The Washington State Supreme Court ruled recently that state employees’ birthdates associated with their names are not exempt from disclosure pursuant to a freedom of information records request. In so holding, the Court strictly construed the applicable statute that did not expressly exempt birthdates from disclosure. Wash. Pub. Emps. Assn. v. State Ctr for Childhood Deafness & Hearing Loss. Private and public entities across the country that respond to countless requests for information may want to rethink their approach.
In 2016, the Freedom Foundation (Foundation) sent public records access requests to several state agencies seeking disclosure of records for union-represented employees, including their full names, associated birth dates, and agency work e-mail addresses. Upon reviewing the Foundation’s requests, the agencies determined that all of the requested records were disclosable and indicated that, absent a court order, they intended to release the requested records. Several unions filed motions for preliminary and permanent injunctions to prevent disclosure of the requested records based (among other things) on privacy concerns.
In its decision, the Court stated, “We appreciate the Unions’ concern that disclosing birth dates with corresponding employee names may allow . . . requesters or others to obtain residential addresses and to potentially access financial information, retirement accounts, health care records or other employee records. Yet, we cannot judicially expand the [law’s] narrow exemptions beyond the boundaries set by the legislature, lest we step beyond our interpretive role and risk disrupting the balance of public policies the [law] reflects.”
Significantly, the Court noted that it had long ago defined the “right to privacy” by referring to the common law tort of invasion of privacy through public disclosure of private facts citing, Hearst Corp. v. Hoppe (1978). The State legislature subsequently codified a “right to privacy” as being invaded or violated “only if disclosure of information about the person: (1) Would be highly offensive to a reasonable person, and (2) is not of legitimate concern to the public.”
The Court did go on to acknowledge legitimate concerns about the misappropriation of birth dates that echo the concerns related to Social Security numbers. However, the Court ruled that this does not mean that names and associated birth dates have become private—only that this information is personally identifying. The fact that information is personally identifying, alone, is insufficient to warrant its exemption from disclosure.
Ultimately, the Court noted that the Union’s argument was a policy-based one concerned with the wide abuse of personal identifiers for criminal purposes which was not its to make. While the Court was constrained by the statute at issue that specifically exists for the purpose of allowing the public to obtain information about government, the Court did acknowledge concern generally for the misappropriation of personally identifying information. This concern should be instructive for public and private sector entities alike.
Notably, there has been an increase across the country in state laws that have created or expanded on privacy rights (despite Washington’s failed effort earlier this year to pass the Washington Privacy Act, a European-style data protection law). These laws are expanding the categories of personal information that warrant protection – it is no longer just the Social Security number. When not compelled by law, such as a freedom of information law, public and private entities should consider disclosing only what is minimally necessary to respond to a request with particular attention to data elements that facilitate identify theft.