Minnesota Department of Human Services moves to delete emails, worrying transparency advocates
The Minnesota Department of Human Services building on Lafayette Road in St. Paul.
Jiwon Choi | MPR News
Next month, the Minnesota Department of Human Services will begin deleting emails after a year. Staff will decide which emails contain official records that should be saved, the St. Paul Pioneer Press reports.
The DHS says this change will protect privacy, but transparency advocates are concerned that those deleted emails will contain information the public needs to have in order to hold government accountable.
Rep. Jim Nash works in cybersecurity, and he's minority whip of the Minnesota House. He spoke with MPR News host Cathy Wurzer.
Use the audio player above to listen to the full conversation.
Subscribe to the Minnesota Now podcast on Apple Podcasts, Google Podcasts, Spotify or wherever you get your podcasts.
We attempt to make transcripts for Minnesota Now available the next business day after a broadcast. When ready they will appear here.
Create a More Connected Minnesota
MPR News is your trusted resource for the news you need. With your support, MPR News brings accessible, courageous journalism and authentic conversation to everyone - free of paywalls and barriers. Your gift makes a difference.
Audio transcript
INTERVIEWER: Another story we're following. Next month the Minnesota Department of Human Services will begin deleting emails after a year. Now, that might not sound exciting, but it is important. The St. Paul Pioneer Press reports that staff will decide which emails contain official records that should be saved. The agency says this change will protect privacy, but transparency advocates are concerned that those deleted emails will contain information the public needs to have in order to hold government accountable.
Republican state representative Jim Nash works in cybersecurity. He's the minority whip of the Minnesota house. Welcome to the program.
JIM NASH: Kathy, thank you for having me on.
INTERVIEWER: Thanks, representative. The Department of Human Services, as you know, is a massive agency overseeing a lot of money. It's had problems in the past with issues of oversight and accountability. So why does this matter?
JIM NASH: Well, I think you just define the parameters of why it matters is when an agency that is that big, has that much responsibility, and has that much funding going behind it that has also a track record of some failures I think that almost requires a longer retention policy so that when something goes wrong, again, we have the ability to go back and look at the records of what transpired leading up to the problem.
INTERVIEWER: We received a statement from DHS saying that this new policy is designed to protect data, including emails, by categorizing the data, placing it in appropriate secure locations. And additionally, they say this is going to increase efficiency. And then, the spokesperson wrote email box has become a default repository for information containing large volumes of private data that are both difficult to manage plus more data at risk in the event there is a data breach. So might this policy serve to better protect sensitive data from a breach?
JIM NASH: Well, it could, but it also begs the question about what's going to happen to the data that is inside these inboxes once they're deleted. If there is a long-term offsite backup, perhaps in the cloud or on-premises or a combination of the two, then we have a different conversation. But they've not answered that particular question. What they've said is we're going to be deleting emails, and then that's the end of the story.
For people who want to look at a history of what's transpired leading up to an issue, there has to be the ability to go back in time and look at the conversations that led up to this. And you know yourself as a journalist if you've done a data request that's predicated on that data is still being retained. And if it's not there, we can't find out what happened.
INTERVIEWER: Right. In terms of-- you are correct about that. Local county governments, though, have made similar moves in the past 10 years or so, including Saint Paul. The arguments for these changes were that they make public records requests more efficient and save money on data storage. As a guy who works in cybersecurity, does that make sense to you, especially the data storage part?
JIM NASH: Yeah, before I entered cybersecurity, I worked in data storage. I owned an analyst firm, and I can tell you that storage is unbelievably cheap. You can store petabytes yottabytes, that's the largest amount, you can store yottabytes of data for cheap. And simply saying that this is going to make everything better is really sort of a prevarication of the issue.
INTERVIEWER: You know what is the balance, in your opinion, between protecting private data and public access to it? There's clearly a balance here.
JIM NASH: Well, there is a balance. But when you're looking at an organization, let's just pick the most recent and highest profile problem with the feeding our future. If we've-- if we've learned anything from that, it's that we should be holding on to things that we can have a backward view into and learn what happened, when did it happen, who did it, and what decisions were made leading up to all the things that transpired.
Once again, if you're getting rid of that data and you're purging that data, the public is the one that's going to wind up losing. And I would remind the agency, and everybody who's listening to your show is it's the public's money that's funding all of this. And I think the public has a right to be able to follow what's going on.
INTERVIEWER: We're talking about a state agency, but you know, I probably should know the answer to this question when you were talking about seeing how decisions have been made. An email trail is-- can be very interesting and helpful. Is the state legislature subject to similar data retention rules?
JIM NASH: That is an excellent question, and the answer is no. But from my perspective, it should be. I would probably get a fair amount of disagreement from my colleagues. But once again, we're not-- we're not talking about the legislature at this point in time, we're talking about an agency that has a fairly glorious background in high-profile mess-ups. And simply saying that this is this is for the betterment of all, and we're going to make things easier, better, faster, cheaper, I don't think that this is a particularly wise idea.
And once again, I agree with the folks who have made critical statements about this, saying that a year is simply not enough time. And there are appropriate policies that you can set relative to the retention of the data, but a year is not, in my estimation, a particularly good unit of time.
INTERVIEWER: Perhaps maybe it's time to look at the data practices act of 1974 and maybe update it for all agencies, including the legislature perhaps.
JIM NASH: Well, if it-- yeah. It came into existence in 1974, and the whole notion of data has changed dramatically. And I think that that is a thing that we're going to want to look at. And you know, when you have two people who are on antipodal ends of the political spectrum talking about this, myself and senator Marty, I think that you've got something there that has to be actionable. I think that what you'll see in this next legislative session being, the policy session, is probably a bill that would require something longer than the period of time that the agency has defined for itself.
INTERVIEWER: Don Gemberling, who I know you know, is a data privacy expert with state ties, and he is excellent at what he does. He says efforts have been made in the past to try to update the data practices, act and it just has gone nowhere. Why do you think that is? Do you have any opinion on that?
JIM NASH: I think sometimes it falls to the partisanship that we have. But once again, referencing the statement made by senator Marty, I think that there are seasons of time when things become more and more prescient. And I think that we're entering into that time right now. I think that you're going to see democrats, republicans, house members, senators, all come together and say so if we're going to track down the next feeding our future, and there will be something. It's just-- it's, I think, an incontrovertible fact that there will be more problems, we're going to have to have access to that data.
And I think that the legislature being what we are, which is the policy creators for the state, we should wisely come up with a policy that protects both the people who work at the agency but also the taxpayer. And my perspective is the taxpayers should be in the first chair.
INTERVIEWER: All right. I appreciate your time, representative. Thank you so much.
JIM NASH: My pleasure. Thanks for having me on.
INTERVIEWER: We've been talking to republican state representative Jim Nash, who happens to work in cyber security. He's also the minority whip in the Minnesota House.
Republican state representative Jim Nash works in cybersecurity. He's the minority whip of the Minnesota house. Welcome to the program.
JIM NASH: Kathy, thank you for having me on.
INTERVIEWER: Thanks, representative. The Department of Human Services, as you know, is a massive agency overseeing a lot of money. It's had problems in the past with issues of oversight and accountability. So why does this matter?
JIM NASH: Well, I think you just define the parameters of why it matters is when an agency that is that big, has that much responsibility, and has that much funding going behind it that has also a track record of some failures I think that almost requires a longer retention policy so that when something goes wrong, again, we have the ability to go back and look at the records of what transpired leading up to the problem.
INTERVIEWER: We received a statement from DHS saying that this new policy is designed to protect data, including emails, by categorizing the data, placing it in appropriate secure locations. And additionally, they say this is going to increase efficiency. And then, the spokesperson wrote email box has become a default repository for information containing large volumes of private data that are both difficult to manage plus more data at risk in the event there is a data breach. So might this policy serve to better protect sensitive data from a breach?
JIM NASH: Well, it could, but it also begs the question about what's going to happen to the data that is inside these inboxes once they're deleted. If there is a long-term offsite backup, perhaps in the cloud or on-premises or a combination of the two, then we have a different conversation. But they've not answered that particular question. What they've said is we're going to be deleting emails, and then that's the end of the story.
For people who want to look at a history of what's transpired leading up to an issue, there has to be the ability to go back in time and look at the conversations that led up to this. And you know yourself as a journalist if you've done a data request that's predicated on that data is still being retained. And if it's not there, we can't find out what happened.
INTERVIEWER: Right. In terms of-- you are correct about that. Local county governments, though, have made similar moves in the past 10 years or so, including Saint Paul. The arguments for these changes were that they make public records requests more efficient and save money on data storage. As a guy who works in cybersecurity, does that make sense to you, especially the data storage part?
JIM NASH: Yeah, before I entered cybersecurity, I worked in data storage. I owned an analyst firm, and I can tell you that storage is unbelievably cheap. You can store petabytes yottabytes, that's the largest amount, you can store yottabytes of data for cheap. And simply saying that this is going to make everything better is really sort of a prevarication of the issue.
INTERVIEWER: You know what is the balance, in your opinion, between protecting private data and public access to it? There's clearly a balance here.
JIM NASH: Well, there is a balance. But when you're looking at an organization, let's just pick the most recent and highest profile problem with the feeding our future. If we've-- if we've learned anything from that, it's that we should be holding on to things that we can have a backward view into and learn what happened, when did it happen, who did it, and what decisions were made leading up to all the things that transpired.
Once again, if you're getting rid of that data and you're purging that data, the public is the one that's going to wind up losing. And I would remind the agency, and everybody who's listening to your show is it's the public's money that's funding all of this. And I think the public has a right to be able to follow what's going on.
INTERVIEWER: We're talking about a state agency, but you know, I probably should know the answer to this question when you were talking about seeing how decisions have been made. An email trail is-- can be very interesting and helpful. Is the state legislature subject to similar data retention rules?
JIM NASH: That is an excellent question, and the answer is no. But from my perspective, it should be. I would probably get a fair amount of disagreement from my colleagues. But once again, we're not-- we're not talking about the legislature at this point in time, we're talking about an agency that has a fairly glorious background in high-profile mess-ups. And simply saying that this is this is for the betterment of all, and we're going to make things easier, better, faster, cheaper, I don't think that this is a particularly wise idea.
And once again, I agree with the folks who have made critical statements about this, saying that a year is simply not enough time. And there are appropriate policies that you can set relative to the retention of the data, but a year is not, in my estimation, a particularly good unit of time.
INTERVIEWER: Perhaps maybe it's time to look at the data practices act of 1974 and maybe update it for all agencies, including the legislature perhaps.
JIM NASH: Well, if it-- yeah. It came into existence in 1974, and the whole notion of data has changed dramatically. And I think that that is a thing that we're going to want to look at. And you know, when you have two people who are on antipodal ends of the political spectrum talking about this, myself and senator Marty, I think that you've got something there that has to be actionable. I think that what you'll see in this next legislative session being, the policy session, is probably a bill that would require something longer than the period of time that the agency has defined for itself.
INTERVIEWER: Don Gemberling, who I know you know, is a data privacy expert with state ties, and he is excellent at what he does. He says efforts have been made in the past to try to update the data practices, act and it just has gone nowhere. Why do you think that is? Do you have any opinion on that?
JIM NASH: I think sometimes it falls to the partisanship that we have. But once again, referencing the statement made by senator Marty, I think that there are seasons of time when things become more and more prescient. And I think that we're entering into that time right now. I think that you're going to see democrats, republicans, house members, senators, all come together and say so if we're going to track down the next feeding our future, and there will be something. It's just-- it's, I think, an incontrovertible fact that there will be more problems, we're going to have to have access to that data.
And I think that the legislature being what we are, which is the policy creators for the state, we should wisely come up with a policy that protects both the people who work at the agency but also the taxpayer. And my perspective is the taxpayers should be in the first chair.
INTERVIEWER: All right. I appreciate your time, representative. Thank you so much.
JIM NASH: My pleasure. Thanks for having me on.
INTERVIEWER: We've been talking to republican state representative Jim Nash, who happens to work in cyber security. He's also the minority whip in the Minnesota House.
Download transcript (PDF)
Transcription services provided by 3Play Media.