17-ORD-135

Opinion

Opinion By: Andy Beshear,Attorney General;James M. Herrick,Assistant Attorney General

Open Records Decision

The question presented in this appeal is whether the Glasgow Electric Plant Board ("EPB") violated the Open Records Act in partially denying Jeff Jobe's May 30, 2017, request for "a printed copy or access to an electronic [ sic ] of [d]etails for the 350 property owners who participated in the [SET] program and details associated with the charges tied to those properties." For the reasons stated below, we find a violation of the Act insofar as names were not disclosed.

The Smart Energy Technologies ("SET") project is a research initiative of the Tennessee Valley Authority (TVA), in cooperation with local power companies, "to reduce emissions by managing real-time energy demand through integrated technology. " 1 The Glasgow EPB was awarded $ 7,430,000.00 by TVA as a partner in the SET project "to test the integration of ultra-efficient homes with smart grid technologies, " which included upgrades to insulation, heating, cooling, and other technologies in approximately 350 "occupied homes in the Glasgow area." 2

As related by attorney H. Jefferson Herbert, Jr., in Glasgow EPB's response to this appeal dated June 22, 2017, Mr. Jobe's May 30 request was preceded by two requests made on his behalf by Mr. Sam Terry. In response to those requests, Mr. Herbert states, Glasgow EPB provided "all of the information relating to the SET Project ? with the sole exception of the names of the participants." (Emphasis in original.) Mr. Jobe, in his May 30 letter, explained the basis for his latest request as follows:

I understand there are some 350 individuals who have participated in the program by getting upgraded appliances, thermostats, and various other items associated with the $ 7.4M program. I have reason to believe there are 5 pages of data regarding numbers and amounts charged with each of these customers. I have been told some have as much as $ 50,000 charged to the specific address/participant.

In the interest of full disclosure, Mr. [William] Ray [Superintendent of Glasgow EPB] has disclosed that he received service and products himself .. ..

?

[B]ecause our elected official [ sic ], employees, contractors, their employees and even the media in our community could be part of the protected identities of the $ 7.4M project[, I believe] that any of us not wanting this disclosure could have a shadow of doubt cast upon us.

(Emphasis added.)

In a response dated June 1, 2017, Glasgow EPB Superintendent William Ray contended that Mr. Jobe's request was "too broad" and did not request "specific documents." He further asserted:

[A]ccount holder names associated with the work order information already provided to you [constitute] information of a personal nature, the public disclosure of which would constitute a clearly unwarranted invasion of personal privacy, and thus [are] excluded from the application of the Open Records Act, pursuant to KRS 61.878(1)(a) ?

In response to further correspondence from Mr. Jobe, Mr. Ray gave a more detailed response on June 8, 2017:

The only information we have withheld is Personally Identifiable Information (PII) which would tie property owners to the work order numbers for each participant site. ? We feel that KRS 61.878(1)(a) clearly makes that PII exempt. We further direct you to the additional exemption language in KRS 61.878(1)(c)(2)(a), as this PII was gathered during the process of performing the requirements of a grant from Tennessee Valley Authority (TVA).

Mr. Ray cited four "excerpts from documents that form the core of EPB's contractual requirement to protect the personal information," which he described as "four layers of privacy requirements dictated by TVA to Glasgow EPB." Mr. Jobe initiated this appeal on June 12, 2017.

Sufficiency under KRS 61.872(3)(b)

We address first the EPB's argument that Mr. Jobe's request was insufficiently specific. With regard to requests to receive copies by mail, KRS 61.872(3)(b) provides, in pertinent part:

The public agency shall mail copies of the public records to a person whose residence or principal place of business is outside the county in which the public records are located after he precisely describes the public records which are readily available within the public agency. 3

(Emphasis added.) "A request must be specific enough so that a public agency can identify and locate the records in question." OAG 89-8. It must not be "so nonspecific as to preclude the custodian from determining what, if any, existing records it might encompass." 96-ORD-101. At the same time, "an open records request should not require the specificity and cunning of a carefully drawn set of discovery requests."

Com. v. Chestnut, 250 S.W.3d 655, 662 (Ky. 2008) (internal quotation omitted). In this case, Mr. Jobe alluded to "5 pages of data regarding numbers and amounts charged with each of these customers, " and the EPB by its own admission had already located records containing all the requested information, withholding only the names of the property owners. Accordingly, we do not find that Mr. Jobe's follow-up request was insufficiently precise under KRS 61.872(3)(b).

Applicability of KRS 61.878(1)(c)2.a .

Next, we examine Glasgow EPB's argument under KRS 61.878(1)(c)2.a. This subsection exempts from public disclosure:

records confidentially disclosed to an agency or required by an agency to be disclosed to it, generally recognized as confidential or proprietary, which are compiled and maintained [i]n conjunction with an application for or the administration of a loan or grant[.]

In relying on this exception, a public agency must establish that the records withheld: (1) are confidentially disclosed to the agency or required by the agency to be disclosed to it; (2) are generally recognized as confidential or proprietary; and (3) are compiled and maintained in conjunction with an application for or the administration of a loan or grant. 04-ORD-171. It appears that the withheld information satisfies the third "prong" of this three-part test, inasmuch as the names of participating property owners were compiled and maintained in conjunction with the administration of the TVA grant. The question that remains is whether those names were "confidentially disclosed" to Glasgow EPB and constitute information that is "generally recognized as confidential or proprietary. " 4

In support of its argument, the EPB cites four purported "layers of privacy requirements" from documents associated with the SET project. The first of these is language from Section 5.6 of TVA's Request for Proposals (RFP) requiring certain types of protection for personally identifiable information:

The proposal must describe the system or process whereby the proposing entity [Glasgow EPB] shall preserve all data, invoices, proof of payment, and expense accounting related to implementation of the SET project ? At a minimum, the document retention system must provide encryption for data storage, must provide data encryption for the transfer of data (SSL), and must comply with federal regulations for personally identifiable information (PII).

As a definition of PII, attaches a July 15 2011, document by "DON CIO Privacy Team" titled "What Is Personally Identifiable Information?" This document breaks down PII into "sensitive" and "non-sensitive" categories with a view to "reporting a loss or compromise of PII ? or determining when a Privacy Impact Assessment (PIA) is required for an information technology system."

The "sensitive PII elements" category includes "[n]ame and other names used," whereas the "non-sensitive" list includes a catch-all item for "[o]ther information that is releasable to the public."

For purposes of determining whether individual notifications would be required if there were a PII breach or whether a PIA was required for an IT system that collects PII, PII elements are categorized as PII (i.e., if this information was lost or compromised it could potentially result in harm or identity theft) or non-sensitive PII, also known as Internal Government Operations or business related PII (i.e., the risk of harm or identity theft associated with the loss or compromise would be minimal to non-existent). Non-sensitive PII is considered releasable to the public per DoD 5400, 11-R (see paragraph C4.2.2.5).

The context of any loss or compromise of PII must be taken into account when determining risk. For example, a list of personnel with office phone numbers would be considered non-sensitive PII. However, if this same list also indicated that these individuals had contracted a terminal disease it would now be considered sensitive PII.

We construe this "first layer" in the RFP as its context indicates, which is merely a requirement for the electronic protection of sensitive PII against accidental "loss," "breach," or "compromise." Glasgow EPB has provided no citation to any federal regulation mandating PII to be categorically withheld from disclosures pursuant to state open records laws. Therefore, we find nothing in this document to pose any per se prohibition against disclosure of the names in question.

"Layer 2," as described by the EPB, is an excerpt from its response to the RFP, indicating, inter alia , that "[a]ll documents regarding the project will be stored in GEPB's accounts receivable software which is located on a non-public network only accessible by GEPB authorized personnel" and "[a]ny requests for documentation will be provided to authorized parties via email and PGP using the public signing key of the requesting party." Again, the document is addressed to the electronic protection of project documents, with no indication of the confidentiality of any information vis-`-vis requests from the public.

"Layer 3," from the contract between TVA and Glasgow EPB, contains the following language:

The Contractor [Glasgow EPB] shall cooperate with TVA or its authorized representative (s) in performing evaluation, measurement, and verification (EM&V) of the Work. Information accessed for EM&V may include, but is not limited to, electricity metering data, onsite verification of installations and program compliance, project records, and project site billing records. All information collected will be held confidentially and will only be used by TVA or its authorized representative (s) for program analysis purposes .

(Contract, Section 9.1(b) (emphasis added).) In context, we construe this language as referring only to EM&V data, as defined in that paragraph. Furthermore, the use of "will" rather than "shall" appears to be an assurance from TVA about the use it will make of the data, as opposed to a duty imposed by TVA upon Glasgow EPB. The contract additionally states:

Contractor agrees not to divulge to third parties, without the prior written consent of TVA, any information that a prudent business person would consider sensitive or which is designated by TVA as proprietary or confidential , obtained from or through TVA or developed or obtained by Contractor in connection with the performance of this Contract. Access to sensitive TVA information must be approved in advance by TVA's Contracting Officer and CTS. If so requested by TVA, Contractor further agrees to require its employees to execute a nondisclosure agreement prior to performing any services under this Contract. Notwithstanding the above, the preceding shall not apply if the information was public knowledge, already known by Contractor, was obtained by Contractor from a third party who did not receive the information from TVA , was independently developed by Contractor's employees who did not have access to such information, or the information was disclosed as required by law provided that any [sic] prior to any such disclosure Contractor shall provide advance written notice to TVA before any disclosure is made. . . .

(Contract, Section 11.4(a) (emphasis added).)

While there is still no indication that TVA has designated the names of property owners as "proprietary or confidential, " let us assume for the moment that these names are "information that a prudent business person would consider sensitive." Two exceptions in the contractual language would immediately come into play. First, the agreement "not to divulge to third parties" is inapplicable if the information was obtained by Glasgow EPB "from a third party who did not receive the information from TVA." Presumably Glasgow EPB obtained the identities of its customers from the customers themselves, who certainly did not learn their own names from TVA. Second, any sensitive information may be "disclosed as required by law" upon written notice to TVA. Therefore, Section 11.4(a) of the contract creates no obstruction to disclosure of names if required by the Open Records Act.

Finally, "Layer 4" identified by the EPB consists of paragraphs 9 and 10 of the contract executed by each property owner participating in the SET program:

9. I understand that EPB or TVA may publish or disclose to others information obtained from the Project, but that they will not voluntarily release, other than to those employees or agents of EPB or TVA, or other parties necessarily involved in conducting the Project, information which could personally identify me, or members of my family, except as required by law .

10. Applicant shall cooperate with TVA or its authorized representative in performing evaluation, measurement, and verification (EM&V) of the Project. Information accessed for the EM&V may include, but is not limited to, electricity metering data, onsite verification of installations and Program compliance, Project records, and project site billing records. All information collected will be held confidentially and will be used by TVA or its authorized representative for Program analysis purposes only. . . .

(Emphasis added.) We find in paragraph 10 the same type of language as in "Layer 3" with regard to EM&V data, and likewise construe it as applying only to such data. Paragraph 9 contains the only direct assurance of confidentiality as to personally identifiable information; yet even that assurance allows disclosure "as required by law." Thus, access under the Open Records Act is not impeded unless an exception applies.

Returning to the three-prong test under KRS 61.878(1)(c)2.a., while the names of property owners may have been "confidentially disclosed" to Glasgow EPB (except where disclosure to others is required by law), there is nothing in the record to establish that the information is " generally recognized as confidential and proprietary ." (Emphasis added.) Glasgow EPB has presented certain documents relevant to this specific set of transactions showing that there was some limited assurance of confidentiality, but nothing to indicate a general custom or usage regarding such confidentiality. Nor has any argument been made as to why the names of property owners who participated in the SET project should be regarded as "proprietary" information of Glasgow EPB. We therefore find that Glasgow EPB has not met its burden of proof with respect to KRS 61.878(1)(c)2.a.

Applicability of KRS 61.878(1)(a)

We turn, therefore, to Glasgow EPB's argument that the names of the participating property owners are protected from disclosure by KRS 61.878(1)(a), which excludes from the application of the Open Records Act "[p]ublic records containing information of a personal nature where the public disclosure thereof would constitute a clearly unwarranted invasion of personal privacy. " This language "reflects a public interest in privacy, acknowledging that personal privacy is of legitimate concern and worthy of protection from invasion by unwarranted public scrutiny," while the Open Records Act as a whole "exhibits a general bias favoring disclosure" and places the burden of establishing an exemption on the public agency.

Kentucky Board of Examiners of Psychologists v. Courier-Journal and Louisville Times Co., 826 S.W.2d 324, 327 (Ky. 1992). A privacy analysis therefore necessitates a "comparative weighing of the antagonistic interests. Necessarily, the circumstances of a particular case will affect the balance. [T]he question of whether an invasion of privacy is 'clearly unwarranted' is intrinsically situational, and can only be determined within a specific context." Id. at 327-28.

The public interest in open records has been analyzed as follows by the Kentucky Court of Appeals:

At its most basic level, the purpose of disclosure focuses on the citizens' right to be informed as to what their government is doing. That purpose is not fostered however by disclosure of information about private citizens that is accumulated in various government files that reveals little or nothing about an agency's own conduct.


Zink v. Com., Dept. of Workers' Claims, Labor Cabinet, 902 S.W.2d 825, 829 (Ky. App. 1994). In this case, it must be said that the selection of individual property owners to receive technological upgrades to their homes is a matter that does reveal important information about Glasgow EPB's own conduct. Therefore, the public interest in disclosure is substantial.

As to the privacy interest, we begin by considering "whether the subject information is of a 'personal nature.'" Zink, 902 S.W.2d at 828. We have long recognized that "a person's name is personal but it is the least private thing about him." OAG 82-234. The fact that an individual was selected for the SET project does not reveal any invasive details, such as health or financial information, but only whether a benefit was conferred on that person with TVA funds. Therefore, the invasion of privacy from disclosing the names is minimal.

Nor is the privacy interest heightened by any assurances of anonymity made in the contract signed by the property owners. In

Cape Publications, Inc. v. University of Louisville Foundation, Inc., 260 S.W.3d 818, 824 (Ky. 2008), the Supreme Court of Kentucky recognized a heightened privacy interest in the identities of anonymous donors to a foundation because "each donor believed, at the time of the gift, that the donation was being made to a private entity." Here, by contrast, the participating property owners knew they were dealing with a public agency in the Glasgow EPB. Furthermore, any assurances of anonymity were qualified by a notification that identifying information could be disclosed as required by law. Accordingly, the privacy interest is not significant.

In 98-ORD-189, we found that the public interest in disclosure outweighed any privacy interest in the names of Lawrence County residents who received free sewer taps. On that occasion we cited OAG 78-828, which stated:

There is no general law protecting the privacy of . . . benefits received from public agencies. On the contrary the public is granted access to such information by the Open Records Law. A receiving of public benefits is not a matter of personal privacy as referred to in KRS 61.878(1)(a).

See also OAG 89-36 ("the public is entitled to inspect public records regarding improvement of private property with federal grant monies").

Moreover, in the present appeal, the public interest is heightened by Mr. Jobe's uncontested allegation that the Superintendent of Glasgow EPB was one of the property owners who benefited from the SET project, which understandably calls into question the basis on which participants were selected. "Government action should be open and subject to review in order to foster confidence and trust as well as to ensure that public funds are properly spent." OAG 96-43. We therefore find that the substantial public interest in disclosure of the names of participants in the SET project outweighs any minimal privacy interest under KRS 61.878(1)(a).

Conclusion

The agency's burden of proof under KRS 61.880(2)(c) has not been met as to the applicability of KRS 61.878(1)(c)2.a. or KRS 61.878(1)(a). For this reason, we find that Glasgow EPB violated the Open Records Act by withholding the names in question. 5

A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General must be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.

Footnotes

Footnotes

1 TVA press release, September 3, 2015, "Projects Target Energy Efficiency in Five TVA-Served Communities."

2 TVA press release, April 28, 2015, "Glasgow EPB, Partners Receive Smart Energy Technologies Award."

3 Glasgow EPB has not argued that Mr. Jobe does not qualify to receive copies of records by mail.

4 We take into account the public agency's burden of proof in sustaining its action under KRS 61.880(2)(c), along with the admonition in KRS 61.871 that "free and open examination of public records is in the public interest and the exceptions provided for by KRS 61.878 . . . shall be strictly construed, even though such examination may cause inconvenience or embarrassment to public officials or others."

5 Mr. Jobe's request also sought the identities of contractors who worked on the SET project. According to the responses from Glasgow EPB, Mr. Jobe was given that information, although Mr. Jobe at times seems to imply that he was not. To the extent those identities may have been withheld, in whole or in part, we find nothing in the record to justify such an omission.

Disclaimer:
The Sunshine Law Library is not exhaustive and may contain errors from source documents or the import process. Nothing on this website should be taken as legal advice. It is always best to consult with primary sources and appropriate counsel before taking any action.
Requested By:
Jeff Jobe
Agency:
Glasgow Electric Plant Board
Type:
Open Records Decision
Lexis Citation:
2017 Ky. AG LEXIS 95
AG Original File:
Original on AG Site
Cites:
Neighbors

Support Our Work

The Coalition needs your help in safeguarding Kentuckian's right to know about their government.

Give to the Coalition