Opinion
Opinion Delivered July 15, 2008
The Honorable Ruth Whitaker State Senator Post Office Box 349 Cedarville, Arkansas 72932-0349
Dear Senator Whitaker:
I am writing in response to your request for an opinion of the following questions:
1. Does the Arkansas Code Annotated incorporate or require compliance with the provisions of the Privacy Act of 1974, 5 U.S.C. § 552a, as amended?
2. What Arkansas Code protects the privacy rights of citizens of Arkansas from the disclosure of social security numbers and birth dates to third parties who are not listed as one of the "exemptions" in the Privacy Act?
3. May a city administrator release the social security number and birth date of the spouse of a municipal employee to a private audit firm engaged by the city to conduct a forensic audit on the municipal employee?
4. May a public agency (Airport Commission) deny a citizen ready access to public records in accordance with the Arkansas Freedom of Information Act by requiring the requester to go to the office of the public agency's attorney to view records selected by the agency and its attorney?
RESPONSE
With regard to your first question, Section 25-19-105(a)(1)(A) (Supp. 2007) of the Arkansas Freedom of Information Act ("FOIA"), which opens "public records" to public inspection "[e]xcept as otherwise specifically provided by . . . laws specifically enacted to provide otherwise," is sufficiently broad to encompass the federal Privacy Act, 5 U.S.C. § 552a. It must be recognized, however, that the Privacy Act generally applies to federal agencies, and not state or local governmental entities. As discussed further below, one section of the Privacy Act pertaining to social security numbers does apply to state and local agencies; but the applicability of this act to prohibit the release of social security numbers by state and local officials is somewhat unclear. In response to your second question, A.C.A. § 4-86-107 (Supp. 2007) provides, inter alia, that no person or entity may "publicly post" or "publicly display" an individual's social security number. Additionally, various other Arkansas Code sections protect the confidentiality of social security numbers in connection with specific records, but no single Arkansas law comprehensively regulates social security number protection. Similarly, regarding birth dates, there is no comprehensive protection for this information under the Arkansas Code. The answer to your third question regarding release of a social security number and birth date in connection with a forensic audit of a city employee is in all likelihood "yes," in my opinion; but like the city, the private audit firm would be bound by the FOIA if it received a request for records of the city audit. In my opinion, the FOIA generally requires the redaction of social security numbers and birth dates from "personnel records." I am somewhat uncertain as to the precise focus of your fourth question, but if the concern is that the citizen was not able to immediately inspect the requested records, it must be noted that the agency is charged with the initial determination whether the records are covered by the FOIA or are exempt from disclosure. Consultation with legal counsel for the purpose of separating exempt from nonexempt information may be justified as a consequence, although the question will ultimately turn on the specific facts of each individual case.
Question 1 — Does the Arkansas Code Annotated incorporate or require compliance with the provisions of the Privacy Act of 1974, 5 U.S.C. § 552a, as amended?
The Arkansas Freedom of Information Act ("FOIA"), requires that "public records" be open to public inspection ""[e]xcept as otherwise specifically provided by . . . la w s specifically enacted to provide otherwise." A.C.A. § 25-19-105(a)(1)(A) (Supp. 2007). This section of the FOIA is sufficiently broad to encompass the federal Privacy Act, 5 U.S.C. § 552a, but that act generally applies to federal agencies, and not state or local governmental entities. See Op. Att'y Gen. 2004-295 (and cases cited therein). Accordingly, a freedom of information request under the Arkansas FOIA ordinarily will not implicate the Privacy Act. Accord Op. Att'y Gen. 97-199.
One section of the federal Privacy Act does apply, however, to local entities. Section 7 of the original act places restrictions on the use of social security numbers and is applicable to "any Federal, State or local government agency. . . ." P u b . L. No. 93-579, § 7, reprinted at 5 U.S.C. § 552a, note ("Disclosure of Social Security Number"). One recognized commentator on the Arkansas FOIA has observed the following regarding this section of the Privacy Act and previous opinions issued by this office:
This section states:
(a)(1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.
(2) the provisions of paragraph (1) of this subsection shall not apply with respect to-(A) any disclosure which is required by Federal statute, or
(B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.
(b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.
5 U.S.C. § 552a, note.
It is not clear, however, what constitutes an agency of a state or local government for purposes of this part of the Privacy Act. While another section of the act defines the term `agency' with reference to federal entities, state and local agencies are not addressed. See generally Krebs v. Rutgers, 797 F. Supp. 1246, 1253-56 (D.N.J. 1992). Noting the definitional problem, the Attorney General has by analogy applied the federal definition to state entities. See Ark. Op. Att'y Gen. Nos. 96-307 (opining that the Teacher Retirement System may be an "independent regulatory agency" and thus subject to the act), 96-291 (opining that state courts are not agencies because they are not part of the executive branch of government), 95-262 (concluding, without discussion, that the Workers' Compensation Commission is an agency subject to the act) . . . .
Watkins and Peltz, THE ARKANSAS FREEDOM OF INFORMATION ACT (4th ed. m m Press 2004) at 15 n. 42.
In addition to there being some question concerning covered state and local agencies, there appears to be a lack of agreement among the courts on whether this section of the federal Privacy Act prohibits the release of social security numbers by state and local officials. See, e.g., Tribune-Review Publishing Company v. Allegheny County Housing Authority, 662 A.2d 677, 682 (Pa. 1995) (concluding that "the Privacy Act of 1974 limits the availability of social security numbers and creates an expectation of privacy in the minds of all employees concerning the use and disclosure of their social security numbers."); In Re Crawford, 194 F.3d 954, 962 (9th Cir. 1999) ("Section 7(b) has no bearing on the public disclosure of SSNs by the government. . . ." Emphasis original). The view that Section 7 of the Privacy Act does not bear on the disclosure of social security numbers appears to find support in the actual language of the section, which is expressly addressed to the collection of social security numbers, as opposed to their general dissemination.
Nevertheless, consistent with at least some of the case law, this office has invoked the Privacy Act in many instances to opine that social security numbers should be excised from records that are otherwise public under the Arkansas FOIA. See, e.g., Op. Att'y Gen. Nos. 2001-091 and 99-451 (and opinions cited therein). It should perhaps be noted, however, that the remedies under the Privacy Act are limited as against state or local agencies. See, e.g., Pontbriand v. Sundlum, 699 A.2d 856, 869 (R.I. 1997) (stating that "[e]ven though the act may indicate a congressional intent that Social Security numbers remain confidential, [citations omitted], it affords no express retrospective remedies save as against federal agencies" and finding no precedential authority for the award of remedies other than injunctive relief).
As a final note in response to your first question, some mention should be made of 42 U.S.C. § 405(c)(2)(C)(viii), a provision of the Social Security Act stating that "[s]ocial security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law enacted on or after October 1, 1990, shall be confidential, . . ." and defining "authorized person" to include state and local officers and employees. This section might also be encompassed by the Arkansas FOIA's exception for "laws specifically enacted to provide otherwise." A.C.A. § 25-19-105(a)(1)(A). Somewhat similar concerning the Privacy Act, however, authorities are not in complete agreement regarding the effect of 42 U.S.C. § 405(c)(2)(C)(viii). It appears that some courts have required the redaction of social security numbers from certain records based upon this federal law, see, e.g., State ex rel. Jenkins v. City of Cleveland, 82 Ohio App.3d 770, 613 N.E.2d 652 (1990), whereas others have concluded that while this provision in the Social Security Act may prohibit further disclosure of numbers acquired under the authority of 42 U.S.C. § 405, it does not prohibit the disclosure of numbers not obtained for the purposes described in the Social Security Act. See AFSCME v. City of Albany, 81 Ore. App. 231, 725 P.2d 381 (1986). Several Attorneys General have also observed that 42 U.S.C. § 405(c)(2)(C)(viii) only applies to records obtained pursuant to laws passed after 1990, and only by entities that obtained the information pursuant to 42 U.S.C. § 405. See Iowa Op. Att'y Gen. 99-10-1L and 47 Ore. Op. Att'y Gen. 1 (1993).
Section 42 U.S.C. § 405(c)(2)(C)(i) provides:
It is the policy of the United States that any State (or political subdivision thereof) may, in the administration of any tax, general public assistance, driver's license, or motor vehicle registration law within its jurisdiction, utilize the social security account numbers issued by the Secretary for the purpose of establishing the identification of individuals affected by such law, and may require any individual who is or appears to be so affected to furnish to such State (or political subdivision thereof) or any agency thereof having administrative responsibility for the law involved, the social security account number (or numbers, if he has more than one such number) issued to him by the Secretary.
Section 42 U.S.C. § 405(c)(2)(C)(i) provides:
It is the policy of the United States that any State (or political subdivision thereof) may, in the administration of any tax, general public assistance, driver's license, or motor vehicle registration law within its jurisdiction, utilize the social security account numbers issued by the Secretary for the purpose of establishing the identification of individuals affected by such law, and may require any individual who is or appears to be so affected to furnish to such State (or political subdivision thereof) or any agency thereof having administrative responsibility for the law involved, the social security account number (or numbers, if he has more than one such number) issued to him by the Secretary.
For a more extensive review of court decisions and Section 7 of the Privacy Act, 42 U.S.C. § 405(c)(2)(C)(viii), and other laws concerning the collection, use, and dissemination of social security numbers, see Komuves, A Perspective on Privacy, Information and Technology, and the Internet — "We've Got Your Number: An Overview of Legislation and Decision to Control the Use of Social Security Numbers as Personal Identifiers, " 16 J. Marshall J. Computer Info. L. 529 (Spring 1998).
Question 2 — What Arkansas Code protects the privacy rights of citizens of Arkansas from the disclosure of social security numbers and birth dates to third parties who are not listed as one of the "exemptions" in the Privacy Act?
Social Security Numbers
With regard, first, to social security numbers, Arkansas Code Annotated § 4-86-107(b)(1) (Supp. 2007) provides that no person or entity may "publicly post" or "publicly display" an individual's social security number. "Publicly post" and "publicly display" are defined as "to intentionally communicate or otherwise make available to the general public." Id. at (a)(2). This Code section also prohibits the printing of a social security number on any card required to access products and service, on a postcard or other mailer not requiring an envelope, or in a manner in which the number is visible on an envelope or without the envelope wing opened. Id. at (b)(2) and (3). It also makes it unlawful to require anyone to transmit their social security number over the Internet unless the connection is secure or the number is encrypted. Id. at (b)(4).
Various other Arkansas Code sections protect the confidentiality of social security numbers in connection with specific records, but there is no Arkansas law that comprehensively protects against the disclosure of social security numbers. See, e.g., A.C.A. § 25-19-105(b)(12) (Supp. 2007) (provision of the FOIA exempting "personnel records" from disclosure "to the extent that disclosure would constitute a clearly unwarranted invasion of personal privacy," which has consistently been interpreted by this office to require the redaction of social security numbers from such records, see, e.g., Ark. Op. Att'y Gen. 2008-046 (and opinions cited therein); A.C.A. § 6-18-208(d)(1) (Supp. 2007) (proscribing the use of a student's social security number as a student identification number, beginning with the 2005-2006 school year); A.C.A. § 17-1-104(f) (Repl. 2001) (protecting the confidentiality of social security numbers that are collected and transmitted by licensing entities to the state Office of Child Support Enforcement); A.C.A. § 4-110-108 (Supp. 2007) (the Personal Information Protection Act, establishing procedures to protect "personal information" — defined to include social security numbers, Id. at-103(7) — of individuals who provide such information to a business for the purpose of purchasing or leasing a product or obtaining a service).
There is some support in case law for the proposition that the federal Privacy Act provides a basis for concluding that social security numbers are protected by the constitutional right to privacy. See State ex rel. Beacon Journal Publishing Co. v. City of Akron, 70 Ohio St.3d 605, 640 N.E.2d 164 (1994) (disclosure of city employees' social security numbers in response to a request for payroll records would violate the federal constitutional right to privacy). But judicial authority to the contrary also exists. See Pontbriand v. Sundlun, supra, 699 A.2d at 869-70) (finding no constitutional right to privacy in social security numbers); Al-Beshrawi v. Arney, No. 5:06CV2114 (N.D. Ohio 2007) ( 2007 WL 1245845) (same). As one court has observed: "The constitutional right to privacy in a SSN has not been clearly established, and its parameters have not been clearly defined . . ." Arakawa v. Sakata, 133 F. Supp.2d 1223, 1230 (D. Hawaii 2001) (noting cases that have explored constitutional informational privacy rights.) The success of a claim based upon the constitutional right to privacy may also depend upon the particular factual context. Id. See also Hart v. City of Little Rock, 432 F.3d 801, 805 (8th Cir. 2005) (assuming, without deciding, that the City of Little Rock's release of plaintiff police officers' personnel files — which included home addresses, social security numbers, and other personal information — "created sufficient danger to implicate constitutionally protected privacy interests[,]" but denying relief because the state actor did not possess the requisite culpability for a claim under 42 U.S.C. § 1983).
Reference should also be made, finally, to Administrative Order 19 of the Arkansas Supreme Court — "Access to Court Records" (effective July 1, 2007), which establishes the confidentiality of social security numbers found in "case records." Id. at Section VII.A.(4). The Order defines "case record" as "any document, information, data, or other item created, collected, received, or maintained by a court, court agency or clerk of court in connection with a judicial proceeding." Id. at Section III.A.(2). The Order also makes confidential certain information in "administrative records," Id. at B.1, with "administrative record" defined as "any document, information, data, or other item created, collected, received, or maintained by a court, court agency, or clerk of court pertaining to the administration of the judicial branch of government." Id. at III.A.(3). This confidentiality provision extends to "[i]nformation that is excluded from public access pursuant to Arkansas Code Annotated. . . ." As noted above, A.C.A. § 25-19-105(a)(1)(A), which is part of the Arkansas FOIA, excludes from public access any records that are excluded "by laws specifically enacted to provide otherwise." As also noted above, this section of the FOIA is sufficiently broad to encompass the federal Privacy Act, which according to some authorities prohibits the disclosure of social security numbers.
Date of Birth
With regard to birth dates, there is no provision in the Arkansas Code comparable to A.C.A. § 4-86-107 protecting against the public posting or public display of citizens' dates of birth. In the specific context of public records, this office has opined that the Arkansas FOIA requires the redaction of birth dates from public employees'"personnel records." See, e.g., Ark. Op. Att'y Gen. 2007-226. But as this office has also previously noted, the FOIA contains no general privacy exemption protecting personal information outside the personnel records context. See Ark. Op. Att'y Gen. 2003-015. Act 608 of 1981 added a clause to the FOIA to provide a general privacy exemption for information "o f a personal nature." See Acts 1981, No. 608, § 1. However, that clause was deleted by Act 468 of 1985. See Acts 1985, No. 468, § 1.
The Arkansas Supreme Court has recognized that a federal constitutional right of privacy can supersede the specific disclosure requirements of the FOIA, at least with respect to the release of documents containing constitutionally protectable information. See McCambridge v. City of Little Rock, 298 Ark. 219, 766 S.W.2d 909 (1989). As the Eighth Circuit Court of Appeals has observed, however, "the exact boundaries of this right are, to say the least, unclear." Eagle v. Morgan, 88 F.3d 620, 625. See also Arakawa v. Sakata, supra, 133 F. Supp.2d at 1226 (noting that "courts have struggled to define the limits of a constitutional right to privacy, especially with respect to disclosure of personal matters.") Accordingly, while I believe the release of a birth date could potentially rise to the level of a federal constitutional violation, the matter is far from clear. Indeed, some courts have held that there is no constitutional privacy right inherent in the release of birth dates. See State ex rel. Beacon Journal Publishing Co. v. City of Akron, supra; Al-Beshrawi v. Arney, supra; Texas v. Atty. Gen., 244 S.W.3d 629 (Tex.App. 3rd 2008). Question 3 — May a city administrator release the social security number and birth date of the spouse of a municipal employee to a private audit firm engaged by the city to conduct a forensic audit on the municipal employee?
In my opinion, the answer to this question is in all likelihood "yes." I have no specific information regarding the referenced audit, but I assume this is an undertaking that would otherwise fall upon the city administrator, pursuant to his or her authority to "inquire into the conduct of any municipal office, department, or agency. . . ." A.C.A. § 14-48-117(3) (Supp. 2007). It reasonably follows that the private audit firm takes on the character of the city administrator when conducting the audit, in which case access to the social security number and birth date, along with other information in the city's files, would seem beyond question. See generally Ark. Op. Att'y Gen. 2001-172 (noting that where an entity has contracted with a public entity to provide services for that public entity, the Arkansas Supreme Court has viewed the retained entity as the "functional equivalent" of the public entity, citing Swaney v. Tilford, 320 Ark. 652, 898 S.W.2d 462 (1995), City of Fayetteville v. Edmark, 304 Ark. 480, 830 S.W.2d 275 (1990), and Waterworks v. Kristen Invest. Prop., 72 Ark. App. 37, 32 S.W.3d 60 (2000)). See also Ark. Op. Att'y Gen. 96-386 (opining that a city attorney may have access to records that he would not otherwise be able to obtain as a member of the public because of an exemption under the FOIA.)
Subsection 14-48-117(3) states in full:
[The city administrator] may inquire into the conduct of any municipal office, department, or agency which is subject to the control of the board. In this connection, he or she shall be given unrestricted access to the records and files of any office, department, or agency and may require written reports, statements, audits, and other information from the executive head of the office, department, or agency[.]
It should be emphasized, however, that like the city administrator, the private audit firm would be bound by the FOIA, and any applicable exemptions, if it received a request for records of the city audit. See Ark. Op. Att'y Gen. 2001-172 ("If an entity is the `functional equivalent' of a public entity to which it provides services, it follows that . . . the exemptions that are applicable to the public entity should be applicable to the entity providing the services.") . Id. at 2. In this regard, the FOIA's exemption for "personnel records" would in my opinion likely apply to records containing the social security number and birth date of an employee's spouse. This office has historically opined that social security numbers should be redacted from personnel records prior to the records' release. See, e.g., Op. Att'y Gen. 2007-226 (and opinions cited therein). With regard to the date of birth, as I explained in Opinion 2007-064, earlier opinions of the Attorney General generally upheld the release of birthdates of public employees ( see, e.g., Op. Att'y Gen. Nos. 2005-004, 2000-306, and 95-080), but relatively recent case law from other jurisdictions supports the redaction of this information under similarly-worded exemptions.
Question 4 — May a public agency (Airport Commission) deny a citizen ready access to public records in accordance with the Arkansas Freedom of Information Act by requiring the requester to go to the office of the public agency's attorney to view records selected by the agency and its attorney?
The focus of this question is not entirely clear, but if the concern is that the citizen was not able to immediately inspect the requested records, it must be recognized that the agency is charged with the initial determination whether the records are covered by the FOIA or are exempt from disclosure. Watkins and Peltz, THE ARKANSAS FREEDOM OF INFORMATION ACT, supra at 253, citing Gannett River States Publishing Co. v. Arkansas Indus. Dev. Comm'n, 303 Ark. 684, 689, 799 S.W.2d 543 (1990); Op. Att'y Gen. Nos. 2001-145 and 90-324. The FOIA provides:
(f)(1) No request to inspect, copy, or obtain copies of public records shall be denied on the ground that information exempt from disclosure is commingled with nonexempt information.
(2) Any reasonably segregable portion of a record shall be provided after deletion of the exempt information.
(3) The amount of information deleted shall be indicated on the released portion of the record and, if technically feasible, at the place in the record where the deletion was made.
(4) If it is necessary to separate exempt from nonexempt information in order to permit a citizen to inspect, copy, or obtain copies of public records, the custodian shall bear the cost of the separation.
As a practical matter, therefore, it may be impossible to afford immediate, unrestricted access to the requested records. The question will turn on the specific facts of each individual case, but consultation with legal counsel for the purpose of "separate[ing] exempt from nonexempt information" may be justified, although a delay for this purpose should not exceed three working days. See Op. Att'y Gen. 98-223.
Because the question posed also mentions the need to view the records at the office of the agency's attorney, it perhaps bears noting that in accordance with A.C.A. § 25-19-105(a)(2)(A) (Supp. 2007), "[a] citizen may make a request to the custodian to inspect, copy, or receive copies of public records." (Emphasis added). This section provides, additionally, that "[t]he request may be made in person, by telephone, by mail, by facsimile transmission, by electronic mail, or by other electronic means provided by the custodian." Id. at (B) (emphasis added). Although the intent to afford citizens the right to receive copies of records by mail is not expressly set forth in the statute, I believe such intent may be fairly implied. Accordingly, to the extent your question also suggests some concern that the citizen was not able to request that copies of the selected records be provided by mail, such concern may in my opinion be warranted. The question of whether any citizen has been denied rights granted by the FOIA will, however, ultimately depend upon the specific facts. See generally Op. Att'y Gen. 2000-059.
Assistant Attorney General Elisabeth A. Walker prepared the foregoing opinion, which I hereby approve.
Sincerely,
DUSTIN McDANIEL Attorney General