; 1975 c 401 s 2; 1976 c 239 s 3; 1976 c 283 s 6,7; 1978 c 790 s 3; 1979 c 328 s 8; 1981 c 311 s 7,39; 1Sp1981 c 4 art 1 s 7; 1982 c 545 s 24; 1984 c 436 s 6-9; 1986 c 444; 1987 c 351 s 3; 1992 c 569 s 3; 1994 c 618 art 1 s 3; 1999 c 227 s 22; 1999 c 250 art 1 s 42; 2000 c 468 s 6,7; 2002 c 277 s 1; 2002 c 374 art 10 s 1