Facts and Procedural History:

The Minnesota Department of Education (MDE) requested an advisory opinion from the Commissioner regarding access to and sharing of private and/or confidential data on individuals pursuant to the Minnesota Government Data Practices Act, Minnesota Statutes, Chapter 13 (Chapter 13). 

MDE wrote, 

[MDE] is the state agency charged with implementing state and federal education laws as well as with exercising general supervision over public education in the state. MDE is the state’s designated lead agency for purposes of the federal early intervention program for infants and toddlers with disabilities, see 34 C.F.R. Chapter 303. MDE recently received a federal Preschool Development Grant, and seeks to use that grant, in part, to improve communication among the various government entities serving Minnesota’s children and their families. One aspect of communication that MDE believes might be improved is clarifying the legal authority of government entities to share private and confidential data on children and their families for the purpose of coordinating and providing additional services that may help the children.

Issues:

Discussion:

Issue 1: When may an employee in one unit of a government entity subject to the Minnesota Government Data Practices Act access private or confidential data on individuals collected by another unit or a different program within the same government entity?

Data on individuals are “government data in which any individual is or can be identified as the subject of that data, unless the appearance of the name or other identifying data can be clearly demonstrated to be only incidental to the data and the data are not accessed by the name or other identifying data of any individual.” (Minnesota Statutes, 13.02, subdivision 5.) 

Data on individuals can be classified as public, private, or confidential, depending on the content of the data. When data on individuals are classified as private or confidential, access to the data is limited. (Minnesota Statutes, 13.02, subdivisions 3 and 12.) 

Minnesota Rules, part 1205.0400, subpart 2, outlines access to private data and specifically identifies those within a government entity that may access private data on individuals. Private data may be disclosed to individuals within a government entity whose work assignments reasonably require access to the data. Subpart 3 of this rule further states that the responsible authority of each government entity shall establish written procedures to assure that access is gained only by those parties identified in subpart 2. 

Minnesota Rules, part 1205.0600, subpart 2, similarly states that confidential data may be accessed by those within the government entity whose work assignments reasonably require access. 

Therefore, individuals within the same government entity may access private and confidential data when their work assignments reasonably require access, even when those individuals work within different units or programs of the same entity.

Issue 2: When may private data be shared or exchanged between a school district and a county without written consent of the individual subject of the data?

Pursuant to Minnesota Rules, part 1205.0400, subpart 2, private data may be shared with other government entities that are authorized by statute or federal law to access the data.

Federal law is defined as “United States Code, rules and regulations of federal agencies as published in the Code of Federal Regulations, and federal case law, including decisions of any court in the federal judicial system.” (See Minnesota Rules, part 1205.0200, subpart 7.)

MDE identified numerous provisions that authorize school districts and counties to share or exchange private data without written consent of the data subject.

The Commissioner agrees that the following provisions identified by MDE provide statutory authority to share data between a school district and a county when the circumstances of each provision are met. The Commissioner notes that this is not an exhaustive list of potential sharing provisions available to school districts and counties, and entities that would like to rely on these sharing provisions should review the statutes for a full understanding of the legal authority.

1. Federal Education Rights and Privacy Act (FERPA) – The Commissioner notes that FERPA is also incorporated in Minnesota Statutes, section 13.32.
2. Uninterrupted Scholars Act (an amendment to FERPA), specifically 20 U.S.C. 1232g(b)(1)(L), which permits the release of education records to certain welfare agency representatives or tribal organizations when the agency or organization is “legally responsible for the care and protection of the student.”
3. Minnesota Statutes, section 13.32, subdivision 3, identifies specific instances when disclosure of private education data is permitted, including pursuant to a valid court order, certain health and safety emergencies, and to the juvenile justice system when necessary to protect health and safety. Section 13.32, subdivision 12 also provides for certain access to education data by personnel in a county’s welfare system.
4. Minnesota Statutes, section 260C.208, subdivision 1, which authorizes agencies with “legal responsibility for the placement of a child” to request and receive information pertaining to the child that is necessary to carry out its duties, including education, medical, psychological, psychiatric, social, and family history data.
5. Minnesota Statutes, section 13.46, subdivision 2 identifies when private data on individuals within the “welfare system” as defined by Minnesota Statutes, section 13.46, subdivision 1(c), may be shared, and subdivision 2(a)(32) specifically authorizes sharing of names, dates of birth, gender, and addresses to the chief administrative officer of a school to coordinate services for students and their families.
6. Minnesota Statutes, section 119B.08, subdivision 3(1), which outlines what information biennial child care fund plans submitted to the Commissioner of Education by counties and “designated administering agencies” for the administration of child care assistance must include. Subdivision 1 of this statute indicates that the Commissioner of Education must specify the requirements for the reports pursuant to the authority provided in Minnesota Statutes, section 256.01, subdivision 2(p). Child care assistance program payment data are classified as private data pursuant to Minnesota Statutes, section 119B.02, subdivision 6. 

MDE also cited Minnesota Rules, part 9560.0560, subpart 2 as a potential sharing provision. However, pursuant to the administrative rules, sharing authority must be in state statute or federal law. Minnesota Rules are not considered statutes or federal law, and as a result do not provide sufficient authority to share or exchange data between government entities.

The Commissioner reminds government entities of their obligation to provide Tennessen Warning notices to individuals when they collect private or confidential data from an individual, about that individual. The notice must include, (a) the purpose and intended use of the data; (b) whether the individual can refuse or is legally required to provide the requested data; (c) what the consequences are of supplying or not supplying the data; and (d) the identity of other persons or entities outside of the collecting agency authorized by state or federal law to receive the data. (See Minnesota Statutes, section 13.04, subdivision 2.)

Opinion:

Based on the facts and information provided, the Commissioner’s opinion on the issues raised is as follows:

1. Private or confidential data may be shared with individuals in other programs or units within the same government entity, when the individuals have a work assignment that reasonably requires access.
2. Private data may be shared or exchanged between government entities when authorized by statute or federal law.

Signed:

Lenora Madigan
Deputy Commissioner

April 14, 2020