Dr. Leland C. Marsh
Dr. James L. Seago, Jr.
SUNY College at Oswego
Oswego, NY 13126
The staff of the Committee on Open Government is authorized to issue advisory opinions. The ensuing staff advisory opinion is based solely upon the information presented in your correspondence.
Dear Drs. Marsh and Seago:
Your memorandum of November 9 transmitted to the Attorney General and the Acting President of SUNY College at Oswego ("the College") has been transmitted to the Committee on Open Government. The Committee, a unit of the Department of State, is authorized to provide advice pertaining to the Personal Privacy Protection and Freedom of Information Laws.
You complained that documents have been disseminated that include the names and social security numbers of employees of the College, and that they can and have been viewed by staff members, students, and others. Neither you nor other employees provided authorization to release your social security numbers. In addition, you wrote that "broad dissemination of [y]our social security numbers as public documents available to the public is now normal practice for this institution."
In my opinion, based on the following analysis, the College cannot publicly disclose its employees' social security numbers without their consent.
Two statutes, the Freedom of Information Law and the Personal Privacy Protection Law (respectively Articles 6 and 6-A of the Public Officers Law), are pertinent to the matter. Because of the language of those statutes, they must be construed together and in relation to one another.
By way of background, the Freedom of Information Law includes within its coverage all agency records and is based upon a presumption of access. Stated differently, all records of an agency are available, except to the extent that records or portions thereof fall within one or more grounds for denial appearing in §87(2)(a) through (i) of the Law.
The Personal Privacy Protection Law deals in part with the disclosure of records or personal information by state agencies concerning data subjects. A "data subject" is "any natural person about whom personal information has been collected by an agency" [Personal Privacy Protection Law, §92(3)]. "Personal information" is defined to mean "any information concerning a data subject which, because of name, number, symbol, mark or other identifier, can be used to identify that data subject" [§92(7)]. For purposes of that statute, the term "record" is defined to mean "any item, collection or grouping of personal information about a data subject which is maintained and is retrievable by use of the name or other identifier of the data subject" [§92(9)].
With respect to disclosure, §96(1) of the Personal Privacy Protection Law states that "No agency may disclose any record or personal information", except in conjunction with a series of exceptions that follow. One of those exceptions involves a situation in which a record is "subject to article six of this chapter [the Freedom of Information Law], unless disclosure of such information would constitute an unwarranted invasion of personal privacy as defined in paragraph (a) of subdivision two of section eighty-nine of this chapter." Section 89(2-a) of the Freedom of Information Law states that "Nothing in this article shall permit disclosure which constitutes an unwarranted invasion of personal privacy as defined in subdivision two of this section if such disclosure is prohibited under section ninety-six of this chapter." Therefore, if a state agency cannot disclose records pursuant to §96 of the Personal Protection Law, it is precluded from disclosing under the Freedom of Information Law.
From my perspective, based on judicial interpretations, public disclosure of a social security number, absent the consent of a data subject, constitutes an unwarranted invasion of personal privacy. One element of a series of decisions is the finding that public officers and employees enjoy a lesser degree of privacy than others, for it has been found in various contexts that those individuals are required to be more accountable than others. The courts have determined that, as a general rule, records that are relevant to the performance of the official duties of a public officer or employee are available, for disclosure in such instances would result in a permissible rather than an unwarranted invasion of personal privacy [see e.g., Farrell v. Village Board of Trustees, 372 NYS 2d 905 (1975); Gannett Co. v. County of Monroe, 59 AD 2d 309 (1977), aff'd 45 NY 2d 954 (1978); Sinicropi v. County of Nassau, 76 AD 2d 838 (1980); Geneva Printing Co. and Donald C. Hadley v. Village of Lyons, Sup. Ct., Wayne Cty., March 25, 1981; Montes v. State, 406 NYS 2d 664 (Court of Claims, 1978); Powhida v. City of Albany, 147 AD 2d 236 (1989); Scaccia v. NYS Division of State Police, 530 NYS 2d 309, 138 AD 2d 50 (1988); Steinmetz v. Board of Education, East Moriches, Sup. Ct., Suffolk Cty., NYLJ, Oct. 30, 1980); Capital Newspapers v. Burns, 67 NY 2d 562 (1986)]. Conversely, to the extent that items relating to public officers or employees are irrelevant to the performance of their official duties, it has been found that disclosure would indeed constitute an unwarranted invasion of personal privacy [see e.g., Matter of Wool, Sup. Ct., Nassau Cty., NYLJ, Nov. 22, 1977, dealing with membership in a union; Minerva v. Village of Valley Stream, Sup. Ct., Nassau Cty., May 20, 1981, involving the back of a check payable to a municipal attorney that could indicate how that person spends his/her money; Seelig v. Sielaff, 200 AD 2d 298 (1994), concerning disclosure of social security numbers].
Because the State University is a state agency subject to the Personal Privacy Protection Law, I believe that it and the College, as a component of the University, are precluded from releasing records to the public the disclosure of which would constitute an unwarranted invasion of personal privacy. Pertinent to the matter is a decision cited earlier, Seelig v. Sielaff, supra. In Seelig, the lower court enjoined a New York City agency from releasing the social security numbers of correction officers without their written consent. While the Appellate Division agreed that disclosure of social security numbers would result in an unwarranted invasion of correction officers' privacy, the Court unanimously reversed and vacated the judgment because the agency involved is an entity of local government. Specifically, it was found that:
"The injunctive relief granted by the IAS Court was based upon Public Officers Law §92 (1), part of this State's Personal Privacy Protection Law. That law by its own terms excepts the judiciary, the State Legislature, and 'any unit of local government' from its purview. Consequently, the relief granted against the respondents was improper" (id., 299).
While a local government may opt to disclose personal information, even when disclosure would result in an unwarranted invasion of personal privacy, a state agency subject to the Personal Privacy Protection Law would be prohibited from so doing.
In sum, I do not believe that a state agency, such as the College, can validly disseminate the social security numbers of its employees (or others, such as students) to the public, without the consent of the subjects of those items, for the Personal Privacy Protection Law essentially forbids such disclosure.
In an effort to enhance compliance with and understanding of applicable law, a copy of this opinion will be forwarded to the Acting President of the College. I hope that I have been of assistance.
Robert J. Freeman
cc: Deborah Stanley, Acting President, SUNY College at Oswego
Hon. Dennis C. Vacco, Attorney General
Kenneth Roldan, Assistant Attorney General
Carolyn Pasley, SUNY Associate Counsel