Sunshine Week Summit 2024 (In-Person and Virtual)

In celebration of Sunshine Week 2024, the Office of Open Records is joining other stakeholders on March 13 from 9-12 for a great discussion:

  • Sunshine Act Update. Learn more about the state’s open meetings law, the Sunshine Act. This discussion will include a review of recent Commonwealth Court decisions.  Valuable tips and trends essential for both legal practitioners and news organizations will be shared.
  • Investigative Journalists & the Right-to-Know Law. We’ll hear from seasoned investigative reporters who explain the challenges they’ve had in obtaining records as well as best practices for getting information that is deemed public.
  • The First Fifteen. The “new” Right-to-Know Law was signed in 2008 with the Office of Open Records beginning its work the next year. Let’s hear how things have changed over the last 15 years. All three OOR executive directors – past and present – will reflect.

You may join us virtually or in person in Harrisburg at the beautiful new State Archives Building.

There is an opportunity for 2.5 CLE credits for attorneys.


For registration and more details, please visit the PA NewsMedia Association Website:

Transparency Zone, January 2024

An inmate was granted access to email communications between prison officials about movies and TV series. 2024-0023

The names of individuals who played golf at a course operated by a township are not public records. 2023-3106

An agency may charge copying fees if it only keeps physical copies of a requested record. 2023-3129

Vehicle crash reports are protected from disclosure under the Pennsylvania Motor Vehicle Code. 2023-2906

Transparency Zone, November/December 2023

An agency may redact bank account and routing numbers on financial records to prevent unauthorized access. 2023-2422

The Department of Corrections proved that it did not have records related to the price it paid for a certain shampoo. 2023-2231

A request for the “last time [a] robotic stopwatch was calibrated” and the corresponding costs provided enough guidance to enable an agency to search for responsive records.  2023-2237

The OOR lacks jurisdiction over records that contain confidential security information under the Public Utility Confidential Security Disclosure Protection Act (“CSI Act”), 35 P.S. §§ 2141.1-2141.6. 2023-2785

The full names of correctional officers are exempt from public access because their disclosure would jeopardize the officers’ personal safety. 2023-2851

Temple University is a State-related institution, 65 P.S. § 67.102, and is not an agency subject to the OOR’s jurisdiction. 2023-2958

Transparency Zone, October 2023

A fire inspector’s report is found to be related to a noncriminal investigation and can be withheld.  2023-1964

The Department proved that the Request asked questions rather than seeking records, and thus properly denied the request. 2023-2460

While fees cannot be assessed for the provision of electronic records, agencies are not required to convert records that only exist as hard copies into electronic form. 2023-1973

Complaints about a University volleyball coach were found to be exempt because NCAA rules and regulations automatically trigger a noncriminal investigation into complaints. 2023-1746

An email chain between employees of two different government agencies may still be exempt as internal, deliberative, and pre-decisional. 2023-2044

Exemptions, Explained: 708(b)(5), Medical Records

With the conclusion of the four security-related exemptions, the “Exemptions, Explained” blog series moves on to the issue of personal information. Section 708(b)(5) protects individual medical information; Deputy Chief Counsel Katie Higgins provided the legal analysis.  As of November 14, 2023, this exemption has been cited in 397 OOR appeals.  

Section 708(b)(5) protects a “record of an individual’s medical, psychiatric or psychological history or disability status, including an evaluation, consultation, prescription, diagnosis or treatment; results of tests, including drug tests; enrollment in a health care program or program designed for participation by persons with disabilities, including vocation rehabilitation, workers’ compensation and unemployment compensation; or related information that would disclose individually identifiable health information.”

Clearly, the public does not have a right to know an individual’s medical history or status. Given the types of records that may exist in some government agencies, a clear-cut and firm exemption is vital to the inviolability of the Right-to-Know Law.

As with all other exemptions, merely stating the requested records are medical and thus exempt is not sufficient. An agency must submit facts to substantiate the claim that records fall into an exemption category. Though it may seem adequate to state, “these are medical records,” the agency is required to provide evidence that they in fact rise to that description. [1]

Most of the case law on medical records affirms how absolute the exemption is.

Medical records with an individual’s identifiable information redacted are still exempt. The OOR has repeatedly held that an individual’s medical records are not subject to disclosure for any reason and cannot be provided even when de-identified.[2]

The Requester’s relationship to events in the record has no impact on the medical exemption. No one gets medical records, period. “…mental health records of the Requester are not subject to disclosure to any person for any reason.”[3] “This individual medical treatment exemption contains no language permitting any third party to waive application of the exemption, nor is the exemption limited in application against the subject of the medical records themselves.”[4] Therefore, even if a Requester is seeking their own medical records that they may otherwise be entitled to, they still cannot receive the records in response to a RTKL request.

Exemption applies to inmate and police records.

  • Health and medical information about inmates. “…the OOR’s denial of Williams’ Request is not based on the fact that the requested medical records belong to an inmate, but rather because medical records are exempt from public disclosure under the RTKL.”[5]
  • Injured on Duty reports regarding police officers. “…the Department has demonstrated that the requested forms and the memorandum contain individually identifiable health information. Consequently, the Department has met its burden of proving that the requested records are not subject to disclosure.”[6]

[1] Bojarski v. Nazareth Sch. Dist., OOR Dkt. AP 2023-1413, 2023 PA O.O.R.D. LEXIS 2029; Vargas v. City of Phila. Police Dep’t, OOR Dkt. AP 2023-1153, 2023 PA O.O.R.D. LEXIS 1826. 

[2] See Monaghan v. Downingtown Area Sch. Dist., OOR Dkt. AP 2021-0369, 2021 PA O.O.R.D. LEXIS 1359; Ortiz v. Pa. Dep’t of Corr., OOR Dkt. AP 2017-2193, 2017 PA O.O.R.D. LEXIS 1819; Wishnefsky v. Pa. Dep’t of Corr., OOR Dkt. AP 2011-0171, 2011 PA O.O.R.D. LEXIS 172.

[3] Pryzbeyszewski v. Pa. Dep’t of Corr., OOR Dkt. AP 2012-2112, 2013 PA O.O.R.D. LEXIS 18.

[4] Pingue v. Uwchlan Twp. Police Dep’t., OOR Dkt. AP 2022-2059, 2022 PA O.O.R.D. LEXIS 2524.

[5] Williams v. Pa. Dep’t of Corr., 2016 Pa. Commw. Unpub. LEXIS 432, *4 (Pa. Commw. Ct. 2016).

[6] Fennell v. City of Phila. Police Dep’t, OOR Dkt. AP 2016-0423, 2016 PA O.O.R.D. LEXIS 506. 

OOR’s 2023 Virtual Annual Training on Tuesday, November 14

The Office of Open Records (OOR) will conduct its annual Right-to-Know Law (RTKL) and Sunshine Act training on Tuesday, Nov. 14, at 10 a.m. This year’s session, which will be held via Microsoft Teams, will include the following topics:

  • Case Law and Court Opinion update
  • How to determine if a request is sufficiently specific
  • OOR E-File Appeal Portal practical tips and commonly used functions

The OOR’s Annual Training is free and open to everyone. Attendees will have ample opportunity to ask questions using the Microsoft Teams chat window.  Questions can also be submitted in advance by emailing RA-DCOORTRAINING@pa.gov.

Join us virtually on November 14 by clicking here to join the Microsoft Teams meeting.

Please test the link prior to the Annual Training. 

You may also listen to the webinar audio by joining via telephone at (267) 332-8737.  The Conference ID is 707 742 721#.

CLE credits are not available this year.

2023 Report on Right-To-Know Law Information Posted on Government Agency Websites

Today the OOR released a report demonstrating that most Pennsylvania government agencies provide Right-to-Know Law (RTKL) information on their websites. However, the compliance rate is lower than in our 2021 review. More encouragingly, all those notified to be out of compliance with this mandate proceeded to post information or pledged to do so in the near future.

The OOR’s report, “2023 Agency Website Review,” summarizes the findings of OOR’s review of a sample of 96 state and local agencies’ websites. Just 84 percent of agencies post something about the RTKL on their websites, a decline from 91 percent in 2021. As in the past report, compliance with the four specific mandated pieces of information varies significantly:

  • 84 percent provide contact information for the agency open records officer;
  • 48 percent provide contact information for the Office of Open Records or other applicable appeals officer;
  • 80 percent provide a request form; and
  • 54 percent provide regulations, policies, and procedures of the agency relating to the RTKL.

Almost three-quarters (73 percent) of agencies provide all of the first three items.

The report includes a sample RTKL webpage posting that can be found here.

Transparency Zone, September 2023

Bids are exempt prior to the award of a contract; records of an agency proposal evaluation committee are permanently exempt. 2023-1700

A request may be denied if the requester owes fees from a prior RTKL request.  2023-2074

Agency failed to prove that businesses’ contact information can be redacted from mowing bids. 2023-2066

Phone numbers, home addresses, dates of birth, and private citizens’ names may be redacted from a list of bike registrants. 2023-1684

Real estate appraisals and evaluations regarding a prospective property acquisition and construction project are exempt during the planning stages.  2023-1856

Exemptions, Explained: 708(b)(4)

The latest “Exemptions, Explained” blog post is the last of the four security-related exemptions. Section 708(b)(4) covers information technology security (or cybersecurity); Appeals Officer Berk Demiral provides the legal analysis. This exemption is rarely utilized, cited in just 108 appeals as of October 3, 2023. 

Section 708(b)(4) protects a “record regarding computer hardware, software and networks, including administrative or technical records, which, if disclosed, would be reasonably likely to jeopardize computer security.”

The intent behind this exemption is obvious; the release of a record should not lead to the unauthorized use of or access to an agency’s computer systems, network, or hardware.

There are two important points of consideration when assessing the applicability of the exemption under Section 708(b)(4).

Mere speculation of a security risk is not sufficient

As with all security exemptions, the agency must prove that the exemption applies by a preponderance of the evidence. Although the agencies may meet their burden to prove the exemption’s application by submitting affidavits or attestations, the Commonwealth Court has held that “[a]n agency must offer more than speculation or conjecture to establish the security-related exemptions….”[1]

For example, an agency recently defended its decision to withhold a record based on the computer security exemption by submitting an attestation “which provide[d] extensive detail regarding the multiple possible ways that an actor with bad intent could use the invoice information to compromise or infiltrate the [Agency’s], and ultimately the Commonwealth’s, [Information Technology] systems.”[2] Specifically, the agency provided a verified statement from its Information Technology Security Risk Manager, who stated that, if disclosed, the responsive information would directly lead to cybercriminals identifying particular equipment, such as routers, firewalls, and other computer equipment, and reveal vulnerable information such as account information, contacts, and purchasing information. Such identification and revelation would then allow bad actors to engage in phishing attacks, upload malware to corrupt existing software or place an “imposter” device within the agency’s network.

In contrast, an agency providing only conclusory and speculative evidence regarding potential risks will not succeed in meeting its burden of proving that the cybersecurity exemption is applicable. An agency must show that the risk of harm caused by the potential disclosure is more than mere speculation; the risk must be substantial, demonstrable, and real or apparent.[3]

In other words, the purported evidence of a potential security threat must be tangible and not easily discredited. As an example, an agency failed to prove that the cybersecurity exemption applied when it claimed that granting access to phone numbers and email addresses of employees would pose a security risk, but a review of the County’s website showed that a large portion of employees highlighted in their various official capacities had their County email addresses and telephone numbers listed for the public’s viewing and use.[4]

In sum, a persuasive attestation or affidavit will likely come from a person with the skills and information necessary to comment on cybersecurity matters and will include a description and explanation of the alleged risks and how they directly relate to the potential disclosure of the withheld information. By contrast, if the agency’s evidence is readily discredited, merely states the language of the security exemption without providing relevant background facts, or fails to explain the basis and correlation between the risk and the disclosure, then such evidence will likely fall short of establishing the cybersecurity exemption.

Financial aspects of IT record may not be exempt

It is important to note that the RTKL explicitly and specifically makes financial records public.[5] As such, if financial records are responsive to a request, the computer security exemption only permits the agencies to redact portions directly implicated as causing the security risk. The agencies may not withhold the entirety of the record from public access.

For example, although an agency may meet the burden to prove that the list of items on purchase order invoices is exempt, it has to grant access to the remainder of the responsive invoices without obscuring the dates, quantity figures, and dollar amounts for each item.[6]  


[1] California Borough v. Rothey, 185 A.3d 456, 468 (Pa. Commw. Ct. 2018).

[2] Holloway v. Pennsylvania Dep’t of General Services, OOR Dkt. AP 2023-1478, 2023 PA O.O.R.D. LEXIS 1671.

[3] McGinnis v. Neshaminy School District, OOR Dkt. AP 2019-2239, 2020 PA O.O.R.D. LEXIS 1475.

[4] Mezzacappa v. Northampton County, OOR Dkt. AP 2022-2077, 2022 PA O.O.R.D. LEXIS 2501.

[5] 65 P.S. § 67.708(c).

[6] See Holloway; see also Nolen v. Pa. Office of Admin., OOR Dkt. AP 2018-0377, 2018 PA O.O.R.D. LEXIS 524.


Transparency Zone, August 2023

A municipality is not required to contact the third-party tax collector for records under Sections 901 or 506(d) of the RTKL. 2023-1553

A school district did not prove that records exchanged between its solicitor and counsel for an entity which purchased real estate are confidential under the Rules of Professional Conduct. 2023-1785

An agency failed to prove that letters of interest the agency received for the position of Solicitor reflect the agency’s internal, predecisional deliberations or are protected by the attorney-client privilege. 2023-1427

A municipality failed to prove that plans submitted as part of a zoning application are protected from disclosure under the Uniform Construction Code. 2023-1656