GRRL Data Practices Policy

I. Data Practices Policy For Data Subjects

Data about You

The Government Data Practices Act (Minnesota Statutes, Chapter 13) says that data subjects have certain rights related to a government entity collecting, creating, and keeping government data about them. You are the subject of data when you can be identified from the data. Government data is a term that means all recorded information a government entity has, including paper, email, DVDs, photographs, etc.

Classification of Data about You

The Government Data Practices Act presumes that all government data are public unless a state or federal law says that the data are not public. Data about you are classified by state law as public, private, or confidential. See below for some examples.

  • Public data: GRRL must give public data to anyone who asks; it does not matter who is asking for the data or why.

    The following is an example of public data about you:
     

    • the names of Minnesota government employees
       
  • Private data: GRRL cannot give private data to the general public, but you have access when the data are about you. GRRL can share your private data with you, with someone who has your permission, with GRRL staff who need the data to do their work, and as permitted by law or court order.

    The following are examples of private data about you:

    • Social Security number of employees;
    • Data that link a Library patron’s name with materials requested or borrowed by the patron or that link a patron’s name with a specific subject about which the patron has requested information or materials, or data in applications for borrower cards, other than the name of the borrower.
  • Confidential data: Confidential data have the most protection. Neither the public nor you can get access even when the confidential data are about you. GRRL can share confidential data about you with GRRL staff who need the data to do their work and to others as permitted by law or court order. GRRL cannot give you access to confidential data.

    The following is an example of confidential data about you:

    • the identity of the subject of an active criminal investigation

Your Rights under the Government Data Practices Act

GRRL must keep all government data in a way that makes it easy for you to access data about you. Also, GRRL can collect and keep only those data about you that GRRL needs for administering and managing programs that are permitted by law. As a data subject, you have the following rights.

  • Access to Your Data
    You have the right to look at (inspect), free of charge, public and private data that GRRL keeps about you. You also have the right to get copies of public and private data about you. The Government Data Practices Act allows GRRL to charge for copies. You have the right to look at data, free of charge, before deciding to request copies.

    Also, if you ask, GRRL will tell you whether GRRL keeps data about you and whether the data are public, private, or confidential.

    As a parent, you have the right to look at and get copies of public and private data about your minor children (under the age of 18). As a legally appointed guardian, you have the right to look at and get copies of public and private data about an individual for whom you are appointed guardian.

    Minors have the right to ask GRRL not to give data about them to their parent or guardian. If you are a minor, GRRL will tell you that you have this right. GRRL may ask you to put your request in writing and to include the reasons that GRRL should deny your parents access to the data. GRRL will make the final decision about your request based on your best interests. Note: Minors do not have this right if the data in question are educational data maintained by an educational agency or institution.
     

  • When GRRL Collects Data from You
    When GRRL asks you to provide data about yourself that are not public, GRRL must give you a notice. The notice is sometimes called a Tennessen warning. The notice controls what GRRL does with the data that GRRL collects from you. Usually, GRRL can use and release the data only in the ways described in the notice.

    GRRL will ask for your written permission if GRRL needs to use or release private data about you in a different way, or if you ask GRRL to release the data to another person. This permission is called informed consent. If you want GRRL to release data to another person, you may use the consent form GRRL provides.
     

  • Protecting your Data
    The Government Data Practices Act requires GRRL to protect your data. GRRL has established appropriate safeguards to ensure that your data are safe.

    In the unfortunate event that GRRL determines a security breach has occurred and an unauthorized person has gained access to your data, GRRL will notify you as required by law.
     

  • When your Data are Inaccurate and/or Incomplete
    You have the right to challenge the accuracy and/or completeness of public and private data about you. You also have the right to appeal GRRL’s decision. If you are a minor, your parent or guardian has the right to challenge data about you.

How to Make a Request for Your Data

To look at data, or request copies of data that GRRL keeps about you, your minor children, or an individual for whom you have been appointed legal guardian, make a written request. Make your request for data to the appropriate individual listed in the Data Practices Contacts. You may make your request by mail, fax, or email, using the GRRL Data Request Form - Data Subjects.

If you choose not use to use the GRRL Data Request Form - Data Subjects, your request should include:

  • that you are making a request, under the Government Data Practices Act (Minnesota Statutes, Chapter 13), as a data subject, for data about you;
  • whether you would like to inspect the data, have copies of the data, or both;
  • a clear description of the data you would like to inspect or have copied; and
  • identifying information that proves you are the data subject, or data subject’s parent/guardian.

GRRL requires proof of your identity before GRRL can respond to your request for data. If you are requesting data about your minor child, you must show proof that you are the minor’s parent. If you are a guardian, you must show legal documentation of your guardianship. Please see the Standards for Verifying Identity.

How GRRL Responds to a Data Request

Once you make your request, GRRL will work to process your request. If it is not clear what data you are requesting, GRRL will ask you for clarification.

  • If GRRL does not have the data, GRRL will notify you in writing within 10 business days.
  • If GRRL has the data, but the data are confidential or private data that are not about you, GRRL will notify you within 10 business days and state which specific law says you cannot access the data.
  • If GRRL has the data, and the data are public or private data about you, GRRL will respond to your request within 10 business days, by doing one of the following:
    • arrange a date, time, and place to inspect data, for free, if your request is to look at the data, or
    • provide you with copies of the data within 10 business days. You may choose to pick up your copies, or GRRL will mail or fax them to you. GRRL will provide electronic copies (such as email or CD-ROM) upon request if GRRL keeps the data in electronic format.

For information about copy charges see Copy Costs – Data Subjects. GRRL also will arrange for you to prepay for the copies.

After GRRL has provided you with access to data about you, GRRL does not have to show you the data again for 6 months unless there is a dispute or GRRL collects or creates new data about you.

If you do not understand some of the data (technical terminology, abbreviations, or acronyms), please let GRRL know. GRRL will give you an explanation if you ask.

The Government Data Practices Act does not require GRRL to create or collect new data in response to a data request if GRRL does not already have the data, or to provide data in a specific form or arrangement if GRRL does not keep the data in that form or arrangement. (For example, if the data you request are on paper only, GRRL is not required to create electronic documents to respond to your request.) If GRRL agrees to create data in response to your request, GRRL will work with you on the details of your request, including cost and response time.

In addition, GRRL is not required under the Government Data Practices Act to respond to questions that are not specific requests for data.

Approved Date: 03/17/2015
Effective Date:
Revised Date:

Copy Costs - Data Subjects

GRRL charges members of the public for copies of government data. These charges are authorized under Minnesota Statutes, section 13.03, subdivision 3(c).

You must pay for the copies before GRRL will give them to you.

For 100 or Fewer Paper Copies – 25 cents per page

100 or fewer pages of black and white, letter or legal size paper copies cost 25¢ for a one-sided copy, or 50¢ for a two-sided copy.

Most Other Types of Copies – Actual cost

The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data, and making the copies or electronically transmitting the data (e.g. sending the data by email).

In determining the actual cost of making copies, GRRL factors in employee time, the cost of the materials onto which GRRL is copying the data (paper, CD, DVD, etc.), and mailing costs (if any). If your request is for copies of data that GRRL cannot reproduce itself, such as photographs, GRRL will charge you the actual cost GRRL must pay an outside vendor for the copies.

The cost of employee time to search for data, retrieve data, and make copies is $17.44 per hour.

If, because of the subject matter of your request, GRRL finds it necessary for a higher-paid employee to search for and retrieve the data, GRRL will calculate the search and retrieval portion of the copy charge at the higher salary/wage.

II. Data Practices Policy for Members of the Public

Right to Access Public Data

The Government Data Practices Act (Minnesota Statutes, Chapter 13) presumes that all government data are public unless a state or federal law says the data are not public. Government data is a term that means all recorded information a government entity has, including paper, email, DVDs, photographs, etc.

The Government Data Practices Act also provides that this government entity, the Great River Regional Library, (GRRL) must keep all government data in a way that makes it easy for you, as a member of the public, to access public data. You have the right to look at (inspect), free of charge, all public data that GRRL keeps. You also have the right to get copies of public data. The Government Data Practices Act allows GRRL to charge for copies. You have the right to look at public data, free of charge, before deciding to request copies.

How to Make a Data Request

To look at data or request copies of data that GRRL keeps, make a written request. Make your request for data to the appropriate individual listed in the Data Practices Contacts section of this policy. You may make your request for data by mail, fax, or email, using the GRRL Data Request Form - Members of the Public.

If you choose not to use the GRRL Data Request Form - Members of the Public, your request should include:

  • that you, as a member of the public, are making a request for data under the Government Data Practices Act, Minnesota Statutes, Chapter 13;
  • whether you would like to look at the data, get copies of the data, or both; and
  • a clear description of the data you would like to inspect or have copied.

GRRL cannot require you, as a member of the public, to identify yourself or explain the reason for your data request. However, depending on how you want us to process your request (if, for example, you want GRRL to mail you copies of data), GRRL may need some information about you. If you choose not to give GRRL any identifying information, GRRL will provide you with contact information so you may check on the status of your request. In addition, please keep in mind that if GRRL does not understand your request and has no way to contact you, GRRL will not be able to begin processing your request.

How GRRL Responds to a Data Request

Upon receiving your request, GRRL will work to process it.

  • If GRRL does not have the data, GRRL will notify you in writing as soon as reasonably possible.
  • If GRRL has the data, but the data are not public, GRRL will notify you as soon as reasonably possible and state which specific law says the data are not public.
  • If GRRL has the data, and the data are public, GRRL will respond to your request appropriately and promptly, within a reasonable amount of time by doing one of the following:
    • arrange a date, time, and place to inspect data, for free, if your request is to look at the data, or
    • provide you with copies of the data as soon as reasonably possible. You may choose to pick up your copies, or GRRL will mail or fax them to you. If you want GRRL to send you the copies, you will need to provide GRRL with an address or fax number. GRRL will provide electronic copies (such as email or CD-ROM) upon request if GRRL keeps the data in electronic format.

For information about copy charges is see Copy Costs – Members of the Public.

GRRL also will arrange for you to pre-pay for the copies.

If you do not understand some of the data (technical terminology, abbreviations, or acronyms), please let GRRL know. GRRL will give you an explanation if you ask.

The Government Data Practices Act does not require GRRL to create or collect new data in response to a data request if GRRL does not already have the data, or to provide data in a specific form or arrangement if GRRL does not keep the data in that form or arrangement. (For example, if the data you request are on paper only, GRRL is not required to create electronic documents to respond to your request.) If GRRL agrees to create data in response to your request, GRRL will work with you on the details of your request, including cost and response time.

In addition, the Government Data Practices Act does not require GRRL to answer questions that are not requests for data.

Requests for Summary Data

Summary data are statistical records or reports that are prepared by removing all identifiers from private or confidential data on individuals. The preparation of summary data is not a means to gain access to private or confidential data. GRRL will prepare summary data if you make your request in writing and pre-pay for the cost of creating the data. Upon receiving your written request – you may use the GRRL Data Request Form - Members of the Public – GRRL will respond within ten business days with the data or details of when the data will be ready and how much GRRL will charge.

Approved Date: 03/17/2015
Effective Date:
Revised Date:

Copy Costs - Members of the Public

GRRL charges members of the public for copies of government data. These charges are authorized under Minnesota Statutes, section 13.03, subdivision 3(c).

You must pay for the copies before GRRL will give them to you.

For 100 or Fewer Paper Copies – 25 cents per page

100 or fewer pages of black and white, letter or legal size paper copies cost 25¢ for a one-sided copy, or 50¢ for a two-sided copy.

Most Other Types of Copies – Actual cost

The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data, and making the copies or electronically transmitting the data (e.g. sending the data by email).

In determining the actual cost of making copies, GRRL factors in employee time, the cost of the materials onto which GRRL is copying the data (paper, CD, DVD, etc.), and mailing costs (if any). If your request is for copies of data that GRRL cannot reproduce itself, such as photographs, GRRL will charge you the actual cost GRRL must pay an outside vendor for the copies.

The cost of employee time to search for data, retrieve data, and make copies is $17.44 per hour.

If, because of the subject matter of your request, GRRL finds it necessary for a higher-paid employee to search for and retrieve the data, GRRL will calculate the search and retrieval portion of the copy charge at the higher salary/wage.

III. Policy for Ensuring the Security of Not Public Data

Legal requirement

The adoption of this policy by the Great River Regional Library (GRRL) satisfies the requirement in Minn. Stat. 13.05 subd. 5 to establish procedures ensuring the appropriate access to not public data. By incorporating employee access to not public data into GRRL’s Data Inventory (required by Minn. Stat. 13.025 subd. 1), in the individual employee’s position description, or both, GRRL’s policy limits access to not public data to employees whose work assignment reasonably requires access.

Please direct all questions regarding this policy to GRRL’s Data Practices Compliance Official:

Karen Pundsack, Executive Director
1300 W. St. Germain Street, St. Cloud, MN 56301
Phone number: 320 650-2500
Fax number: 320 650-2535
Email address: karenp@grrl.lib.mn.us

Approved Date: 03/17/2015
Effective Date:
Revised Date:

Data Practices Contacts

Responsible Authority
Name: Karen Pundsack, Executive Director
Address: 1300 W. St. Germain Street, St. Cloud, MN 56301
Phone number: 320 650-2500
fax number: 320 650-2535
email address: karenp@grrl.lib.mn.us

Data Practices Compliance Official
Name: Karen Pundsack, Executive Director
Address: 1300 W. St. Germain Street, St. Cloud, MN 56301
Phone number: 320 650-2500
fax number: 320 650-2535
email address: karenp@grrl.lib.mn.us

Data Practices Designees
(Personnel Data)
Name: Julie Schmitz, Associate Director, Human Resources
Address: 1300 W. St. Germain Street, St. Cloud, MN 56301
Phone number: 320 650-2500
fax number: 320 650-2535
email address: juliesc@grrl.lib.mn.us

(Patron Data)
Name: Karen Pundsack, Executive Director
Address: 1300 W. St. Germain Street, St. Cloud, MN 56301
Phone number: 320 650-2500
fax number: 320 650-2535
email address: karenp@grrl.lib.mn.us

Standards for Verifying Identity Procedure

The following constitute proof of identity.

  • An adult individual must provide a valid photo ID, such as
    • a state driver’s license
    • a military ID
    • a passport
    • a Minnesota ID
    • a Minnesota tribal ID
       
  • A minor individual must provide a valid ID, such as
    • a state driver’s license
    • a military ID
    • a passport
    • a Minnesota ID
    • a Minnesota Tribal ID
    • a Minnesota school ID
    • a certified copy of birth certificate
       
  • The parent or guardian of a minor must provide a valid photo ID and either
    • a certified copy of the minor’s birth certificate or
    • a certified copy of documents that establish the parent or guardian’s relationship to the child, such as
      • a court order relating to divorce, separation, custody, foster care
      • a foster care contract
      • an affidavit of parentage
  • The legal guardian for an individual must provide a valid photo ID and a certified copy of appropriate documentation of formal or informal appointment as guardian, such as
    • court order(s)
    • valid power of attorney

Note: Individuals who do not exercise their data practices rights in person must provide either notarized or certified copies of the documents that are required or an affidavit of ID.

Procedure for Ensuring the Security of Not Public Data

Data inventory
Under the requirement in Minn. Stat. 13.025 subd. 1, GRRL will prepare a Data Inventory which identifies and describes all not public data on individuals maintained by GRRL. To comply with the requirement in Minn. Stat. 13.05 subd. 5, GRRL will also include in its Data Inventory the position titles of the employees who have access to not public data.

In the event of a temporary duty as assigned by a manager or supervisor, an employee may access certain not public data for as long as the work is assigned to the employee.

In addition to the employees listed in GRRL's Data Inventory, the Responsible Authority, the Data Practices Compliance Official, and GRRL's Attorney may have access to all not public data maintained by GRRL if necessary for specified duties. Any access to not public data will be strictly limited to the data necessary to complete the work assignment.

Employee position descriptions
Position descriptions may contain provisions identifying any not public data accessible to the employee when a work assignment reasonably requires access.

Data sharing with authorized entities or individuals
Federal or state law may authorize the sharing of not public data in specific circumstances. Not public data may be shared with another entity if a federal or state law allows or mandates it. Individuals will have notice of any sharing in applicable Tennessen warnings or GRRL will obtain the individual’s informed consent. Any sharing of not public data will be strictly limited to the data necessary or required to comply with the applicable law.

Ensuring that not public data are not accessed without a work assignment
Within GRRL, departments may assign tasks by employee or by job classification. If a department maintains not public data that all employees within its division do not have a work assignment allowing access to the data, the department will ensure that the not public data are secure.

Recommended actions for ensuring appropriate access include:

  • Assigning appropriate security roles, limiting access to appropriate shared network drives, and implementing password protections for not public electronic data.
  • Password protecting employee computers and locking computers before leaving workstations.
  • Securing not public data within locked work spaces and in locked file cabinets.
  • Shredding not public documents before disposing of them.

Penalties for unlawfully accessing not public data
GRRL will utilize the penalties for unlawful access to not public data as provided for in Minnesota Statutes section 13.09, if necessary. Penalties include suspension, dismissal or referring the matter to the appropriate prosecutorial authority who may also pursue a criminal misdemeanor charge.