With the conclusion of the four security-related exemptions, the “Exemptions, Explained” blog series moves on to the issue of personal information. Section 708(b)(5) protects individual medical information; Deputy Chief Counsel Katie Higgins provided the legal analysis.  As of November 14, 2023, this exemption has been cited in 397 OOR appeals.  

Section 708(b)(5) protects a “record of an individual’s medical, psychiatric or psychological history or disability status, including an evaluation, consultation, prescription, diagnosis or treatment; results of tests, including drug tests; enrollment in a health care program or program designed for participation by persons with disabilities, including vocation rehabilitation, workers’ compensation and unemployment compensation; or related information that would disclose individually identifiable health information.”

Clearly, the public does not have a right to know an individual’s medical history or status. Given the types of records that may exist in some government agencies, a clear-cut and firm exemption is vital to the inviolability of the Right-to-Know Law.

As with all other exemptions, merely stating the requested records are medical and thus exempt is not sufficient. An agency must submit facts to substantiate the claim that records fall into an exemption category. Though it may seem adequate to state, “these are medical records,” the agency is required to provide evidence that they in fact rise to that description. [1]

Most of the case law on medical records affirms the strength of its absoluteness.

Medical records with an individual’s identifiable information redacted are still exempt. The OOR has repeatedly held that an individual’s medical records are not subject to disclosure for any reason and cannot be provided even when de-identified.[2]

The Requester’s relationship to events in the record have no impact on medical exemption. No one gets medical records, period. “…mental health records of the Requester are not subject to disclosure to any person for any reason.”[3] “This individual medical treatment exemption contains no language permitting any third party to waive application of the exemption, nor is the exemption limited in application against the subject of the medical records themselves.”[4]  Therefore, even if a Requester is seeking their own medical records that they may otherwise be entitled to, they still cannot receive the records in response to a RTKL request.

Exemption applies to inmate and police records.

• Health and medical information about inmates. “…the OOR’s denial of Williams’ Request is not based on the fact that the requested medical records belong to an inmate, but rather because medical records are exempt from public disclosure under the RTKL” [5]
• Injured on Duty reports regarding police officers “…the Department has demonstrated that the requested forms and the memorandum contain individually identifiable health information. Consequently, the Department has met its burden of proving that the requested records are not subject to disclosure.”[6]

---

[1] Bojarski v. Nazareth Sch. Dist., OOR Dkt. AP 2023-1413, 2023 PA O.O.R.D. LEXIS 2029; Vargas v. City of Phila. Police Dep’t, OOR Dkt. AP 2023-1153, 2023 PA O.O.R.D. LEXIS 1826. 

[2] See Monaghan v. Downingtown Area Sch. Dist., OOR Dkt. AP 2021-0369, 2021 PA O.O.R.D. LEXIS 1359; Ortiz v. Pa. Dep’t of Corr., OOR Dkt. AP 2017-2193, 2017 PA O.O.R.D. LEXIS 1819; Wishnefsky v. Pa. Dep’t of Corr., OOR Dkt. AP 2011-0171, 2011 PA O.O.R.D. LEXIS 172.

[3] Pryzbeyszewski v. Pa. Dep’t of Corr., OOR Dkt. AP 2012-2112, 2013 PA O.O.R.D. LEXIS 18.

[4] Pingue v. Uwchlan Twp. Police Dep’t., OOR Dkt. AP 2022-2059, 2022 PA O.O.R.D. LEXIS 2524.

[5] Williams v. Pa. Dep’t of Corr., 2016 Pa. Commw. Unpub. LEXIS 432, *4 (Pa. Commw. Ct. 2016).

[6] Fennell v. City of Phila. Police Dep’t, OOR Dkt. AP 2016-0423, 2016 PA O.O.R.D. LEXIS 506. 

The Office of Open Records (OOR) will conduct its annual Right-to-Know Law (RTKL) and Sunshine Act training on Tuesday, Nov. 14, at 10 a.m. This year’s session, which will be held via Microsoft Teams, will include the following topics:

• Case Law and Court Opinion update
• How to determine if a request is sufficiently specific
• OOR E-File Appeal Portal practical tips and commonly used functions

The OOR’s Annual Training is free and open to everyone. Attendees will have ample opportunity to ask questions using the Microsoft Teams chat window.  Questions can also be submitted in advance by emailing RA-DCOORTRAINING@pa.gov.

Join us virtually on November 14 by clicking here to join the Microsoft Teams meeting.

Please test the link prior to the Annual Training. 

You may also listen to the webinar audio by joining via telephone at (267) 332-8737.  The Conference ID is 707 742 721#.

CLE credits are not available this year.

Today the OOR released a report demonstrating that most Pennsylvania government agencies provide Right-to-Know Law (RTKL) information on their websites. However, the compliance rate is lower than in our 2021 review. More encouragingly, all those notified to be out of compliance with this mandate proceeded to post information or pledged to do so in the near future.

The OOR’s report, “2023 Agency Website Review” summarizes the findings of OOR’s review of a sample of 96 state and local agencies’ websites. Just 84 percent of agencies post something about the RTKL on their websites, a decline from 91 percent compared to 2021. As in the past report, compliance for the four specific mandated pieces of information vary significantly:

• 84 percent provide contact information for the agency open records officer;
• 48 percent provide contact information for the Office of Open Records or other applicable appeals officer;
• 80 percent provide a request form; and
• 54 percent provide regulations, policies, and procedures of the agency relating to the RTKL.

Almost three-quarters (73 percent) of agencies provide all of the first three items.

The report includes a sample RTKL webpage posting that can be found here.

Bids are exempt prior to the award of a contract; records of an agency proposal evaluation committee are permanently exempt. 2023-1700

A request may be denied if the requester owes fees from a prior RTKL request.  2023-2074

Agency failed to prove that businesses’ contact information can be redacted from mowing bids. 2023-2066

Phone numbers, home addresses, dates of birth, and private citizens’ names may be redacted from a list of bike registrants. 2023-1684

Real estate appraisals and evaluations regarding a prospective property acquisition and construction project are exempt during the planning stages.  2023-1856

The latest “Exemptions, Explained” blog post is the last of the four security-related exemptions. Section 708(b)(4) covers information technology security (or cybersecurity); Appeals Officer Berk Demiral provides the legal analysis. This exemption is rarely utilized, cited in just 108 appeals as of October 3, 2023. 

Section 708(b)(4) protects a “record regarding computer hardware, software and networks, including administrative or technical records, which, if disclosed, would be reasonably likely to jeopardize computer security.”

The intent behind this exemption is obvious; the release of a record should not lead to the unauthorized use of or access to an agency’s computer systems, network, or hardware.

There are two important points of consideration when assessing the applicability of the exemption under Section 708(b)(4).

Mere speculation of a security risk is not sufficient

As with all security exemptions, the agency must prove that the exemption applies by a preponderance of the evidence. Although the agencies may meet their burden to prove the exemption’s application by submitting affidavits or attestations, the Commonwealth Court has held that “[a]n agency must offer more than speculation or conjecture to establish the security-related exemptions….”[1]

For example, recently, an agency sufficiently defended its decision to withhold a record based on the computer security exemption by submitting an attestation “which provide[ed] extensive detail regarding the multiple possible ways that an actor with bad intent could use the invoice information to compromise or infiltrate the [Agency’s], and ultimately the Commonwealth’s, [Information Technology] systems.”[2] Specifically, the agency provided a verified statement from its Information Technology Security Risk Manager, who stated that, if disclosed, the responsive information would directly lead to cybercriminals identifying particular equipment, such as routers, firewalls, and other computer equipment, and reveal vulnerable information such as account information, contacts, and purchasing information. Such identification and revelation would then allow bad actors to engage in phishing attacks, upload malware to corrupt existing software or place an “imposter” device within the agency’s network.   

In contrast, an agency providing only conclusory and speculative evidence regarding potential risks will not succeed in meeting its burden of proving that the cybersecurity exemption is applicable. An agency must show that the risk of harm caused by the potential disclosure is more than mere speculation; the risk must be substantial, demonstrable, and real or apparent.[3]

In other words, the purported evidence of a potential security threat must be tangible and not easily discredited. As an example, an agency failed to prove that the cybersecurity exemption applied when it claimed that granting access to phone numbers and email addresses of employees would pose a security risk, but a review of the County’s website showed that a large portion of employees highlighted in their various official capacities had their County email addresses and telephone numbers listed for the public’s viewing and use.[4]

In sum, a persuasive attestation or an affidavit will likely come from a person with the skills and information necessary to comment on cybersecurity matters and include a description and explanation of alleged risks and how they directly relate to the potential disclosure of the withheld information. Whereas, if the agency’s evidence is readily discredited, merely states the language of the security exemption without providing relevant background facts, or fails to explain the basis and correlation between the risk and the disclosure, then such evidence will likely fall short of establishing the cybersecurity exemption.

Financial aspects of IT record may not be exempt

It is important to note that the RTKL explicitly and specifically makes financial records public.[5] As such, if financial records are responsive to a request, the computer security exemption only permits the agencies to redact portions directly implicated as causing the security risk. The agencies may not withhold the entirety of the record from public access.

For example, although an agency may meet the burden to prove that the list of items on purchase order invoices is exempt, it has to grant access to the remainder of the responsive invoices without obscuring the dates, quantity figures, and dollar amounts for each item.[6]  

---

[1] California Borough v. Rothey, 185 A.3d 456, 468 (Pa. Commw. Ct. 2018)

[2] Holloway v. Pennsylvania Dep’t of General Services, OOR Dkt. AP 2023-1478, 2023 PA O.O.R.D. LEXIS 1671.

[3] McGinnis v. Neshaminy School District, OOR AP Dkt. 2019-2239, 2020 PA O.O.R.D. LEXIS 1475.

[4] Mezzacappa v. Northampton County, OOR AP Dkt. 2022-2077, 2022 PA O.O.R.D. LEXIS 2501.

[5] 65 P.S. § 67.708(c).

[6] See Holloway ; see also Nolen v. Pa. Office of Admin., OOR Dkt. AP 2018-0377, 2018 PA O.O.R.D. LEXIS 524.

---

A municipality is not required to contact the third-party tax collector for records under Sections 901 or 506(d) of the RTKL. 2023-1553

A school district did not prove that records exchanged between its solicitor and counsel for an entity which purchased real estate are confidential under the Rules of Professional Conduct. 2023-1785

An agency failed to prove that letters of interest the agency received for the position of Solicitor reflect the agency’s internal, predecisional deliberations or are protected by the attorney-client privilege. 2023-1427

A municipality failed to prove that plans submitted as part of a zoning application are protected from disclosure under the Uniform Construction Code. 2023-1656

Employment applications of agency employees are public but certain information may be redacted from them.  2023-1065.

A request may lack sufficient specificity if it requires an agency to make judgments as to which records relate to the request’s subject matter.  2023-1121.

The OOR can determine the public status of election-related records but access to those records are subject to limitations found in the Election Code.  2023-0877.

Internal deliberations among less than a quorum of school board members may be exempt from access.  2023-0735.

Agencies may be required to obtain records from their cellular telephone providers.  2023-1136.

Mugshots are not prohibited from disclosure, although they may contain other criminal history information not subject to release.  2023-1055.

Autopsy and toxicology records can be obtained from coroners and medical examiners upon the payment of a fee.  2023-1213.

Education records that are unable to be redacted of identifying information do not need to be disclosed under FERPA.  2023-0499.

Another “Exemptions, Explained” blog post, another security-related exemption. This one, Section 708(b)(3), centers on infrastructure and the legal analysis is provided by Appeals Officer Bandy Jarosz. This exemption is sparingly used, cited in just 301 appeals as of June 10, 2023.  Recently, it is offered as a rationale by agencies in denying access requests for information related to elections, surveillance of state liquor stores, and levee certifications. 

Section 708(b)(3) protects a “record, the disclosure of which creates a reasonable likelihood of endangering the safety or the physical security of a building, public utility, resource, infrastructure, facility or information storage system, which may include:

(i) documents or data relating to computer hardware, source files, software and system networks that could jeopardize computer security by exposing a vulnerability in preventing, protecting against, mitigating or responding to a terrorist act;

(ii) lists of infrastructure, resources and significant special events, including those defined by the Federal Government in the National Infrastructure Protections, which are deemed critical due to their nature and which result from risk analysis; threat assessments; consequences assessments; antiterrorism protective measures and plans; counterterrorism measures and plans; and security and response needs assessments; and

(iii) building plans or infrastructure records that expose or create vulnerability through disclosure of the location, configuration or security of critical systems, including public utility systems, structural elements, technology, communication, electrical, fire suppression, ventilation, water, wastewater, sewage and gas systems.”

As noted in previous posts, security should not be threatened by the release of a record.  Releasing information or records that could lead to the penetration of cyber or physical structures are not intended for public viewing.

Much of the relevant caselaw discusses the burden of proof an agency must satisfy to prove that the exemption applies.

• An agency must demonstrate a specific threat of endangerment to the safety or physical security of certain structures that is reasonably likely to result from the disclosure of a record.[1]
• The OOR must “look to the likelihood that disclosure would cause the alleged harm, requiring more than speculation.”[2]

For example, in  Allegheny Cty. Dist. Attorney’s Office v. Wereschagin, 257 A.3d 1280 (Pa. Commw. Ct. 2021), the Commonwealth Court held that the evidence submitted by the agency, taken as a whole, was sufficiently detailed enough to support the agency’s contention that releasing non location system information regarding a camera network system would put the physical security of the safety camera system in the district attorney’s office itself at risk.  The agency argued to the court that the system was currently subject to attacks, which revealed motivation to damage the system.  Id. at 1293.  The Requesters argued that cameras can be hacked without the hackers knowing the specific details of the cameras, so the release of such non location information would not increase the risk of hacking.  Id at 1292, 1298.  The court reasoned that the possibility of harm does not make the evidence speculative and the preponderance of evidence standard does not require absolute certainty.  Id. at 1298.  Thus, the court held the agency met its burden of proving that the infrastructure safety exemption applied.  Id. at 1300. 

Clearly, neither an OOR Appeals Officer nor a judge can be an expert in infrastructure security. Thus, the OOR and courts have wisely opined that they will not second guess the judgement of those more familiar with the security issues.  See Knauss v. Unionville-Chadds Ford Sch. Dist., OOR Dkt. AP 2009-0332, 2009 PA O.O. R.D. LEXIS 238 (holding the OOR would not substitute its judgement with an educator with years of experience regarding critical infrastructure and key resources of public school buildings).

---

[1] Smith Butz, LLC v. Pa. Dep’t of Envtl. Prot., 161 A.3d 1049, 1062 (Pa. Commw. 2017) (holding that the agency proved the disclosure of records that reflect the location and quantity of radioactive materials would be reasonably likely to jeopardize public security and/or safety, as the agency provided evidence of incidents involving theft or loss of nuclear and radioactive materials worldwide).

[2] California Borough v. Rothey, 185 A.3d 456, 468 (Pa. Commw. Ct. 2018) (holding that the existence of blind spots in a holding cell do not cause endangerment of safety and security when there was no explanation provided by the agency as to how the blind spots caused the endangerment when prisoners were secured and the cells were searched prior to entry).

During the summer of 2022, we shared the exciting news that the OOR is moving forward with our E-File Appeal Portal, with the goal of having all Right-to-Know Law (RTKL) appeals processed through the E-File Portal in 2023.  Use of the E-File Portal will provide a one-stop location for all records involving all appeals, ending the cumbersome practice of individuals keeping track of numerous documents and contact information.

Over the course of the last year, we have taken steps to move towards a full E-File Portal rollout by proceeding gradually through 2 phases, making improvements and implementing suggested changes along the way.

Today, we are pleased to announce that the OOR is ready to move into Phase 3 – a full implementation of the E-File Portal – on July 31, 2023.   With limited exception, all OOR appeals will proceed through the E-File Portal starting on this date. 

The system allows parties to electronically participate in an appeal and access a single electronic docket that contains all appeal related submissions and communications.  Once a party is granted login credentials, which consist of a person’s email address and an assigned password, they may download, save or print all docket activity.  Please refer to the OOR E-File Appeal Portal User Guide available on the OOR website https://www.openrecords.pa.gov/Documents/Appeals/E-File_AppealPortal-UserGuide.pdf. In addition, an E-File Portal user training video is accessible on the OOR’s website: https://www.openrecords.pa.gov/RTKL/TrainingVideos.cfm.  A Portal Q&A webinar will be scheduled in the near future.  Be sure to check the OOR training calendar: https://www.openrecords.pa.gov/RTKL/TrainingCalendar.cfm.

Please review the information with your relevant staff and stakeholders. OOR staff will be available for questions, resolve any user problems, and receive feedback. We are looking forward to working with all of you towards the goal of ensuring that all appeal participants are able to successfully use the E-File Portal as a speedier and more efficient system for processing RTKL appeals across the Commonwealth.

As always, we encourage any and all feedback.

A requester failed to prove why they needed in-person review of responsive records after the agency provided them via electronic link. 2023-0546

A school district may not redact the names of representatives of organizations in emails exchanged with the board and superintendent. 2023-0468

If an agency fails to respond to an appeal, the records request is automatically granted. 2023-1029

A school district proved that information redacted from a book challenge complaint form relates to a noncriminal investigation. 2023-0852

A school district did not demonstrate that a video recording on a school bus is exempt as relating to a noncriminal investigation, or that it is incapable of redacting the video or audio to satisfy the requirements of FERPA. 2023-0640