Minnesota Data Practices Act: Minn. Stat. sec. 13.01 et seq.
Subd. 3. General standards for collection and storage.
Collection and storage of all data on individuals and the use
and dissemination of private and confidential data on
individuals shall be limited to that necessary for the
administration and management of programs specifically
authorized by the legislature or local governing body or
mandated by the federal government.
Subd. 4. Limitations on collection and use of data.
Private or confidential data on an individual shall not be
collected, stored, used, or disseminated by political
subdivisions, statewide systems, or state agencies for any
purposes other than those stated to the individual at the time
of collection in accordance with section 13.04, except as
provided in this subdivision.
(a) Data collected prior to August 1, 1975, and which have
not been treated as public data, may be used, stored, and
disseminated for the purposes for which the data was originally
collected or for purposes which are specifically approved by the
commissioner as necessary to public health, safety, or welfare.
(b) Private or confidential data may be used and
disseminated to individuals or agencies specifically authorized
access to that data by state, local, or federal law enacted or
promulgated after the collection of the data.
(c) Private or confidential data may be used and
disseminated to individuals or agencies subsequent to the
collection of the data when the responsible authority
maintaining the data has requested approval for a new or
different use or dissemination of the data and that request has
been specifically approved by the commissioner as necessary to
carry out a function assigned by law.
(d) Private data may be used by and disseminated to any
person or agency if the individual subject or subjects of the
data have given their informed consent. Whether a data subject
has given informed consent shall be determined by rules of the
commissioner. The format for informed consent is as follows,
unless otherwise prescribed by the HIPAA, Standards for Privacy
of Individually Identifiable Health Information, 65 Fed. Reg.
82, 461 (2000) (to be codified as Code of Federal Regulations,
title 45, section 164): informed consent shall not be deemed to
have been given by an individual subject of the data by the
signing of any statement authorizing any person or agency to
disclose information about the individual to an insurer or its
authorized representative, unless the statement is:
(1) in plain language;
(2) dated;
(3) specific in designating the particular persons or
agencies the data subject is authorizing to disclose information
about the data subject;
(4) specific as to the nature of the information the
subject is authorizing to be disclosed;
(5) specific as to the persons or agencies to whom the
subject is authorizing information to be disclosed;
(6) specific as to the purpose or purposes for which the
information may be used by any of the parties named in clause
(5), both at the time of the disclosure and at any time in the
future;
(7) specific as to its expiration date which should be
within a reasonable period of time, not to exceed one year
except in the case of authorizations given in connection with
applications for (i) life insurance or noncancelable or
guaranteed renewable health insurance and identified as such,
two years after the date of the policy or (ii) medical
assistance under chapter 256B or MinnesotaCare under chapter
256L, which shall be ongoing during all terms of eligibility,
for individual education plan health-related services provided
by a school district under section 125A.21, subdivision 2.
The responsible authority may require a person requesting
copies of data under this paragraph to pay the actual costs of
making, certifying, and compiling the copies.
(e) Private or confidential data on an individual may be
discussed at a meeting open to the public to the extent provided
in section 13D.05.
From the sound of the above statute and additional Minnesota law, your agency falls under the Data Release and Personnel Records statutes and cannot be released without your permission. Therefore, a simple solution would be not to give that permission or to give it conditionally upon all personal data being redacted.