To return to this list after selecting an opinion, click on the "View entire list" link above the opinion title.
June 15, 1995; University of Minnesota
6/15/1995 10:14:43 AM
This is an opinion of the Commissioner of Administration issued pursuant to section 13.072 of Minnesota Statutes, Chapter 13 - the Minnesota Government Data Practices Act. It is based on the facts and information available to the Commissioner as described below.
Facts and Procedural History:For purposes of simplification, the information presented by the citizen who requested this opinion and the response from the government entity with which the citizen disagrees are presented in summary form. Copies of the complete submissions are on file at the offices of PIPA and are available for public access.On May 11, 1995, PIPA received a letter dated May 8, 1995, from Gary A. Weissman, an attorney, in which he requested an advisory opinion on behalf of his client, who he identified by the alias Melinda Muffett. Ms. Muffett is employed as an account specialist by the University of Minnesota, hereinafter University. From 1991 to 1993, Ms. Muffett also performed overtime bookkeeping services for another unit of the University. According to Mr. Weissman, at some point during the time period 1993-1995, another employee alleged that Ms. Muffett was performing the overtime services during regular working hours. In February and March of this year, Ms. Muffett was interviewed three times by two internal auditors about her overtime work. Mr. Weissman stated that she was not given a Tennessen Warning, i.e., the notice requirement provided in Minnesota Statutes Section 13.04, subdivision 2, on any of those occasions. Mr. Weissman also stated that the third interview was . . . in Ms. Muffett's work station, which is separated only by a banker's partition from [the employee who made the allegations] and obviously in earshot of her. In his request, Mr. Weissman included three attachments. Attachment one is a copy of the March 14, 1995, letter he wrote, on Ms. Muffett's behalf, to the head of the University's Department of Audits, hereinafter Department. Attachment two is a copy of the University's reply, dated April 3, 1995, from Lorie S. Gildea, University associate general counsel. Attachment three is a copy of Mr. Weissman's, reply, dated April 4, 1995, to Ms. Gildea's letter. Details of the contents of each attachment follow. In attachment one, Mr. Weissman referred to the interviews conducted by the Department, and stated that, given that no Tennessen Warning had been administered to Ms. Muffett by the interviewers, the data had been collected improperly. Mr. Weissman then made several formal requests of the Department. Mr. Weissman requested that all data collected from Ms. Muffett by the two Department interviewers be destroyed, and that the destruction be certified in writing, pursuant to Section 13.05, subdivision 4. Mr. Weissman asked the Department to inform him, pursuant to Section 13.04, subdivision 3, whether it maintains data on Ms. Muffett, and if so, how the data are classified. Mr. Weissman also requested copies of all public and private data on Ms. Muffett currently maintained by the Department, or which it did maintain on or after November 1, 1994. In addition, Mr. Weissman asked that if the Department head were not a properly appointed Designee of the University's Responsible Authority, that his request be forwarded to the appropriate person. In that circumstance, he asked that the Department or the University provide him with that person's identity. In attachment two, Ms. Gildea stated that the Department had forwarded Mr. Weissman's letter to her office for response. She indicated that she had been unable to reach Mr. Weissman by telephone the previous week. (Ms. Gildea did not identify herself as either the University's Responsible Authority or Designee.) In that reply, Ms. Gildea stated that the University was not required to give Ms. Muffett a Tennessen Warning because she was . . . questioned about her compensation and employment by the University, both of which the University is entitled to do without providing the extensive warning in the Data Practices Act. In any event, [Ms. Muffett] was fully informed of the nature and purpose of the inquiry of the [Department.] Ms. Gildea further stated that the University would not destroy the data provided by Ms. Muffett, as the University . . . has valid and appropriate reasons . . . . for maintaining the data, which are . . . relevant to legitimate evaluation of her performance as [an employee.] In response to Mr. Weissman's question about whether and what type of data the Department maintains on his client, Ms. Gildea responded that the University maintains public, private and confidential data on Ms. Muffett. She said that the confidential data were internal audit data, pursuant to Section 13.794, and therefore inaccessible to Ms. Muffett. In attachment three, Mr. Weissman reiterated his request for access to the public and private data, if any, on Ms. Muffett maintained by the Department (not the University.) He also stated that if the Department claims that the data maintained by it are confidential, pursuant to Section 13.794, then the Department was required to give Ms. Muffett a Tennessen Warning upon its collection of those data from her. Mr. Weissman also questioned Ms. Gildea's statement that the data were relevant to legitimate evaluation of [Ms. Muffett] as a University employee. He stated that [i]f the [Department] is conducting performance evaluations, then it presumably is not part of an audit or investigation and, consequently, would not be protected from disclosure to the data subject by section 13.794, subd.1. Mr. Weissman repeated his objection to the Department's use of data he believes were not collected in accordance with the requirements set forth in Section 13.05, subdivision 4. On May 4, 1995, Ms. Muffett was interviewed a fourth time by the same two internal auditors. Both Mr. Weissman and Ms. Gildea were present. According to Mr. Weissman, Ms. Gildea reiterated that she disagreed with Mr. Weissman's assertion that . . . the confidential data collected by [the auditors] required a Tennessen Warning . . . . However, before Ms. Muffett was questioned, Ms. Gildea gave her an oral Tennessen Warning. According to Mr. Weissman, Ms. Gildea also . . . described some 120-150 pages of public and private data the auditors maintained on Ms. Muffett (none of which included anything remotely like auditors' notes). During the meeting, Mr. Weissman requested that Ms. Muffett be provided access to the data the following day, May 5, 1995. Ms. Gildea replied that the data . . . weren't ready for inspection . . . Mr. Weissman noted that the initial request for access to those data had been made seven weeks earlier, on March 14, 1995. Mr. Weissman then requested the Commissioner to issue this opinion, on the six issues described below. In response to Mr. Weissman's request, PIPA, on behalf of the Commissioner, wrote to Mr. Mark Rotenberg, University general counsel. The purposes of this letter, dated May 12, 1995, were to inform Mr. Rotenberg of Mr. Weissman's request, to provide him with a copy of the request, to ask Mr. Rotenberg to provide any information or support for the University's position and to inform him of the date by which the Commissioner was required to issue this opinion. (In subsequent correspondence, Mr. Weissman was notified that the Commissioner would be taking a portion of the additional 30 days allowed by the opinion statute to issue this opinion.) On May 22, 1995, PIPA received a letter in response, dated May 18, 1995, from Tracy M. Smith, University associate general counsel. In her response, Ms. Smith provided a substantially similar summary of the events outlined by Mr. Weissman, and the University's reasons for its actions. She also included a letter, dated May 5, 1995, from Ms. Gildea to Mr. Weissman. Ms. Smith did not respond directly to each of the six issues raised in this opinion. In that letter, Ms. Gildea responded to Mr. Weissman's request on May 4, that Ms. Muffett be provided access on May 5 to the public and private data on her maintained by the Department. Ms. Gildea said that the data would be available for Ms. Muffett's inspection by sometime late next week. (In her response to the Commissioner, Ms. Smith stated that Ms. Muffett inspected the data the University made available on May 12, 1995.) In response to the question of whether the auditors were required to give Ms. Muffett a Tennessen Warning, Ms. Smith stated that . . . the University was entitled to question [Ms. Muffett] concerning her work hours . . . . [and] was not obligated to give [her] a Tennessen warning before doing so. Ms. Smith stated that the auditors interviewed Ms. Muffett as part of their investigation into possible improprieties concerning her overtime claims, and that the University has authority to . . . investigate whether one of its employees was wrongfully taking public compensation based on falsified work hours. Ms. Smith stated that the Tennessen Warning requirement does not apply when an employer questions an employee about work hours, and that . . . this conclusion remains true even if the public employer seeks the information through its internal audit office. She stated that pursuant to Section 13.794, all active audit data are confidential, but [t]he fact that audit investigations are confidential while active . . . has no bearing on the question of whether auditors must issue a Tennessen Warning before gathering the data to perform the audits. Ms. Smith stated that the auditors had informed Ms. Muffett of the purpose of the interviews, and concluded that Ms. Muffett could not claim that . . . she did not understand what the investigation was about or what the consequences of providing information about falsifying hours might be. In response to the issue of the time it took the University to provide Ms. Muffett access to the data pursuant to Mr. Weissman's March 14 request, Ms. Smith stated that the . . . University was obligated to produce no data in response to this request. She stated that the data are active audit data and are confidential data pursuant to Section 13.794, subdivision 1. However, she stated that although Ms. Muffett had no right to inspect the data, the . . . University gathered the documents from the [Department], redacted confidential auditors' notes . . . . and made the data available for Ms. Muffett's inspection. In doing so, according to Ms. Smith, the University exceeded its obligations under Chapter 13. Issue six concerns whether the Department violated Ms. Muffett's rights under Chapter 13 by conducting its interviews with her in a place in which they could be overheard. Ms. Smith stated the subject of the interview was [Ms. Muffett's] work hours. Such data is not confidential . . . . but public, pursuant to Section 13.43, subdivision 2. She stated that there . . . may be some instances where discretion would dictate that such a conversation take place in private . . . . but if it does not, it is not a violation of Chapter 13.
Issues:
In his request for an opinion, Mr. Weissman asked the Commissioner to address the following issues:
Discussion:
Issue 1.Is a Tennessen Warning pursuant to Minnesota Statutes Section 13.04, subdivision 2, required for the collection of data pursuant to an internal audit investigation and admitted to be confidential data by the government entity?
Minnesota Statutes Section 13.04, subdivision 2, provides the notice requirement commonly referred to as a Tennessen Warning. When a government entity asks a data subject to provide private or confidential data about her/himself, the entity must inform the individual how it intends to use the data, and for what purpose, whether the individual may legally refuse to supply the data, the consequences of providing or not providing the data, and the identity of others who are authorized by state or federal law to receive the data. Therefore, in order to address the first issue, it is necessary to determine the classification of the data collected from Ms. Muffett by the auditors. If any of the data collected are classified as private or confidential, the University was required to give Ms. Muffett a Tennessen Warning. Mr. Weissman maintains that the data were collected as part of an investigation conducted by the University auditor's office, and therefore, pursuant to Section 13.794, the auditors collected confidential data from Ms. Muffett. The University's position is less clear. On the one hand, the University has claimed that the data are about Ms. Muffett's work hours, and are public, pursuant to Section 13.43. On the other hand, the University acknowledges that data were collected from Ms. Muffett by the auditors during their investigation of her possible fraudulent actions. The University told Mr. Weissman that those data are classified as confidential active investigative data, pursuant to Section 13.794. As a further complication in the University's position, Ms. Gildea characterized the data as relevant to legitimate evaluation of [Ms. Muffett's] performance as a University employee. This statement indicates that the University is treating these data as private personnel data. (See Section 13.43.) Section 13.43, the personnel data Section of Chapter 13, provides that personnel data . . . means data on individuals collected because the individual is or was an employee of . . . . a state agency, statewide system or political subdivision . . . . Clearly, the data on Ms. Muffett were collected because she is an employee of the University. As such, absent an investigation, the data collected are personnel data. Ms. Smith discussed at some length a rationale whereby the University was justified in asking Ms. Muffett questions about her employment without giving her a Tennessen Warning. She said that Ms. Muffett had been asked about her work hours, data which are public under Section 13.43. Certainly, Section 13.43, subdivision 2, provides that . . . payroll time sheets or other comparable data . . . . are public. However, Ms. Muffett was asked questions as part of the Department's effort to ascertain whether she had defrauded the University. Apparently, she was asked to provide more than payroll and time sheet data. According to Ms. Gildea, the data are . . . relevant to legitimate evaluation of her performance as a University employee. However, pursuant to Section 13.43, subdivision 2, performance evaluation data are not public data. Pursuant to Section 13.43, subdivision 4, those data are classified as private. Therefore, the collection of those data from Ms. Muffett by anyone at the University, not just auditors, was subject to the requirements of Section 13.04, subdivision 2. Further, at the time of the interviews with Ms. Muffett, the Department was conducting an investigation, of which Ms. Muffett was the subject. Ms. Muffett was interviewed during an investigation of possible fraud, conducted by the internal audit department of the University. Section 13.794, subdivision 1, provides that [d]ata, notes, and preliminary drafts of reports created, collected, and maintained by the internal audit offices of state agencies or persons performing audits for state agencies and relating to an audit or investigation are confidential data on individuals or protected nonpublic data until the final report has been published or the audit or investigation is no longer being pursued actively. (Emphasis added.) Clearly, by operation of Section 13.794, data created, collected or maintained by an internal audit office as part of an active audit or investigation are confidential. Those same data very likely may be classified otherwise, outside the context of an auditor's investigation. Ms. Smith stated that [t]he fact that audit investigations are confidential while active, however, has no bearing on the question of whether auditors must issue a Tennessen warning before gathering data to perform the audits. University auditors may collect data, both public and private, from a host of sources . . . . Auditors need not give a Tennessen warning every time they collect data. However, the issue is whether the auditors were required to give Ms. Muffett a Tennessen Warning when they collected data from her as part of their investigation. The Tennessen Warning requirement does not apply to all collections of private or confidential data. It applies to collections of private or confidential data from the data subject, when s/he is asked to supply private or confidential data about her/himself. It may well be the case that in some, or even most, of the situations in which auditors collect data for investigative purposes, auditors are not required to give Tennessen Warnings. To the extent that the Department, during an audit or investigation, collects data from sources other than the data subject, that is the case. However, by operation of Section 13.794, the data the Department collects during an investigation are confidential. If those investigative data are collected from the data subject, and are about the data subject, the collection of the data requires a Tennessen Warning. Clearly then, in this instance, regardless whether the auditors were investigating Ms. Muffett for fraud, or conducting a personnel evaluation, the data collected from her are either confidential audit data, private personnel data, or a combination of both types of data. Therefore, the Department was required to give Ms. Muffett a Tennessen Warning. Ms. Smith also stated that the auditors had informed Ms. Muffett of the purpose of the interviews, and concluded that Ms. Muffett could not claim that . . . she did not understand what the investigation was about or what the consequences of providing information about falsifying hours might be. The University acknowledges that Ms. Muffett did not receive a Tennessen Warning from the auditors. Ms. Smith appears to suggest that the obligation was Ms. Muffett's, not the University's, to determine the consequences of providing data to the auditors, absent a proper Tennessen Warning. However, Chapter 13 imposes obligations on government entities, not on data subjects. The Legislature, in its enactment of Section 13.04, subdivision 2, provided one of the fundamental right of data subjects, i.e., the right to be informed, inter alia, as to the purpose and consequences of providing private or confidential data to the government. The issue is not whether Ms. Muffett properly ascertained the consequences of supplying the data to the auditors. The issue is whether agents of the University complied with their statutory obligation to provide her with a Tennessen Warning when they interviewed her. As such, the collection of those data was subject to the requirements of Section 13.04, subdivision 2. Ms. Muffett should have been given a Tennessen Warning by the auditors. Issue 2.Do internal auditors' notes about the data subject, collected pursuant to Section 13.794, subdivision 1, constitute confidential data? The auditors interviewed Ms. Muffett as part of their investigation to determine whether she had defrauded the University. Pursuant to Section 13.02, subdivision 7, [g]overnment data means all data collected, created, received, maintained or disseminated . . . . Clearly, the auditors notes constitute government data, and by operation of Section 13.794, are classified as confidential while the investigation is active. There appears to be no disagreement between Mr. Weissman and the University on this issue. Issue 3.Does Section 13.05, subdivision 4, forbid a governmental entity from using for any purpose, confidential data collected absent a Tennessen Warning?
Minnesota Statutes Section 13.05, subdivision 4, in relevant part, states the following policy:
The Legislature, through enactment of this subdivision, sought to provide some substance to the protections provided to individual data subjects in Section 13.04, subdivision 2, so that individuals, having received the Section 13.04 notice, can expect that private or confidential data they provide to a government entity will not be used or disseminated except as described to them at the time they provided the data. The Legislature, by connecting the notice requirement of Section 13.04, subdivision 2, with the limitations on uses and disseminations of data established by Section 13.05, subdivision 4, also provided a consequence for government entities which do not meet their statutory obligation regarding the collection of private or confidential data. If a government entity does not administer a Tennessen Warning that meets the requirements of Section 13.04, subdivision 2, there are strict limitations imposed on the entity regarding any data it collects without giving the notice required by statute. That is, those data may not be stored, used or disseminated except as provided in Section 13.05, subdivision 4, as cited above. Apparently none of the exceptions that are provided in clauses a-d applies in this case. Therefore, according to the plain words of the statute, the University may not use the data it collected from Ms. Muffett in the auditors' interviews for any purpose. Issue 4.Is it a violation of Section 13.04, subdivision 3, for the University to delay for seven weeks in providing a data subject access to public and private data maintained on her by the investigators?
Section 13.04, subdivision 3, provides that:
In his letter dated March 14, 1995, sent to the director of the Department, Mr. Weissman made three requests pursuant to Section 13.04, subdivision 3. He asked the Department to (1) inform him whether it maintains data on Ms. Muffett, (2) if so, how those data are classified, and (3) if the Department was maintaining public and private data on Ms. Muffett, he asked for copies of those data. In addition, Mr. Weissman asked that if the director were not a properly appointed Designee of the Responsible Authority, that his letter be forwarded to the appropriate responsible official. He also asked for that individual's identity. Fourteen working days later, Ms. Gildea responded, in a letter dated April 3, 1995. She indicated that she had been unable to reach Mr. Weissman by telephone the previous week. In that letter, she responded that the University (not the Department) maintains public, private and confidential data on Ms. Muffett, pursuant to Sections 13.43 and 13.794. She told Mr. Weissman that Ms. Muffett could not have access to the confidential active audit investigative data, but that the other data were accessible. She asked Mr. Weissman to indicate which public or private data he wanted copied, and told him the copying cost. Mr. Weissman wrote to Ms. Gildea, in a letter dated April 4, 1995, and repeated his request that he be informed about data maintained by the Department specifically, not the University as a whole. He asked that if the Department maintained public or private data on Ms. Muffett, that he be sent copies, unless the data exceeded ten pages. In that case, he asked Ms. Gildea to inform Ms. Muffett when she would be able to inspect the data. Mr. Weissman repeated his request for access to the public and private data maintained on Ms. Muffett by the Department at the May 4, 1995 interview. At that time, Ms. Gildea told him that the data were not yet ready for inspection. Finally, in Ms. Gildea's letter dated May 5, 1995, she acknowledged that the Department did maintain public and private data on Ms. Muffett, and that the data would be available for inspection the next week. According to Ms. Smith, Ms. Muffett inspected the data on May 12, 1995. Mr. Weissman asked the Commissioner whether the University had complied with its obligation, under Section 13.04, subdivision 3, to inform Ms. Muffett about whether the Department maintained data about her, to tell her the classification of any such data, and to provide access to the data within the time limits provided in that Section. Ms. Gildea informed Mr. Weissman, fourteen working days after the date of his initial request, that the University maintains public, private and confidential data on his client. He was informed that the Department maintains data on his client seven weeks after he requested that information. His client was provided access to the public and private data on her maintained by the Department, with the confidential auditors' notes redacted, eight weeks after his initial request. In her response to the Commissioner, Ms. Smith stated that the . . . University was obligated to produce no data in response to this request. She stated that the data are active audit data and are confidential data pursuant to Section 13.794, subdivision 1. However, she stated that although Ms. Muffett had no right to inspect the data, the . . . University gathered the documents from the [Department], redacted confidential auditors' notes . . . . and made the data available for Ms. Muffett's inspection. In doing so, according to Ms. Smith, the University exceeded its obligations under Chapter 13. The Department, pursuant to Section 13.794, might reasonably have told Mr. Weissman that all of the data it maintains on Ms. Muffett are confidential investigative data. However, the Department told him that it maintains public and private data on her as well, and made those data available to her. Therefore, the Department was obligated to provide Ms. Muffett with access to those data within five days of her request, or within ten days with notice. That obligation was not met, either by Ms. Gildea's response of April 3, 1995, or her response of May 5, 1995. Issue 5.Is it a violation of Section 13.05, subdivision 4, for the University to retain wrongfully collected data (i.e., confidential data collected without a Tennessen warning)? As discussed above, private and confidential data may not be collected, stored, used or disseminated except as provided in Section 13.05. From the information provided to the Commissioner, it appears that Ms. Muffett, in her interviews with the auditors, supplied the data to them without having received a Tennessen Warning. Therefore, according to the plain words of the statute, the University may not retain the data obtained from Ms. Muffett by the auditors. The University may retain other data about this investigation that were not collected in violation of Section 13.04, subdivision 2. Issue 6. Is it a violation of Chapter 13 or its accompanying Rules to collect confidential data from a data subject in a manner which can easily be overheard by someone whose job does not require access to such information? The Commissioner has determined, as discussed above, that most of the data collected from Ms. Muffett by the auditors appear to be private or confidential, or both. By definition, private or confidential data are not accessible by the public. In situations in which government agents are collecting not public data, those agents are obligated to take reasonable measures to ensure that the privacy and confidentiality of those data are afforded the protections provided by statute. Any other conclusion would vitiate those protections. Further, Section 13.05, subdivision 5, provides that Responsible Authorities . . . establish appropriate security safeguards . . . . for all data on individuals. Minnesota Rules Part 1205.0400, subpart 2, provides that access to private data within a government entity is limited to those whose work assignments reasonably require access. From the information provided, it is not clear if the auditors collected private or confidential data from Ms. Muffett in a manner which allowed access to those data by unauthorized persons. Clearly, the University had an obligation to ensure that such an event did not occur. Ms. Smith also stated that there is no indication that Ms. Muffett asked the auditors to move the location of the interview. Ms. Smith stated [a]n employee cannot be allowed to silently permit a data practices violation to continue and later turn it against the employer to further her own self-interest. Ms. Smith, in that statement, seems to imply that it was Ms. Muffett's responsibility to ask for a private place in which to be interviewed. However, as noted above, Chapter 13 imposes obligations upon government entities, not individual data subjects. Under Chapter 13, the rights of data subjects not to have private or confidential data about them made public include the right to have those data secured and protected against unauthorized access. The issue is not whether Ms. Muffett took any action to secure a private place in which to be interviewed. The issue is whether the University took appropriate action to ensure the privacy and confidentiality of the data. One further note is in order. One of the issues Mr. Weissman raised with the University, but did not raise when he requested this opinion, is the identity of the University's Responsible Authority, and if any, her/his Designee(s.) Apparently, the University did not provide Mr. Weissman with the identity of the individual it has properly appointed as Responsible Authority, pursuant to Section 13.02, subdivision 16, and Minnesota Rules Part 1205.0200, subpart 13. Presumably the University has complied with its statutory obligation to appoint a Responsible Authority and Designees. The role of the Responsible Authority is absolutely essential to a government entity's proper fulfillment of its responsibilities under Chapter 13. Pursuant to Section 13.05, the Responsible Authority is required to establish policies and procedures regarding the appropriate collection, use, dissemination and storage of government data. Government entities presumably could avoid the kinds of problems addressed in this opinion if they appoint Responsible Authorities (if they are required to appoint them), and if so, they grant their Responsible Authorities and Designees the authority to fulfill the entities' obligations under Chapter 13. Opinion:Based on the correspondence in this matter, my opinion on the issues raised by Mr. Weissman is as follows:
Signed:
Elaine S. Hansen
Dated: June 15, 1995
|
Data subjects
Educational data
Legislative authority and intent
Tennessen warning
Internal audit
Tennessen warning notice
Limitation on collection and use of private/confidential data (13.05, subd. 4)
Security safeguards (13.05, subd. 5)
Tennessen warning notice (13.04, subd. 2)
Limitation on collection/use of data (13.05, subd. 4)
