Statutory Data Practices Act Report - Redacted
Date: November 30, 2022
To: Theresa Schyma, City Clerk/Data Practices Responsible Authority
From: Surya Saxena
Greene Espel, PLLP
Re: Minnesota Government Data Practices Act Investigation Report
Greene Espel, PLLP was retained by the City of Golden Valley [hereinafter
“Golden Valley” or the “City”] to conduct an investigation into alleged breaches of
security under the Minnesota Government Data Practices Act (“MGDPA”) and to
prepare an investigative report pursuant to Minn. Stat. § 13.055 subd. 2(b). This
investigative report describes the facts required by the aforementioned subsection
of the MGDPA.
EXECUTIVE SUMMARY
Greene Espel concluded that former Golden Valley Police Officer Kristen
Hoefling violated the MGDPA by making, disseminating (both inside and outside of
the City’s secure computer network), and making unauthorized use of
unauthorized recordings of multiple non-public staff meetings attended by City
police officers, City staff, and members of City leadership. The statements and
comments made during the recorded meetings by the attendees constituted
private personnel data protected under the MGDPA.
Hoefling also violated the MGDPA by engaging in the unauthorized
collection, dissemination (both inside and outside of the City’s secure computer
network), and use of private personnel data regarding a candidate for an open
position with the City.
Hoefling was terminated from her employment with the City, in part based
on her violations of the MGDPA. Prior to issuance of this report, the City complied
with and completed all requisite disciplinary procedures in connection with
Hoefling’s termination.
2
In addition to the MGDPA violations by Hoefling, Greene Espel investigated
other violations of the MGDPA related to unauthorized acquisition of the same
private personnel data.
SCOPE AND METHOD OF INVESTIGATION
Greene Espel reviewed the following categories of information in connection
with its investigation:
1) Email 1 collected from the City’s journaled back-up for certain user
accounts, including former Officer Hoefling’s email account and the email address
assigned to the City’s multifunction printer/scanners.
2) Cisco WebEx meeting attendance data;
3) Kristen Hoefling’s City internet browser history;
4) Publicly available information, including information on the Facebook
social media platform; and
5) Video and audio recordings made by Hoefling;
6) Microsoft Outlook meeting attendance tracking information;
7) Applicable City Policies; and
8) Email correspondence and public data collected by City management.
1 Greene Espel received a copy of certain emails from Hoefling’s City email account on or about
April 20, 2022. In early October 2022, the City and Greene Espel determined that the initial
production of Hoefling’s email from the City to Greene Espel was incomplete. Greene Espel
received a revised production of Hoefling’s email on October 19, 2022. Certain additional
relevant emails, including this April 16, 2021 email, were identified from that revised production.
However, Greene Espel determined that the revised production was still incomplete.
Subsequently, on or about November 15, 2022, Greene Espel learned that the City’s productions
of Hoefling’s emails were incomplete as the result of an email system migration conducted by
the City’s IT staff and vendors. Greene Espel received a complete production of Hoefling’s emails
for the period January 1, 2021 through April 30, 2022 on November 15, 2022.
3
Greene Espel also conducted interviews of certain City employees. It should
be noted that Hoefling declined to participate in a City-required interview regarding
her conduct.
DESCRIPTION OF THE TYPE OF DATA THAT WAS ACCESSED AND ACQUIRED.
I. Unauthorized Recordings of Staff Meetings and Distribution of Recordings
Within and Outside the City’s Secure Network.
A. Recording and Dissemination of April 15, 2021 Virtual Meeting Using
Hoefling’s Personal Phone and Storage of the Recordings on the City’s
Network.
On April 14, 2021 at approximately 1:13 p.m., Deputy City Manager/HR
Director Kirsten Santelices sent an email to all Golden Valley employees:
4
Shortly afterward, a police officer sent the following email to all Golden Valley
Employees in response to the above email:
5
In part in response to this email, members of City management attended a
recurring Police Department Webex meeting on April 15, 2021 at approximately
7:00 p.m. All of the regular invitees to this recurring meeting were Golden Valley
Police Department officers and non-officer employees of the police department.
The City’s WebEx account was used to facilitate the virtual meeting.
The meeting was typically held each month at 7:00 p.m. The meeting was
scheduled at 7:00 p.m. because officer shifts changed around that time. Scheduling
the meeting around a shift change allowed a greater number of officers who were
either ending or beginning their shifts to attend the meeting. Police Department
command staff began scheduling the meeting during the pandemic to
communicate with officers regularly.
6
During the April 15, 2021 meeting, the participants’ conversation was limited
exclusively to work-related topics. The participants discussed policing practices
and policies; City policies, including the City’s Equity and Inclusion policy; workplace
morale; public perceptions regarding policing; specific policing incidents,
encounters, and results; certain City management decisions; and policing practices.
The participants’ statements regarding these topics were only relevant because of
their status as City employees and/or City police officers. Further, Hoefling and
other participants were only able to access and participate in the meeting by virtue
of their employment with the City. The meeting was an internal staff meeting, and
it was not open to the public.
Hoefling recorded the April 15, 2021 meeting using her personal cell phone
by pointing the phone’s camera at an iPad that was used to log into the WebEx
meeting. On April 16, 2021, Hoefling sent an email 2 to some, but not all, Golden
Valley Police Officers stating that she had recorded the meeting and had saved files
containing portions of the recording on the “G:” drive, a network location on the
City’s secure network accessible to employees within the Police Department:
2 A segment of the email describing private personnel data has been redacted. Email addresses
and phone numbers have also been redacted.
7
8
The evidence demonstrates that none of the attendees were aware that
Hoefling was recording the meeting. Greene Espel has not found any evidence that
Hoefling requested consent from anyone before beginning to record the meeting.
Although Hoefling states in the above email that she “recorded the meeting last
night for retention purposes,” there is no evidence that anyone asked or directed
her to do so, or that she had the authority to make the recording for any purpose.
The video recording also captured Hoefling’s own exasperated exclamations
and commentary that was not audible to other attendees during the meeting. For
example, at approximately 7:44 p.m., Hoefling stated, while muted on the WebEx,
“I’m going to fucking quit.” This statement was not audible to other meeting
attendees, but was clearly audible on the recording that was saved on the City’s
computer network.
Further, a review of Hoefling’s recording shows that personal text messages
(via iMessage) among Hoefling and other Golden Valley Police Officers can be seen
on the video as they pop up as notifications on Hoefling’s iPad. These personal
text messages were plainly not intended by their senders to be part of the staff
meeting, because the same messages easily could have been sent using the chat
function of WebEx, but were not. These messages provided Officers’ personal
reactions to the subjects being discussed during the meeting.
On October 12, 2021, a Golden Valley citizen posted the following message
on the “Everything Golden Valley” Facebook group page, referencing and quoting
a post made elsewhere by a recipient of the above email from Hoefling:
9
10
In response to this post, on October 12, 2021 at 5:44 p.m., the following was
publicly posted and it referenced the existence of Hoefling’s recording of the April
15, 2021 meeting on the Police Department’s G: drive:
11
12
The next day, October 13, 2021, City administrative staff became aware of
the existence of the recording as a result of this Facebook comment. On October
14, 2021, IT staff were instructed to prevent City employees from being able to
access or modify the recording on the G: drive.
Shortly thereafter, the City decided to seek an advisory opinion from the
Commissioner of Administration as to whether, based on the facts available to the
City at the time, Hoefling’s conduct constituted a violation of the MGDPA.
Accordingly, the City sent two letters to the Commissioner of Administration, dated
October 26, 2021 and November 4, 2021 detailing the City’s understanding of the
relevant facts and analysis of the applicable MGDPA issues at the time. The
Department of Administration issued the requested advisory opinion on November
29, 2021. Minn. Comm’r of Admin. Advisory Opinion [hereinafter “Advisory
Opinion”] 21-007.
Likely on the morning of October 25, 2021 3, after learning that the City was
seeking a Department of Administration Opinion regarding the matter, members
of the command staff interviewed Kristen Hoefling regarding the recording. They
later prepared a memorandum summarizing the conversation. In the
memorandum, they state as follows:
3 On October 25, 2021, one of the interviewers sent an email indicating that the interview
occurred on the morning of October 25, 2021, however in a short memorandum of the
conversation prepared on or about December 7, 2021, the interviewers suggested the meeting
occurred on October 22, 2021.
13
Months later, on or about March 4, 2022, Hoefling sent a Microsoft Teams
chat message to a member of the City’s IT staff asking that person to delete the
recording of the April 15, 2021 meeting that Hoefling had saved to the G: drive:
The IT staff member did not delete the video recording and informed the City
Attorney of Hoefling’s request.
Greene Espel’s investigation revealed that Hoefling disseminated the
recording on several occasions in addition to saving the recording on the City’s G:
drive. In Hoefling’s April 16, 2021 email about her recording of the April 15, 2021
meeting, she noted that the entire recording was still saved on her personal phone,
and she offered to send it to anyone who requested it. She further noted that she
had saved the video in many different formats.
On April 16, 2021, an employee of the City’s police department used their
City email account 4 to request that Hoefling send the employee a segment of the
video recording to what appeared to be the person’s personal cell phone number.
The request appeared to be based on Hoefling’s statement in her email that “I have
it saved in many different formats for safe-keeping…” Greene Espel does not have
any evidence demonstrating whether Hoefling sent the recording to the personal
cell phone number as requested.
Also on April 16, 2021, another employee of the police department
employee emailed Hoefling that the other employee had also audio-recorded the
meeting 5, and to request that Hoefling send the employee a copy of the video clip
expressly referenced in Hoefling’s email. This exchange occurred using both
4 This email and others were not initially available to Greene Espel.
5 The City was not aware of any additional audio recordings of the April 15, 2021 meeting until
approximately October 7, 2022. Further investigation is necessary to determine whether this
audio recording exists and whether this conduct resulted in additional unauthorized acquisitions
of private personnel data.
14
parties’ City email addresses. Again, Greene Espel does not have evidence to
demonstrate whether Hoefling actually sent the requested video to the employee
in response to this request.
On July 21, 2021, Hoefling sent an email using her City email account to an
individual at a gmail.com email address, outside the City’s secure network. In the
email, Hoefling described her personal opinions and understanding of certain City
policies and policing priorities. Towards the bottom of her July 21, 2021 email,
Hoefling provided the Gmail user with a link to a video of the April 15, 2021 meeting
on the public cloud storage website Dropbox.com. The file title of the linked item
on Dropbox.com is consistent with the file title of one of the files comprising the
recording of the April 15, 2021 meeting. Greene Espel attempted to access the link
Hoefling included in this email, but Dropbox.com returned a message stating “This
item was deleted.”
On July 28, 2021, Hoefling used her City email address to send two
Dropbox.com links to two then-current members of police command staff. Greene
Espel attempted to access the link Hoefling provided, but Dropbox.com returned a
message stating “This item was deleted.” City administrative leadership did not
learn of the existence of the recordings until the October 12, 2021 Facebook post.
On August 5, 2021, Hoefling used her City email address to send herself, at
her own City email address, a Dropbox.com link. The link is currently not accessible.
B.Hoefling Also Recorded and Disseminated Staff Meetings held on May
13, 2021 and November 18, 2021.
Greene Espel interviewed certain employees in June 2022. Two
employees verified that Hoefling sent multiple recordings to other employees
from Hoefling’s personal cell phone.
One employee provided Greene Espel with a Dropbox.com link that the
officer received from Hoefling. Greene Espel was able to access the link.
Hoefling’s Dropbox folder was entitled “secret,” and included the following
files and subfolder:
15
16
All of the files in the primary “secret” folder, which the exception of the file entitled
“HR.mov” comprised different segments of Hoefling’s recording of the April 15,
2021 meeting.
The subfolder “may 13” was found to contain several files comprising
segments of a recording Hoefling made of a May 13, 2021 staff meeting. The City
was not aware that Hoefling had recorded the May 13, 2021 meeting until Greene
Espel learned about the Dropbox.com link in June 2022.
The May 13, 2021 meeting was the second of two meetings (the first of which
was held on May 11, 2021) that were scheduled at the request of police command
staff. Approximately half of the then-employed police officers in the department
were invited to each meeting. The May 11 and May 13, 2021 meetings were held
via WebEx. Members of the public were not invited to either of the sessions, and
the discussions during each session were focused on the City’s Diversity, Equity,
and Inclusion (“DEI”) work and policing issues. There is no evidence that the
meeting was recorded by anyone else or that anyone attending the meeting gave
consent for Hoefling to record it.
Hoefling attended the May 13, 2021 meeting and made a recording by
positioning a video camera in view of her City issued laptop computer. Although it
is unclear exactly where Hoefling was located, it appears that she recorded the
meeting in a City building, likely in the Police Department’s offices, in a cubicle or
office space. A desk and file cabinets are visible on the video.
17
As shown above, the main “secret” folder on Dropbox also contained a file
entitled “HR.mov.” This video recording begins by showing the same office that is
visible in Hoefling’s video of the May 13, 2021 meeting. The phone or other video
camera that was used to make the recording is placed inside a bag within a few
moments of the beginning of the recording. After being placed inside the bag, the
video remains dark and nothing can be seen for the vast majority of the
approximately one hour and fifteen minute long recording.
After the video recorder was placed inside the bag, it captured an audio
recording of an in-person meeting among the City Manager, the Deputy City
Manager, Police Department staff, and Officer Hoefling. The in-person meeting
occurred on November 18, 2021, and neither the City Manager or the Deputy City
manager were aware that the meeting was being surreptitiously recorded by
Hoefling using a recording device concealed in a bag. No one provided consent for
the meeting to be recording on the recording itself. During the meeting, the
participants discussed the contents of the April 15, 2021 meeting, policing issues,
City policies, and other work-related matters. During the last two seconds of the
recording, Hoefling removed the recording device from the bag and ended the
recording. A short segment of video is visible when Hoefling removed the recording
device from the bag depicting what appears to be the carpet in a City conference
room.
II. Hoefling Saved and Distributed Federal Court Records Regarding a
Candidate for City Employment Both Inside and Outside the City’s Secured
Network.
In February 2022, Hoefling served on a hiring committee and helped
interview candidates for a position with the City. On February 28, 2022, Hoefling
was informed that the City would be interviewing two finalists for the position, and
the City publicized the names of the finalists. 6
On Tuesday March 1, 2022, Officer Hoefling, using her City network user
account “khoefling” began conducting background research regarding one of the
finalists (“Finalist 1”) using publicly available internet resources. At approximately
11:41 a.m. on March 1, 2022, Hoefling looked at the “Job Opportunities” page on
6 Pursuant to Minn. Stat. § 13.42 subd. 3, “[n]ames of applicants shall be private data
except…when applicants are considered by the appointing authority to be finalists for a position
in public employment.”
18
the Minnesota Department of Safety website. Approximately five minutes later,
Hoefling conducted a google search for information related to Finalist 1 based on
information in the Finalist’s resume and public reporting regarding the candidate.
After visiting the “Golden Valley City Issues / GV Covid-19 Info” group on
Facebook, Hoefling then visited a website based on Finalist 1’s work history and
public information about Finalist 1. She next proceeded to run a Google search for
an individual who was identified as potentially having background information on
Finalist 1.
Hoefling next visited the “contact us” page for a newspaper, which had
reported information regarding Finalist 1’s work history. Next, Hoefling visited the
US Courts’ PACER (i.e. “Public Access to Court Electronic Records”) website and
registered a new account to search for and retrieve public federal court records
from the site. After registering a PACER account, Hoefling appears to have visited
multiple different pages within the PACER site, attempting to find court records
related to Finalist 1. After visiting several different PACER search pages and the
PACER site for a particular court based on Finalist 1’s prior work locations, Hoefling
accessed the link to Finalist 1’s resume that had been sent to Hoefling via her City
email account, and which resided on the City’s network.
Hoefling then accessed US Bankruptcy Court records, followed by numerous
case records filed with a different court with jurisdiction over a location from
Finalist 1’s work history. She then spent time alternating between court records
filed with both of the courts she identified based on Finalist 1’s work history and
public reporting. She then reviewed a post on the “Golden Valley City Issues / GV
Covid-19 Info” Facebook page related to the hiring process. She then returned to
reviewing records filed with the two above-referenced federal districts. Next, she
reviewed dockets and documents filed within the District of Minnesota.
It appears that Hoefling stopped conducting background research regarding
Finalist 1 on PACER using her City network account at approximately 3:17 p.m. on
March 1, 2022.
On the evening of March 1, 2022, Hoefling likely reviewed posts on the
“Everything Golden Valley” Facebook group page prior to searching for court
documents related to Finalist 1, and she also posted in the Facebook group as part
of a discussion regarding the hiring process. This conclusion is based on Hoefling’s
City browser history and the context of posts in a thread on the “Everything Golden
19
Valley” Facebook group page. Hoefling used a pseudonym Facebook account to
view and make posts on March 1.
Hoefling’s browser history shows that on March 2, 2022, Hoefling repeatedly
accessed the Facebook profile page and account settings tools for the user profile
“ronny.mars.3” with the visible screen name of “Roni Macready.” Hoefling
accessed the “MANAGEYOURPOSTS” page and the “GROUPANDEVENT”
management pages for the “ronny.mars.3”/ “Roni Macready” account. Beginning
at approximately 1:39 p.m. and continuing through approximately 3:08 p.m. on
March 2, 2022, Hoefling accessed numerous account-related settings associated
with the aforementioned Facebook account, including privacy and security
settings, account management pages, post management, video searches, “trash”
and deleted items, comments, and profile details. Hoefling also repeatedly
navigated to the profile deletion and deactivation pages, and ultimately deleted
the “ronny.mars.3” account and the “Roni Macready” screenname.
As the result of Hoefling’s deletion of the account (and likely individual
posts), posts and comments made by the screen name “Roni Macready” were not
available to Greene Espel as part of this investigation. However, Facebook posts
that mention “Roni Macready” remain visible on Facebook and strongly indicate
that Hoefling used that screenname and account to review and make posts
regarding the City’s search hiring process. Hoefling commented in a long chain
related to a February 19, 2022 post in the “Everything Golden Valley” group
regarding the identification of the finalists for the position:
20
21
22
23
24
Based on the dates of the surrounding posts, as shown above, it appears that
Hoefling reviewed and posted information related to the hiring process on March
1, 2022 using the pseudonym screen name of Roni Macready.7
On March 2, 2022, between approximately 9:57 a.m. and 10:10 a.m.,
numerous emails and attachments were sent from the Golden Valley Police
Department’s multifunction printer (“MFP”) to members of City Leadership and to
certain others. These emails, sent from the MFP’s general email address did not on
their face disclose the name of the individual who used the device to send the
emails. The emails attached scanned versions (some with limited highlighting) of
PACER downloads of court dockets and documents Hoefling had retrieved from
courts with jurisdiction over Finalist 1’s prior work locations involving Finalist 1 as
a party.
PACER header information on one of the docket sheets that was emailed
from the MFP lists the time the docket was retrieved as March 1, 2022 at 1:59 p.m.
This date and time exactly matches the time and date of Hoefling’s retrieval of a
docket sheet from the PACER site using her City network account.
7 Notably, Hoefling also used at least one other pseudonym Facebook account, with username
“Khrystin Höfling” and the screenname “Korky Hoffman.”
25
In addition to emails sent from the MFP, Greene Espel reviewed emails
containing the aforementioned court documents that were sent to former Golden
Valley police officers at their City email addresses. Notably, the same court
documents were also sent from the MFP to Kristen Hoefling’s City email address.
On March 2, 2022 at approximately 5:48 p.m., Hoefling used her city email
account to send a 103 page document to a yahoo email address. The document
was one of the same sets of court records involving Finalist 1 that had previously
been sent from the MFP to numerous recipients as detailed above. Approximately
one minute later, Hoefling used her City network account to navigate to the Yahoo
webmail account for the aforementioned yahoo email address, indicating that this
email address was used by Hoefling as well. Subsequently, Hoefling also navigated
to the Yahoo webmail site for a “ymail” email address with a portion of Hoefling’s
first and last name in the username. This demonstrated that Hoefling used multiple
Yahoo-based email accounts.
Subsequently, on March 14, 2022, Hoefling accessed the PACER site again.
However, Greene Espel has not identified any similar email traffic sending any
documents that may have been saved during this visit.
On the afternoon of March 2, 2022, after City leaders received the court
documents in emails from the MFP email address, City IT staff was asked to try to
identify the documents that had been sent from the MFP and who had sent the
documents. An IT employee took a screenshot of the log file from the MFP, listing
the emails that had been sent from the MFP that day:
26
27
Notably, this scan log screenshot indicates that an email was sent from the MFP to
an email address at CCX media – a news site that often publishes news stories
regarding Golden Valley city issues – attaching a 103-page document shortly after
a 103 page document was sent to Hoefling and other City leaders and staff. Greene
Espel did not locate the email to “sgoins@ccxmedia.org” in the journaled Microsoft
Exchange back-up of the MFP’s emails, however.
The IT employee who took the MFP log screenshot informed Greene Espel
that the MFP only stores its last 100 print jobs, and therefore that a more complete
version of the log file was not available after Greene Espel began its investigation.
Greene Espel does not have any evidence that explains why there was no copy of
an email to “sgoins@ccxmedia.org” within the City’s email backup for the MFP,
despite that email being listed on the log file. Typically, Microsoft Exchange’s
journaling function should save at least one iteration of every email sent from or
received by a City email address.
LEGAL ANALYSIS AND CONCLUSIONS
I. Hoefling Violated the MGDPA by Collecting and Disseminating the Meeting
Recordings and Court Records.
A. Hoefling’s Recordings and the Public Court Filings She Retrieved
Became Government Data Subject to the MGDPA.
The MGDPA applies to “government data,” and creates a presumption that
government data is generally public, “unless there is federal law, a state statute, or
a temporary classification of data that provides that certain data are not public.”
Minn. Stat. § 13.01 subd. 3. The Act further establishes an obligation for
government entities (and by extension, by government employees) to secure
government data that is deemed “private” or “confidential,” as discussed further
below.
“Government data” is “all data collected, created, received, maintained or
disseminated by any government entity regardless of its physical form, storage
media or conditions of use.” Minn. Stat. § 13.02, subd. 7a. This definition sweeps
broadly and extends to data that is otherwise publicly available that is collected by
a government employee acting in their capacity as a government employee. See
KSTP-TV v. Metro. Council, 884 N.W.2d 342, 347–48 (Minn. 2016) (accepting as an
uncontroversial premise that video recording of the activity on public buses
28
became government data); Cf id. at 351 (Lillehaug, J. dissenting) (disagreeing with
the majority and arguing that public data should not be converted to government
data based solely on government collection of the data); Advisory Opinion 08-028
(a Superintendent’s unannounced and otherwise unauthorized recording of a
public-school board meeting on his personal cell phone became government data).
The Commissioner of Administration has opined that “[t]he most important
factor in determining whether the data are government data is if [the government
employee] was acting in [her] capacity as [a government employee] when [she]
made the recording.” Advisory Opinion 08-028.
1. The Recorded Meetings.
Both the April 15 and May 13 meetings were virtual meetings conducted
using the City’s WebEx platform. The November 18, 2021 meeting was an in-
person meeting in a City conference room. All of the attendees at all three
meetings were employees of the City. The subjects discussed were exclusively
employment-related, including police officer morale, DEI work, and specific
policing incidents. The meetings were not open to the public.
Hoefling was only allowed to attend the aforementioned meetings because
of her role as a police officer and City employee. Further, the comments Hoefling
made during the meetings were work-related. Her role at the meetings was to
receive information about City policies and initiatives, to participate in a dialogue
about those initiatives, and to offer thoughts about how to improve employee
morale within the police department.
Based on the circumstances of the meetings and Hoefling’s own conduct
during the meetings, we conclude that Hoefling was acting in her capacity as a City
employee when she made the recordings of the meetings. Accordingly, we
conclude that the recordings of all three of the meetings constituted government
data because all of the attendees, and the individual who made the recording, were
acting in their capacity as government employees at all relevant times.
This conclusion is consistent with the Commissioner of Administration’s prior
apposite Advisory Opinions, which have established that even data residing on an
employee’s personal device is government data if the data was collected in the
employee’s capacity as a government employee. See Advisory Opinion 08-028
(Superintendent’s recording of public-school board meeting on his personal phone
29
was government data); Advisory Opinion 12-019 (concluding that text messages,
emails, and letters among members of the Duluth Airport Authority were
government data regardless of whether such communications occurred using
private devices or involving mail to personal addresses).
2. The Court Records Involving Finalist 1.
We further conclude that the court documents Hoefling collected from the
public PACER database and subsequently stored and disseminated on the City’s
email system also constitute government data because she was acting in her
capacity as a City employee when she did so. Hoefling collected the court records
regarding Finalist 1 on March 1, 2021, using her City network account and her work
computer – both of which were only issued to her as the result of her employment
with the City. The next day, Hoefling then used a City MFP device to disseminate
the court materials she collected to other employees and elected officials through
the City’s secure network. She disseminated the materials using the recipient’s City
email addresses and the MFP’s City email address. Notably, Hoefling had herself
participated in earlier stages of the hiring process as an interview panelist – a role
she took on only because of her status as a City employee. These circumstances all
lead to the conclusion that Hoefling was acting in her capacity as a City employee
when she collected public court records regarding Finalist 1 and disseminated them
using the City’s email system. Accordingly, we conclude that the court records she
saved and disseminated were government data subject to the MGDPA.
B. The Recorded Meetings and Court Records Are Private Personnel Data.
As discussed below, the MGDPA establishes an obligation for government
entities and government employees not to misuse private personnel data.
Personnel data is “government data on individuals maintained because the
individual is or was an employee of or an applicant for employment by, performs
services on a voluntary basis for, or acts as an independent contractor with a
government entity.” Minn. Stat. §13.43, subd. 1. Other than certain data
specifically enumerated in Minn. Stat. § 13.43, subd. 2, “[a]ll other personnel data
is private data on individuals.” The Commissioner of Administration has clarified
that it is not just data that is “maintained” by a government entity that constitutes
“personnel data,” but that data that is “collected or created…because an individual
is or was an employee of a government entity” constitutes personnel data as well.
See Advisory Opinion 02-003.
30
1. The Recordings.
In response to a request for an advisory opinion regarding Hoefling’s
recording of the April 15, 2021 meeting, the Commissioner of Administration
indicated that the subjects discussed during the April 15 and May meetings (e.g.
discussions about race equity in policing and police officer morale) are likely
“private” under Minn. Stat. § 13.43 subd. 4, because this is not the type of data
expressly described as public under Minn. Stat. §13.43, subd. 2 (e.g. an employee’s
“name,” “job title,” and “work location.”)
The content, audio, and video comprising the data reflected in the recordings
does not constitute public personnel data under Minn. Stat. § 13.43 subd. 2.
Indeed, with the notable exception of the names of the City employees
participating in the meeting (some of whom did not use their real names as screen
names on the WebEx virtual meetings), virtually all of the content of the meetings
constitutes private personnel data. The data was collected and created exclusively
because the individuals present held positions within the City government and
police department, and because the meeting participants were discussing City
policy and police department morale. Hoefling would not have had any reason to
participate in or record the meetings if the statements made during the meetings
were made in the declarants’ personal capacities rather than in their capacities as
City employees and leaders. Indeed, the meetings were only important to Hoefling
because they were discussing work-related issues.
Accordingly, we conclude that all three recordings were primarily comprised
of private personnel data, which was collected because the subjects of the
recordings were employees of the City.
2. The Court Records.
As noted above, data collected or maintained because a person is an
“applicant for employment by…a government entity” is also classified under the
MGDPA as private personnel data. Minn. Stat. §13.43, subd. 1 (emphasis added).
There is little doubt, therefore, that the court records Hoefling collected regarding
Finalist 1 were private personnel data, because the only reason she collected (and
then reviewed and distributed) the records was because Finalist 1 was an applicant
for a position with the City. As explained above, the mere fact that the data was
publicly available on PACER does not prevent the data from becoming private
personnel data under the MGDPA if it was collected or maintained because its
31
subject was an applicant for City employment. See KSTP-TV, 884 N.W.2d at 350
(explaining that otherwise public data (video of activity on a public bus) becomes
private personnel data if the data was maintained because just one subject of the
video was a government employee).
C. Hoefling’s Use and Dissemination of the Recordings and the Court
Records Violated the MGDPA.
Although it should go without saying, private personnel data is not “public”
under the MGDPA and access to such data is restricted. See Minn. Stat. § 13.03
subd. 1; Minn. Stat. § 13.02 subd. 8a (“’Not public data’ are any government data
classified by statute…as confidential, private, nonpublic, or protected nonpublic.”).
The City is required to “establish appropriate security safeguards for all records
containing data on individuals, including procedures for ensuring that data that are
not public are only accessible to persons whose work assignment reasonably
requires access to the data, and is only being accessed by those persons for purposes
described in the procedure.” Minn. Stat. § 13.05, subd. 5(a)(1)–(2) (emphasis
added). Further, “[p]rivate or confidential data on an individual shall not be
collected, stored, used, or disseminated by government entities for any purposes
other than those stated to the individual at the time of collection…[or] except…” as
specifically enumerated in Minn. Stat. § 13.05 subd. 4 (e.g., where the “individual
subject…of the data have given their informed consent” to the disclosure of the
data). None of the exceptions in said subsection apply here.
The MGDPA also imposes certain obligations on the City when there has
been a breach of the security of government data. See Minn. Stat. § 13.055. A
breach of the security of government data occurs when there has been an
“unauthorized acquisition of data maintained by a government entity that
compromises the security and classification of the data.” Minn. Stat. § 13.055,
subd. 1(a). “Good faith acquisition of or access to government data by an . . . agent
of a government entity for the purposes of the entity is not a breach of the security
of the data, if the government data is not provided to or viewable by an
unauthorized person . . .” Id. (emphasis added).
An “unauthorized acquisition” of government data occurs when “a person
has obtained, accessed, or viewed government data without the informed consent
of the individuals who are the subjects of the data or statutory authority and with
the intent to use the data for nongovernmental purposes.” Minn. Stat. § 13.055,
subd. 1(c). An “unauthorized person” is “any person who accesses government
32
data without a work assignment that reasonably requires access, or regardless of
the person's work assignment, for a purpose not described in the procedures
required by section 13.05, subdivision 5.” Minn. Stat. § 13.055, subd. 1(d).
Section 13.09 of the MGDPA establishes a criminal penalty for either willful
or knowing violations8 of the MGDPA and establishes that a willful violation of the
MGDPA constitutes “just cause” for disciplining an employee:
(a) Any person who willfully violates the provisions of this chapter or
any rules adopted under this chapter or whose conduct constitutes
the knowing unauthorized acquisition of not public data, as defined in
section 13.055, subdivision 1, is guilty of a misdemeanor.
(b) Willful violation of this chapter, including any action subject to a
criminal penalty under paragraph (a), by any public employee
constitutes just cause for suspension without pay or dismissal of the
public employee.
Hoefling engaged in multiple “unauthorized acquisitions” of private
personnel data in violation of the MGDPA. First, she recorded three City staff
meetings without obtaining the informed consent of any of the participants,
8 Minnesota Courts have regularly held that the concept of “willfulness” differs between felony
and misdemeanor statutes. “In misdemeanor statutes, [willful] means a voluntary, knowing and
intentional act, as distinguished from accidental, involuntary, or unintentional.” State v. Jama,
908 N.W.2d 372, 376 (Minn. Ct. App. 2018), aff'd, 923 N.W.2d 632 (Minn. 2019) (quoting State v.
Green, 351 N.W.2d 42, 44 (Minn. App. 1984)). In the context of misdemeanor statutes, “willfully”
is “not among the terms used to denote a specific intent.”
However, in connection with the MGDPA, one court suggested that “willfully” means something
slightly more than “knowing and intentional,” indicating that a City employee’s honest belief that
data was private precluded a finding that the employee willfully violated the MGDPA by failing
to disclose what was actually public data in response to a MGDPA request. Demers v. City of
Minneapolis, 486 N.W.2d 828, 832 (Minn. Ct. App. 1992). Accordingly, it is likely that an honest
mistake about the classification of a data likely would not justify a finding of a willful violation of
the MGDPA.
It is well-established, however, that a “knowing” mens rea merely requires a defendant to “know
the facts that make [his or her] conduct illegal.” State v. Schwartz, 957 N.W.2d 414, 419 (Minn.
2021); Minn. Stat. 609.02 subd. 9.
33
without any statutory authority to do so, and without supervisory approval or
knowledge. This amounted to “obtain[ing]” government data.
Second, she disseminated the recordings to advance her own personal views,
and not for any governmental purpose. She first disseminated the April 15, 2021
video. As reflected in her April 16, 2021 email to selected police officers, she sent
a link to the recording of the April 15, 2021 meeting to several of her coworkers for
the purpose of ridiculing the statements made by City staff members during the
meeting. She sarcastically described statements made by a staff member as “the
gem that clearly highlighted what we all knew.” She further entitled the G: drive
folder “A Study in Racial Bias in City Leadership” indicating that she was suggesting
that she was providing a critique of racial biases expressed by members of the City
leadership. Additionally, she used a subject line for her email of “Sociology 101,”
suggesting sarcastically that City leaders had provided pseudo-academic
information during the meeting that she did not find educational or well-founded.
She also closed her email with the words “In Solidarity,” which evoked a sense of
being embattled or oppressed by City leadership, or which was designed to poke
fun of a City staffer’s use of that closing in the prior email.
In both her April 16 email and during her October 25, 2021 interview with
her superior officers, Hoefling stated that her purpose in recording and sharing the
video of the April 15 meeting was “for retention purposes” – i.e. to allow those who
were not able to attend to watch the discussion. However, the circumstances
indicate that her explanation was disingenuous. In addition to the above-described
statements in her April 16, 2021 email, the contents of the recording further
demonstrate that Hoefling was not motivated by preserving the meeting for
posterity. The video reflects Hoefling’s own personal opinions, exasperated
exclamations, and commentary about the comments others made during the
meeting. Moreover, Hoefling stopped the recording on at least one occasion when
she became frustrated with the discussion. She also included personal text
messages that were not visible to all attendees during the meeting on the
recording. The video also depicts chat messages that she drafted but did not send,
and that other attendees could not see during the meeting. Further, Hoefling’s
own July 21, 2021 to a Gmail recipient described the April 15, 2021 meeting as
“required” rather than “voluntary.” And finally, she did not use WebEx’s built-in
functionality that allows meeting participants or organizers to record the meeting
– a function that automatically advises all participants that the meeting is being
34
recorded. Rather, she pointed her personal phone’s video camera at an iPad and
then shared the resulting recording with only some, but not all, of her coworkers.
All of these facts demonstrate that Hoefling did not honestly obtain or
disseminate the recording of the April 15, 2021 meeting for “retention purposes”
or for any recognizable government purpose. Hoefling further was not honest with
her superior officers when they asked her why she made the video.
Hoefling similarly disseminated copies of the recordings for a
nongovernmental purpose when she sent all three of the videos using personal cell
phones and Dropbox.com to other employees. Hoefling made these disclosures
outside of the City’s secure network. She also engaged in these disclosures solely
for the other employees’ personal purposes. There is no identifiable governmental
purpose that would have justified Hoefling sharing the videos outside of the City’s
secure network in this manner.
Hoefling further caused public disclosure of the existence of the April 15,
2021 recording by disclosing the recording to others, which resulted in a Facebook
post disclosing the recording’s existence. Greene Espel does not have any
evidence, however, that Hoefling knew that any particular individual intended to
disclose the existence of the video publicly.
Hoefling also sent the video recording to two other employees of the police
department on or about April 16, 2021. There was no governmental purpose for
the employees to receive copies of the recording.
Hoefling further disseminated the recording outside the City’s secure
network to a Gmail user on or about July 21, 2021, to advance Hoefling’s own
personal dissatisfaction with certain policies Hoefling perceived had been
implemented by City management.
Additionally, Hoefling engaged in the unauthorized acquisition of not public
data when she saved and disseminated federal court records related to Finalist 1.
Hoefling disseminated the records to City employees, outside the City’s secure
network to her own personal email, and apparently, to a CCX media news reporter.
She did not seek or obtain informed consent from Finalist 1 before doing so, and
was not serving any governmental purpose. Rather, she was advancing her own
personal views regarding the City’s hiring process using City computer systems and
networks.
35
Based on all of these circumstances, we conclude that Hoefling knowingly
engaged in the unauthorized acquisition of not public data in violation of the
MGDPA. Hoefling knew all of the facts that made her conduct inconsistent with
the MGDPA. She made surreptitious recordings of three staff meetings because
City employees would be discussing City policies during the meetings – the very
facts that rendered the contents of the meetings private personnel data under the
MGDPA. She did so without informing meeting attendees that she was recording
them, even going so far as to conceal a recording device in her bag before meeting
with other staff. She further disseminated the recordings outside the City’s secure
network in a folder she entitled “secret.” These facts and the circumstances as a
whole leave no doubt that Hoefling acted “knowingly” in violation of the MGDPA.
Further, there is evidence to suggest that Hoefling acted “willfully” in the
sense of knowing that her conduct was wrongful or unlawful. Following the public
disclosure of the existence of her recording of the April 15, 2021 meeting, she asked
an IT professional with the City to delete the copies of her recordings she had saved
the G: drive, indicating that she was trying to conceal her unlawful acts because she
knew they were unlawful. As noted, she described her recordings as “secret” on
Dropbox, indicating that she knew it was wrong for her to have made or kept the
recordings. Additionally, she was dishonest with her superior officers about her
reasons for recording the April 15, 2021 meeting, suggesting that she knew she
could not give an honest explanation of her intent and remain compliant with the
law.
Moreover, she concealed her recording device during the November 18,
2021 meeting in a bag or purse, and did not announce the recording to any of the
participants, who were employees of the City. This further demonstrated that she
was aware that her conduct of recording the meetings was improper.
For these reasons, we conclude that Hoefling’s conduct of recording and
disseminating the videos of the staff meetings constitutes a significant violation of
the MGDPA.
We conclude that Hoefling’s conduct of collecting and disseminating public
court records regarding Finalist 1 to be relatively less serious, but still in violation
of the MGDPA.
36
D. Two Other Officers Also Engaged in the Unauthorized Acquisition of
Private Personnel Data.
As noted above other officers requested and received access to Hoefling’s
recordings of staff. As such, these officers requested and accessed the private
personnel data contained on the recordings for non-governmental, personal
purposes, without any authorization to do so. Accordingly, they acted contrary to
their obligations under the MGDPA.
However, Greene Espel did not recommend any other discipline resulting
from conduct that was discovered during the course of the investigation. Unlike
Hoefling’s conduct, other unauthorized acquisitions of the private personnel data
contained in Hoefling’s recordings did not cause the public or internal disclosure of
the data nor was the data repeatedly accessed.
NUMBER OF INDIVIDUALS WHOSE DATA WAS IMPROPERLY ACCESSED OR
ACQUIRED
Pursuant to MGDPA Section 13.055 subd. 2(b)(2), we conclude that the
following number of individuals’ data was subject to unauthorized acquisitions of
data by Hoefling and two other officers, and may have resulted in the unauthorized
acquisition of data by other City employees upon receipt of Hoefling’s staff meeting
recordings9:
1) 26 individuals who attended the April 15, 2021 meeting, including
Hoefling herself;
2) 23 individuals who attended the May 13, 2021 meeting, including
Hoefling herself;
3) 7 individuals who attended the November 18, 2021 meeting, including
Hoefling herself;
4) 1 individual who was the subject of Hoefling’s collection of public records
regarding an applicant for employment with the City of Golden Valley.
9 As noted above, further investigation is needed as to whether the former police department
employee who claimed to have audio-recorded the April 15, 2021 meeting in an email to Hoefling
in fact did record the meeting, and whether it that resulted in further unauthorized acquisitions
of private personnel data.
37
NUMBER OF INDIVIDUALS WHO IMPROPERLY ACCESSED OR ACQUIRED THE
DATA, IF KNOWN
Greene Espel is unable to precisely determine the number of individuals who
improperly accessed or acquired the data. We have not been able to determine
whether any of the individuals that Hoefling shared her video recordings with
subsequently shared those recordings with others. Further, we have not been able
to determine how many individuals accessed or made copies of the recording of
the April 15, 2021 meeting while it was saved on the City’s G: drive, before access
to the file was restricted. Similarly, we are unable to determine whether Hoefling
continued to share the public court records she collected outside the City’s network
after she emailed them to a personal email address.
With the aforementioned caveats, Greene Espel concludes that individuals
accessed or acquired the private personnel data described above:
1) At least 6 unauthorized persons accessed all or part of Hoefling’s
recording of the April 15, 2021 meeting. It is likely that several more
unidentifiable individuals also accessed this recoding, based on public
reporting that seems to directly quote segments of the recording.10
2) At least 3 unauthorized persons accessed all or part of Hoefling’s
recordings of the May 13, 2021 and November 18, 2021 meetings,
including Hoefling herself. Again, it is likely that others may have also
accessed these recordings, which were likely accessible via Dropbox.com
links that Hoefling shared with others. However, Greene Espel has been
unable to verify which files were shared with particular Dropbox.com
links by Hoefling, because the target files were either deleted or are no
longer accessible.
3) At least 2 unauthorized persons accessed Hoefling’s collection of public
records regarding a candidate for employment with the City of Golden
Valley, Hoefling herself using a personal email address and at least one
individual at a media outlet, ccxmedia.org. It is likely that Hoefling and/or
10 See https://alphanews.org/new-golden-valley-police-chief-has-history-of-suing-his-
employers/
38
others who received these materials disseminated them further to other
unauthorized persons.
Final Disposition of any Disciplinary Action Taken and, if Final Discipline was
Imposed, the Name of the Employee
Kristen Hoefling was terminated in part as the result of her violations of the
MGDPA violations described in this report. All requisite disciplinary procedures
were followed, and all such disciplinary proceedings have now concluded. The
City’s disciplinary decision against Hoefling is now final.
SS