What Minnesota Schools Should Know About

Why Minnesota Schools Must Understand the MGDPA

The Minnesota Government Data Practices Act (MGDPA) is a state law governing how Minnesota school districts manage government data—including student records, employee files, and emails. Understanding it isn't optional; it's the law.

Quick Answer: What Minnesota Schools Need to Know

• Who it applies to: All Minnesota public school districts, charter schools, and state agencies.
• What it covers: All data collected, created, or maintained by schools, from paper files to emails.
• Key principle: All government data is presumed public unless a law classifies it otherwise.
• Data classifications: Public, Private, Confidential, Nonpublic, or Protected Nonpublic.
• Your obligations: Respond to data requests, provide Tennessen Warnings, and designate a Responsible Authority.
• Response times: 10 business days for data subjects; a "reasonable time" for public requests.
• Penalties: Civil penalties up to $1,000 per violation, plus potential criminal charges.

The MGDPA balances your school's need for data, the public's right to transparency, and individuals' right to privacy. School districts regularly face data requests from parents, reporters, and community members. Failing to comply can lead to lawsuits, fines, and a loss of community trust.

Compliance doesn't have to be complicated. With the right procedures, you can protect student and staff privacy while meeting your legal obligations. Since many data breaches begin with phishing attacks that trick employees, getting a phishing audit is a smart first step to understanding your school's vulnerabilities.

Quick Minnesota Government Data Practices Act (MGDPA) definitions:

• All About FERPA: The Federal Student Privacy Law That Still Matters in 2025
• All About New York’s Education Law § 2-d: Student Data Privacy, Explained
• What to Know About the California Consumer Privacy Act (CCPA) for Schools

Understanding the Minnesota Government Data Practices Act (MGDPA)

Codified in Minnesota Statutes Chapter 13, the Minnesota Government Data Practices Act (MGDPA) is Minnesota's rulebook for government information. It balances government transparency with individual privacy.

The default rule is simple: all government data is presumed public unless a specific law says otherwise. This means anyone can request to see information unless it's explicitly protected. While this ensures accountability, the Act also creates classifications to protect sensitive data like student health records or employee Social Security numbers.

Who Does the MGDPA Apply To?

The MGDPA applies to nearly all Minnesota government entities, including state agencies, counties, cities, and school districts. It can also apply to private companies that perform governmental functions under contract, such as a vendor managing your student information system. The only major exceptions are the legislature and the judicial branch.

What is 'Government Data' in a School Context?

The MGDPA defines "government data" broadly as "all data collected, created, received, maintained, or disseminated by any government entity regardless of its physical form." In a school, this includes:

• Paper documents: Enrollment forms, personnel files.
• Emails: Administrative memos, parent communications.
• Computer files: Digital gradebooks, financial spreadsheets.
• Student and employee records: Transcripts, health information, performance reviews.
• Other media: Security camera footage, audio recordings, photos, and even drafts or notes.

Essentially, if it's recorded in any form and held by the school, it's government data. You can find more details in the Data Practices Laws and Rules.

Core Principles: Access and Privacy

The MGDPA is built on four key principles:

1. Government Accountability: The presumption of public data allows the community to see how schools operate, building trust.
2. Individual Privacy: The Act protects sensitive personal information by classifying it as private or confidential.
3. Limited Data Collection: Schools can only collect data necessary to administer programs authorized by law.
4. Security Safeguards: Districts must establish security measures to protect data. This makes cybersecurity critical, as phishing attacks can lead to breaches of protected data. A phishing audit can help identify and address these vulnerabilities.

Data Classifications: Protecting Student and Staff Information

The Minnesota Government Data Practices Act (MGDPA) uses a detailed classification system to determine who can access what information. The system distinguishes between data on individuals (linked to a specific person) and data not on individuals (general information like budgets).

Understanding these classifications is key to handling data requests correctly.

These classifications are defined in Minn. Stat. §13.02 and Minn. R. 1205.0200. The federal law FERPA also protects student records, and when it overlaps with the MGDPA, the law providing stronger privacy protection generally applies.

Public vs. Private Data in Schools

Public school data is open to anyone. Examples include:

• School board meeting minutes and agendas
• Budgets and financial records
• Vendor contracts
• Policy manuals
• Employee salaries and benefits
• Student directory information (e.g., name, address, activities), but only if parents have been given a chance to opt out.

Private school data is protected and accessible only to the data subject and authorized individuals. Examples include:

• Student educational data (grades, disciplinary records, health information, IEPs)
• Staff personnel data (performance evaluations, medical information)
• Social Security numbers (always private)
• Job application materials (private until the finalist stage)

Understanding Confidential, Nonpublic, and Protected Nonpublic Data

These are the most restrictive classifications for highly sensitive information.

• Confidential data (on individuals) is so sensitive that even the data subject cannot access it, such as certain active criminal investigative data.

• Nonpublic data (not on individuals) is not public but may be accessible to certain parties. Examples include preliminary drafts of documents or data related to ongoing negotiations.

• Protected nonpublic data (not on individuals) is the most restricted category. It includes security information, active investigation data, attorney-client privileged communications, and trade secret data. Releasing this information could jeopardize school safety, legal cases, or district interests. This is why protecting against phishing attacks that target such information is so important, and a phishing audit can reveal your risks.

Rights, Requests, and Responsibilities for Minnesota Schools

The Minnesota Government Data Practices Act (MGDPA) gives individuals rights to access data and places clear responsibilities on school districts to protect it and respond to requests.

The 'Tennessen Warning': A Critical Requirement

When you ask an individual to provide private or confidential data about themselves, you must give them a Tennessen Warning. This notice explains:

1. Why you are collecting the data.
2. Whether they are legally required to provide it.
3. The consequences of providing or refusing to provide it.
4. Who else may have access to it.

This is required when collecting information like a parent's social security number on an enrollment form or a new employee's personal details. The best practice is to include this warning in writing directly on the collection form. Learn more at the official Tennessen Warning page.

Handling Data Requests: A Step-by-Step Guide for the Minnesota Government Data Practices Act (MGDPA)

Handling data requests correctly is crucial for legal compliance and community trust.

• Who can request? Anyone can request public data. A "data subject" (e.g., a parent requesting their child's records) can request both public and private data about themselves.
• How to request? Requests should go to the district's Responsible Authority. The request must be specific enough for you to find the data. You can require proof of identity for private data requests.
• Timelines: You have 10 business days to respond to a data subject's request for their own data. For public data requests, you must respond in a "reasonable amount of time."
• Inspection vs. Copies: Anyone can inspect public data for free. If they want copies, you can charge for them. For the public, you can charge up to $0.25 per page (for 100 or fewer pages) or actual costs for larger requests. For data subjects requesting their own data, you can only charge the actual cost of making copies, not for staff time to search for it.
• Denying a request: If you deny a request, you must cite the specific law that makes the data non-public.

The Role of the 'Responsible Authority' in a School District

Every school district must designate a Responsible Authority (typically the superintendent) to oversee data practices compliance. This person, or their designee, is accountable for:

• Establishing written procedures for handling data requests.
• Ensuring the district only collects necessary data.
• Maintaining data security safeguards.
• Preparing an annual public data inventory describing all private and confidential data the district maintains, as required by Minn. Stat. §13.05.

This role is vital for navigating the line between transparency and privacy. Just as IT security protects data from external threats, the Responsible Authority protects it through proper compliance. A phishing audit can help ensure your security safeguards are effective against common threats.

MGDPA Compliance in the Digital Age and Consequences

The Minnesota Government Data Practices Act (MGDPA) applies to everything from student information systems to email archives. While digital records are efficient, they also present unique compliance and security challenges.

How the MGDPA Applies to School Emails and Digital Records

Many people don't realize that work emails are government records. The MGDPA is clear: data in any "physical form, storage media, or conditions of use" is covered. This means every email sent or received by school employees for official duties is government data and subject to MGDPA classifications and requests.

Personal emails on a work account are not government data, but they are often mixed with official business. This requires a time-consuming review process for data requests, where each message must be checked and redacted if it contains non-public information.

Districts cannot charge requestors for the cost of redacting data. The sheer volume of digital records makes strong data management, clear retention policies, and robust cybersecurity essential. A successful phishing attack could expose vast amounts of private data, leading to MGDPA violations.

Consequences of Non-Compliance with the Minnesota Government Data Practices Act (MGDPA)

Violating the MGDPA carries significant consequences that are both financial and reputational.

• Civil Penalties: A court can order the district to comply with the law and impose a civil penalty of up to $1,000 per violation. The district may also be required to pay the other party's attorney fees and costs.
• Criminal Penalties: An individual who willfully violates the MGDPA can be found guilty of a misdemeanor.
• Disciplinary Action: Public employees who willfully violate the Act can be disciplined, suspended, or dismissed from their jobs.
• Loss of Trust: Beyond legal penalties, non-compliance erodes the trust of parents, staff, and the community. A data breach or improper disclosure can cause severe and lasting reputational damage.

Most violations are preventable and stem from a lack of knowledge or inadequate procedures. Proper training and clear policies are key. Since phishing is a common cause of data breaches, getting a phishing audit is a practical step toward identifying vulnerabilities and ensuring MGDPA compliance.

Frequently Asked Questions about the MGDPA in Schools

Navigating the Minnesota Government Data Practices Act (MGDPA) can be complex. Here are answers to some of the most common questions we hear from Minnesota school districts.

What is the difference between the MGDPA and FERPA?

This is a common point of confusion. The key difference is scope:

• FERPA (Family Educational Rights and Privacy Act) is a federal law that applies nationwide and focuses only on protecting student education records.
• The MGDPA is a Minnesota state law that covers all government data held by state and local entities, including schools. This includes student records, employee files, financial data, emails, and more.

When it comes to student records, both laws apply. FERPA often defines the data as private, and the MGDPA provides the framework for how Minnesota schools must handle it.

Can a school charge me to see my child's data?

It depends on what you're asking for:

• To inspect or review records: No. Inspection of your child's data at the school is always free.
• To get copies of records: Maybe. The school can charge you for the actual cost of making the copies (e.g., paper and toner). However, they cannot charge you for the staff time it takes to find, retrieve, or redact the data.

Many parents find that reviewing records in person and taking photos with their phone is a convenient and free option.

Are the names of people who make data requests public information?

Yes, in most cases. Information about who requests public data—including your name and what you asked for—is itself considered public data. This is part of the MGDPA's core principle of government transparency, as it allows the public to see how government entities are responding to requests.

If you have privacy concerns, you can ask your district's Responsible Authority about their procedures for anonymous requests, though identification is often required when requesting data about yourself or your child.

Understanding these rules is a key part of data security. To see how well your staff can spot threats that could compromise this data, consider getting a phishing audit to identify potential vulnerabilities.

Conclusion: Strengthening Your School's Data Practices and Security

The Minnesota Government Data Practices Act (MGDPA) is the cornerstone of how Minnesota schools manage the balance between public transparency and individual privacy. It's a complex law, but compliance is achievable with the right approach.

Key takeaways for your school:

• Data is Public by Default: Always assume data is public unless a specific law classifies it as private or confidential.
• Compliance is a Team Effort: From the superintendent to the front office, every staff member who handles data has a role in MGDPA compliance.
• Preparation is Essential: Having clear procedures for handling data requests prevents last-minute scrambling and ensures you meet legal deadlines.
• Cybersecurity is Compliance: The MGDPA requires security safeguards. Protecting your district from phishing attacks and other cyber threats is a legal obligation, not just an IT issue.

Proactive compliance builds trust with your community and protects your district from costly fines and reputational damage. At CyberNut, we know your biggest vulnerability is often the human element. A single click on a phishing email can undermine all your MGDPA procedures.

Want to know where your school stands? Get a complimentary phishing audit to see how your team responds to simulated, real-world phishing attempts. You'll gain concrete insights into your vulnerabilities and learn where to focus your training.

Cybersecurity training is central to MGDPA compliance. Learn more about cybersecurity training for schools and find how our gamified, low-touch approach can keep your staff vigilant without adding to their workload. Protect the data you're entrusted with every day.