Legislators to tackle abuse of data privacy law

By T.W. Budig

ECM Capitol Reporter

[email protected]

She could be in a coffee shop, said Rep. Sarah Anderson, and not know the person she meets was the one who wrongfully obtained her personal information.

“Unfortunately, I was one of the 5,000 people in the state of Minnesota,” said Anderson, R-Plymouth, of the improper access to Minnesota Driver and Vehicle Services (DVS) records by a former Department of Natural Resources (DNR) employee.

Disgusted by repeated examples of public employees violating data privacy law, a group of lawmakers, including Rep. Mary Liz Holberg, R-Lakeville, a legislator with expertise in data privacy, is pursuing legislation to stop the abuse.

“We’re really, really tired of it,” said Holberg, speaking at a Capitol press conference Wednesday.

Holberg, along with Sen. Scott Dibble, DFL-Minneapolis, has drafted legislation taking a number of steps not only to punish public employees wrongfully accessing the state database but to spread “sunshine” and greater scrutiny on cases where it occurs.

Under the legislation, a public employee who acquires or accesses private data in a manner not explicitly allowed by law could be found guilty of a gross misdemeanor if the action occurs repeatedly.

In cases of accessing multiple data subjects, they could be found guilty if they do it once.

“I think it will take a change of culture,” Holberg said.

Beyond possible penalties, Holberg and Dibble’s legislation requires state agencies in which data practices violations occur to publish a report on the facts and findings of investigation.

This must at least include a description of the data accessed or acquired, the number of individuals whose data was accessed or acquired, the name or names of responsible parties and the final disposition of any disciplinary action.

In cases where no disciplinary action took place, the reasons must be given.

Holberg believes the “good actors,” the government officials who honor and follow data privacy law, support stronger actions against public-employee data-privacy abusers.

They don’t want their agency sporting black eyes, Holberg said.

Government agencies often want more access to information. But if they can’t protect the data they have, granting greater latitude becomes problematic, Holberg said.

“The time is right,” Holberg said. She expects data privacy legislation to pass the Legislature this year.

The public, when it learns more of the scope of data privacy abuse, will take concerns to lawmakers, Holberg said.

“This is not the end of it,” she said.

As for the DNR incident, it’s her understanding that the case was uncovered by an investigation looking into a different matter, Holberg said.

Most of the 5,000 residents whose data was wrongfully accessed were women, she said.

Media reports said the DNR is sending notification letters to the 5,000 people whose data has been compromised.

The DVS information accessed included names, addressees, photos and other information.

Local government officials may have had their awareness of the data privacy abuse problem heightened, Holberg said, by the big money settlements individuals have won in recent cases.

It’s frustrating that cases of public employees wrongly accessing private data continue to occur, Holberg said.

Holberg, who came to office back when the state was preparing for Y2K, expressed puzzlement over the laggardness of the government in protecting its own data.

This legislation is not an attempt to limit the rightful access of information by law enforcement officials, she said.