Data Practices Policies
Minnesota Statutes, Chapter 13, requires that each government entity establish a number of policies that govern the treatment of government data.
Right of access to government data
Each government entity is required to have two policies about access to government data.
- One policy must explain the rights of the public (Model Policy for the Public). NOTE: Data about a member of the public requesting access to public data are presumptively public. Entities are not required to note that in their policy, but may wish to do so.
- The other policy (Model Policy for Data Subjects) must explain the rights of data subjects.
IPAD developed a worksheet to help create the policies.
Not public data inventory
A government entity is required to create a document that identifies and describes any private or confidential data maintained by the entity. The Department of Administration's Data Inventory meets this requirement.
Ensuring appropriate access to not public data
Effective August 1, 2014, section 13.05, subd. 5, includes a requirement that government entities create procedures “ensuring that data that are not public are only accessible to persons whose work assignment reasonably requires access to the data.” This requires government entities to create procedures to identify which employees have access to not public data and develop a policy incorporating these procedures.
- One way to meet this requirement is to list employee work assignment access to not public data in an entity's Data Inventory and to establish a Policy for Ensuring the Security of Not Public Data.
Other suggestions to implement this requirement:
- Incorporate access to not public data in all employee position descriptions (sample from Admin).
- Utilize SharePoint or other shared folders or networks to catalog data access and/or security roles.
- Create a data access approval form for each employee that lists authorized files/folders with appropriate security acknowledgement by employee and manager/supervisor.
- Implement a security matrix similar to what is required by the federal HIPAA Privacy Rules (resource: U.S. Department of Health and Human Services, Security 101 for Covered Entities).