Note: Due to a legislative change in 2014, Minnesota Statutes, section 13.055, now applies to all government entities.

Facts and Procedural History:

On February 6, 2008, IPAD received a letter dated same, from E. Joseph Newton, General Counsel for the Minnesota Department of Public Safety (DPS). In his letter, Mr. Newton asked the Commissioner to issue an advisory opinion regarding the classification of certain data DPS maintains.

Upon receiving Mr. Newton's opinion request, IPAD, on behalf of the Commissioner, wrote to the DPS employees whose data are at issue in this opinion. The letters invited the employees to submit comments because their rights could be affected by the outcome of the opinion. The Commissioner did not receive any responses. A summary of the facts as provided by Mr. Newton is as follows. In the opinion request, he wrote:

[DPS] has received two separate requests for certain data related to, an investigation and data breach. Specifically, DPS undertook an audit of use of drivers license data and application data maintained on Minnesota residents applying for a driver's license. The data is collected under Minnesota Statutes Chapter 171 and is classified as private data under 18 U.S.C. section2721. The audit uncovered misuse by two DPS employees. DPS complied with Minnesota law relative to unauthorized use of the data. See Minn. Stat. section13.055. As required, under law, DPS notified affected individuals that certain data had been accessed, identified the specific data. DPS also issued a press release with the same information.

DPS also sought to discipline the employees and as of the date of this letter the discipline is not considered final under Minn. Stat. section13.43, subd. 2

Two individuals requested the names of the employees subject to the investigation and documents in reference to them.

DPS takes the position that the names are private data. On the one hand, DPS is required to notify individuals of a data breach. By its very nature, the notice must go into some detail for it to be meaningful.

DPS is also required to maintain certain personnel data as private under the law.

Members of the public should not be able to use the statutorily mandated data to receive what would otherwise be private data under a separate statute. To do so eviscerates the private rights of state employees, mandated by Minn. Stat. section13.43.

[Emphasis provided.]

Issue:

Pursuant to Minnesota Statutes, Chapter 13, what is the classification of the names of Minnesota Department of Public Safety (DPS) employees who are subject to discipline that is not yet final after DPS provided required notice to the public of a data breach?

---

Discussion:

Pursuant to Minnesota Statutes, section 13.03, subdivision 1, government data are public except as otherwise classified.

Section 13.43 classifies data on individuals who are current or former employees. Subdivision 2 lists the types of personnel data that are public and subdivision 4 classifies most other types of personnel data as private.

In a situation in which someone has complained about an employee, the following data are public pursuant to section 13.43, subdivision 2(a)(4): the existence and status of the complaint or charge.

If a government entity has taken disciplinary action against an employee and a final disposition has occurred, the following additional data are public pursuant to section 13.43, subdivision 2(a)(5): the final disposition of any disciplinary action together with the specific reasons for the action and data documenting the basis for the action.

The Commissioner previously has described the legislative policy behind the language in section 13.43:

The current language balances two strongly competing interests. The public has an important interest in knowing how government entities are handling and have handled complaints and charges that are made against public employees. On the other hand, public employees have strong reputational and other interests in not having unsubstantiated and potentially false complaints or charges made against them disclosed to the public. The legislature has achieved that balance by saying that certain data about complaints or charges against public employees will always be public but certain other data, and particular details concerning a given complaint or charge against a public employee, will not become public unless and until there is a final disposition of a disciplinary action against the employee.

(See Advisory Opinion 94-042.)

Mr. Newton stated that a final disposition has not occurred. Typically, at this point in an investigation into a complaint, the following data would be public: the employee's name connected with fact that a complaint exists against that employee and the status of complaint.

However, the situation here is complicated because the complaint against the employees is an unauthorized use of data:

A state agency that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. Notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person.

[Emphasis added.]

(See section 13.055, subdivision 2.)

DPS was required, under section 13.055, to provide notification of the security breach. The information DPS provided as part of that process, in effect, disclosed the nature of the complaint against the employees. If DPS now were to release publicly the names of the employees, the employees' rights under section 13.43 would be violated because there has not been a final disposition of discipline in the matter.

Minnesota Statutes, section 645.26, discusses how to interpret statutory provisions that are in conflict. Subdivision 1 of section 645.26 states that when the conflict is irreconcilable, the special provision shall prevail and shall be construed as an exception to the general provision, unless the general provision shall be enacted at a later session. Here, section 13.055 required disclosure of the nature of the complaint prior to a final disposition having occurred at DPS, which, when the name of the employee is public, is in direct conflict with the classification of data in section 13.43.

The language in section 13.055 was enacted during the 2005 Legislative Session. The language relating to complaints/disciplinary action was enacted prior to 2005. Based on the above analysis, the Commissioner concludes that because DPS has released the nature of the complaint, it cannot, at this time, release the names of the employees. DPS can release the names if a final disposition occurs.

Two final notes are appropriate. First, section 13.055 applies only to state agencies. Although local level governments voluntarily may wish to notify data subjects of any data breaches that occur, they need to consider the conclusions reached in Advisory Opinions 98-024 and 01-063, and Navarre v. South Washington County Schools, 652 N.W.2d 9 (Minn. 2002): section 13.43 authorizes only the disclosure of existence and status of complaints prior to a final disposition of discipline; the type of complaint cannot be disclosed. In the situation currently before the Commissioner, DPS, as a state agency, was required to provide notice of the data breach.

Second, the issue DPS raised is one that deserves legislative discussion, especially given the difference in outcome depending upon whether the entity is part of state or local government.

---

Opinion:

Based on the facts and information provided, my opinion on the issues that Mr. Newton raised is as follows:

Pursuant to Minnesota Statutes sections 13.055 and 13.43, the names of Minnesota Department of Public Safety (DPS) employees are private unless there is a final disposition pursuant to section 13.43, subdivision 2(b).

Signed:

Dana B. Badgerow
Commissioner

Dated: April 16, 2008

---