June 19, 2001
The staff of the Committee on Open Government is authorized to issue advisory opinions. The
ensuing staff advisory opinion is based solely upon the information presented in your
I have received your letter, as well as the materials attached to it. You have asked that the
Committee "investigate" with respect to the collection and dissemination of records by the State
University College at Oswego that include your social security number.
In this regard, the Committee on Open Government is authorized to offer advice and opinions
concerning public access to and the disclosure of government records. This office, however, has
neither the staff nor the statutory capacity to conduct what may be characterized as an
"investigation." Nevertheless, in an effort to provide assistance to you and guidance to officials at
the College, I offer the following commentary, much of which is a reiteration of an advisory opinion
prepared at the request of another member of the College faculty more than five years ago.
An initial issue, in my view, involves the authority of the College to require the submission
of a social security number. Pertinent to the matter is the federal Privacy Act (5 USC §552a).
Although the Privacy Act generally applies only to federal agencies, provisions within the Act
concerning the ability of government to obtain social security numbers also apply to entities of state
and local government. Section 7 of the Act states that:
"(a)(1) [I]t shall be unlawful for any Federal, State or local
government agency to deny to any individual any right, benefit, or
privilege provided by law because of such individual's refusal to
disclose his social security number.
(2) the provision of paragraph (a) of this subsection
shall not apply with respect to --
(A) any disclosure which is required by Federal Statute, or
(B) the disclosure of a social security number to any Federal,
State, or local agency maintaining a system of records in existence
and operating before January 1, 1975, if such disclosure was required
under statute or regulation adopted prior to such date to verify the
identity of an individual
(b) Any Federal, State, or local government agency which requests
an individual to disclose his social security account number shall
inform that individual whether that disclosure is mandatory or
voluntary, by what statutory or other authority such number is
solicited, and what uses will be made of it."
The quoted provision places limitations upon the collection and use of social security numbers by
government, and unless "grandfathered in" under the Privacy Act, agencies cannot require the
submission of social security numbers, except in conjunction with social security or other statutorily
Next, with respect to the disclosure or dissemination of a social security number of an
employee, two state statutes, the Freedom of Information Law and the Personal Privacy Protection
Law (respectively Articles 6 and 6-A of the Public Officers Law), are relevant to an analysis of the
matter. Because of the language of those statutes, they must be construed together and in relation
to one another.
By way of background, the Freedom of Information Law includes within its coverage all
agency records and is based upon a presumption of access. Stated differently, all records of an
agency are available, except to the extent that records or portions thereof fall within one or more
grounds for denial appearing in §87(2)(a) through (i) of the Law.
The Personal Privacy Protection Law deals in part with the disclosure of records or personal
information by state agencies concerning data subjects. A "data subject" is "any natural person about
whom personal information has been collected by an agency" [Personal Privacy Protection Law,
§92(3)]. "Personal information" is defined to mean "any information concerning a data subject
which, because of name, number, symbol, mark or other identifier, can be used to identify that data
subject" [§92(7)]. For purposes of that statute, the term "record" is defined to mean "any item,
collection or grouping of personal information about a data subject which is maintained and is
retrievable by use of the name or other identifier of the data subject" [§92(9)].
With respect to disclosure, §96(1) of the Personal Privacy Protection Law states that "No
agency may disclose any record or personal information", except in conjunction with a series of
exceptions that follow. One of those exceptions involves a situation in which a record is "subject
to article six of this chapter [the Freedom of Information Law], unless disclosure of such information
would constitute an unwarranted invasion of personal privacy as defined in paragraph (a) of
subdivision two of section eighty-nine of this chapter." Section 89(2-a) of the Freedom of
Information Law states that "Nothing in this article shall permit disclosure which constitutes an
unwarranted invasion of personal privacy as defined in subdivision two of this section if such
disclosure is prohibited under section ninety-six of this chapter." Therefore, if a state agency cannot
disclose records pursuant to §96 of the Personal Protection Law, it is precluded from disclosing to
the public under the Freedom of Information Law.
From my perspective, based on judicial interpretations, public disclosure of a social security
number, absent the consent of a data subject, constitutes an unwarranted invasion of personal
privacy. One element of a series of decisions is the finding that public officers and employees enjoy
a lesser degree of privacy than others, for it has been found in various contexts that those individuals
are required to be more accountable than others. The courts have determined that, as a general rule,
records that are relevant to the performance of the official duties of a public officer or employee are
available, for disclosure in such instances would result in a permissible rather than an unwarranted
invasion of personal privacy [see e.g., Farrell v. Village Board of Trustees, 372 NYS 2d 905 (1975);
Gannett Co. v. County of Monroe, 59 AD 2d 309 (1977), aff'd 45 NY 2d 954 (1978); Sinicropi v.
County of Nassau, 76 AD 2d 838 (1980); Geneva Printing Co. and Donald C. Hadley v. Village of
Lyons, Sup. Ct., Wayne Cty., March 25, 1981; Montes v. State, 406 NYS 2d 664 (Court of Claims,
1978); Powhida v. City of Albany, 147 AD 2d 236 (1989); Scaccia v. NYS Division of State Police,
530 NYS 2d 309, 138 AD 2d 50 (1988); Steinmetz v. Board of Education, East Moriches, Sup. Ct.,
Suffolk Cty., NYLJ, Oct. 30, 1980); Capital Newspapers v. Burns, 67 NY 2d 562 (1986)].
Conversely, to the extent that items relating to public officers or employees are irrelevant to the
performance of their official duties, it has been found that disclosure would indeed constitute an
unwarranted invasion of personal privacy [see e.g., Matter of Wool, Sup. Ct., Nassau Cty., NYLJ,
Nov. 22, 1977, dealing with membership in a union; Minerva v. Village of Valley Stream, Sup. Ct.,
Nassau Cty., May 20, 1981, involving the back of a check payable to a municipal attorney that could
indicate how that person spends his/her money; Seelig v. Sielaff, 200 AD 2d 298 (1994), concerning
disclosure of social security numbers].
Because the State University is a state agency subject to the Personal Privacy Protection Law,
I believe that it and the College, as a component of the University, are precluded from releasing
records to the public the disclosure of which would constitute an unwarranted invasion of personal
privacy. Pertinent to the matter is a decision cited earlier, Seelig v. Sielaff, supra. In Seelig, the
lower court enjoined a New York City agency from releasing the social security numbers of
correction officers without their written consent. While the Appellate Division agreed that
disclosure of social security numbers would result in an unwarranted invasion of correction officers'
privacy, the Court unanimously reversed and vacated the judgment because the agency involved is
an entity of local government. Specifically, it was found that:
"The injunctive relief granted by the IAS Court was based upon
Public Officers Law §92 (1), part of this State's Personal Privacy
Protection Law. That law by its own terms excepts the judiciary, the
State Legislature, and 'any unit of local government' from its purview.
Consequently, the relief granted against the respondents was
improper" (id., 299).
While a local government may opt to disclose personal information, even when disclosure would
result in an unwarranted invasion of personal privacy, a state agency subject to the Personal Privacy
Protection Law would be prohibited from so doing.
In sum, I do not believe that a state agency, such as the College, can validly disseminate the
social security numbers of its employees (or others, such as students) to the public, without the
consent of the subjects of those items, for the Personal Privacy Protection Law essentially forbids
Also pertinent to the matter is §96(1)(b) of the Personal Privacy Protection Law. That
provision permits, but does not require, the disclosure of personal information relating to a data
subject when the disclosure is:
"to those officers and employees of, and to those who contract with,
the agency that maintains the record if such disclosure is necessary to
the performance of their official duties pursuant to a purpose of the
agency required to be accomplished by statute or executive order or
necessary to operate a program specifically authorized by law..."
Based on the foregoing, in order to disclose social security numbers to staff or employees at the
College, I believe that two conditions must be met: first, that those items are "necessary to the
performance of [the] official duties" of the staff or employees who seek or acquire the social security
numbers; and second, that disclosure of those items is accomplished in order to comply with law or
necessary to "operate a program specifically authorized by law."
In my view, it is questionable whether either of conditions can be met in the circumstances
that you presented.
I hope that I have been of assistance.
Robert J. Freeman
cc: William Brown
John F. Lalande, II