Data Practice Request

Request release of certain types of data from the County.

Request data

The Minnesota Government Data Practices Act (MGDPA), Chapter 13 of the Minnesota Statutes, is a set of laws that control how government data in Minnesota is collected, created, maintained, used and disseminated. You have the right to request release of certain types of data from the County. However, the County must follow the requirements of the MGDPA and any other applicable state or federal laws to determine whether the data you have requested may legally be released to you. If you wish to make a data request, please click the “Request Data” link below to start that process.

A copy of the MGDPA may be accessed at the link below.

Minnesota Statute Chapter 13 - full chapter

Request Data

Data Access Policy for Data Subjects

402.1 PURPOSE AND SCOPE

The Data Practices Act (Minnesota Statutes, Chapter 13) provides that data subjects have certain rights related to the collection, creation and storage of data about them by a government entity. A person is the subject of data when s/he can be identified from the data. Government data means all data collected, created, received, maintained or distributed by any government entity regardless of its physical form, the form in which it is stored or the conditions under which it is used. This policy contains information on "How Data is Classified", "Your Rights under the Data Practices Act", "How to Make a Request for Your Data", "How We Respond to a Data Request" and "How Olmsted County Responds in the Event of a Data Breach".

402.2 POLICY

The following are the definitions, rules and regulations regarding data about an individual, from the MN Data Practices Act and how they are applied at Olmsted County.

(a) Classification of Data about You

1. The Data Practices Act presumes that all government data is public unless a state or federal law says that the data is not public. Data about a person is classified by state law as public, private, or confidential. See below for some examples.

(b) Public data:

1. Public data must be given to anyone who asks; it does not matter who is asking for the data or why. The following is an example of public data about a person: an employee's job title and bargaining unit.

1. Private data cannot be given to the public, but a data subject may have access to this data when it is about the subject. The following is an example of private data about a person: a social security number. Private data can be shared with the data subject, with someone to whom the data subject has given permission to receive it, with Olmsted County staff who need the data to do their work, and/ or as permitted by law or court order.

(d) Confidential data:

1. Confidential data has the most protection; neither the public nor the data subject are permitted to obtain access. is about the data subject. The following is an example of confidential data about a person: the identity of a person who registers a complaint with a government entity concerning violations of state laws or local ordinances concerning the use of real property. Confidential data can be shared with Olmsted County staff who need the data to do their work and to others as permitted by law or court order. Data subjects do not have access to confidential data.

402.2.1 YOUR RIGHTS UNDER THE DATA PRACTICES ACT

Olmsted County must keep all government data in a way that makes it easy for a data subject to access data about himself/herself. Also, the County can collect and keep only data that is needed for administering and managing programs that are permitted by law.

402.2.2 DATA SUBJECTS HAVE THE FOLLOWING RIGHTS

(a) Access to Data:

1. A data subject has the right to review, free of charge, public and private data that Olmsted County keeps about him/her. Data subjects have the right to get copies of public and private data about themselves. The Data Practices Act allows the County to charge for copies. Data subjects have the right to review data, free of charge, before deciding whether to request copies.

If a data subject asks, the County will indicate whether data is kept about the data subject and whether that data is public, private, or confidential.

Parents have the right to look at and get copies of public and private data about their minor children (under the age of 18). Legally appointed guardians have the right to look at and get copies of public and private data about an individual for whom they have been appointed guardian.

Minors have the right to ask Olmsted County not to give data about them to their parent or guardian. Minors will be told that they have this right. We may ask a minor to put their request in writing and to include the reasons that we should deny the minor's parents access to the data. We will make the final decision about the request based on the minor's best interests. Note: Minors do not have this right if the data in question is educational data maintained by an educational agency or institution.

(b) When the County Collects Data from Individuals:

1. When a person is asked to provide personal data that is not public, they must be given a Tennessen warning. The Tennessen warning is a notice that describes what will be done with the data. Data collected by the County can only be used in the manner described in the Tennessen warning.The County will ask for written permission if it is necessary to use or release private data about the person in a different way, or if the person asks for the data to be released to another person. This permission is called informed consent. If the person wants data to be released to another person, the person must use the consent form provided by the County.

1. The Data Practices Act requires the County to protect data about a person. The County has established appropriate safeguards to ensure that personal data is safe.

(d) When your Data are Inaccurate and/or Incomplete:

1. Data subjects have the right to challenge the accuracy and/or completeness of public and private data about them. Data subjects also have the right to appeal the County's classification of data. If a data subject is a minor, a parent or guardian has the right to challenge data the minor.

402.2.3 HOW TO MAKE A REQUEST FOR YOUR DATA

(a) A data request is necessary to look at data, or request copies of data that Olmsted County keeps about a person, their minor children, or an individual for whom the person have been appointed legal guardian. The request can be made at the electronic Data Practice Request form. A written request may be made by mail, fax, or email. If a requester chooses not to use the data request form, a written request should include:

1. that the requester is making a request, under the Data Practices Act (Minnesota Statutes, Chapter 13), as a data subject, for data about the requester;

2. whether the requester would like to inspect the data, have copies of the data, or both;

3. a clear description of the data the requester would like to inspect or have copied; and

4. identifying information that proves the requester is the data subject, or data subject's parent/guardian.

(b) Olmsted County requires proof of identity before responding to a request for private data. If a person is requesting private data about a minor child, the requester must show proof that he/she is the minor's parent. If the requester is a guardian, he/she must show legal documentation of the guardianship. Please see the Standards for Verifying Identity document

402.2.4 HOW WE RESPOND TO A DATA REQUEST

(a) Once a data request has been received, the County we will begin processing the request.

1. If it is not clear what data is being requested, the County will ask for clarification.

2. If the County does not have the data, the requester will be notified in writing within 10 business days.

3. If the County does have the data, but the data is confidential or if it is private data not about the requester, the County will notify the requester in writing within 10 business days and state which specific law prohibits the requester from accessing the data.

4. If the County has the data, and the data are public or private data about the requester, we will respond to the request within 10 business days, by doing one of the following:

(a) Arrange a date, time, and place to review the data, for free, if the request is to look at the data, or

(b) Provide the requester with copies of the data within 10 business days. The requester may choose to pick up the copies, or we will mail or fax them to the requester. We will provide electronic copies (such as email or CD- ROM) upon request if we keep the data in electronic format. Information about copy charges is on Page Six. If the request takes longer than four hours to prepare, we will arrange for the requester to prepay for the copies. Following our response, if you do not make arrangements within 14 business days to inspect the data or pay for the copies, we will conclude that you no longer want the data and will consider your request closed.

(b) After access to data about himself/herself has been provided, the County does not have to show the requester the data again for 6 months unless there is a dispute, or unless new data about the requester is collected.

(c) If a requester does not understand some of the data (technical terminology, abbreviations, or acronyms), the County will provide an explanation if asked.

(d) The Data Practices Act does not require the County to create or collect new data in response to a data request if we do not already have the data. Nor is the County required to provide data in a specific form or arrangement if we do not keep the data in that form or arrangement. (For example, if the data you request is on paper only, we are not required to create electronic documents to respond to a request.) If we agree to create data in response to a request, we will work with the requester on the details of the request, including cost for the request and response time.

(e) In addition, the County is not required under the Data Practices Act to respond to questions that are not requests for data.

(f) Minnesota Statutes, section 13.05, subdivision 8, requires us to have this document.

402.3 ASSOCIATED LAWS AND REGULATIONS

The following constitute sufficient proof of identity when needed for a data request. An adult individual must provide a valid photo ID, such as

• a state driver's license

• a military ID

• a passport

• a Minnesota ID

• a Minnesota tribal ID

A minor individual must provide a valid photo ID, such as

• a state driver's license

• a passport

• a Minnesota ID

• a Minnesota Tribal ID

• a Minnesota school ID

The parent or guardian of a minor must provide a valid photo ID and either

• a certified copy of the minor's birth certificate or

• a certified copy of documents that establish the parent or guardian's relationship to the child, such as

o a court order relating to divorce, separation, custody, foster care

o a foster care contract

o an affidavit of parentage

The legal guardian for an individual must provide a valid photo ID and a certified copy of appropriate documentation of formal or informal appointment as guardian, such as

• court orders

• or an original signed valid power of attorney

Note: Individuals who do not exercise their data practices rights in person must provide notarized or certified copies of the documents that are required.

402.4 ASSOCIATED PROCEDURES

402.4.1 COPY COSTS FOR DATA SUBJECTS

Olmsted County charges data subjects for copies of government data. These charges are authorized under section 13.04, subdivision 3.

Fees are due upon delivery of requested data.

402.4.2 ACTUAL COST OF MAKING THE COPIES

In determining the actual cost of making copies, we factor in employee time, the cost of the materials onto which we are copying the data (paper, CD, DVD, etc.), and mailing costs (if any). If your request is for copies of data that we cannot reproduce ourselves, such as photographs, we will charge a requester the actual cost we must pay an outside vendor for the copies.

If, because of the subject matter of your request, we find it necessary for a higher-paid employee to search for and retrieve the data, we will calculate the search and retrieval portion of the copy charge at the higher salary/wage.

402.4.3 COPY CHARGES SET BY STATUTE OR RULE

As defined in Minnesota Statute 13.03 subd. 3(c) Olmsted County may charge up to $0.25 cents per page of letter or legal size black and white copies up to 100 pages. For requests which exceed this amount, we may include all overhead costs associated with the data request except the cost associated with separating public data from nonpublic data.

402.5 AUTHORITY, ROLES AND RESPONSIBILITIES Responsible Authority

Listing Available by contacting Lisa Morris-Helmstetler

Data Practices Designee(s)

Listing Available by contacting Lisa Morris-Helmstetler

Data Practices Compliance Official Lisa Morris-Helmstetler, Administration 151 4th St. SE, Rochester, MN 55904 507.328.6012 (phone)

507.328.6012 (fax)

lisa.morris-helmstetler@olmstedcounty.gov

402.6 RELATED INFORMATION

402.6.1 ASSOCIATED CHAPTER 13 INFORMATION

How Olmsted County Responds in the Event of a Data Breach

Olmsted County has certain obligations under state law to establish appropriate security safeguards for all records containing data on individuals, including procedures for ensuring that data that is not public is only accessible to persons whose work assignment reasonably requires access to the data, and only for those purposes. The County has certain steps it must take in the event private or confidential data is released to persons or entities not legally authorized to receive it. The following is a summary of the applicable requirements in Minnesota Statutes Section 13.055 which spells out the County's obligations following a breach in greater detail.

402.6.2 DEFINITIONS

For purposes of this section, the following terms have the meanings given to them.

• "Breach of the security of the data" means acquiring data maintained by Olmsted County without permission in a way that compromises the security and classification of the data. If an employee, contractor, or agent of Olmsted County acquires or accesses this data in good faith on behalf of the County, it is not a breach of the security of the data, so long as unauthorized persons cannot view the data.

• "Contact information" means either the name and mailing address or e-mail address for each individual who is the subject of data maintained by the County.

• "Unauthorized acquisition" means that a person has obtained, accessed, or viewed County data without the informed consent of the subject(s) of the data intending to use the data for a purpose not approved by the County.

• "Unauthorized person" means any person who accesses County data without a work assignment that reasonably requires access, or for a purpose not which is not permitted.

402.6.3 NOTICE TO INDIVIDUALS; INVESTIGATION REPORT

(a) The County, as a government entity that collects, creates, receives, maintains, or disseminates private or confidential data on individuals, must disclose any breach of the security of the data following discovery or notification of the breach. If a contractor or authorized agent of the County caused the data breach, that contractor or agent must assist the County in meeting its obligations following a data breach and will be expected to bear the financial costs which the County incurs for the required response to that breach. The County must notify any individual who is the subject of the data and whose private or confidential data was, or is believed to have been, acquired by an unauthorized person. The notification must inform the individual that a report will be prepared under paragraph

(b) How the individual may obtain access to the report, and that the individual may request delivery of the report by mail or e-mail. The disclosure must be made as soon as possible and without unreasonable delay, consistent with

1. the legitimate needs of the Olmsted County Sheriff's Department to complete their investigation if any; or

2. any measures necessary to determine the scope of the breach and restore the reasonable security of the data.

(c) Once the County completes an investigation into any breach in the security of data and any disciplinary action against a county employee responsible has become final, the County will prepare a report on the facts and results of the investigation. If the breach involves unauthorized access to or acquisition of data by an employee, contractor, or agent of the County, the report will at a minimum include:

1. a description of the type of data that was accessed or acquired;

2. the number of individuals whose data was improperly accessed or acquired;

3. the name of each County employee determined to be responsible for the unauthorized access or acquisition, if there has been disciplinary action against the employee which has become final; and

4. the final disposition of any disciplinary action taken against any County employee in response if disciplinary action was found to be warranted.

402.6.4 DELAYED NOTICE

The notification required by this section may be delayed if the Olmsted County Sheriff's Department determines that the notification will impede an active criminal investigation. The notification required by this section must be made after the Sheriff's Department determines that it will not compromise the investigation.

402.6.5 METHOD OF NOTICE

Notice under this section may be provided by one of the following methods:

(a) Written notice by first class mail to each affected individual; or

(b) Electronic notice to each affected individual; or

1. Would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or the County does not have sufficient contact information.

Substitute notice consists of all the following:

(a) E-mail notice if the County has an e-mail address for the affected individuals;

(b) Conspicuous posting of the notice on the County's website; and

402.6.6 COORDINATION WITH CONSUMER REPORTING AGENCIES

If the County discovers circumstances requiring notification under this section of more than 1,000 individuals at one time, the County will also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.

402.6.7 SECURITY ASSESSMENTS

At least annually, the County will conduct a comprehensive security assessment of any personal information maintained by the County.

402.7 HISTORY

04/18/2019 Initial Draft Approved

402.8 POLICY OWNERSHIP

Policy Originating Department - Administration Department Contact - Lisa Morris-Helmstetler

Data Access Policy for Members of the Public

403.1 PURPOSE AND SCOPE

The Data Practices Act (Minnesota Statutes, Chapter 13) presumes that all government data is public unless a state or federal law says the data is not public. Government data means all data collected, created, received, maintained or distributed by any government entity regardless of its physical form, the form in which it is stored or the conditions under which it used.

The Data Practices Act also provides that Olmsted County must keep all government data in a way that makes it possible for a member of the public, to access public data. The public has the right to look at (inspect), free of charge, all public data that the County keeps. The public also has the right to obtain copies of public data. The Data Practices Act allows the County to charge data requesters for copies. The public does have the right to look at data, free of charge, before deciding to request copies however. This policy contains information on "How to Make a Data Request", "How We Respond to a Data Request", "Requests for Summary Data", and "How Olmsted County Responds in the Event of a Data Breach".

403.2 POLICY

The following are the definitions, rules and regulations regarding public access to data, from the Minnesota Government Data Practices Act and how they are applied at Olmsted County.

403.2.1 HOW TO MAKE A DATA REQUEST

To look at data or request copies of data that Olmsted County keeps, click this link: Data Practice Request You can also make a written request for data to the Data Practice Team at. You may submit your Data Practice Request from this electronic form by clicking submit. You can also submit requests in writing by mail, fax, or Data Practice Team at. We recommend the Data Practice Request form be used to expedite your request. If you choose not to use the Data Practice Request electronic form, your written request should include:

(a) That you, as a member of the public, are making a request for data under the Data Practices Act, Minnesota Statutes, Chapter 13;

(b) Whether you would like to look at the data, get copies of the data, or both; and

Olmsted County cannot require you, as a member of the public, to identify yourself or explain the reason for your data request. However, depending on how you want us to process your request (if, for example, you want us to mail you copies of data), we may need some information about you. If you choose not to give us any identifying information, we will provide you with contact information, so you may check on the status of your request. In addition, please keep in mind that if we do not understand your request and have no way to contact you, we will not be able to begin processing your request.

403.2.2 HOW WE RESPOND TO A DATA REQUEST

Upon receiving your written request, we will work to process it.

(a) If we do not have the data, we will notify the requester in writing as soon as reasonably possible.

(b) If we have the data, but the data are not public, we will notify the requester in writing as soon as reasonably possible and state which specific law says you the requester cannot access the data.

(c) If we have the data, and the data is public, we will respond to the request appropriately and promptly, within a reasonable amount of time by doing one of the following:

1. Arrange a date, time, and place for you to inspect the data, for free, if your request is to look at the data, or

2. Provide you with copies of the data as soon as reasonably possible. You may choose to pick up your copies, or we will mail or fax them to you. If you want us to send you the copies, you will need to provide us with a mailing address or fax number. We will provide electronic copies (such as email or CD-ROM) upon request if we keep the data in electronic format. Information about copy charges can be found on page five. If your request takes longer than four hours to prepare, we will arrange for you to prepay for copies.

3. Following our response, if you do not make arrangements within 14 business days to inspect the data or pay for the copies, we will conclude that you no longer want the data and will consider your request closed

If the requester does not understand some of the data (technical terminology, abbreviations, or acronyms), please notify the County and our staff will provide an explanation. The Data Practices Act does not require the County to create or collect new data in response to a data request if we do not already have the data, or to provide data in a specific form or arrangement if we do not keep the data in that form or arrangement. (For example, if the data you request is on paper only, we are not required to create electronic documents to respond to a request.) If we agree to create data in response to a request, we will work with the requester on the details of your request, including cost for the request and estimated response time.

In addition, the Data Practices Act does not require us to answer questions that are not requests for data .

403.2.3 REQUESTS FOR SUMMARY DATA

Summary data are statistical records or reports that are prepared by removing all identifiers from private or confidential data on individuals. The preparation of summary data is not a means to gain access to private or confidential data. Olmsted County will prepare summary data if you make your request in writing and pay for the cost of creating the data. Upon receiving your written request

– you may use the data request form on page seven – we will respond within ten business days with the data or details of when the data will be ready and how much we will charge.

Minnesota Statutes, section 13.03, subdivision 2(b), requires us to have this document.

403.3 ASSOCIATED LAWS AND REGULATIONS

403.3.1 COPY COSTS FOR MEMBERS OF THE PUBLIC

Olmsted County charges data subjects for copies of government data. These charges are authorized under section 13.04, subdivision 3.

Fees are due upon delivery of requested data.

403.3.2 FOR 100 OR FEWER PAPER COPIES - $0.25 CENTS PER PAGE

100 or fewer pages of black and white, letter or legal-size paper copies cost $0.25 for a one-sided copy, or $0.50 for a two-sided copy.

403.3.3 MOST OTHER TYPES OF COPIES - ACTUAL COST

The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data and making the copies or electronically transmitting the data (e.g. sending the data by email).

403.3.4 COPY CHARGES SET BY STATUTE OR RULE

403.4 AUTHORITY, ROLES AND RESPONSIBILITIES Responsible Authority

Listing Available by contacting Lisa Morris-Helmstetler

Data Practices Designee(s)

Listing Available by contacting Lisa Morris-Helmstetler

Data Practices Compliance Official

Lisa Morris-Helmstetler, Administration 151 4th St. SE, Rochester, MN 55904 507.328.6012 (phone)

lisa.morris-helmstetler@olmstedcounty.gov

403.5 RELATED INFORMATION

403.5.1 ASSOCIATED CHAPTER 13 INFORMATION

How Olmsted County Responds in the Event of a Data Breach

403.5.2 DEFINITIONS

For purposes of this section, the following terms have the meanings given to them.

• "Contact information" means either the name and mailing address or e-mail address for each individual who is the subject of data maintained by the County.

• "Unauthorized person" means any person who accesses County data without a work

403.5.3 NOTICE TO INDIVIDUALS; INVESTIGATION REPORT

1. The legitimate needs of the Olmsted County Sheriff's Department to complete their investigation if any; or

2. Any measures necessary to determine the scope of the breach and restore the reasonable security of the data.

1. A description of the type of data that was accessed or acquired;

2. The number of individuals whose data was improperly accessed or acquired;

3. The name of each County employee determined to be responsible for the unauthorized access or acquisition, if there has been disciplinary action against the employee which has become final; and

4. The final disposition of any disciplinary action taken against any County employee in response if disciplinary action was found to be warranted.

403.5.4 DELAYED NOTICE

403.5.5 METHOD OF NOTICE

Notice under this section may be provided by one of the following methods:

(a) Written notice by first class mail to each affected individual; or

(b) Electronic notice to each affected individual; or

(c) Substitute notice, if the County determines that the cost of providing the written notice required by paragraph (a) would exceed $250,000, or that the affected class of individuals to be notified exceeds 500,000, or the County does not have sufficient contact information.

Substitute notice consists of all the following:

(a) E-mail notice if the County has an e-mail address for the affected individuals;

(b) Conspicuous posting of the notice on the County's website; and

403.5.6 COORDINATION WITH CONSUMER REPORTING AGENCIES

403.5.7 SECURITY ASSESSMENTS

At least annually, the County will conduct a comprehensive security assessment of any personal information maintained by the County.

403.6 HISTORY

4/18/10 Initial Draft Approved

403.7 POLICY OWNERSHIP

Policy Originating Department - Administration Department Contact - Lisa Morris-Helmstetler

Was this helpful?