Minnesota Data Privacy Laws

Associations of local authorities can be consulted for specific information on data practices in their area of competence. The MGDPA grants specific rights to individuals who are subject to government data. One of these rights is the data subject's right to access data about them. This chapter is only intended to provide a very basic and superficial overview of some of the key provisions of the Minnesota Government Data Practices Act and should not be construed as legal advice. The MGDPA creates legal obligations and requirements for government organizations and others to whom the MGDPA applies. Non-compliance with a specific provision of the MGDPA, for example by disclosing information that should not have been disclosed or by not disclosing data to a person authorized to receive it, could result in fines and penalties for the organization, as well as criminal prosecution and loss of employment for government employees responsible for non-compliance with the MGDPA. Since many provisions of the MGDPA can be described as unclear, complicated and confusing, it is strongly recommended that all matters relating to the receipt, classification, storage, use and dissemination of information be referred to the appropriate authority and legal counsel of the Society.

“We're doing our best to make sure companies don't end up with a hodgepodge of 50 states of completely independent privacy bills,” he said. “We are trying to create a common framework of as many states as possible.”

In 2007, Minnesota became the first state to include part of the payment card industry's data security standard in its data security or privacy laws. The Minnesota Act, known as the Plastic Card Security Act, was passed largely in response to the massive data breach at TJX Companies, when card issuers had to reissue millions of debit and credit cards.

The Plastic Card Security Act prohibits anyone doing business in Minnesota from storing sensitive credit and debit card information after the transaction is authorized. The Plastic Card Security Act also makes non-compliant businesses liable for the costs incurred by financial institutions to cancel and replace compromised credit cards in a security breach. As a result, any company that is breached and has “prohibited” cardholder data (e.g. magnetic stripe, CCV codes, tracking data, etc.) is required to reimburse banks and others for the costs associated with blocking and reissuing cards. Violation: breach of the “security system” means any unauthorized collection of computerized data that compromises the security, confidentiality or integrity of personal data managed by the person or company. The following resources may contain useful information on the MGDPA and other laws regarding data practices. With little chance of Congress passing national regulations, states are beginning to adopt their own privacy plans. In addition to its application to government entities, some or all of its provisions may apply to non-governmental entities under contract with government entities.

[5] A government entity that enters into a contract with a private party for the performance of one of its functions must include a notice indicating that the data collected from the individual is subject to the Data Practices Act. Failure to include the notice in the contract does not render the application of the law null and void. [6] A national system is defined as “any system of record in which government data is collected, stored, disseminated and used through a system common to one or more government agencies or more than one of their strategic subdivisions, or any combination of government agencies and policy subdivisions.”

[4] Minnesota does not have laws that provide special protection for children's privacy online. However, the Federal Children's Online Privacy Protection Act of 1998 (“COPPA”) requires operators of websites directed to children under the age of 13 (or websites that knowingly collect information from children under the age of 13) to provide a detailed privacy statement regarding their collection and use of children's information on the Internet. COPPA also requires the site operator to obtain “verifiable parental consent” before collecting or using information from children beyond a single request. The operator must give parents the opportunity to view the information collected from the child and request its deletion at any time.

Whenever a government agency asks a person to provide private or confidential information about themselves, the institution must give that person a notification, sometimes called a Tennessen warning. To protect the government agency from possible future claims, the Tennessen warning should be written or in another recorded format, though the law does not explicitly require it.
In this context, the person must sign a confirmation that he or she has received the notification, and a copy of a written communication must be given to the person concerned and the original kept by the government agency with the relevant data. If information is collected by telephone, the notification must be verbal. The Corporation must record details such as whether the notice was given, the date and the identity of the person making the notice.

If the notification is made orally, the government agency may also make it in writing as soon as possible. The MGDPA establishes specific rights for individuals who are subject to government data and establishes controls over how government agencies collect, store, use, and share data about individuals. The legislator established these rights and controls because the decisions that government agencies make when using information about these people can have a major impact on their lives.

Minnesota has a more restrictive law than HIPAA that prohibits healthcare providers from disclosing protected health information for any reason, including processing and payment, without the patient's explicit consent. The MHRA protects data contained in patients' individual medical records collected by healthcare providers such as doctors, dentists, psychotherapists, nurses, healthcare facilities and other licensed healthcare professionals. The MHRA deals with the sharing of this recorded data, but does not control how it should be protected or transmitted electronically. HIPAA and the HIPAA Privacy Policy set standards for collecting, protecting, and sharing individually identifiable health information for relevant companies in accordance with the HIPAA security and privacy rules in 45 CFR Part 164. Unlike MHRA, HIPAA does not require consent for processing or payment purposes.

The Tennessen warning is issued at the time of data collection.

The notification must be made at all times: national systems are also subject to the MGDPA. A national system is a records or data management system established by federal laws, state laws, administrative decisions or agreements, or joint powers and applies to any combination of state agencies and/or political subdivisions. John Reynolds, director of energy, telecommunications and election policy for the Minnesota Chamber of Commerce, said an estimate by the California attorney general's office predicts upfront compliance costs in the state of $55 billion. “Despite significant costs, early analysis by a data service provider in California shows fairly low consumer usage,” he said. Private or confidential data collected prior to August 1, 1975 (the effective date of the Tennessen warning requirement) may be retained for the purposes for which the data was collected. This data may also be retained for reasons of public health, safety or welfare, if the institution obtains the authorization of the administrative commissioner. From now on, the bill would give consumers partial rights over their personal data managed by a private entity, including obtaining a copy, correcting inaccuracies, deleting data, knowing whether your information has been sold, and the right to opt out of selling the data. Companies would be required to provide a privacy statement about how personal data is collected and used.

According to Minn. Stat. § 13.04, subd. 1, a person who is asked to provide private or confidential data concerning him or her must be informed of: The standards for obtaining informed consent are set out in Minn. Stat. § 13.05, subd. 4(d) and Minn. R. 1205.1400. A consent form must be completed to disclose personal information about individuals if (a) the disclosure of the data is necessary for the administration of a legally authorized program and (b) one of the following applies: These rights allow the data subject to decide whether or not to provide the requested data; to see what information the Company keeps about it; determine whether this information is accurate, complete and up-to-date and what impact the data can (or has had) on business decisions; and prevent inaccurate and/or incomplete data from causing problems for individuals.

The person requesting government data may request access to certain types of data or data elements, certain documents or parts of documents, entire records, files or databases, or any public data maintained by the institution. The reporting obligation is triggered when a system security breach is discovered or reported. The notification must be made as soon as possible and without undue delay, in accordance with the legitimate needs of law enforcement authorities or any measure necessary to determine the extent of the breach, identify data subjects and restore adequate data integrity. In the event of a violation affecting more than 500 people (1,000 for state agencies), consumer reporting offices must be notified within 48 hours and must be notified of the timing, distribution, and content of communications sent to Minnesota residents.