Annual Security Assessment

The Data Practices Act requires a government entity to perform a yearly, comprehensive security assessment of any personal information it maintains. (See Minnesota Statutes, section 13.055, subdivision 6)

An entity's security assessment will vary depending on the amount of personal information the entity maintains. Developing the security assessment will require collaboration with an entity's legal counsel and internal auditor.

The Department of Administration uses the Control Environment Self-Assessment Tool, developed by the Internal Control and Accountability unit at Minnesota Management and Budget (MMB) as part of the Annual Internal Control System Certification. Control Activities for Data in the tool target the requirements in section 13.055. You can learn more about control environments at MMB's website.

What is "personal information"?
Personal information, defined by Minnesota Statutes section 325E.61, subdivision 1(e), is an individual's first name or first initial and last name in combination with one or more of these elements:
- a social security number;
- driver's license number or Minnesota ID card number; or
- account number or credit/debit card number in combination with any required security code, access code, or password that would permit access to the individual's financial account;
Personal information does not include data classified as public, or data that are encrypted or protected using technology that makes the data unreadable. However, if the key or means for reading this protected data are acquired by another party, then these data would be considered personal information and included in the security assessment.
What are some examples of personal information?
- A paper form with a person's name and driver's license number;
- An unencrypted database with an individual's first initial and last name, and their social security number;
- Financial account access information
- A database of student information after a cybersecurity incident leaks the encryption code