The Data Practices Act requires a government entity to perform a yearly, comprehensive security assessment of any personal information it maintains. (See Minnesota Statutes, section 13.055, subdivision 6.)
Personal information, defined by Minnesota Statutes section 325E.61, subdivision 1(e), is an individual's first name or first initial and last name in combination with one or more of these elements:
Personal information does not include data classified as public, or data that are encrypted or protected using technology that makes the data unreadable. However, if the key or means for reading these protected data are acquired by another party, then these data would be considered personal information and included in the security assessment.
An entity's security assessment will vary depending on the amount of personal information the entity maintains. Developing the security assessment will require collaboration with an entity's legal counsel and internal auditor.
The Department of Administration uses the Control Environment Self-Assessment Tool, developed by the Internal Control and Accountability unit at Minnesota Management and Budget (MMB), as part of the Annual Internal Control System Certification. Control Activities for Data in the tool target the requirements in section 13.055. You can learn more about control environments at MMB's website.