13.05 DUTIES OF RESPONSIBLE AUTHORITY.
Subdivision 1. Public document of data categories.
The responsible authority shall
prepare a public document containing the authority's name, title and address, and a description
of each category of record, file, or process relating to private or confidential data on individuals
maintained by the authority's government entity. Forms used to collect private and confidential
data shall be included in the public document. Beginning August 1, 1977 and annually thereafter,
the responsible authority shall update the public document and make any changes necessary to
maintain the accuracy of the document. The document shall be available from the responsible
authority to the public in accordance with the provisions of sections
Subd. 2. Copies to commissioner.
The commissioner may require responsible authorities
to submit copies of the public document required in subdivision 1, and may request additional
information relevant to data collection practices, policies and procedures.
Subd. 3. General standards for collection and storage.
Collection and storage of all data
on individuals and the use and dissemination of private and confidential data on individuals shall
be limited to that necessary for the administration and management of programs specifically
authorized by the legislature or local governing body or mandated by the federal government.
Subd. 4. Limitations on collection and use of data.
Private or confidential data on an
individual shall not be collected, stored, used, or disseminated by government entities for any
purposes other than those stated to the individual at the time of collection in accordance with
, except as provided in this subdivision.
(a) Data collected prior to August 1, 1975, and which have not been treated as public data,
may be used, stored, and disseminated for the purposes for which the data was originally collected
or for purposes which are specifically approved by the commissioner as necessary to public
health, safety, or welfare.
(b) Private or confidential data may be used and disseminated to individuals or entities
specifically authorized access to that data by state, local, or federal law enacted or promulgated
after the collection of the data.
(c) Private or confidential data may be used and disseminated to individuals or entities
subsequent to the collection of the data when the responsible authority maintaining the data has
requested approval for a new or different use or dissemination of the data and that request has been
specifically approved by the commissioner as necessary to carry out a function assigned by law.
(d) Private data may be used by and disseminated to any person or entity if the individual
subject or subjects of the data have given their informed consent. Whether a data subject
has given informed consent shall be determined by rules of the commissioner. The format for
informed consent is as follows, unless otherwise prescribed by the HIPAA, Standards for Privacy
of Individually Identifiable Health Information, 65 Fed. Reg. 82, 461 (2000) (to be codified as
Code of Federal Regulations, title 45, section 164): informed consent shall not be deemed to have
been given by an individual subject of the data by the signing of any statement authorizing
any person or entity to disclose information about the individual to an insurer or its authorized
representative, unless the statement is:
(1) in plain language;
(3) specific in designating the particular persons or agencies the data subject is authorizing to
disclose information about the data subject;
(4) specific as to the nature of the information the subject is authorizing to be disclosed;
(5) specific as to the persons or entities to whom the subject is authorizing information
to be disclosed;
(6) specific as to the purpose or purposes for which the information may be used by any of
the parties named in clause (5), both at the time of the disclosure and at any time in the future;
(7) specific as to its expiration date which should be within a reasonable period of time, not
to exceed one year except in the case of authorizations given in connection with applications for
(i) life insurance or noncancelable or guaranteed renewable health insurance and identified as
such, two years after the date of the policy or (ii) medical assistance under chapter 256B or
MinnesotaCare under chapter 256L, which shall be ongoing during all terms of eligibility, for
individual education plan health-related services provided by a school district under section
125A.21, subdivision 2
The responsible authority may require a person requesting copies of data under this
paragraph to pay the actual costs of making, certifying, and compiling the copies.
(e) Private or confidential data on an individual may be discussed at a meeting open to the
public to the extent provided in section
Subd. 5. Data protection.
(a) The responsible authority shall (1) establish procedures to
assure that all data on individuals is accurate, complete, and current for the purposes for which
it was collected; and (2) establish appropriate security safeguards for all records containing
data on individuals.
(b) When not public data is being disposed of, the data must be destroyed in a way that
prevents its contents from being determined.
Subd. 6. Contracts.
Except as provided in section
13.46, subdivision 5
, in any contract
between a government entity subject to this chapter and any person, when the contract requires
that data on individuals be made available to the contracting parties by the government entity, that
data shall be administered consistent with this chapter. A contracting party shall maintain the data
on individuals which it received according to the statutory provisions applicable to the data.
Subd. 7. Preparation of summary data.
The use of summary data derived from private or
confidential data on individuals under the jurisdiction of one or more responsible authorities is
permitted. Unless classified pursuant to section
, another statute, or federal law, summary
data is public. The responsible authority shall prepare summary data from private or confidential
data on individuals upon the request of any person if the request is in writing and the cost of
preparing the summary data is borne by the requesting person. The responsible authority may
delegate the power to prepare summary data (1) to the administrative officer responsible for any
central repository of summary data; or (2) to a person outside of the entity if the person's purpose
is set forth, in writing, and the person agrees not to disclose, and the entity reasonably determines
that the access will not compromise private or confidential data on individuals.
Subd. 8. Publication of access procedures.
The responsible authority shall prepare a public
document setting forth in writing the rights of the data subject pursuant to section
specific procedures in effect in the government entity for access by the data subject to public or
private data on individuals.
Subd. 9. Intergovernmental access of data.
A responsible authority shall allow another
responsible authority access to data classified as not public only when the access is authorized or
required by statute or federal law. An entity that supplies government data under this subdivision
may require the requesting entity to pay the actual cost of supplying the data.
Subd. 10. International dissemination.
No state agency or political subdivision shall
transfer or disseminate any private or confidential data on individuals to the private international
organization known as Interpol, except through the Interpol-United States National Central
Bureau, United States Department of Justice.
Subd. 11. Privatization.
(a) If a government entity enters into a contract with a private person
to perform any of its functions, the government entity shall include in the contract terms that make
it clear that all of the data created, collected, received, stored, used, maintained, or disseminated
by the private person in performing those functions is subject to the requirements of this chapter
and that the private person must comply with those requirements as if it were a government entity.
The remedies in section
apply to the private person under this subdivision.
(b) This subdivision does not create a duty on the part of the private person to provide
access to public data to the public if the public data are available from the government entity,
except as required by the terms of the contract.
Subd. 12. Identification or justification.
Unless specifically authorized by statute,
government entities may not require persons to identify themselves, state a reason for, or justify
a request to gain access to public government data. A person may be asked to provide certain
identifying or clarifying information for the sole purpose of facilitating access to the data.
Subd. 13. Data practices compliance official.
By December 1, 2000, each responsible
authority or other appropriate authority in every government entity shall appoint or designate an
employee of the government entity to act as the entity's data practices compliance official. The
data practices compliance official is the designated employee of the government entity to whom
persons may direct questions or concerns regarding problems in obtaining access to data or other
data practices problems. The responsible authority may be the data practices compliance official.
History: 1974 c 479 s 2; 1975 c 401 s 2; 1976 c 239 s 3; 1976 c 283 s 6,7; 1978 c 790 s 3;
1979 c 328 s 8; 1981 c 311 s 7,39; 1Sp1981 c 4 art 1 s 7; 1982 c 545 s 24; 1984 c 436 s 6-9; 1986
c 444; 1987 c 351 s 3; 1992 c 569 s 3; 1994 c 618 art 1 s 3; 1999 c 227 s 22; 1999 c 250 art 1 s
42; 2000 c 468 s 6,7; 2002 c 277 s 1; 2002 c 374 art 10 s 1; 2005 c 163 s 15-20; 2006 c 233 s 1