Friday, September 12, 2008

Privacy Rights in Social Security Numbers Clash with Rights to Public Records in Recent Decisions

This posting was written by Tom Long, Editor of CCH Privacy Law in Marketing, and John W. Arden.

Two court decisions weighing the privacy rights in protecting individuals’ Social Security Numbers against the rights to access and publish public documents were issued on August 22 by courts in Virginia and New Jersey.


A decision by the federal district court in Richmond, Virginia held that a state law regulating the use of Social Security Numbers (SSNs) was unconstitutional as applied to a website operated by a privacy-rights advocate, who opposed the posting of land records online without redacting the SSNs contained in the records.

On her website, the advocate posted examples of public records that were available online and that contained SSNs. She stated that her reason for posting the records was to demonstrate to members of the public that their own personal information could be available online.

The Virginia SSN law (CCH Privacy Law in Marketing ¶34,660) provided that "a person shall not ... [i]ntentionally communicate another individual's social security number to the general public." Prior to an amendment that took effect July 1, 2008, the law contained an exception for records required by law to be open to the public.

The advocate sought declaratory and injunctive relief against enforcement of the law, asserting that her activities would be subject to fines, investigative demands, and injunctions should she continue to display the SSNs on her website. That prospect would chill her free speech.

First Amendment v. State Interest

Although the advocate's website was not part of the traditional news media, it undertook a government watchdog role that was protected by the First Amendment, in the court's view. Her site was "analytically indistinguishable from a newspaper."

It would not be difficult to conclude that protection of SSNs from public disclosure should qualify as a state interest of the highest order, the court held. However, the state's assertion of this interest was undercut by its own conduct in making the SSNs publicly available through unredacted release on the Internet, which it had done for several years.

The burden of redacting private information from state records could not be placed on those who would publish truthful information that is in records the state had made available to the public, according to the court.

The decision, Ostergren v. Mcdonnell, appears at CCH Privacy Law in Marketing ¶60,243.

Public Records Act v. Duty to Safeguard Information

In the New Jersey decision, an employee of a company that created computer-based searching tools for the title insurance industry was denied production of government records by a New Jersey county under the New Jersey Open Public Records Act (OPRA) without the redaction and removal of SSNs from the records, at the employee's expense.

The access rights embodied in OPRA were tempered by the state legislature's finding and declaration that "a public agency has a responsibility and an obligation to safeguard from public access a citizen's personal information with which it has been entrusted when disclosure thereof would violate the citizen's reasonable expectation of privacy."

The employee had filed a request for approximately eight million pages of real estate documents that were stored on microfilm. After a dispute arose over the request, the employee filed a complaint with a state trial court, seeking to compel the county to provide microfilmed copies of all land title records from 1984 to the present. The trial court found that, although the records were accessible under both OPRA and the common law, the right of access did not extend to SSNs appearing on the documents.

On appeal, the New Jersey Superior Court, Appellate Division, found that the term "government record" under the OPRA did not include a portion of any document that disclosed a person's SSN.

Redaction of SSNs

Prior to allowing access to a government record, the government custodian of that record was required to redact the portion of the document disclosing the SSN, unless the SSN was part of a record required by law to be made, maintained, or kept on file by a public agency. However, the real estate documents were government records statutorily required to be maintained on file, and SSNs were part of those records, thereby falling within the exception, the court said.

There were competing interests that had to be balanced before a determination could be made as to whether SSNs included in the records should remain unredacted in documents the employee sought. When diverse pieces of information—such as a name, SSN, address, bank or mortgage holder, and simulated signature—were assembled into a package, a privacy interest was implicated, in the court's opinion.

The employee did not provide any significant countervailing interest in the disclosure of SSNs; rather, he argued that reading an exception to disclosure of the SSNs into OPRA as "inimical to the public interest" would create "a huge loophole" that would virtually eliminate OPRA as an independent right of access to records. This argument was rejected. The significant privacy interest clearly outweighed the negligible public interest in disclosure of an individual's SSN to a commercial entity gathering information to compile a database for sale to other commercial entities.

The decision, Burnett v. County of Bergen, appears at CCH Privacy Law in Marketing ¶60,244.

No comments: