The opinion of the court was delivered by: Opinion BY Judge Simpson
BEFORE: HONORABLE ROBERT SIMPSON, Judge HONORABLE P. KEVIN BROBSON, Judge*fn1 HONORABLE JAMES R. KELLEY, Senior Judge
This appeal concerns the Right-to-Know Law (RTKL).*fn2 The Governor's Office of Administration (GOA) petitions for review from a final determination of the Office of Open Records (OOR) which granted Dylan Purcell's (Requester) appeal from a partial denial (redaction), thereby granting his request for the full birth dates of all Pennsylvania employees.
The case raises an issue of first impression: whether birth dates are protected from disclosure under the current RTKL. GOA argues the RTKL's personal security exception encompasses a right of privacy. GOA argues this right requires a balancing of interests. Requester contends this alleged privacy right was anchored in the prior, substantially different language of the former RTKL's reputation and personal security exception. Requester argues this right ceased on enactment of the current RTKL.
We conclude that GOA proved the personal security exception at Section 708(b)(1)(ii) of the RTKL, 65 P.S. §67.708(b)(1)(ii), applies on these facts and protects from disclosure the month and day of birth of almost 70,000 state employees. Accordingly, on this record we reverse.
Requester requested a list of all active state employees and their salary records. He requested specific fields of information: (1) first and last name; (2) job title; (3) hire date; (4) level of hire (full-time/part-time); (5) employment status (permanent/temporary); (6) salary; (7) county; and (8) birth date.*fn3 He previously received these data fields for every state employee on five different occasions during a six-year period.
Requester sought the birth date for each employee because it provides a unique identifier to differentiate employees with common names, allowing reporters to identify matches with other computer databases, such as those containing campaign finance, property tax, or criminal history information.
GOA's open records officer (Officer) granted the request in part, and denied it in part. Officer redacted the month and day of each employee's birth date so that Requester only received birth years. Officer based her redaction on 65 P.S. §67.708(b)(1)(ii) (personal security exception). This provision exempts from disclosure a record which "would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security of an individual." Id.
In subsequent exchanges with Requester, Officer explained that the redactions were meant to protect each employee's privacy. Officer referenced a single judge opinion of this Court at the preliminary injunction stage discussing the constitutional right of privacy and the balancing test by which it is applied. Pa. State Educ. Ass'n v. Dep't of Cmty. & Econ. Dev., 981 A.2d 383 (Pa. Cmwlth. 2009) (single judge opinion by Friedman, S.J.), prelim. inj. order aff'd., 606 Pa. 638, 2 A.3d 558 (2010).*fn4 Officer noted the birth date provided little insight into the workings of government, and its small benefit was outweighed by the greater harm to the employees' personal security and privacy.
Requester appealed to the OOR. GOA reasserted redactions were based on the personal security exception and the Pennsylvania Constitution. GOA offered four document groups to support its position.
The first document was a letter from the Philadelphia District Attorney which addressed the "staggering" increase in identity theft. She noted that full names, combined with addresses and dates of birth, were the tools criminals could use to obtain financial information and commit identity theft. She referenced Federal Trade Commission reports on identity theft.
The second document was a lengthy affidavit from Joseph E. Campana, Ph.D., an expert in the field of identity theft, privacy and information security. Campana opined:
A person's date of birth is one of the most sensitive pieces of personally identifiable information. For this reason, some identity theft experts have referred to a person's name, Social Security number and date of birth, as "The Holy
Trinity." These three key pieces of information together can be used by identity thieves to establish new financial accounts in the name of the identity theft victim and to commit a variety of other types of identity fraud. While one cannot hold one's name secret, one can often protect their Social Security number and date of birth .... Organizations that maintain records that contain consumer date of births must protect that personal identifier and other personally identifiable information that the consumer entrusted with the organization.
GOA Response before OOR, Attachment 2; Reproduced Record (R.R.) at 30a. Campana discussed different types of identity theft, and he noted the Federal Trade Commission estimated that between 2007 and 2008 identity theft crimes increased 29% nationally and 19% statewide.
Campana further opined as follows: "disclosure of personally identifiable information such as dates of birth would result in a substantial and demonstrable risk to the personal security of individuals because the risk of identity theft through disclosure would be substantially heightened." Id.
Campana also identified several federal statutes that identify birth dates as personally identifiable information: (1) The Identify Theft and
Assumption Deterrence Act of 1998;*fn5 (2) The Family Educational Rights and Privacy Act of 1974 (a/k/a FERPA or Stuckley Amendment);*fn6 (3) The Health Insurance Portability and Accountability Act (HIPAA) of 1996;*fn7 and (4) Health Information Technology for Economic and Clinical Health (HITECH) Act.*fn8 He noted that, based on HIPAA's terms, many health professionals now only require a person's first and last name and birth date to gain access to medical files. He also stated that date of birth is protected personal health information under the HITECH Act.
The third document was an extensive affidavit from the Commonwealth's Chief Information Security Officer, Erik Avaldan. He noted that various federal and national standards classify birth dates as "Personally
Identifiable Information." GOA Response before OOR, Attachment 3; R.R. at 34a-37a. He opined that "divulging of a consolidated list containing birth date information for each employee would likely result in a substantial and demonstrable risk to the personal security of individual employees by creating such a significant and predictable increase in the amount of social engineering, targeted, and well crafted phishing attacks (known as spear-phishing) against commonwealth employees." Id. at 3; R.R. at 36a. He also opined that making this information public "is likely to result in a substantial and demonstrable risk of identity theft and fraud, as evidenced by the number of employees involved and current figures regarding the proliferation of such crimes once birth dates are accessed ...." Id.
GOA's fourth document was a Management Directive from the Governor's Office dated July 26, 2010, which addressed the prospective handling of RTKL requests for state employee information.
The OOR described each of these documents, but it concluded that birth dates are not exempt from disclosure. It first noted that GOA waived any argument as to Section 708(b)(6) of the current RTKL (exception for personal identification information), 65 P.S. §67.708(b)(6), because GOA failed to identify this subsection in its initial response to Requester's request. Signature Info.
Solutions, LLC v. Aston Twp., 995 A.2d 510 (Pa. Cmwlth. 2010) (local agency not permitted to alter its reason for denying request on appeal to the OOR).
On the merits, the OOR concluded a constitutional right to privacy in birth dates no longer attached. In support, the OOR cited to several of its own decisions. Purcell v. City of Phila., OOR Dkt. No. AP 2009-0263, 2009 PA OORD LEXIS 641 (Pa. OOR 2009); Parsons v. Port Auth. of Pittsburgh, OOR Dkt. No. AP 2009-008, 2009 PA OORD Lexis 252 (Pa. OOR 2009); Lord v. City of Pittsburgh, OOR Dkt. No. AP 2009-0775, 2009 PA OORD Lexis 90 (Pa. OOR 2009). The OOR noted that no Pennsylvania appellate court ruled otherwise.
The OOR concluded there must be specific facts to prove a substantial and demonstrable risk to personal security. For example, where there were specified prior threats to an assistant district attorney, a risk to personal security was shown. Swartzwelder v. Butler Cnty., OOR Dkt. No. AP 2009-0632, 2009 PA OORD Lexis 129 (Pa. OOR 2009). The OOR also reasoned that birth dates were not listed in the RTKL as personal identification information. The OOR observed that privacy and identity theft issues were discussed during the legislative proceedings leading up to the enactment of the RTKL. These debates, however, did not prevent adoption of the ...