Primary navigation

    Opinion Library

    To return to this list after selecting an opinion, click on the "View entire list" link above the opinion title.

    RSS feed

    Advisory Opinion 95-007

    February 15, 1995; Bemidji State University

    2/15/1995 10:14:43 AM

    This is an opinion of the Commissioner of Administration issued pursuant to section 13.072 of Minnesota Statutes, Chapter 13 - the Minnesota Government Data Practices Act. It is based on the facts and information available to the Commissioner as described below.


    Facts and Procedural History:

    For purposes of simplification, the information presented by the citizen who requested this opinion and the response from the government entity with which the citizen disagrees are presented in summary form. Copies of the complete submissions are on file at the offices of PIPA and are available for public access.

    On January 10, 1995, PIPA received a letter dated January 4, 1995, from Mr. Alexander Nadesan, a professor at Bemidji State University (BSU), in which he requested an advisory opinion of the Commissioner. Mr. Nadesan's request concerned aspects of BSU's student registration system. In order to clarify some of the information in the documents he provided, and to discuss the scope of the Commissioner's opinion authority, PIPA staff had subsequent telephone conversations with Mr. Nadesan.

    On January 19, 1995, PIPA received a second letter from Mr. Nadesan, dated January 12, 1995, in which he restated his request for an opinion. (After subsequent telephone conversations, in which the information provided by Mr. Nadesan was further clarified, the issues were identified on January 24, 1995.)

    Mr. Nadesan described the operation of BSU's new Touchtone Registration System, and expressed his concern with the system's reliance upon faculty birth dates, and faculty and student Social Security numbers. Mr. Nadesan asked whether the use of his Social Security number and birth date for the purposes of registering BSU students was a violation of Minnesota Statutes Chapter 13, the Minnesota Government Data Practices Act, and asked whether BSU was required to give him a Tennessen Warning, the notice required pursuant to Minnesota Statutes Section 13.04, subdivision 2, regarding this practice. Mr. Nadesan raised other issues concerning BSU's treatment of Social Security numbers, and after clarification with PIPA staff, requested an opinion on the issues detailed in the Issues section below.

    In response to Mr. Nadesan's request, PIPA, on behalf of the Commissioner, wrote to Mr. M. James Bensen, President of BSU. The purposes of this letter were to inform Mr. Bensen of Mr. Nadesan's opinion request, to provide a copy of the request to him, to ask Mr. Bensen or BSU's attorney to provide information or support for its position, and to inform him of the date by which the Commissioner was required to issue this opinion. (In subsequent correspondence, Mr. Nadesan and Mr. Bensen were notified that the Commissioner would be taking a portion of the additional 30 days allowed by the opinion statute to issue this opinion.)

    On February 3, 1995, PIPA received a response from Ms. Linda L. Baer, Senior Vice President for Academic and Student Affairs. In her letter, Ms. Baer stated that BSU's registration system uses faculty members' Social Security numbers and Personal Identification Numbers (PINs) ...to insure security on a restricted system. Ms. Baer stated that BSU's records office assigns the initial PIN, which is the faculty member's birth date. PINs may be changed by faculty, and Ms. Baer said that the directions provided to faculty members recommended that the PIN be changed to ...a more personal and more confidential number immediately. She also stated that [i]f a faculty member wished to have their original PIN assigned by the Records Office as something other than birthday and year, that wish is accommodated.

    Ms. Baer further stated that ...as the means by which the security on the registration system is maintained.... Social Security numbers and PINs are ...obviously NOT information intended to be given to a student or another university employee not involved in the registration process.

    Ms. Baer also commented on several concerns which Mr. Nadesan had raised in his original request, which will not be addressed in this opinion.


    Issue:

    In his request for an opinion, Mr. Nadesan asked the Commissioner to address the following issues:
    1. Does Bemidji State University have the authority to require faculty members to provide their Social Security numbers and birth dates for the purposes of student registration, or is this a violation of Minnesota Statutes Chapter 13?

    2. Does the Bemidji State University have an obligation to provide faculty members with the notice requirement ( Tennessen Warning ) detailed in Section 13.04, subdivision 2, concerning the collection and use of faculty Social Security numbers and birth dates for purposes of registering students? If Tennessen Warnings are not given, what is the effect on BSU's ability to use faculty members' Social Security numbers and birth dates in its student registration system?


    Discussion:

    Chapter 13 contains specific provisions that regulate a government entity's authority to collect and use private data. In the case of Social Security numbers, provisions of the federal Privacy Act of 1974, Public Law 93-579, are also implicated. The discussion of the requirements of the Privacy Act concerning a government entity's use of Social Security numbers follows the discussion of the relevant provisions of Chapter 13.

    According to the documents provided by both Mr. Nadesan and Ms. Baer, BSU's student registration system relies upon faculty members to enter their Social Security numbers and PINs by touchtone telephone, along with the student's Social Security number and course registration information.

    Mr. Nadesan asked whether BSU's requirement that faculty members supply the records office with personal data invoked the notice provision of Minnesota Statutes Section 13.04, subdivision 2, commonly known as the Tennessen Warning. This provision states:

    An individual asked to supply private or confidential data concerning the individual shall be informed of: (a) the purpose and intended use of the requested data within the collecting state agency, political subdivision, or statewide system; (b) whether the individual may refuse or is legally required to supply the requested data; (c) any known consequence arising from supplying or refusing to supply private or confidential data; and (d) the identity of other persons or entities authorized by state or federal law to receive the data....

    Mr. Nadesan's Social Security number and birth date, as collected, maintained and used by BSU, are personnel data. Pursuant to Section 13.43, personnel data ...means data on individuals collected because the individual is or was an employee of...a state agency, statewide system or political subdivision.... Certain personnel data are classified as public under subdivision 2; all other personnel data, including Social Security numbers and birth dates, are private, pursuant to subdivision 4. Therefore, Mr. Nadesan's Social Security number and birth date, as collected, maintained and used by BSU, are private personnel data, which means that BSU must give a Tennessen Warning concerning the use of these data at the time they are collected. (Section 13.43 notwithstanding, the Legislature had classified Social Security numbers as private prior to the enactment of Chapter 13. It has further underscored its intention regarding classification of these data through its 1994 enactment of Section 13.49, which classifies Social Security numbers as private.)

    In order to evaluate BSU's obligations regarding its use and dissemination of faculty Social Security numbers for student registration, it is also necessary to review provisions of Section 13.05, which detail the means by which a government entity may obtain authority to use private data in a manner which was not included in a Tennessen Warning, and which place further restrictions upon the collection and use of private data. Subdivision 4 states that [p]rivate or confidential data on an individual shall not be collected, stored, used, or disseminated...for any purposes other than those stated to the individual at the time of collection in accordance with Section 13.04, except as provided in this subdivision.

    The exceptions to the requirement that private data may be used and disseminated only as stated to an individual at the time of collection are when: (1) the data were collected prior to August 1, 1975 and are used for the originally-stated purpose, or a purpose specifically authorized by the Commissioner; (2) subsequent to the data collection, a state, local or federal law specifically authorizes the use or dissemination; (3) the Commissioner specifically authorizes the use; (4) the individual gives her/his informed consent; or (5) at a meeting open to the public to the extent provided in Section 471.705, subdivision 1d.

    Section 13.05, subdivision 3, further limits a government entity's collection of all data, and the use of private and confidential data to ...that necessary for the administration and management of programs specifically authorized by the Legislature or local governing body or mandated by the federal government. If the collection or use is necessary, and the data are private or confidential, then the entity must give the individual a Tennessen Warning. When the provisions of Sections 13.04 and 13.05 are read together, it is clear that a government entity may use and disseminate private data only as stated to an individual at the time of collection, unless one of the exceptions noted above applies. If the entity fails to give a Tennessen Warning, then the data may not be used for any purpose.

    Therefore, in order for BSU to have implemented a registration system which relies upon the use of private data, i.e. faculty Social Security numbers and birth dates, it was obligated first to determine that it had authority to do so, and then to assure that it established procedures to exercise that authority properly, in accordance with the requirements contained in Sections 13.04 and 13.05.

    Professor Nadesan stated that he did not receive a Tennessen Warning concerning this use of private data about him, and he has not indicated that he has given BSU his informed consent. BSU was invited to comment on whether it has provided faculty members with Tennessen Warnings concerning this issue, but in its response to the Commissioner, it chose not to. Ms. Baer did say that a faculty member could request that the original PIN assigned by the records office could be something other than the birth date, but did not indicate that faculty members are notified of that right. BSU also did not provide information as to what statutory authority it relied upon to establish this practice.

    Mr. Nadesan also asked the Commissioner to comment on the relevance of the federal Privacy Act of 1974, Public Law 93-579, to BSU's Touchtone Registration System. In general, the Commissioner is reluctant to address federal law in her opinions. However, for educational and information purposes in this instance, which concerns Social Security numbers, she has concluded that it is necessary for her to do so.

    The relevant provision, Section 7* of Public Law 93-579, the Privacy Act of 1974, reads as follows:

    (a) (1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his Social Security account number.

    (2) the provisions of paragraph (1) of this subsection shall not apply with respect to-
    (A) any disclosure which is required by Federal statute, or
    (B) the disclosure of a Social Security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

    (b) Any Federal, State, or local government agency which requests an individual to disclose his Social Security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

    (*Public Law 93-579 was codified at 5 U.S.C. section 552a. Section 7, as quoted above, was not incorporated into the U.S.Code.)

    The Congress has enacted very limited exceptions to the constraints it has imposed upon government entities' authority to require individuals to provide their Social Security numbers. An individual may be denied ...a right, benefit, or privilege provided by law because of such individual's refusal to disclose his Social Security account number... only in very narrow circumstances. The most notable are contained in a 1976 amendment to the Social Security Act, which authorizes states and their political subdivisions to require individuals to provide their Social Security numbers for the purposes of the administration of any tax, general public assistance, or driver's license or motor vehicle registration, regardless of whether the number was used for those purposes prior to January 1, 1975 (42 U.S.C. section 405(c)(2)(C)(i) and (iii).)

    It appears, in the absence of evidence to the contrary, that BSU has implemented a student registration system which is dependent upon faculty and student Social Security numbers for its operation. It appears that BSU's practice amounts to a mandatory requirement that faculty and students provide their Social Security numbers for this purpose. There does not appear to be authority within the language of Public Law 93-579, the Privacy Act of 1974, or the 1976 amendment to the Social Security Act noted above, for BSU to do so.

    In addition, Public Law 93-579, Section 7 (b) clearly imposes upon state and local government agencies an affirmative obligation to apprise individuals who have been asked to supply their Social Security numbers of certain information. In particular, individuals must be informed of the uses to which the number will be put, and whether the disclosure is voluntary or mandatory. This notice must be given whenever the government entity requests that an individual provide her/his Social Security number; the obligation contained in this Section is not qualified in any way. As a state government entity, BSU has an affirmative obligation, pursuant to state and federal law, to provide proper notice to individuals from whom it requests Social Security numbers, and has had this obligation for more than twenty years.

    The impetus for government entities to employ the Social Security number as a universal identifier is increasing. Both the Minnesota Legislature and the U.S. Congress have addressed in statute and law their concerns in this regard, and their intention that individuals be able to make informed decisions when asked to disclose their Social Security numbers to agents of government. Therefore, it is incumbent upon any Minnesota government entity, when contemplating the use of the Social Security number as a unique identifier, as a security access code, or for other purposes, to address the requirements of the federal Privacy Act of 1974, and the Legislature's classification of Social Security numbers as private data.

    Opinion:


    Based on the correspondence provided in this matter, my opinion on the issue raised by Mr. Nadesan is as follows:

    1. As to Issue 1,

      it does not appear that Bemidji State University has the statutory authority to require faculty members to provide their Social Security numbers and birth dates for the purposes of student registration. This practice/system also raises significant issues under the federal Privacy Act which should be addressed by BSU.

    2. As to Issue 2,

      Bemidji State University has an affirmative obligation to provide faculty members with the notice requirement detailed in Minnesota Statutes Section 13.04, subdivision 2, concerning the collection and use of faculty Social Security numbers and birth dates, which are private data, for purposes of registering students. If Tennessen Warnings have not been given, BSU may not properly use faculty members' Social Security numbers and birth dates in its student registration system.

    Signed:

    Elaine M. Hansen
    Commissioner

    Dated: February 15, 1995


    Data subjects

    Tennessen warning

    Limitation on collection and use of private/confidential data (13.05, subd. 4)

    Tennessen warning notice

    Tennessen warning and federal Privacy Act notices required

    back to top