Use of ‘stone-age’ technology hampers securing private data


Rep. Peggy Scott is one of 7,000 individuals whose information was inappropriately accessed last year by a Department of Natural Resources employee. The Andover Republican is ready to sign onto any class action suit that may be filed because of the incident. Exhibiting frustration over the breach, her comments came during testimony on a bill that would put in place safeguards to protect private data collected by government entities.

Rep. Mary Liz Holberg (R-Lakeville) has been the go-to person for data practices issues during most of her 15 years in the House. She told the House Civil Law Committee Wednesday that government computers are “operating in the stone-age” regarding their ability to protect private data.

Sponsored by Holberg, HF183 is a result of the DNR case. It would add some protections to help prevent information breaches and impose stiffer penalties. “What is apparent, in many instances, is a complete lack of oversight, and this bill is trying to get a handle on some of those issues.”

As amended, the bill was approved and sent to the House floor. It would:

  • permit a person to request the name of anyone who has obtained access to their private data, unless the data would identify an undercover law enforcement officer or an active case;
  • require procedures for ensuring that private data is accessible only to those whose work assignment calls for that access; and
  • expand current law requiring that notification of a breach of privacy to all government entities, not just state agencies as now directed.

“One of the basic precepts of good data practices policy is that an individual has the right to know what information is being collected and how it is being used,” Holberg said. This is a key part of her bill, but Holberg said the language, in its current form, may be too hard to implement and that it is a work in progress. “The conversation needs to begin.”

Under the bill, the breach would be just cause for suspension without pay or dismissal of the offending employee.

It’s questionable whether local government units have the technology in place that would provide the proposed safeguards, said Keith Carlson, who represents the League of Minnesota Cities and the Minnesota Inter-County Association.

“This applies to every bit of private data administered by state and local government and would be a nightmare to administer,” he said. Data is still being collected in print, including driver’s license applications, where the name is considered private. “It would be impossible to track which employees access private data. And it would cost literally millions of dollars to meet this so-called obligation.”

Carlson suggested that requiring these safeguards as local governments make technology upgrades would be more acceptable.

The companion, SF211, sponsored by Sen. D. Scott Dibble (DFL-Mpls), awaits action by the full Senate.