Administration Policies: Data Practices

Chapter 5. Data Practices

5A. Data Practices Policy For Data Subjects

5B. Data Practices Policy for Members of the Public

5C. Data Practices Contacts

5D. Policy for Ensuring the Security of Not Public Data

 

5A. Data Practices Policy for Data Subjects

 

What is a “Data Subject”?

When government has information recorded in any form (paper, hard drive, voicemail, video, email, etc.), that information is called “government data” under the Government Data Practices Act (Minnesota Statutes, Chapter 13). When we can identify you in government data, you are the “data subject” of that data. The Data Practices Act gives you, as a data subject, certain rights. This policy explains your rights as a data subject, and tells you how to request data about you, your minor child, or someone for whom you are the legal guardian.

 

When GRRL Has Data about You

The Government Data Practices Act (Minnesota Statutes, Chapter 13) says that data subjects have certain rights related to a government entity collecting, creating, and keeping government data about them. You are the subject of data when you can be identified from the data. Government data is a term that means all recorded information a government entity has, including paper, email, DVDs, photographs, etc.

 

Public Data

The Data Practices Act presumes that all government data are public unless a state or federal law says that the data are not public. We must give public data to anyone who asks. It does not matter who is asking for the data or why the person wants the data. The following are examples of public data about you that we might have:

  • the names of Minnesota government employees

 

Private data

We cannot give private data to the general public. We can share your private data with you, with someone who has your permission, with our government entity staff whose job requires or permits them to see the data, and with others as permitted by law or court order. The following are examples of private data about you that we might have:

  • Social Security number of employees;
  • Data that link a library patron’s name with materials requested or borrowed by the patron or that link a patron’s name with a specific subject about which the patron has requested information or materials, or data in applications for borrower cards, other than the name of the borrower.

 

Confidential data

Confidential data have the most protection. Neither the public nor you can access confidential data even when the confidential data are about you. We can share confidential data about you with our government entity staff who have a work assignment to see the data, and to others as permitted by law or court order. The following is an example of confidential data about you:

  • the identity of the subject of an active criminal investigation

 

Your Rights under the Government Data Practices Act

As a data subject, you have the following rights.

 

Access to Your Data

You have the right to look at (inspect), free of charge, public and private data that GRRL keeps about you. You also have the right to get copies of public and private data about you. The Government Data Practices Act allows GRRL to charge for copies. You have the right to look at data, free of charge, before deciding to request copies.

 

Also, if you ask, GRRL will tell you whether GRRL keeps data about you and whether the data are public, private, or confidential.

 

Access to Data on Minor Children

As a parent, you have the right to look at and get copies of public and private data about your minor children (under the age of 18). As a legally appointed guardian, you have the right to look at and get copies of public and private data about an individual for whom you are appointed guardian.

 

Minors have the right to ask GRRL not to give data about them to their parent or guardian. If you are a minor, GRRL will tell you that you have this right. GRRL may ask you to put your request in writing and to include the reasons that GRRL should deny your parents access to the data. GRRL will make the final decision about your request based on your best interests.

 

When GRRL Collects Data from You              
When GRRL asks you to provide data about yourself that are not public, GRRL must give you a notice. The notice is sometimes called a Tennessen warning. The notice controls what GRRL does with the data that GRRL collects from you. Usually, GRRL can use and release the data only in the ways described in the notice.

 

GRRL will ask for your written permission if GRRL needs to use or release private data about you in a different way, or if you ask GRRL to release the data to another person. This permission is called informed consent. If you want GRRL to release data to another person, you may use the consent form GRRL provides.

 

Protecting your Data

The Government Data Practices Act requires GRRL to protect your data. GRRL has established appropriate safeguards to ensure that your data are safe.

 

In the unfortunate event that GRRL determines a security breach has occurred and an unauthorized person has gained access to your data, GRRL will notify you as required by law.

 

When Your Data are Inaccurate and/or Incomplete

You have the right to challenge the accuracy and/or completeness of public and private data about you. You also have the right to appeal GRRL’s decision. If you are a minor, your parent or guardian has the right to challenge data about you.

 

How to Make a Request for Your Data

You can ask to look at (inspect) data at our offices, or ask for copies of data that we have about you, your minor child, or an individual for whom you have been appointed legal guardian. Make your request for data to the appropriate individual listed in the Data Practices Contacts. You may make your request by mail, fax, or email, using the GRRL Data Request Form – Data Subjects.

 

If you choose not use to use the GRRL Data Request Form – Data Subjects, your request should include:

  • Say that you are making a request as a data subject, for data about you (or your child, or person for whom you are the legal guardian), under the Government Data Practices Act (Minnesota Statutes, Chapter 13).
  • Include whether you would like to inspect the data, have copies of the data, or both.

  • Provide a clear description of the data you would like to inspect or have copied.
  • Provide proof that you are the data subject or data subject’s parent/legal guardian.

 

GRRL requires proof of your identity before GRRL can respond to your request for data. If you are requesting data about your minor child, you must show proof that you are the minor’s parent. If you are a guardian, you must show legal documentation of your guardianship. Please see the Standards for Verifying Identity. If you do not provide proof that you are the data subject, we cannot respond to your request.

 

How GRRL Responds to Your Data Request

Upon receiving your request, GRRL will review it. 

  • We may ask you to clarify what data you are requesting.
  • We will ask you to confirm your identity as the data subject.

 

If GRRL does not have the data, GRRL will notify you in writing within 10 business days.

  • If GRRL has the data, but the data are confidential or private data that are not about you, GRRL will notify you within 10 business days and identify the law that prevents us from providing the data.
  • If GRRL has the data, and the data are public or private data about you, GRRL will respond to your request within 10 business days, by doing one of the following:
    • Arrange a date, time, and place to inspect data in our office, ensuring you have a meaningful opportunity to inspect data within 10 business days of your request at no charge
    • Tell you how much the copies cost, and then provide you with copies of the data within 10 business days and upon payment of charges for the copies. You may choose to pick up your copies, or have us mail or email them to you. We will provide electronic copies (such as email or CD-ROM) upon request, if we keep the data in electronic format and we can reasonably make a copy.

 

For information about copy charges see Copy Costs – Data Subjects. GRRL also will arrange for you to prepay for the copies. If you do not make arrangements within 10 business days to inspect the data or pay for the copies, we will conclude that you no longer want the data and will consider your request closed.

 

After GRRL has provided you with access to data about you, GRRL does not have to show you the data again for 6 months unless there is a dispute or GRRL collects or creates new data about you.

 

If you do not understand some of the data (technical terminology, abbreviations, or acronyms), please let GRRL know. GRRL will give you an explanation if you ask.

 

The Government Data Practices Act does not require GRRL to create or collect new data in response to a data request if GRRL does not already have the data, or to provide data in a specific form or arrangement if GRRL does not keep the data in that form or arrangement. (For example, if the data you request are on paper only, GRRL is not required to create electronic documents to respond to your request.) If GRRL agrees to create data in response to your request, GRRL will work with you on the details of your request, including cost and response time.

 

In addition, GRRL is not required under the Government Data Practices Act to respond to questions that are not specific requests for data.

 

Approved Date: 03/17/15              
Revised Date: 07/16/24

 

Copy Costs – Data Subjects

Minnesota Statutes, section 13.04, subdivision 3 allows us to charge for copies. You must pay for the copies before GRRL will give them to you.

 

For 100 or Fewer Paper Copies – 25 cents per page

100 or fewer pages of black and white, letter or legal size paper copies cost 25¢ for a one-sided copy, or 50¢ for a two-sided copy.

 

Most Other Types of Copies – Actual cost

The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data, and making the copies or electronically transmitting the data (e.g.. sending the data by email).

 

We will charge the actual cost of making copies for data about you. In determining the actual cost, we include the employee time to create and send the copies, the cost of the materials onto which we are copying the data (paper, CD, DVD, etc.), and mailing costs such as postage (if any).

 

If your request is for copies of data that we cannot copy ourselves, such as photographs, we will charge you the actual cost we must pay an outside vendor for the copies. The cost of employee time to search for data, retrieve data, and make copies is $23.38 per hour.

 

If, because of the subject matter of your request, GRRL finds it necessary for a higher-paid employee to search for and retrieve the data, GRRL will calculate the search and retrieval portion of the copy charge at the higher salary/wage.

 

Approved Date: 03/17/15              
Revised Date: 03/21/23, 07/16/24

 

Standards for Verifying Identity

The following constitute proof of identity.

  • An adult individual must provide a valid photo ID, such as
    • a driver’s license
    • a state-issued ID
    • a tribal ID
    • a military ID
    • a passport
    • the foreign equivalent of any of the above
  • minor individual must provide a valid ID, such as
    • a driver’s license
    • a state-issued ID (including a school/student ID)
    • a tribal ID
    • a military ID
    • a passport
    • the foreign equivalent of any of the above
  • The parent or guardian of a minor must provide a valid photo ID and either
    • a certified copy of the minor’s birth certificate or
    • a certified copy of documents that establish the parent or guardian’s relationship to the child, such as
      • a court order relating to divorce, separation, custody, foster care
      • a foster care contract
      • an affidavit of parentage
  • The legal guardian for an individual must provide a valid photo ID and a certified copy of appropriate documentation of formal or informal appointment as guardian, such as
    • court order(s)
    • valid power of attorney

 

Note: Individuals who do not exercise their data practices rights in person must provide either notarized or certified copies of the documents that are required or an affidavit of ID.

 

5B. Data Practices Policy for Members of the Public

 

Your Right to See Public Data

The Government Data Practices Act (Minnesota Statutes, Chapter 13) presumes that all government data are public unless a state or federal law says the data are not public. Government data is a term that means all recorded information a government entity has, including paper, email, flash drives, CDs, DVDs, photographs, etc.

 

The law also says that Great River Regional Library (GRRL) must keep all government data in a way that makes it easy for you to access public data. You have the right to look at (inspect), free of charge, all public data that we keep. You also have the right to get copies of public data. The Data Practices Act allows us to charge for copies. You have the right to look at data, free of charge, before deciding to request copies.

 

How to Request Public Data

You can ask to look at (inspect) data at our offices, or ask for copies of public data that we keep. Make your request for data to the appropriate individual listed in the Data Practices Contacts section of this policy. You may make your request for data by mail, fax, or email, using the GRRL Data Request Form – Members of the Public.

 

If you choose not to use the GRRL Data Request Form – Members of the Public, your request should:

  • Say that you are making a request for public data under the Government Data Practices Act (Minnesota Statutes, Chapter 13).
  • Include whether you would like to inspect the data, have copies of the data, or both.
  • Provide a clear description of the data you would like to inspect or have copied.

 

You are not required to identify yourself or explain the reason for your data request. However, you may need to provide us with some personal information for practical reasons (for example: if you want us to mail copies to you, you need to provide us with an address or P.O. Box). If we do not understand your request and have no way to contact you, we cannot respond to your request.

 

How GRRL Responds to Your Data Request

Upon receiving your request, GRRL will review it.

  • We may ask you to clarify what data you are requesting.
  • If GRRL does not have the data, GRRL will notify you in writing as soon as reasonably possible.
  • If we have the data, but we are not allowed to give it to you, we will tell you as soon as reasonably possible and identify the law that prevents us from providing the data. 
  • If GRRL has the data, and the data are public, GRRL will respond to your request appropriately and promptly, within a reasonable amount of time by doing one of the following:
    • Arrange a date, time, and place for you to inspect the data at our offices; or
    • You may choose to pick up your copies, or we will mail or email them to you. We will provide electronic copies (such as email or CD-ROM) upon request, if we keep the data in that format and we can reasonably make a copy. 
    • Response time may be impacted by the size and/or complexity of your request, and also by the number of requests you make in a given period of time.
    • You may choose to pick up your copies, or GRRL will mail or fax them to you. If you want GRRL to send you the copies, you will need to provide GRRL with an address or fax number. GRRL will provide electronic copies (such as email or CD-ROM) upon request if GRRL keeps the data in electronic format.

 

Following our response, if you do not make arrangements within 10 business days to inspect the data or pay for the copies, we will conclude that you no longer want the data and will consider your request closed.

 

For information about copy charges is see Copy Costs – Members of the Public.

 

GRRL also will arrange for you to pre-pay for the copies.

 

If you do not understand some of the data (technical terminology, abbreviations, or acronyms), please tell the person who provided the data to you. We will give you an explanation if you ask. 

 

The Data Practices Act does not require us to create or collect new data in response to a data request, or to provide data in a specific form or arrangement if we do not keep the data in that form or arrangement. For example, if the data you request are on paper only, we are not required to create electronic documents to respond to your request. If we agree to create data in response to your request, we will work with you on the details of your request, including cost and response time.

 

We are also not required to respond to questions that are not about your data requests, or requests for government data.

 

Requests for Summary Data

Summary data are statistical records or reports that are prepared by removing all identifiers from private or confidential data on individuals. The preparation of summary data is not a means to gain access to private or confidential data. GRRL will prepare summary data if you make your request in writing and pre-pay for the cost of creating the data. Upon receiving your written request – you may use the GRRL Data Request Form – Members of the Public – GRRL will respond within ten business days with the data or details of when the data will be ready and how much GRRL will charge.

 

Approved Date: 03/17/15              
Revised Date: 07/16/24

 

Copy Costs – Members of the Public

GRRL charges members of the public for copies of government data. These charges are authorized under Minnesota Statutes, section 13.03, subdivision 3(c).

 

You must pay for the copies before GRRL will give them to you.

 

For 100 or Fewer Paper Copies – 25 cents per page

100 or fewer pages of black and white, letter or legal size paper copies cost 25¢ for a one-sided copy, or 50¢ for a two-sided copy.

 

Most Other Types of Copies – Actual cost

The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data, and making the copies or electronically transmitting the data (e.g. sending the data by email).In determining the actual cost of making copies, GRRL factors in employee time, the cost of the materials onto which GRRL is copying the data (paper, CD, DVD, etc.), and mailing costs (if any). If your request is for copies of data that GRRL cannot reproduce itself, such as photographs, GRRL will charge you the actual cost GRRL must pay an outside vendor for the copies.

 

The cost of employee time to search for data, retrieve data, and make copies is $23.38 per hour.

 

If, because of the subject matter of your request, GRRL finds it necessary for a higher-paid employee to search for and retrieve the data, GRRL will calculate the search and retrieval portion of the copy charge at the higher salary/wage.

 

Approved Date: 03/17/15           
Revised Date: 03/21/23, 07/16/24

 

5C. Data Practices Contacts

Please direct all questions regarding this policy to GRRL’s Data Practices Compliance Official:

 

Responsible Authority

Karen Pundsack, Executive Director

1300 W. St. Germain Street, St. Cloud, MN 56301

Phone number: 320 650-2500

Fax number: 320 650-2535

Email address: karenp@grrl.lib.mn.us

 

As Responsible Authority, the Executive Director orders the following individuals as data practices compliance official and designees.

 

Data Practices Compliance Official

Name: Karen Pundsack, Executive Director

Address: 1300 W. St. Germain Street, St. Cloud, MN 56301

Phone number: 320 650-2500

Fax number: 320 650-2535

Email address: karenp@grrl.lib.mn.us

 

Data Practices Designees

(Personnel Data)

Name: Nichol Wojcik, Associate Director Human Resources

Address: 1300 W. St. Germain Street, St. Cloud, MN 56301

Phone number: 320 650-2500

Fax number: 320 650-2535

Email address: nicholw@grrl.lib.mn.us

 

(Patron Data)

Name: Karen Pundsack, Executive Director

Address: 1300 W. St. Germain Street, St. Cloud, MN 56301

Phone number: 320 650-2500

Fax number: 320 650-2535

Email address: karenp@grrl.lib.mn.us

 

Approved Date: 03/17/15            
Revised Date: 07/16/24

 

5D. Procedure for Ensuring the Security of Not Public Data

 

Data inventory

Under the requirement in Minn. Stat. 13.025 subd. 1, GRRL will prepare a Data Inventory, which identifies and describes all not public data on individuals maintained by GRRL. To comply with the requirement in Minn. Stat. 13.05 subd. 5, GRRL will also include in its Data Inventory the position titles of the employees who have access to not public data.

 

In the event of a temporary duty as assigned by a manager or supervisor, an employee may access certain not public data for as long as the work is assigned to the employee.

 

In addition to the employees listed in GRRL's Data Inventory, the Responsible Authority, the Data Practices Compliance Official, and GRRL's Attorney may have access to all not public data maintained by GRRL if necessary for specified duties. Any access to not public data will be strictly limited to the data necessary to complete the work assignment.

 

Employee position descriptions

Position descriptions may contain provisions identifying any not public data accessible to the employee when a work assignment reasonably requires access.

 

Data sharing with authorized entities or individuals

Federal or state law may authorize the sharing of not public data in specific circumstances. Not public data may be shared with another entity if a federal or state law allows or mandates it. Individuals will have notice of any sharing in applicable Tennessen warnings or GRRL will obtain the individual’s informed consent. Any sharing of not public data will be strictly limited to the data necessary or required to comply with the applicable law.

 

Ensuring that not public data are not accessed without a work assignment

Within GRRL, departments may assign tasks by employee or by job classification. If a department maintains not public data that all employees within its division do not have a work assignment allowing access to the data, the department will ensure that the not public data are secure.

 

Recommended actions for ensuring appropriate access include:

  • Assigning appropriate security roles, limiting access to appropriate shared network drives, and implementing password protections for not public electronic data.
  • Password protecting employee computers and locking computers before leaving workstations.
  • Securing not public data within locked workspaces and in locked file cabinets.
  • Shredding not public documents before disposing of them.

 

Penalties for unlawfully accessing not public data

GRRL will utilize the penalties for unlawful access to not public data as provided for in Minnesota Statutes section 13.09, if necessary. Penalties include suspension, dismissal or referring the matter to the appropriate prosecutorial authority who may also pursue a criminal misdemeanor charge.

 

Approved Date: 03/17/15           
Revised Date: 07/16/24