A Legal Guide to PRIVACY AND DATA SECURITY 2025

who are the subjects of the data or statutory authority and with the intent to use the data for nongovernmental purposes.

(d) “Unauthorized person” means any person who accesses government data without a work assignment that reasonably requires access, or regardless of the person’s work assignment, for a purpose not described in the procedures required by Minn. Stat. § 13.05, subdivision 5.

Subd. 2. Notice to individuals; investigation report.

(a) A government entity that collects, creates, receives, maintains, or disseminates private or confidential data on individuals must disclose any breach of the security of the data following discovery or notification of the breach. Written notification must be made to any individual who is the subject of the data and whose private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person and must inform the individual that a report will be prepared under paragraph (b), how the individual may obtain access to the report, and that the individual may request delivery of the report by mail or email. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with:

(1) the legitimate needs of a law enforcement agency as provided in subdivision 3; or

(2) any measures necessary to determine the scope of the breach and restore the reasonable security of the data.

(b) Notwithstanding Minn. Stat. §§ 13.15 or 13.37, upon completion of an investigation into any breach in the security of data and final disposition of any disciplinary action for purposes of Minn. Stat. § 13.43, including exhaustion of all rights of appeal under any applicable collective bargaining agreement, the responsible authority shall prepare a report on the facts and results of the investigation. If the breach involves unauthorized access to or acquisition of data by an employee, contractor, or agent of the government entity, the report must at a minimum include:

(1) a description of the type of data that were accessed or acquired;

(2) the number of individuals whose data was improperly accessed or acquired;

(3) if there has been final disposition of disciplinary action for purposes of Minn. Stat. § 13.43, the name of each employee determined to be responsible for the unauthorized access or acquisition, unless the employee was performing duties under Minn. Stat. Chapter 5B; and
