Sourcewell Technology Data Practices Policy

Minnesota Government Data Practices Act Policy

Minnesota Government Data Practices Act Policy – Policy & Procedures for Requesting Information from Sourcewell Technology (“SWT”)


Policy Statement 

SWT will provide convenient and timely access to public information in accordance with the Minnesota Government Data Practices Act ("MGDPA"), Chapter 13 of the Minnesota Statutes. The Chief Solutions Officer is the Responsible Authority ("RA") under the MGDPA and is responsible for managing and fulfilling requests for information under the MGDPA. The Chief Legal Officer is the Data Practices Compliance Official" ("DPCO") under the MGDPA and is responsible to respond to questions or concerns regarding data access or other problems. The Principal Security Architect/Principal Enterprise Architect, CISSP, who reports to the RA, is a 11 Designee11 under the MGDPA appointed by the RA to be in charge of systems containing government data and to receive and comply with data requests under the MGDPA. Whenever possible, SWT will direct requestors to existing sources of public information. 

 

How to Request Public Data 

You can ask to look at (inspect) data at our offices, or ask for copies of public data that we keep. You have the right to look at (inspect), free of charge, all public data that we keep. You also have the right to get copies of public data. The MGDPA allows us to charge for copies. You have the right to look at data, free of charge, before deciding to request copies. 

Charges for copies of data will comply with the MGDPA. The DPCO will respond to the requestor with an estimate of the charges for the copies. Charges must be paid in full prior to the receipt of the copies. 

For 100 or fewer paper copies - 25 cents per page
100 or fewer pages of black and white, letter or legal size paper copies cost 25C for a one-sided copy, or SOC for a two-sided copy. 

Most other types of copies - actual cost
The charge for most other types of copies, when a charge is not set by statute or rule, is the actual cost of searching for and retrieving the data, and making the copies or electronically sending the data. 
In determining the actual cost of making copies, we include employee time, the cost of the materials onto which we are copying the data (paper, CD, DVD, etc.), and mailing costs (if any). If your request is for copies of data that we cannot copy ourselves, such as photographs, we will charge you the actual cost we must pay an outside vendor for the copies.

If, based on your request, we find It necessary for a higher-paid employee to search for and retrieve the data, we will calculate search and retrieval charges at the higher salary/wage. 

Data Request Form 

All data requests must be in writing. SWT uses the Data Request Form. If you do not use the Data Request Form, your request should: 

  • State that you are making a request for public data under the MGDPA (Minnesota Government Data Practices Act, Minnesota Statutes, Chapter 13). 
  • Include whether you would like to inspect the data, have copies of the data, or both. 
  • Provide a clear description of the data you would like to inspect or have copied.

You are not required to identify yourself or explain the reason for your data request. However, you may need to provide us with some personal information for practical reasons (for example: if you want us to mail copies to you, you need to provide us with an address or P.O Box). If we do not understand your request and have no way to contact you, we cannot respond to your request. 

Click here to download the Data Request Form.

Data Practices Contacts 

Data Request Forms or other written requests must be directed to the following SWT contacts: 

Responsible Authority 
Bob Seward
Chief Solutions Officer 
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6036 
Email: bob.seward@sourcewelltech.org

Data Practices Compliance Official 
Susan Mussell
Chief Legal Officer 
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6216 
Email: susan.mussell@sourcewelltech.org

Data Practices Designee 
Ryan Cloutier
Principal Security Architect/Principal Enterprise Architect, CISSP
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6822 
Email: ryan.cloutier@sourcewelltech.org 

 

How We Will Respond to Your Data Request

We will acknowledge receipt of your data request within three (3) business days of receipt.

  • We may ask you to clarify what data you are requesting.
  • We will work with you on a time frame for response, and help narrow the request as much as possible in order to provide the information requested as soon as possible.
  • Requestors should understand that requested data may need to be gathered from several departments or individuals.
  • If we have the data, but we are not allowed to give it to you, we will tell you as soon as reasonably possible and identify the law that prevents us from providing the data.
  • If we have the data, and the data are public, we will respond to your request appropriately and promptly, within a reasonable amount of time by doing one of the following:
    • Arrange a date, time, and place for you to inspect the data at our offices; or 
    • You may choose to pick up your copies, or we will mail or email them to you. We will provide electronic copies (such as email or CD-ROM) upon request if we keep the data in that format and we can reasonably make a copy.
    • Response time will be impacted by the size and/or complexity of your request, and also by the number of requests you make in a given period of time.
  • Following our response, if you do not make arrangements within twenty (20) working days to inspect the data or pay for the copies, we will conclude that you no longer want the data and will consider your request closed.

The MGDPA does not require SWT to create or collect new data in response to a data request, or to provide data in a specific form or arrangement if we do not keep the data in that form or arrangement. For example, if the data you request are on paper only, we are not required to create electronic documents to respond to your request. If we agree to create data in response to your request, we will work with you on the details of your request, including cost and response time. 

We are also not required to respond to questions that are not about your data requests, or requests for government data.

 

Requests for Summary Data 

Summary data means reports or statistical data derived from private data and from which all identifying information is removed. If you request summary data, you are required to pay SWT for the costs of preparing summary data, which may include employee time, material programming costs, etc. Within ten (10) business days of receipt of your request, SWT will inform you: (1) whether it is possible to produce summary data without compromising confidentiality, and (2) if so, the time schedule and the estimated costs for producing the summary data. Charges must be paid in full prior to the information being processed. You may use the Data Request Form to request summary data.

 

Standing Requests 

Standing requests will be honored for sixty (60) days, after which you must renew them to ensure that you are still interested in receiving the data. 

 

Keeping Data Secure 

SWT has policies and procedure relating to the privacy and security of information. These policies are stated below. 

In the event of an unfortunate "security incident" or "privacy incident" as defined in such policies, SWT will report the event to its school customers within five (5) business days, subject to any restrictions imposed by law enforcement authorities as described in further detail in the policy. 

Identity Verification Guide

The following constitute proof of identity. 

An adult individual must provide a valid photo ID, such as:

  • a state driver's license
  • a military ID 
  • a passport
  • a Minnesota ID 
  • a Minnesota tribal ID 

A minor individual must provide a valid photo ID, such as:

  • a state driver's license
  • a military ID 
  • a passport
  • a Minnesota ID 
  • a Minnesota Tribal ID 
  • a Minnesota school ID 

The parent or guardian of a minor must provide a valid photo ID and either:

  • a certified copy of the minor's birth certificate, or
  • a certified copy of documents that establish the parent or guardian's relationship to the child, such as: 
    • a court order relating to divorce, separation, custody, foster care
    • a foster care contract
    • an affidavit of parentage

The legal guardian for an Individual must provide a valid photo ID and a certified copy of appropriate documentation of formal or informal appointment as guardian, such as: 

  • court order(s)
  • valid power of attorney

Note: Individuals whose identity cannot be verified in person must provide a notarized verification using the Notary Identity Verification Form.
 

Click here to download the Notary Identity Verification Form

Information on Rights of Subjects of Government Data

Policy Statement 

Sourcewell Technology ("SWT") provides educational products and services to school districts and related education entities. In connection with such services, SWT hosts educational data, including student data shared with SWT by its school district customers. SWT also maintains data about its employees and business partners. SWT's adoption of this policy satisfies the requirement set forth in Minn. Stat. §13.025, subd. 3 to prepare a written policy of the rights of data subjects under Minn. Stat. §13.04.

 

Right to know what data is kept about you and how it is classified 

  • Upon request, you may be informed about what data is kept about you and whether it is classified as public, private, or confidential. You have the right to see data about yourself that is classified as public, private, or confidential. If SWT maintains data about you that is classified as confidential, you will be told that the information exists, but you will not be able to access the data. 
  • To access public or private data on yourself, you can make a written request to the Data Request Contacts listed in the following section.
  • If you are requesting information on yourself, please be as specific as possible. If you have an employee or student ID number, please include that in your request (if you do not have that information, please include a birth date or the last 4 digits of your SSN). 
  • If we do not have the data, we will notify you in writing within ten (10) business days after we receive your request.
  • If we have the data, but the data are confidential or private data that are not about you, we will notify you within ten (10) business days receipt of your request and state which specific law says you cannot access the data. 
  • If we have the data, and the data are public or private about you, we will respond to your request within ten 
  • (10) business days after we receive your request by either sending you copies of the information or making arrangements for you to access the data. In some cases, there may be charges for copies of the data we have on you. We will work with you to pay any charges in advance of receiving the data. 
  • After we have provided you with access to data about you, we do not have to show you the data again for six (6) months unless there is a dispute or we collect or create new data about you.
  • The Minnesota Government Data Practices Act ("MGDPA") does not require us to create or collect new data in response to a data request if we do not already have the data, or to provide data in a specific form or arrangement if we do not keep the data in that form or arrangement. In addition, we are not required to respond to questions that are not specific requests for data. 
  • Private data on you will only be shared with you, with someone who has your written permission, with SWT staff who need the data to do their work, and as permitted by law or court order. 
  • There is no charge to view data about yourself, but if you are requesting copies of data, there might be a charge for copies. You will be told about any charges in advance.
  • Upon request, you will be informed of the content and meaning of the public or private data that is maintained on you. 

 

Data Practices Contacts 

Data Request Forms or other written requests must be directed to the following SWT contacts: 

Responsible Authority 
Bob Seward
Chief Solutions Officer 
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6036 
Email: bob.seward@sourcewelltech.org 

Data Practices Compliance Official 
Susan Mussell
Chief legal Officer 
2340 Energy Park Dr., Suite 200 
Direct: 651-999-6216 
Emall: susan.mussell@sourcewelltech.org 

Data Practices Designee 
Ryan Coutier
Principal Security Architect/ Principal Enterprise Architect, CISSP
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6822 
Email: ryan.cloutier@sourcewelltech.org

 

Right to data notice when private or confidential data is collected from you

If you are asked to supply private or confidential data about yourself, you must be told of the intended use of the data, whether you are legally required to provide the data, any known consequences of giving or withholding the data, and which other agencies or persons are authorized by law to receive the data. This notice is commonly known as the Tennessen Warning. 



Right to challenge the accuracy or completeness of data about you 

  • If you think that data maintained by SWT about you is inaccurate or incomplete, you may file a data challenge to try and have the data changed.
  • Accurate means that the data are reasonably correct and do not contain factual errors; complete means that the data describe the history of your contact with SWT in a complete way. This procedure is not a substitute for any grievance process available to either data subjects or employees. 
  • To make a data challenge, write to the Data Contact Resources and state clearly that you are making an accuracy or completeness challenge; identify the data you are challenging, and what you think should be done. You will receive a decision within thirty (30) days whether SWT agrees with your challenge. If we agree, your data will be amended appropriately. If SWT disagrees or believes that your request has to do with something other than the accuracy or completeness of the data, the challenge will be denied. 
  • If your challenge is denied, you have the right to file an appeal with the Commissioner of the Minnesota Department of Administration. Your appeal must be in writing and filed within sixty (60) days after SWT's decision.
  • If you believe that public or private data that SWT maintains about you is Inaccurate or incomplete, you have the right to include a statement of disagreement with the data. If the disputed data is released to a third party, SWT will include your statement of disagreement with the data. 



Right to have your data protected 

  • SWT Is required under the MGDPA to protect your data. We have established appropriate safeguards to ensure that your data is safe. Our polices are outlined below.
  • In the event of an unfortunate "security incident" or "privacy incident" as defined In such policies, SWT will ensure that you are notified as required by law. 

Data Security Classification Policy

Policy Statement 

To protect the security and integrity of Sourcewell Technology ("SWT") data, and comply with the Minnesota Government Data Practices Act ("MGDPA"), Chapter 13 of the Minnesota Statutes, SWT data must be classified appropriately. SWT uses data security classification and security level to ensure all data and the systems on which it is stored, accessed, transmitted, or have the ability to impact the security of the data have appropriate security controls to protect the confidentiality, integrity and availability of the data. 

SWT's adoption of this policy satisfies the requirement set forth in Minn. Stat. §13.05, subd. 5 to establish procedures to ensure appropriate access to not public data. SWT limits employees' access to not public data whose work assignment reasonably requires access, or who have a legitimate need to know, and to other entities or individuals authorized by law. 



Data Inventory 

Under the requirement set forth in Minn. Stat. §13.025, subd. 1, SWT has prepared a Data Inventory available below which Identifies and describes all not public data on individuals and not individuals maintained by SWT. To comply with Minn. Stat. §13.05, subd. 5, the Data Inventory identifies SWT employees who have access to not public data. In the event of a temporary duty assignment by a manager or supervisor, an employee may access not public data for as long as the work is assigned to the employee. 

In addition to the employees listed in the Data Inventory, the following employees have access to not public data as necessary for their duties: Managing Director, Chief Operating Officer, Chief Technology Officer, Chief Legal Officer, Human Resources Director, Responsible Authority and Data Practices Compliance Official, Data Practices Compliance Official, Principal Security Architect/Principal Enterprise Architect, CISSP, and Designee(s). 

Employee position descriptions
Position descriptions may include provisions identifying any not public data accessible to the employee when a work assignment reasonably requires access. 

Data sharing with authorized entities or Individuals
State or federal law may authorize the sharing of not public data In specific circumstances. Not public data may be shared with another entity if state or federal law allows or mandates it. Individuals will be provided with Tennessen warnings as required under Minn. Stat. §13.04, subd. 2 in accordance with the nature of any data request. Any sharing of not public data will be strictly limited to the data necessary or required to comply with applicable law.

Ensuring that Not Public data Is not accessed
SWT ensures that not public data is accessed only by employees as necessary for their job responsibilities by following the procedures set forth in the separate Data Classification & Control Policy adopted on August 26, 2009.

Penalties for unlawfully accessing Not Public data
SWT will utilize the penalties for unlawful access to not public data as set forth in Minn. Stat. §13.09 If necessary. Penalties include suspension, termination and/or referring the matter to the appropriate prosecutorial authority who may pursue a criminal misdemeanor charge.

 

Data Classification

SWT data security classifications are:

Confidential (individuals} or Protected Nonpublic (not on Individuals)
This classification includes data that is not public and is not accessible to the data subject. It is available to SWT employees with a legitimate need to know, or whose work assignments reasonably require access, and other entities or individuals authorized by law. 

Private (individuals) or Nonpublic (not on Individuals)
This classification includes data that is not public and is accessible to the data subject, and to SWT employees with a legitimate need to know, or whose work assignments reasonably require access, and other entities or individuals authorized by law.

Public
This classification includes data that is accessible by anyone for any reason.

Questions 
Questions regarding this policy should be directed to either the:

Responsible Authority and Data Practices Compliance Official
Bob Seward
Chief Solutions Officer 
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6036 
Email: bob.seward@sourcewelltech.org  

or to:

Data Practices Compliance Official
Susan Mussell
Chief Legal Officer 
2340 Energy Park Dr., Suite 200 
St. Paul, MN 55108 
Direct: 651-999-6216 
Email: susan.mussell@sourcewelltech.org

 

Data Inventory 

This page is intentionally left blank. Sourcewell Technology's Data Inventory dated 2014 (when Sourcewell Technology was operating as Technology and Information Educational Services (TIES)) under the Minnesota Government Data Practices Act (MGDPA) is attached for the following categories of data: 

  • Administration
  • Building
  • Finance
  • Health and Safety
  • Payroll 
  • Personnel
  • Transportation

Sourcewell Technology Data Inventory

Legend: ADM (Administration); BLD (Building); FIN (Finance); HSF (Health & Safety); PAY (Payroll); PER (Personnel); TRN (Transportation), SWT (Sourcewell Technology) 

SECTION: ADMINISTRATION 

Item        Name of Record, File, Process, Form or Data Type       Description       Data Practices Classifications/Statue       Employee Work Access

ADM00100

  Affidavit of Publication    Public Hearings, Budget Publication,   Public    

ADM00200

  Election Records    Ballots, Notices, Notifications   Public    

ADM00300

  Annual Reports to Executive Committee   Reports Generated (PER, Accountability Reports, formal Annual Report)    Public MS 120.811     

ADM00400

  Authority to Dispose of Records   Application for Authority to Dispose of Records form    Public/Private-Nonpublic MS 13.43, MS 13.32, MS 13.39    Department, Data and Product Managers 

ADM00900

  Correspondence/Administrative   Executive Director Unless Otherwise Specifically Addressed Elsewhere in Records Retention Schedule    Public/Private-Nonpublic MS13.32, MS 13.43   Executive/Admin Assistants and persons in other agencies working under contract with SWT providing the services of a confidential employee, may see this data 

ADM01000

  Court Case/Trial information   Litigation Correspondence    Public/Private-Nonpublic MS13.32, MS 13.43, MS 13.90   SWT employees who collect, gather, organize, analyze or distribute this data

ADM1010

  Court orders       Public/Private-Nonpublic MS13.32, MS13.43    SWT employees who collect, gather, organize, analyze or distribute this data are allowed to access it in the course of their duties related to the investigation 

ADM01100

  Grant Applications    Successful Applications 
 
  Public 
20 USC 123f(a)
   

ADM01110

 

Grant Applications

 

Unsuccessful Applications 

 

Public 

 

 

ADM01200

 

In-service Workshops

 

Attendance Records, Agenda and Materials (Employee Right to Know,

 

Public 

 

 

ADM01300

 

Inter District Cooperative Agreements 

 

Includes Vocational, Special Ed and Special Purpose Cooperatives formed by

 

Public 

 

 

ADM01400

 

Minutes

 

Executive Committee Minutes

 

Public 

 

 

ADM01410

 

Minutes

 

Officially Designated Committees 

 

Public 

 

 

ADM01420

 

Minutes

 

Other Than Referred to in ADM01300, ADM 01400, and ADM 01410

 

Public 

 

 

ADM01430

 

Minutes - Tape Recordings

 

Executive Committee Minutes Only

 

Public

 

 

ADM01440

 

Executive Committee Policies

 

 

 

Public

 

 

ADM01600 

 

Newsletters and Publications

 

 

 

Public

 

 

ADM01900 

 

Video Tapes

 

Building Security

 

Private-Nonpublic/Public MS13.32, MS13.43

 

SWT employees who collect, gather, organize, analyze or distribute this data are allowed to access it in the course of

ADM02000

  E-Mail and other electronic communications       Private-Nonpublic/Public MS 13.32 , MS 13.43   Executive/Admin Assistants, computer/technical staff, and persons in other agencies working under contract with SWT providing the services of a confidential employee may see this data

SECTION: BUILDING

Item       Name of Record, File, Process, Form or Data Type       Description       Data Practices Classifications/Statute       Employee Work Access

BLD00100

 

Accident/Damage Records

 

Property - Related

 

Public

 

 

BLD00200

 

Building Maintenance Records

 

 

 

Public

 

 

BLD00300

 

Building Permits

 

Applications (initial/interim), Inspection

 

Public

 

 

BLD00400

 

Building Program Records

 

Current and Projected Needs. Review

 

Public

 

 

BLD00500

 

Buildings and Grounds Records

 

Blueprints, Construction Specifications, Abstracts, Deeds, Title Papers, Final inspection Reports, Land and Building

 

Public

 

 

BLD00600

 

Fixed Asset Records

 

Equipment, Fixtures, and Materials, Inventory and Depreciation

 

Public

   

SECTION: FINANCE

Item

     

Name of Record, File, Process, Form or Data Type

     

Description

     

Data Practices Classifications/Statue

     

Employee Work Access

FIN00100

 

Abstracts/Deeds/Title Papers/Mortgages

 

See Buildings (See BLD00500)

 

 

 

 

FINS00200

 

Accounts Payable

 

Credit Memos, Freight Bills/Claims, Bills of Lading, Purchase Orders, Acknowledgments/Orders/Shipping Notices, Invoices and Purchasing Contracts, Claims/Vouchers, 1099

 

Public/Private-Nonpublic MS 13.43

 

Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in

FIN00210

 

W-9 Form

 

Credit Memos, Freight Bills/Claims, Bills of Lading, Purchase Orders, Acknowledgments/Orders/Shipping Notices, Invoices and Purchasing Contracts, Claims/Vouchers, 1099

 

Public/Private-Nonpublic MS 13.43

 

Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in

FIN00300

 

Year-End Financial Reports

 

Revenue and Expenditure Summary Transaction Reports

 

Public

 

 

FIN00305

 

Year-End Financial Reports

 

Revenue and Expenditure Detailed Transaction Reports

 

Public

 

 

FIN00310

 

Year-End Financial Reports

 

UFARS Revenue and Expenditure

 

Public

 

 

FIN00315

 

Year-End Financial Reports

 

Special Funded Projects Report

 

Public

 

 

FIN00325

 

Year-End Financial Reports

 

Includes: Clerks and Treasurer's Reports Register of Receipts & Disbursements, Treasurer's Annual Report, Treasurer's

 

Public

 

 

FIN00330

 

Year-End Financial Reports

 

Accounts Receivable Numbered Receipts, Accounts Receivable Invoices,

 

Public

 

 

FIN00335

 

Year-End Financial Reports

 

General Ledger, General Journals, Journal Entries, Disbursements Journal, Check Register Adopted and Revised Budget, Budget Publications, Balance

 

Public

 

 

FIN00400

 

Audit Reports

 

 

 

Public

 

 

FIN00500

 

Bank Statements/ Reconciliations

 

Checks, Canceled Returned or Voided

 

Public/Private-Nonpublic MS 13.43

 

Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in

FIN00510

 

Bank Statements/ Reconciliations

 

Statement of Pledged Securities

 

Public

 

 

FIN00600

 

Bonds and Coupons

 

Bond Ledgers/Registers

 

Public

 

 

FIN00700

 

Bond Issues - Official Statements

 

Enabling Documentation

 

Public

 

 

FIN00800

 

Building and Land Contracts

 

See Buildings (See BLD00500)

 

Public

 

 

FIN00900

 

County Auditor Statements

 

Tax Settlement Report and Taxes

 

Public

 

 

FIN01100

 

Insurance Documents

 

Fidelity/Surety Bonds

 

Public

 

 

FIN01110

 

Insurance Documents

 

Insurance Bids, Health, Dental, Life etc. (Accepted and Rejected)

 

Public

 

 

FIN01120

 

Insurance Policies

 

Heath, Property, Liability, etc., Policies, Amendments and Waivers

 

Public

 

 

FIN01200

 

Inventory

 

Year End Inventory List, Warehouse Listing, Library Holdings

 

Public

 

 

FIN01300

 

Lease/Agreements

 

 

 

Public

 

 

FIN01400

 

Levies

 

 

 

Public

 

 

FIN01500

 

Property Appraisals

 

 

 

Public

 

 

FIN01600

 

Sealed Bids

 

Successful and Unsuccessful

 

Public

 

 

FIN01700

 

Quotes

 

Successful and Unsuccessful

 

Public MS 471.345

 

 

FIN 02000

 

Transportation Contracts

 

With Independent Contractors

 

Public

   

SECTION: HEALTH & SAFETY

Item       Name of Record, File, Process, Form or Data Type       Description       Data Practices Classifications/Stature       Employee Work Access
HSF00100   Infectious Disease and Occupational Exposure Files   Files on each Employee Dealing with Safety and Training on Diseases such as Hepatitis and Aids. Retain in Employee's Medical File.   Public/Private-Nonpublic MS 13.43   Human Resources, Sr. Building Engineer and persons in other agencies working under contract with SWT providing Health & Safety services, may see this data
HSF00200   OSHA - Citations of Penalty   Notifications of Violations   Public/Private-Nonpublic MS 13.43   Human Resources, Sr. Building Engineer and persons in other agencies working under contract with SWT providing Health & Safety services, may see this data
HSF00300   OSHA - Employee Accident Reports   OSHA Report Numbers 200 and 101   Public/Private-Nonpublic MS 13.43   Human Resources, Sr. Building Engineer and persons in other agencies working under contract with SWT providing Health & Safety services, may see this data
HSF00400   OSHA - Employee Exposure Records   Any Information Concerning Employee Exposure to Toxic Substances or Harmful Physical Agents   Public/Private-Nonpublic MS 13.43   Human Resources, Sr. Building Engineer and persons in other agencies working under contract with SWT providing Health & Safety services, may see this data
HSF00500   Safety Committee Agendas and Minutes       Public    
HSF00600   Training Records - Right to know       Public    

SECTION: PAYROLL

Item       Name of Record, File, Process, Form or Data Type       Description       Data Practices Classifications/Statue       Employee Work Access
PAY00100   Cafeteria Plan Records       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff as needed basis.
PAY00300   Check Requests for Manual Checks   Lost or Missing Check Replacement, etc.   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential employee in finance area, may see this
PAY00500   Garnishments   Wage Garnishment, Notice of Bankruptcy, Wage Levy, and Related   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff as needed basis.
PAY00700   Payroll Register   Name; Address; Date of Birth; Occupation; Rate of Pay; Compensation Earned Each Week   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential employee in finance area, may see this
PAY0800   PERA Eligibility Sheets and Reports       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential employee in finance area, may see this
PAY0900   Prior Year's Quarterly FICA       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential employee in finance area, may see this
PAY01000   Quarterly Report of Local Government   Employees and Wages (Weeks or Hours Worked)   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in financial area
PAY01100   Salary Deduction       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in financial area
PAY01200   Voluntary Withholding   Requests for Withholding (United Way, Savings Bonds, etc.)   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential
PAY01300   Stop Payment Orders and Bonds       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff as needed basis.
PAY01400   Tax Reports   Federal, Minnesota and Other States   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in financial area
PAY01500   Tax Sheltered Annuity Contracts       Public/Private-Nonpublic MS 13.43 29 CFR §1627.3(b)(2)   Human Resource/Payroll and Finance staff as needed basis.
PAY01600   Tax Sheltered Annuity - Authorization   457 and 403(B) Plans   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in as a confidential
PAY01700   Time Sheets       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and computer/technical staff working on projects involving financial functions of SWT may see this data. Supervisors and managers of positions may also see this
PAY01800   TRA/PERA - Retirement Remittance Report   Monthly and Annual Reports   Public/Private-Nonpublic MS 13.43/354.52   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in financial area
PAY02000   W-2 Statements (Employer's Copy)       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff, and computer/technical staff working on projects involving financial functions of SWT may see this data and persons in other agencies contract with SWT providing service in financial area
PAY02100   W-4 Statements       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff as needed basis.

SECTION: PERSONNEL

Item       Name of Record, File, Process, Form or Data Type       Description       Data Practices Classifications/Statue       Employee Work Access
PER00100   Employee Medical Records   Any information Concerning the Health Status of an Employee which is Made or Maintained by A Physician, Nurse or Other Health Care Personnel, or Technician Includes Medical and Employment Questionnaires or Histories, Medical Exams, Medical   Private-Nonpublic MS 13.384 MS 13.43   Human Resource staff
PER00120   Request for Leave   Requests for Leave (Vacation, Sick, Personal)   Public/Private-Nonpublic MS 13.43   Human Resources/Payroll and supervisors or managers of the position
PER00200   Leave of Absence Reports   Formal Reports to PERA, TRA, etc., Regarding Unpaid, Executive Committee Approved Leaves   Public/Private-Nonpublic MS 13.43   Human Resources/Payroll or computer/technical staff working on projects involving financial functions of SWT may see this data
PER00210   Discrimination Claim Records   Sexual Harassment and Discrimination   Public/Private-Nonpublic Confidential MS 13.43, MS 13.39   SWT employees who collect, gather, organize, analyze or distribute this data are allowed to access it in the course of their duties related to the claim
PER0220   First Report of Injury       Private-Nonpublic MS 13.43, MS 176.231 MS 176.151   Human Resources or staff of another agency with which SWT contracts to provide the services of a confidential employee may also see data
PER00300   Applications for Employment/Resume/ Interview Documents   Not Hired. Any and all employment records, including but not limited to , application forms, resumes, cover letters, interview notes, interview questions and answers job inquiries,   Public/Private-Nonpublic MS 13.43, 29 CFR 1602.14(a), 29 CFR 1602.40, 29 CFR 1627.3(b)(1), Minn. Rules 5000.225   Admin Assistants, on a as needed basis as part of a specific work assignment, and supervisors and managers of the position and other persons involved in the hiring process may see this information
PER00310   Applications for Employment/Resume/and Supporting Documentation   Hired. Any and all employment records, including but not limited to, application forms, resumes, cover letters, interview notes, interview questions and answers, job inquires, rejection letter and other   Public/Private-Nonpublic MS 13.43 29 CFR, 1602.14(1), 29 CFR 1602.40, 29 CFR 1627.3(b)(1), Minn. Rules 5000.225   Admin Assistants, on a as needed basis as part of a specific work assignment, and supervisors and managers of the position and other persons involved in the hiring process may see this information
PER00500   Contracts and Assignments       Public    
PER00700   Equal Employment Opportunity Reports/Summary Data (EEOC/MNCRIS)       Public 29 CFR 1602.39    
PER01000   Insurance: Group Master Policies, Contracts and Agreements       Public    
PER01100   Insurance: Reports   Insurance Census, Premium Reports, Etc.   Public/Private-Nonpublic MS 13.43   Human Resource and persons in other agencies contract with SWT providing financial service, may see this data
PER01300   Insurance Records: Enrollment Cards       Public/Private-Nonpublic MS 13.43   Human Resource and persons in other agencies contract with SWT providing service in benefits area, may see this data
PER01400   Insurance Records: Employee On Leave of Absence   Employees on Leave of Absence, Family Medical Leave Act, Long-term Disability, Surviving Spouse, Terminated   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and persons in other agencies contract with SWT providing service in benefits area, may
PER02000   Long Term Disability Claims/Awards       Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and persons in other agencies contract with SWT providing service in benefits area, may
PER02100   Job Descriptions       Public    
PER02400   Pay Equity: Classification Studies and Working Papers       Public    
PER02500   Pay Equity: Summary       Public    
PER02700   Personnel Files - Individual   Citations, Personal History, References, and Letters of Appointment/Promotion, Performance /Termination/Resignation, I-9 forms, Evaluations, deficiency docs, direction & correction, reprimand,   Public/Private-Nonpublic MS 13.43   Human Resource staff. Supervisors or managers of the position may also see this data
PER02702   Employee's Response Letter to Any Document in Personnel File       Private-Nonpublic MS 13.43 MS122A.40, Subd.19   Human Resource staff. Supervisors or managers of the position may also see this data
PER02800   Recruitment Records   Relating to Posting, Recruitment, Selection, and Appointment to Each Position, Advertising   Public/Private-Nonpublic MS 13.43   Admin Assistants, and supervisors and managers of the position and other persons involved in the hiring process may see this information
PER03000   Unemployment Claims/Compensation   Claims for Unemployment   Public/Private-Nonpublic MS 13.43   Human Resource/Payroll and Finance staff as needed basis.
PER03100   Worker's Compensation - Claims   Injury Reports and Correspondence Dealing With injuries, Injury Reports and Correspondence Dealing With injuries   Private-Nonpublic MS 13.43, MS 176.231   Human Resource/Payroll and Finance staff as needed basis.
PER03200   Worker's Compensation   Claims Summary, Summary information From Carrier   Public/Private-Nonpublic MS 13.43, MS 176.131   Human Resource/Payroll and Finance staff as needed basis.

SECTION: TRANSPORTATION

Item       Name of Record, File, Process, Form or Data Type       Description Data Practices Classifications/Statue       Employee Work Access
TRN00200   Contractor Correspondence/Reporting     Public    
TRN00300   Contracts With Independent Contractors     Public    
TRN00800   Transportation Mileage Records     Public    

Breach Notification Policy

Policy Statement 

The purpose of this Breach Notification Policy is to provide guidance to Sourcewell Technology staff in the event of a potential data breach of Sourcewell Technology system. Generally speaking, under Minnesota law, Minn. Stat. §13.055, subd. 1 (a), a data breach occurs when an unauthorized data access is made with the intent to use the data for a nongovernment purpose. If it is determined that a breach has occurred, the next step ls to decide if and when notification is an appropriate response under Minn. Stat. §13.055, subd. 2 (a) and if so, to whom notification must be sent and the information that must be included.

In addition, as a state agency, Sourcewell Technology is subject to the provisions in Minn. Stat. §3.971, subd. 9, that requires notification to the Office of the Legislative Auditor (OLA) if government data "classified by chapter 13 as not public" (Emphasis added) may have been improperly accessed or used. Under this law, Sourcewell Technology may be obligated to notify the OLA even if notification under Minn. Stat. §13.055 is not required. 

NOTE: Because Sourcewell Technology is a Minnesota joint powers entity organized under Minn. Stat. §471.59, and the majority of its business is conducted in the state of Minnesota with Minnesota school districts and similar customers, the information in this Policy is based solely on applicable Minnesota law. However, Sourcewell Technology also provides software and related technology services to customers located outside of Minnesota. In the event of a data breach (or potential breach) in another state, Sourcewell Technology may be obligated to respond in a manner that complies with local laws. State security breach laws vary, for example, in the definitions of what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and, exemptions (e.g., for encrypted data, unintentional acquisition or inadvertent internal disclosure). Accordingly, the Breach Notification Team will engage local experts or consultants, e.g., legal counsel, as necessary to understand and comply with local applicable data breach laws. 
 


Keywords 

Data breach or breach
As used in this Policy, a data breach or breach is a "Breach of the security of the data" as defined in Minn. Stat. §13.055, subd. 1 (a): an "unauthorized acquisition of data maintained by a government entity that compromises the security and classification of the data. Good faith acquisition of or access to government data by an employee, contractor, or agent of a government entity for the purposes of the entity is not a breach of the security of the data, if the government data Is not provided to or viewable by an unauthorized person." (Emphasis added). 

Unauthorized acquisition
This is when a person has obtained, accessed, or viewed government data without the informed consent of the individuals who are the subjects of the data or without statutory authority - and with the intent to use the data for nongovernmental purposes. Minn. Stat. §13.055, subd. 1 (c).

Unauthorized person
This is any person who accesses government data without a work assignment that reasonably requires access to the data. Minn. Stat. §13.055, subd. 1 {d). 

Government data
This means all data collected, created, received, maintained or disseminated by any government entity (e.g., Sourcewell Technology) regardless of its physical form, storage media or conditions of use. Minn. Stat. 
§13.02, subd. 7. 

Private data
This is data on individuals that is not public and is accessible to the data subject. Private data is available to Sourcewell Technology employees with a legitimate need to know, or whose work assignments reasonably require 
access, and to other entities or individuals authorized by law. Minn. Stat. §13.02, subd. 12. 

Confidential data
This is data on individuals that Is not public and is not accessible to the data subject. Confidential data is available to Sourcewell Technology employees with a legitimate need to know, or whose work assignments reasonably require access, and to other entities or individuals authorized by law. Minn. Stat. §13.02, subd. 3. 
Not public data. For purposes of this Policy, not public data includes private and confidential data as defined above, and government data classified as private or confidential on a temporary basis. Minn. Stat. §13.02, subd. 8 (a). 

Person
This means any individual, partnership, corporation, association, business trust, or legal representative of an organization. Minn. Stat. §13.02, subd. 10. 



Breach Notification Team 

Sourcewell Technology has established a Breach Notification Team (the "Team") which consists of the following employees: 

  • Chief Operating Officer
  • Chief Solutions Officer
  • Principal Security Architect/Principal Enterprise Architect, CISSP
  • Chief Legal Officer
  • Human Resources Director

All Sourcewell Technology employees have an obligation to report a potential breach to one or more members of the Team. Upon notification of a potential incident, the Team will promptly begin an investigation of the incident consistent with this Breach Notification Policy, and similar policies, e.g., Sourcewell Technology Data Privacy and Security Policy. The Team will promptly select an incident lead who will coordinate the investigation as follows (the incident lead may vary depending on each case): 

  • Assign key tasks to each Team member.
  • Manage and coordinate Sourcewell Technology overall investigation and response efforts.
  • Act as the intermediary between the Team and Sourcewell Technology Board of Directors.
  • Manage time lines and ensure that the investigation and response efforts are documented from beginning to end. 
  • Engage the resources needed to manage the investigation and breach (e.g., employees, vendors, customers, consultants, outside legal counsel).

     

Determine Whether a Breach Has Occurred

In general, there has been a breach that triggers notification to affected individuals under Minn. Stat. §13.055, subd. 2 when all of the following apply: 

  • A person,
  • Views or takes private or confidential data,
  • Without permission or statutory authority, and
  • With the intent to use the private 6r confidential data for nongovernmental purposes

NOTE: An important factor to be taken into account by the Breach Notification Team in determining whether there has been a breach is whether or not the private or confidential data is encrypted. If the data is question is encrypted with sufficient complexity and security so that the unauthorized person will be unable to read or understand the data, then a breach of security as defined in Minn. Stat. §13.055, subd. 1 (a) has not occurred. Advisory Opinion 06-030 (Nov. 8, 2006). 

In the event of a breach under Minn. Stat. §13.055, individuals whose private or confidential data has been breached must be notified. Details of the required notice are set forth below on page 4.

 In general, there has been a breach that triggers notification to the OLA under Minn. Stat. §3.971, subd. 9 when all of the following apply: 

  • An entity (e.g., Sourcewell Technology),
  • Has knowledge that not public data may have been improperly accessed or used, and
  • Regardless of how the unauthorized party intended to use the not public data

The duty to notify the OLA is broader than the duty to notify individuals under Minn. Stat. §13.055. Under Minn. Stat. §3.971, the OLA should be notified if there is a possibility of a breach -and regardless of whether the unauthorized party intended to use the not public data for nongovernmental purposes.

Comparison of Minn. Stat. §13.055 and Minn. Stat. §3.971 

Minn. Stat. §13.055        Minn. Stat. §3.971 
  • When a person with no reasonable, work-related need to access private or confidential data,
  • Views or takes the data,
  • With the intent to use the data for purposes unrelated to his/her job, then
  • The subjects of the data must be notified.
 
  • When an entity has knowledge that not public data may have been improperly accessed or used,
  • Regardless of how the unauthorized party intended to use the not public data, then
  • The OLA must be notified .

Examples of when OIA notification is required, but the notice provision in Minn. Stat. §13.055 is not triggered: 

  • Accidental access of a not public database by a government employee
  • Incorrectly typing an email address and sending not public data to the wrong government employee
  • Inadvertently reading a report with not public data without an appropriate work assignment

Each of the above examples require corrective action and notice to the OLA, but does not require notice to affected individuals under Minn. Stat. §13.055 because of the lack of wrongful intent. 

 

How Breaches Often Occur 

Common examples of how breaches occur are described below. This list is not intended to be all inclusive: 

  • Lost or stolen laptops, or removable storage devices (e.g., flash drives), or smartphones that contain private or confidential data. 
  • Databases containing private or confidential data are hacked by individuals outside of Sourcewell Technology.
  • Employees access private or confidential data without a work assignment.
  • Misguided or misaddressed emails or faxes that contain private or confidential data. 
  • An individual outside of Sourcewell Technology deceives an employee into improperly releasing another individual's private or confidential data. 

Requirements of a Breach Notification to Individuals Under Minn. Stat. §13.055, subd. 2 (a) 

Sourcewell Technology may provide written notice to affected individuals by either first class mail per Minn. Stat. § 3.055, subd. 4 (a), or by electronic notice per Minn. Stat. §13.055, subd. 4 (b) (consistent with the provisions regarding electronic records and signatures set forth in Section 7001, U.S. Code Title 15, Electronic Signatures in Global and National Commerce Act). The notice must comply with the following requirements:

  • Be in writing,
  • Inform the individual that a report will be prepared about the breach investigation,
  • State how the individual may obtain access to the report and that he/she may request a copy of the report by mail or email, and 
  • Be sent without unreasonable delay (consistent with: (1) the legitimate needs of a law enforcement agency per Minn. Stat. §13.055, subd. 3, and (2) any measures necessary to determine the scope of the breach and to restore the reasonable security of the data). 

Substitute notice may be provided if the cost of providing written notice exceeds $250,000, or if the group of individuals to be notified exceeds 500,000, or if Sourcewell Technology does not have sufficient contact information for the individuals. Minn. Stat. §13.055, subd. (c). Substitute notice consists of all the following: 

  • Email notice if Sourcewell Technology has the email addresses for the affected individuals,
  • Conspicuous posting of the notice on Sourcewell Technology website, and 
  • Notification to major media outlets that reach the general public within Sourcewell Technology jurisdiction. Minn. Stat. §13.055, subd. (c) (i) (ii) and (iii). 

     

Breach Incident Response 

There is no single way of responding to a data breach and each breach will need to be dealt with on a case-by-case basis. That being said, the Team should complete following Ten Steps in the first 24 hours from learning of a data breach: 

  1. Record the date and time the breach was discovered and when response efforts began.
  2. Contain the breach. Stop any additional data loss. For example, shut down the system that was breached, revoke computer access privileges, and recover mishandled paper files.
  3. Gather and protect evidence that may be needed by law enforcement.
  4. Determine the cause and extent of the breach.
  5. Determine who Is or may be Impacted including the states in which any affected individuals reside.
  6. Document everything known about the breach including who discovered it, who reported it, to whom it was reported, who else knows about it, what type of breach occurred, what data was compromised, what systems are affected, what devises are missing, was the data encrypted, etc. 
  7. Access priorities and risks based on what is known about the breach.
  8. Review protocols regarding the notification process.
  9. Advise the Executive Committee of the breach.
  10. Launch crisis communications process.

After the checklist in the Ten Steps in the first 24 hours is completed, to keep the response plan on track, the following Next Steps should be taken: 

  1. Fix the issue that caused the breach: delete any hacker tools, determine if there are other security gaps or risks, replace any affected hardware with clean equipment, implement security precautions as necessary to prevent the same type of breach, document when and how the breach was contained, etc. 
  2. Continue working with forensics: analyze backup, preserved or reconstructed data sources, ascertain the number of likely individuals affected, determine the type of information that was compromised, begin to align compromised data with school districts or other affected customers and individuals -and addresses for notification.
  3. Identify legal obligations. Review applicable state and federal laws, and contractual obligations that apply to Sourcewell Technology data, determine the people and entities that need to be notified, e.g., individuals, school districts and other customers, state agencies, the OLA, the media, etc., ensure that notifications occur within mandated deadlines.
  4. Reports: maintain daily breach reports, routinely update the overview of priorities and progress as well as problems and risks that could interfere with the process. For example, other projects and business initiatives may need to be delayed within the organization in order to complete the breach response process.
  5. Communication with the Board of Directors of Sourcewell Technology: continue regular reports to the Board of Directors as required.
  6. Continue media communications as necessary.
  7. Consider notifying law enforcement: conduct that constitutes a knowing unauthorized acquisition of not public data is a misdemeanor and willful violations are subject to criminal penalties and are just cause for suspension without pay or dismissal. Minn. Stat. §13.09. If law enforcement is involved, they may request that Sourcewell Technology wait to notify affected individuals in order to avoid impacting their investigation. 

     

Breach Investigation Report, Minn. Stat. §13.055, subd. 2 (b) 

If a breach occurs, Sourcewell Technology is required to complete an report upon completion of the investigation. The report must include the facts and results of the investigation. 

If a breach involved unauthorized access to or acquisition of data by an employee, contractor, or agent of Sourcewell Technology, the report must at a minimum include: 

  • A description of the data that were accessed or acquired, and 
  • The number of individuals whose data was improperly accessed or acquired. 

In addition to the information described above, if there has been a final disposition of disciplinary action against an employee, the report must also include: 

  • The name of each employee responsible for the unauthorized access or acquisition, and 
  • The final disposition of any disciplinary action taken against each employee in response. 

 

ver.2019.10