

The Minnesota Government Data Practices Act at 46

Feeling Its Age and Weight  (A Perfect Time to Review the Basics) 

By Ayah Helmy and Bennett C. Rosene

The Minnesota Government Data Practices Act (MGDPA or the “Act”) was enacted in 1974, partly in response to revelations about a secret Army project for the surveillance of citizens and partly as a result of the recommendations of the Department of Health, Education, and Welfare report Computers and the Rights of Citizens.1 The MGDPA is premised on the proposition that all government data collected, created, received, maintained, or disseminated by a government entity shall be public unless classified by statute, temporary classification, or federal law as nonpublic or protected nonpublic, private, or confidential.2

Between the MGDPA, other state and federal statutes, rules and regulations, and Advisory Opinions of the Commissioner, there is much to contemplate when considering a request to a Minnesota government entity to release data, or contesting an adverse response to that request. Despite–and perhaps because of–its complexity, private practitioners representing clients that require access to Minnesota government data, whether public data or private data on individuals, must understand some of the basic concepts within the Act and the Rules in order to adequately represent their clients. This article will attempt to cut through some of the “noise” of the scheme’s depth, breadth, and complexity to help the general practitioner understand the Act’s basic tenets.

History 

What began in 1974 as a six-page statute3 has “blossomed” over time into 171 pages in Minnesota Statutes Chapter 13 and 20 pages in Minnesota Rules Chapter 1205 (the “Rules”) as currently set forth on the Revisor of Statutes website.4 The complexity of the scheme has been driven by the increasing amount and types of data maintained by government entities, the need to classify that data, and the legislative balancing act of making government actions transparent while also protecting the privacy rights of individuals served by state government entities. 

Application of the scheme has become more complex over time not only with the growth of the Act and the Rules to their current proportions but also with the enactment of other Minnesota and federal statutes, rules, and regulations classifying data—HIPAA among them—all of which must be read and interpreted together to determine data classification and accessibility. 

There is no obvious way to refer to all federal laws that might impact the classification of data maintained by a Minnesota government entity. The Legislature has used federal law to define certain terms and authorize dissemination in certain circumstances, such as educational data5 and welfare data,6 while also citing the relevant federal statutes and regulations.7

An equally complex endeavor has been the classification of data as “nonpublic.” The first appearance of a “skyway” to identifying “not public” data was the enactment of Minnesota Statute Section 13.99 in 1991,8 which provided a bulleted summary of each state statute—over 220 statutes as of 1996—that classify government data outside of the MGDPA.9 That “skyway” was subsequently modified through the repeal and relocation of various classifications into the topical areas of the current Act, described as “data coded elsewhere.” There are currently 47 instances of Minnesota government data that, by state law, fall outside of the Act. The good news, if one can call it such, is that “47” is much less than the 220 instances identified in 1996.

Further weight and complexity to understanding and applying the Act has been driven by the advent of advisory opinions issued by the Minnesota Commissioner of Administration. Prior to 1993, if the requestor and the government entity maintaining the requested information could not agree on the classification of the data or the requestor’s right of access, the only remedy provided under the MGDPA was judicial review and decision. In 1993, the Legislature gave the Minnesota Department of Administration the right to issue written opinions about any question relating to public access to government data, the rights of subjects of data, and the classification of data under Chapter 13 or any other Minnesota statutes governing government data practices.10 That change was good news: lawsuits—expensive, time consuming, unpredictable by their nature—were no longer the only course available to resolve data disputes. The number of these more “informal” challenges to the classification and release of government data and the resulting volume of opinions from the commissioner have consequently expanded the advisory literature over time. The Minnesota Department of Administration, Data Practices Office website now contains 41 pages of Advisory Opinions stretching over 26 years. 

Applying the Act—How It Works

The need to acquire Minnesota government data may occur in a variety of circumstances. For example, an attorney representing a client in a divorce, child custody, or order for protection proceeding may need access to child protection records,11 corrections/probation records,12 or law enforcement data13 to fully represent the client’s interests. A lawyer representing a client bidding to contract for government services may want to see other, similar contracts held by the government entity, programmatic data related to the contracted service let for bid, or responses from other bidders when challenging a contract award.14 Counsel representing public employees in employment grievances, arbitration, or related litigation will need access to their client’s personnel records and related investigation data.15 Data breaches resulting from a variety of incidents, from government employee inadvertence, mistake, or misconduct to cyber-attacks and malware launched against government entities by malicious third parties—including such things as phishing emails, ransomware, and other forms of malware—are unfortunately becoming more commonplace. These incidents may give rise to notification rights to individuals, access to investigative reports under the Act,16 or a claim for civil remedies under Section 13.08 of the Act or other state or federal law. 

Regardless of an attorney’s reason for needing access to government-held data, it is important to understand how the Act functions. 

1. How the MGDPA fits with the Official Records Act and the Records Management Statute

It is important to note that the MGDPA only provides information on how certain data are defined and classified and who may have access. However, what government data are required to be maintained and how long they are kept are codified elsewhere in the law. The Official Records Act requires government entities to “make and preserve all records necessary to a full and accurate knowledge of their official activities”;17 meanwhile, the Records Management Statute requires that the head of each government body create a retention schedule for its various records.18

This is relevant because government entities may not have the data that you are looking for when you make your MGDPA request, as they are only required to maintain records of their official acts and they are only required to retain the data according to the record retention and disposal schedules they set in place. 

2. “Government data” and its classifications

The term “government data” is defined under the Act as “all data collected, created, received, maintained, or disseminated by any government entity regardless of its physical form, storage media, or condition of use.”19 Under the statutory scheme, data are initially categorized in broad categories: “data on individuals” and “data not on individuals.” Data on individuals is comprised of all government data in which any individual is or can be identified as the subject of the data unless the identifying information is only incidental to the data and the data are not accessed by name or other identifying data of any individual.20 “Data not on individuals” are defined simply as “government data that are not data on individuals.”21 Data not on individuals typically relate to entities such as corporations, partnerships, and LLCs.

The two broad categories of data further break down into three subcategories for each type of data. 

  • Data on individuals may be public, private, or confidential.22 
  • Data not on individuals may be public, nonpublic, or protected nonpublic.23 
  • Data that are public, whether on individuals or not on individuals, are available to anyone for any reason. 

Data that are private (individuals) or nonpublic (entities) are available to the data subject, individuals within the government entity whose work assignments require access to the data, other entities as authorized by law, and other individuals as authorized by data subjects. Data that are confidential (individuals) or protected nonpublic (entities) are available to individuals within the government entity whose work assignments require access and to other entities as authorized by law, but are not available to the subjects of the data.24

3. To whom a request for data should be made and why it matters

Requests for data under the MGDPA should be made to the proper person: the government entity’s “responsible authority” (RA), or its RA “designee.” The responsible authority “in any political subdivision means the individual designated by the governing body of that political subdivision as the individual responsible for the collection, use, and dissemination of any set of data on individuals, government data, or summary data, unless otherwise provided by state law.”25 A designee is “any person designated by the responsible authority to be in charge of individual files or systems containing government data and to receive and comply with requests for government data.”26

The responsible authority is also defined generally, and more specifically for state agencies, political subdivisions, and statewide systems, in the Rules at Part 1205.0200, Subparts 12-15. Each government entity must identify, designate, or appoint the individual who is ultimately responsible for the collection, use, and dissemination of data and the entity’s data practices decisions. The RA must also make sure that the entity complies with the requirement of the Act and the Rules.27 

The duties of the RA are primarily set forth in Section 13.05 of the Act, but there are 100 references to the RA throughout the Act, and 132 references to the RA throughout the Rules, imposing a wide variety of duties and obligations. Included within these hundreds of other references to RAs, for example, is one that defines the RA for each of the six separate components of Minnesota’s “welfare system.”28 If this all sounds complicated, it is. To simplify, a general practitioner need only understand that the Rules require responsible authorities and designees to be appointed by name in a public document.29 The Act also requires RAs to prepare written data access policies, updated no later than August 1 of each year or at other times as necessary to “reflect changes in personnel, procedures, or other circumstances that impact the public’s ability to access data.”30 The entity’s RA must also make copies of these required policies easily available to the public by distributing free copies or by posting on the government entity’s website.31

Why does it matter that individuals make their data request to the correct RA or RA designee? Because a government entity is not liable under the Act for alleged violations of sections 13.03, subdivision 3 (Access to Government Data—Request for access to data) and 13.04, subdivision 3 (Rights of Subjects of Data—Access by individual) if the requestor did not satisfy the requirement of making his or her request to the government entity’s specified (named) responsible authority or designee.32 Thus, for example, if one makes a data request to a social worker, probation officer, police officer or case manager, etc., rather than to the appropriate RA or RA designee, and the request is ignored, untimely, denied, or incomplete, there is no enforcement available to the requestor under the MGDPA.

A practitioner should also understand that under the MGDPA and the Rules, a singular legal entity such as a county may have multiple RAs or RA designees because of the complexity of the underlying scheme: each elected county official (each County Board member, County Attorney, County Sheriff) is his or her own RA and may have a designee, the welfare and veteran’s services functions of the county each have their own RA or designee, and the remainder of county departments/functions have one other RA or designee. Thus, it pays dividends to go to the entity’s web page to review its MGDPA policies and verify the correct RA or designee before making a data request to that named individual. 

4. Informed consent

Informed consent is written permission from an individual allowing the release of the individual’s private data to another person or entity. Valid informed consent is required before a government entity may release private data to an individual’s attorney.33 Informed consent is also required when a government entity wants to use the individual’s private data in a way that is different than explained to the individual at the time the data were collected.34 The Rules govern the mechanics of what constitutes informed consent by a data subject: informed consent means that the data subject “possesses and exercises sufficient mental capacity to make a decision which reflects an appreciation of the consequences of allowing the entity to initiate a new purpose or use of the data in question.”35

Informed consent must be in writing and the document must inform the data subject in writing prior to his or her signature being affixed of the consequences of giving informed consent.36 A lawyer making a request for a client’s private data must present the government entity’s responsible authority or its designee with a valid, written informed consent signed by the client in conjunction with the request—a letter or certificate of representation is not sufficient to allow the release of private data under the MGDPA.

Limitations on Receipt of Data 

 
1. Limitations on requesting private data under the MGDPA

After an individual has been shown his or her private data and informed of its meaning, the data need not be disclosed to that individual for six months thereafter unless a dispute or action concerning access to the data is pending or additional data on the individual has been collected or created.37

2. Action in response to a denial of access to data 

Individuals requesting government data who believe they have been wrongfully denied access to data in violation of the Act may file a complaint with the Office of Administrative Hearings alleging the violation and seeking compelled compliance. The procedure for this administrative remedy is set forth in Section 13.085 of the Act. 

Final Thoughts and Resources

The Act and its Rules have become a complicated and somewhat cumbersome set of requirements. There are government lawyers who must spend a significant portion of their time parsing out how the MGDPA applies to contract provisions, regulatory compliance, employment disputes, media requests for records, and more. While it can be cumbersome and complex for the specialist, it is worthwhile for the non-specialist needing routine or even occasional access to Minnesota government data to have a basic understanding of how the Act and Rules function. One other important key to success when working on issues governed by the MGDPA is communication and cooperation on both ends of the equation to facilitate data requests and responses. Talk to each other, acknowledge receipt of the data request, explain why it may be taking more time than anticipated to respond to the request, work to clarify any questions or ambiguities concerning the request, and do not be afraid of working cooperatively and creatively toward a quicker, better resolution if possible. 

The best available resources for your money (they are free!) are the website and/or staff of the Minnesota Department of Administration’s Data Practices Office (DPO). The DPO’s website38 is replete with helpful information, including topical explanations, Advisory Opinions of the Commissioner, and access to laws, rules, reports, and training materials. DPO staff (most, if not all, of whom are attorneys) are also available by email and telephone to help you understand the Act and Rules in application to particular circumstances. Although DPO staff does not provide “legal advice”—that’s up to you—they have many years of combined experience and can help direct you to specific Advisory Opinions that can provide you with a “leg up” in obtaining Minnesota government data and providing advice to your clients.39


Court Orders, Subpoenas, and the MGDPA

  1. Many sections of the MGDPA authorize access to not public data with a court order. A court order is necessary to access private data not otherwise available to the requesting party. A verbal court order is sufficient. A court order does not change the classification of the data. 
  2. A subpoena is not equivalent to a court order and cannot be used on its own to access private data. 
  3. Federal laws typically allow for the disclosure of private data pursuant to a subpoena in many circumstances, and their requirements merely provide a “floor,” with the MGDPA being more restrictive.
  4. Pursuant to the Supremacy Clause of the U.S. Constitution, Minnesota government entities should release requested data when subject to a federal administrative or judicial subpoena, regardless of whether it is accompanied by a court order.


Timelines and Costs

  • Entities should respond to requests in a prompt and appropriate manner, within a “reasonable” time.
  • The “reasonable time” is commensurate with the amount of data requested. 
  • Entities are allowed to charge for copies of government data. If they do charge, the allowable amount depends on whether the requester is the data subject. 
  • Non-data-subjects can be charged up to 25 cents per page of black-and-white print. For more than 100 pages or digital data, the entity may charge the actual cost for an employee to search for the data, retrieve the data, and make paper or print copies of electronically stored data.
  • When a data subject requests data about herself or himself, the responsible authority must comply immediately or, at most, within 10 days of the request. 
  • Data subjects can be required to pay the actual costs of retrieving and providing the data. 
  • Actual costs can include costs of media, mailing, and employee time, but they do not include employee time to separate public from nonpublic data, operating expense of a copier, accounting functions, or costs related to inspection. 
  • Individuals can “be shown” or “inspect” data without charge and “upon request” be informed of the data’s meaning. 
  • Inspection of public data should be available remotely on the requester’s own computer equipment, though an entity may charge a reasonable fee for any enhanced access. 
  • Public data maintained in a computer storage medium must be provided to any individual requesting a copy, if the government can reasonably make the copy. This does not require the entity to provide the data in an alternate format or program from how it is originally maintained, and the entity may require the requesting person to pay the actual cost of providing the copy. 


Ayah Helmy

Ms. Helmy works as counsel for Bright Health and teaches at the Mitchell Hamline School of Law and the University of Minnesota. She formerly worked in private practice and as an Assistant Ramsey County Attorney, advising and litigating on behalf of county agencies.

Bennett C. Rosene

After a career in both private and public civil practice, including a long career at the Ramsey County Attorney’s Office as their primary data practices expert, Mr. Rosene is Of Counsel at the Innova Law Group, working on data privacy matters.


Notes

1 Data Practices at the Cusp of the Millennium, 22 Wm. Mitchell L. Review 767, 771 (1996).

2 Minn. Stat. Sect. 13.03, subd. 1.

3 Act of April 11, 1974, ch. 479, 1974 Laws 1199 (initially codified at Minn. Stat. Sections 15.162-43 (1974)).

4 https://www.revisor.mn.gov/statutes/cite/13; https://www.revisor.mn.gov/rules/pdf/1205/2014-01-18%2000:44:22+00:00.

5 Minn. Stat. Sect. 13.32.

6 Minn. Stat. Sect. 13.46.

7 Data Practices at the Cusp of the Millennium, 22 Wm. Mitchell L. Review 767, 783–784 (1996).

8 1991 Minn. Laws 106, Sect. 6.

9 Data Practices at the Cusp of the Millennium, 22 Wm. Mitchell L. Review 767, 784, 785 (1996).

10 Minn. Stat. Sect. 13.072, subd. 1(a) (Supp. 1995).

11 Classified as confidential or private data under Minn. Stat. Sect. 13.46.

12 Classified as public, private, or confidential Court Services data under Minn. Stat. Sect. 13.841, 13.841 and/or public, private, or confidential Corrections and Detention data classified under Minn. Stat. Sect. 13.85, 13.851.

13 Classified as public, private, or confidential data under Minn. Stat. Sect. 13.82.

14 Attorneys working in these circumstances should become familiar with the classification of Business Data under Minn. Stat. Sect. 13.591, and with the definition and classification of Trade Secret Data under Minn. Stat. Sect. 13.37. 

15 Classified as public, private, and confidential Personnel Data under Minn. Stat. Sect. 13.43.

16 See Minn. Stat. Sect. 13.055, Disclosure of Breach in Security; Notification and Investigation Report.

17 Minn. Stat. Sect. 15.17.

18 Minn. Stat. Sect. 138.17.

19 Minn. Stat. Sect. 13.02, subd. 7.

20 Minn. Stat. Sect. 13.02, subd. 5.

21 Minn. Stat. Sect. 13.02, subd. 4.

22 See Minn. Stat. Sect. 13.02, subds. 15, 12, and 3. 

23 See Minn. Stat. Sect. 13.02, subds. 14, 9, and 13. 

24 See Minn. Stat. Sect. 13.02, subds. 3 and 13; Minn. Admin. R. 1204.1400, subp. 2.

25 Minn. Stat. Sect. 13.02, subd. 16(b).

26 Id., subd. 6.

27 https://mn.gov/admin/data-practices/data/contacts/responsible/.

28 Minn. Stat. Sect. 13.46, subd. 10(a). 

29 Scheffler v. City of Anoka, 890 N.W. 2d 437, 445 (Minn. App. 2017) citing Minn. Admin. R. 1205.0200, subp. 14.B (requiring cities to appoint an employee as the responsible authority); Minn. Admin. R. 1205.1200, subp. 2 (requiring public document to identify the responsible authority or the designee who is responsible for answering questions about the MGDPA); id., subp. 3 (requiring public document to identify the name, title, and address of designees appointed by the responsible authority).

30 Minn. Stat. Sect. 13.025, subds. 2 and 3.

31 Id., subd. 4.

32 Scheffler, 890 N.W. 2d 437, 447, holding that “Under Minnesota Statutes sections 13.03, subdivision 3, and 13.04, subdivision 3, a person seeking data from a government entity must make his request to the government entity’s specified responsible authority or designee before claiming an MGDP failure to provide data or failure to provide a reason for denial.”

33 Minn. Stat. Sect. 13.04, subd. 4(d).

34 Minn. Stat. Sect. 13.04.

35 Minn. Admin. R. 1205.1400, subp. 3.

36 Id., subp. 4. B.4(b).

37 Minn. Stat. Sect. 13.03, subd. 3.

38 https://mn.gov/admin/data-practices/

39 Opinions of the commissioner are not binding but must be given deference by a court or other tribunal in a proceeding involving data. An entity or person that acts in conformity with a written opinion of the commissioner is not liable for compensatory or exemplary damages or awards of attorney’s fees in actions for violations under section 13.08 or 13.085, or for a penalty under section 13.09. See Minn. Stat. Sect. 13.072, subd. 2.
