Purpose

This bill creates a new requirement for state and local agencies to track and log key actions involving not public data (often called private or restricted data). The goal is to improve accountability and oversight by keeping a formal record of how such data is created, received, changed, accessed, shared, or disseminated.

Main Provisions

• Establishment of audit trail procedures: The responsible authority must set up procedures so that every action involving not public data—when it is created, received, changed, accessed, shared, or disseminated—is recorded in a data audit trail.
• What must be recorded:
  • the date of the action
  • the identity of the person interacting with the data
  • if the data came from another government entity or person, the identity of that sending entity or person
  • if the data is shared outside the government entity, the identity of the receiving entity or person
• Data classification: Information stored in the audit trail must have the same classification as the underlying data it tracks.
• Retention period: Audit trails must be kept for at least ten years or until the underlying data is destroyed per the entity’s approved records retention schedule.
• Non-supersession and conflicts: This new requirement does not override other audit trail rules in state law, and any conflicts with other rules are to be resolved based on existing law (section 645.26, subdivision 1).

Scope and Application

• Applies to actions involving not public data, including creation, receipt, changes, access, sharing, and dissemination of that data.

Relationship to Existing Law

• Adds a new subdivision (5a) to Minnesota Statutes 2024, section 13.05.
• Clarifies how this new audit trail interacts with other audit trail requirements and how conflicts should be resolved.

Practical Effects and Requirements

• Agencies will need to implement or update systems and processes to log not public data actions in an audit trail.
• Staff may require training on new procedures.
• The change strengthens traceability and accountability for handling non-public data over time.

Considerations

• Balances enhanced data governance with existing audit trail requirements.
• Emphasizes long-term recordkeeping for data actions, which could affect privacy controls and data management practices.

---

Relevant Terms not public data data audit trail audit trail date of the action identity of the person interacting with the data sending government entity receiving government entity data classification records retention schedule retained for ten years Minnesota Statutes 2024 section 13.05 section 138.17 section 645.26 subdivision 1 responsible authority government entity private data restricted data data governance log of actions