Recent changes modernizing New Jersey’s Open Public Records Act (OPRA) include expanded protections against the release of certain sensitive information and personal identifying information. While privacy protections were bolstered through these changes, they do not create a total exception to the release of information such as names, email addresses, or phone numbers. Records custodians should be mindful when identifying information that should be redacted. This blog will take a closer look at the updated OPRA law and provide additional insights into these privacy protections.
How have privacy protections been bolstered?
Privacy protections have been bolstered by expanding exclusions on the types of documents or portions thereof that are considered to be government records. This prevents certain documents and information within those documents from being disclosed through an OPRA request.
The amended OPRA also includes a new definition for the term “personal identifying information.” This term is used to further expand on the type of data elements that must be redacted or withheld from specific types of records.
What is personal identifying information?
The updated law defines personal identifying information to mean “information that may be used, alone or in conjunction with any other information, to identify a specific individual. It includes, but may not be limited to, the following data elements: name, social security number, credit card number, debit card number, bank account information, month and day of birth, any personal email address required by a public agency for government applications, services, or programs, personal telephone number, the street address portion of any person’s primary or secondary home address, or driver license number of any person.” (N.J.S.A. 47:1A-1.1)
Personal identifying information specifically does not include any street address, mailing address, email address, or telephone number of a public agency, or the email address of a governmental affairs agent.
While the definition of personal identifying information includes examples of specific data elements, it is worth noting that it may include additional data or information not specifically named. Custodians should be aware in instances where records require redaction of personal identifying information that additional redactions may be necessary if the information provided within the record or in conjunction with other information could lead to the identification of a specific individual. The boundaries of what this could be is something that will likely need to be considered through litigation in challenges to denials of requests.
What documents or portions thereof are no longer considered government records?
One of the key pieces of the OPRA update was to expand upon those documents, or portions thereof, excluded from the definition of government record. Prior to the changes, OPRA excluded social security numbers, credit card numbers, unlisted telephone numbers, and driver license numbers of any person from being considered a disclosable government record.
The updated law expands and amends these exclusions to include social security numbers, credit card numbers, debit card numbers, bank account information, month and date of birth, any personal email address required by a public agency for government applications, services, or programs, any telephone number or driver's license number of any person. (N.J.S.A. 47:1A-5)
Also excluded from being a government record are specific types of records and portions of records that include personal identifying information.
What information must be redacted?
The type of information that must be redacted differs depending on the type of record requested. Custodians should take note that in most instances, only those portions of records that disclose the exempt information or personal identifying information are excluded as a government record. All other portions of such records are eligible for disclosure under OPRA.
All Records
For all records, custodians should continue their practice of redacting social security numbers, credit card numbers, and driver’s license numbers. New under the updated OPRA, custodians must now also redact debit card numbers, bank account information, month and day of birth, personal email addresses required for government applications, services, or programs.
Custodians should note the change in the redaction of telephone numbers. Under the updated OPRA all personal telephone numbers should be redacted, not just unlisted numbers. Custodians should also note that only personal email addresses required for government applications, services, or programs should be redacted. While this is certainly broad it does not create a wholesale exception from disclosure for all email addresses. Custodians must recognize if the email address is a personal address and if it is used on a record required for government applications, services, or programs.
Animal Licenses and Minor Records
For domestic animal permits, licenses, and registrations, and records concerning those under the age of 18, custodians must redact all the information noted above as well as personal identifying information. Again, personal identifying information is defined as “information that may be used, alone or in conjunction with any other information, to identify a specific individual. It includes, but may not be limited to, the following data elements: name, social security number, credit card number, debit card number, bank account information, month and day of birth, any personal email address required by a public agency for government applications, services, or programs, personal telephone number, the street address portion of any person’s primary or secondary home address, or driver’s license number of any person.”
For records concerning those under the age of 18 there is an exception with respect to the disclosure of driver information by the New Jersey Motor Vehicle Commission as permitted by section 2 of P.L.1997, c.188 (C.39:2-3.4) or the disclosure of driver information to any insurer or insurance support organization, or a self-insured entity, or its agents, employees, or contractors, for use in connection with claims investigation activities, antifraud activities, rating, or underwriting, and except with respect to the disclosure of voter information on voter and election records pursuant to section 8 of P.L.2024, c.16 (C.47:1A-5.3).
Official Notifications
Records custodians must now redact any “portion of any document that discloses the personal identifying information of any person provided to a public agency for the sole purposes of receiving official notifications.” This would include services such as Nixle, OnSolve, EventBridge, and other mass notification systems, and would also likely include listservs and other email or mailing lists if used for official notifications.
HIPPA
For the first time, data classified under the Health Insurance Portability and Accountability Act of 1996 (HIPPA), is now specifically excluded from release under OPRA. Generally speaking, HIPPA protects the release of “individually identifiable health information” which is information, including demographic data, that relates to: the individuals past, present or future physical or mental health or condition, the provision of health care to the individual, or the past present or future payment for the provision of health care to the individual. Further discussion on the types of information and date related to HIPPA is beyond the scope of this blog. Readers are encouraged to review additional information related to HIPPA on the U.S. Department of Health and Human Services webpage.
Graphic or Indecent Images
The updated OPRA also provides that any indecent or graphic images of a person’s intimate parts that are captured in photograph or video recording without the prior written consent of the subject of the photograph or video be redacted.
Records custodians are encouraged to review the law in its entirety to ensure their familiarity with the changes discussed here as well as the many other changes in the updated OPRA law. The Government Records Council website contains additional useful information including an updated Exemptions List.
Important: This post is for informational and educational purposes only and is not intended as legal advice or used as a substitute for such. You should always speak to your own attorney for legal advice.