FYi - July 2018

FYi Newsletter – From the Data Practices Office at the Department of Administration


Legislative Commission on Data Practices and Personal Data Privacy

Discussion on the Minnesota Health Records Act and Federal HIPAA Privacy Rule

The Legislative Commission on Data Practices met on June 13, 2018, to begin delving into the complicated area of state and federal laws and rules governing the privacy of health records. At the hearing, Commission members received background information on the relevant state and federal laws and rules. The Commission Chair, Rep. Peggy Scott, stated that the end goal of these discussions is to generate recommendations and a possible “middle ground” for the full legislature to consider.

Going forward, the Commission will meet monthly through the end of the year to continue these discussions. In July, Commission members will receive additional background information before moving into hearing testimony from stakeholders.

All of the Commission’s materials are available to the public, including video from the June 13 hearing on this topic.

Advisory Opinion Update

Response Time for Requests from Data Subjects

In Advisory Opinion 18-005, a data subject asked if a county responded appropriately to a data request when it failed to comply within ten business days. The Commissioner concluded that Minn. Stat. § 13.04, subdivision 3, is clear: entities must comply with data subject requests within ten business days. The request resulted in almost 3,000 emails and, as of the date of the opinion, the County had failed to provide any emails to the data subject. The Commissioner acknowledged the challenge in producing all of the data within the strict time limit, but also noted that the statute does not allow for additional time in mitigating circumstances.

Response Time for Requests from the Public

In Advisory Opinion 18-006, a member of the public asked whether a University had violated the Data Practices Act because it had not provided him with access to the data he requested (public personnel data on three employees) as of the date of his opinion request, which was two months after he asked for the data. In previous advisory opinions, the Commissioner has stated that a prompt, reasonable response is relative to the volume of data requested. Here, he opined that given the facts of this specific data request, including the type and amount of data requested, the University’s response was not timely. 

Sealed Records and Background Checks

In Advisory Opinion 18-007, a City asked if it was required to provide access to a sealed criminal record pursuant to 5 USC § 9101. The language in that provision allows military recruiters to access certain records maintained by state and local law enforcement when the expunged records remain available for background checks. Here, the case against the subject of the records was ultimately dismissed and, because there was no record of a “conviction,” the records are not available for background checks under Minn. Stat. § 609A.03. Therefore, the City could not disclose the sealed records to the military recruiter.

Case Law Update

Carpenter v. United States, 585 U.S.____ (2018)

In a 5-4 decision, the U.S. Supreme Court ruled that accessing historical cell phone location data without a warrant violates the Fourth Amendment. Between 2010 and 2011, various individuals robbed RadioShack and T-Mobile stores in Michigan and Ohio. The police arrested four men, including the petitioner, in part because law enforcement connected Carpenter to the crimes via cellphone location data records obtained from his service provider. The records were obtained under the federal Stored Communications Act, which permits prosecutors to obtain a court order for disclosure by merely providing “specific and articulable facts showing there are reasonable grounds to believe” that the data are relevant to a criminal investigation. The Court held that the request constituted a Fourth Amendment search and thus required prosecutors to obtain a search warrant to access the records and meet the higher standard of demonstrating probable cause.

State v. Hammer, A17-1748 (Minn. Ct. App. June 11, 2018)

Appellant Hammer was terminated for cause by the Department of Corrections for violating various DOC policies, including ones related to electronic communications and personnel files. An arbitrator ultimately ordered that Appellant be reinstated, finding that the policy violations were not sufficient to warrant bypassing progressive discipline in favor of immediate discharge.

The court of appeals overturned the arbitrator's decision. The applicable DOC electronic communications policy prescribes discipline "up to and including discharge" for, among other things, illegal activity. During his employment Appellant had divulged to unauthorized co-workers information classified as private personnel data under Minn. Stat. § 13.43, such as one employee's likely suspension, and another employee's possible termination due to alcohol use. Because Minn. Stat. § 13.09 makes the willful violation of the Data Practices Act a misdemeanor, and provides that such a violation is just cause for dismissal of a public employee, the DOC's decision to terminate Appellant without progressive discipline was justified.

Cieslack v. Easly, 17-2338 (D. Minn. June 11, 2018)

Plaintiff lost his Wisconsin driver's license at a Minnesota casino. The casino found the missing license and incorporated it into new-employee training, which Plaintiff claimed was a violation of the Driver's Privacy Protection Act (DPPA). The court dismissed the case for failure to state a claim. To implicate the DPPA, there must be a disclosure of a "motor vehicle record" as defined by the DPPA, and because a record must "pertain to the driver's license", the "record" must be something other than the license itself. Also, the casino and its employees did not access Plaintiff's license through the Wisconsin DMV, so their use of it did not amount to a disclosure of "information originating from state department of motor vehicle records."

Upcoming DPO Workshops

Stay tuned for another round of DPO Workshops this fall!