 January 8, 2013  Posted by  Breaches, Govt

Eric Roper of The Star Tribune has been all over the problems with rampant misuse of the Minnesota driver’s license database. In another report yesterday, he focused on the difficulties of finding out who is accessing citizens’ files:

The Minnesota Department of Public Safety, which oversees the driver’s license database, refuses to tell people the names of users — generally public employees — who have looked up their information. Perhaps the most high-profile citizen getting stonewalled by the state is Hennepin County Sheriff Rich Stanek, who is sparring with the department over what he believes were inappropriate queries into his driver’s license records…. Stanek learned in June that employees at 21 agencies, including his own office, had accessed his records over several years. Some of the queries came from as far away as Wells, Minn., a small town 117 miles south of Minneapolis that he has never visited. The Department of Public Safety would not provide him with the names of the users.

Part of the problem may lie in how the law is written. Roper reports:

Members of the public have rights under the Minnesota Data Practices Act to access government information about themselves.

But the public safety department told Stanek that provisions of the law governing undercover officers and security data prevented it from releasing the names.

In a separate letter a month later, the agency changed its legal reasoning for the refusal and instead cited an obscure section of the law concerning “electronic access data.”

In previous blog entries, I’ve expressed my serious concerns that the state is simply doing a godawful job of controlling and monitoring access to the database. If someone’s records can be accessed 200 times by police officers all over the state and the system never flagged the access as suspicious or worthy of investigation – and protection of the individual’s records – something is seriously wrong in Minnesota data protection.

In a statement, Department of Public Safety spokesman Bruce Gordon said protecting the database from misuse is a priority for the department.

He said the agency has begun random audits to catch inappropriate access and already does regular audits of the heaviest users.

“While we are able to provide the summary of an audit, the department has consistently withheld the names of those who have accessed the data based on Minnesota law, which says the data are private,” Gordon said.

Random audits are not sufficient. Nor is asking an agency to investigate itself for improper conduct of its employees the best way to clean house. The state needs to invest in a system that is constantly monitoring access and flagging inquiries based on some criteria. And employees who misuse the system need to be fired in a highly publicized move so that the word gets out that the state is serious about cracking down on misuse of the database.

Read more on Star Tribune.
