It’s important that you understand the facts surrounding the city of Minneapolis investigation into a potential data breach related to the leak of a draft report by the Office of Police Conduct Review (OPCR) examining Minneapolis Police Department (MPD) involvement in pre-hospital sedation (“City looks for leak in report on ketamine,” Aug. 1).
The responsible authority, in this case the city clerk, is mandated under the Minnesota Data Practices Act (Section 13.055) to investigate such leaks to determine if any private or confidential data were breached.
The first outcome of any such investigation is to determine if a data breach occurred. If a breach is determined to have happened, then the responsible authority (the city clerk) is required to determine the extent of that breach and who was affected and to provide notice to those individuals.
Suggestions that investigating the scope and circumstances of a potential data breach somehow goes against the spirit of the Minnesota Free Flow of Information Act misunderstands that act, the investigation and the Data Practices Act — the foundational law for government transparency in Minnesota.
The Free Flow of Information Act provides important protection for journalists and provides a “privilege not to reveal sources of information or to disclose unpublished information.” There has not been, and will not be, any effort to obtain any information related to the breach from the Star Tribune.
The Data Practices Act sets the framework for government transparency. The DPA protects the work of the oversight body (in this case the OPCR) by making it confidential data while the work is in progress. This helps insulate the work from any potential internal or external pressures. Once completed, the audit becomes public. This ensures transparency.
The DPA also protects transparency from efforts to shut down or suppress an audit. If, for some reason, the audit is abandoned without publication, the law makes the draft work public once the audit is no longer actively pursued. If, for some reason, the final version of the audit was substantially revised, the law safeguards transparency by making draft versions public upon final publication. In all these scenarios, the Data Practices Act provides for transparency.
Once the Star Tribune obtained and wrote about the leaked study (“Mpls. cops ordered suspects drugged,” June 15, and other coverage), the OPCR auditors concluded “it is no longer possible to finish an independent analysis of the issues involved” (page 6 of the published report). If events had followed the framework envisioned in the DPA, the public would have benefited from effective oversight as well as transparency.
The city must perform an investigation. The Star Tribune, as the purported recipient of leaked information, has more insight into the circumstances and scope of a possible breach than the city.
Without performing an investigation, the city can merely speculate on the scope of a possible data breach, whether more data are still at risk and what steps are needed to ensure that city data are appropriately and securely managed.
Casey J. Carl is the Minneapolis city clerk.