From Casetext: Smarter Legal Research

Wash. Pub. Emps. Ass'n, UFCW Local 365 v. Wash. State Ctr. for Childhood Deafness & Hearing Loss

SUPREME COURT OF THE STATE OF WASHINGTON
Oct 24, 2019
450 P.3d 601 (Wash. 2019)

Summary

applying a rational basis test to several agencies’ disclosure of state employees’ names and birthdates pursuant to a public records request

Summary of this case from Catlett v. Teel

Opinion

NO. 95262-1

10-24-2019

WASHINGTON PUBLIC EMPLOYEES ASSOCIATION, UFCW Local 365, a labor organization, and Professional & Technical Employees Local 17, a labor organization, Respondents, v. WASHINGTON STATE CENTER FOR CHILDHOOD DEAFNESS & HEARING LOSS, Respondent, Evergreen Freedom Foundation d/b/a/ Freedom Foundation, Petitioner. International Brotherhood of Electrical Workers, Local 76, a labor organization, and United Association, Local 32, a labor organization, Respondents, v. State of Washington Department of Labor & Industries, Respondent, Evergreen Freedom Foundation d/b/a Freedom Foundation, Petitioner. Teamsters Local Union No. 117, a labor organization, Respondent, v. State of Washington; Christopher Liu, in his capacity as Director, Department of Enterprise Services ; and Dick Morgan, in his capacity as Secretary, Department of Corrections, Respondents, Evergreen Freedom Foundation d/b/a Freedom Foundation, Petitioner. Service Employees International Union Healthcare 1199NW, a labor organization, Respondent, v. State of Washington; Department of Social and Health Services, an agency of the State of Washington; and Department of Health, an agency of the State of Washington, Respondents, Evergreen Freedom Foundation d/b/a Freedom Foundation, Petitioner.

Greg Overstreet, Security Services N.W., 250 Center Park Way, Sequim, WA 98382-3463, Jennifer Matheson, James Abernathy, Sydney Paige Phillips, Freedom Foundation, P.O. Box 552, Olympia, WA 98507, Eric Rolf Stahlfeld, Attorney at Law, 145 S.W. 155th Street, Suite 101, Burien, WA 98166-2591, Hannah Sarah Sells Marcley, Attorney at Law, 111 21st Avenue S.W., Olympia, WA 98501-2809, for Petitioners. Kristen Laurel Kussmann, Jacob Fox Metzger, Paul Drachler, Douglas Drachler McKee & Gilbrough LLP, 1904 3rd Avenue, Suite 1030, Seattle, WA 98101-1170, Edward Earl Younglove, III, Younglove & Coker, PLLC, P.O. Box 7846, 1800 Cooper Point Road S.W., #16 Olympia, WA 98507-7846, Kathleen Phair Barnard, Laura Elizabeth Ewan, Dmitri L. Iglitzin, Schwerin Campbell Bamard Iglitzin & Lavitt, 18 W. Mercer Street, Suite 400, Seattle, WA 98119-3971, Kristina Marie Detwiler, Robblee Detwiler PLLP, 2101 4th Avenue, Suite 1000, Seattle, WA 98121-2346, for Respondents. Morgan B. Damerow, Washington State Attorney, General's Office, P.O. Box 40100, Olympia, WA 98504-0100, Ohad Michael Lowy, Attorney General's Office, 7141 Cleanwater Drive S.W., Tumwater, WA 98501-6503, for Other Party.


Greg Overstreet, Security Services N.W., 250 Center Park Way, Sequim, WA 98382-3463, Jennifer Matheson, James Abernathy, Sydney Paige Phillips, Freedom Foundation, P.O. Box 552, Olympia, WA 98507, Eric Rolf Stahlfeld, Attorney at Law, 145 S.W. 155th Street, Suite 101, Burien, WA 98166-2591, Hannah Sarah Sells Marcley, Attorney at Law, 111 21st Avenue S.W., Olympia, WA 98501-2809, for Petitioners.

Kristen Laurel Kussmann, Jacob Fox Metzger, Paul Drachler, Douglas Drachler McKee & Gilbrough LLP, 1904 3rd Avenue, Suite 1030, Seattle, WA 98101-1170, Edward Earl Younglove, III, Younglove & Coker, PLLC, P.O. Box 7846, 1800 Cooper Point Road S.W., #16 Olympia, WA 98507-7846, Kathleen Phair Barnard, Laura Elizabeth Ewan, Dmitri L. Iglitzin, Schwerin Campbell Bamard Iglitzin & Lavitt, 18 W. Mercer Street, Suite 400, Seattle, WA 98119-3971, Kristina Marie Detwiler, Robblee Detwiler PLLP, 2101 4th Avenue, Suite 1000, Seattle, WA 98121-2346, for Respondents.

Morgan B. Damerow, Washington State Attorney, General's Office, P.O. Box 40100, Olympia, WA 98504-0100, Ohad Michael Lowy, Attorney General's Office, 7141 Cleanwater Drive S.W., Tumwater, WA 98501-6503, for Other Party.

STEPHENS, J.

¶1 This case requires us to decide whether state employees have a protected privacy interest against disclosure of public records containing their birth dates associated with their names. We conclude that the Public Records Act (PRA), chapter 42.56 RCW, does not exempt these records from disclosure. Nor does Washington Constitution article I, section 7 preclude disclosure, given that names and birth dates are widely available in the public domain and that their disclosure here does not violate privacy rights. We reverse the Court of Appeals and reinstate the superior court decision denying a permanent injunction.

FACTS AND PROCEDURAL HISTORY

¶2 In 2016, the Freedom Foundation (Foundation) sent PRA requests to several state agencies seeking disclosure of records for union-represented employees, including their full names, associated birth dates, and agency work e-mail addresses. Upon reviewing the Foundation's PRA requests, the agencies determined that all of the requested records were disclosable and indicated that, absent a court order, they intended to release the requested records.

¶3 Several unions filed motions for preliminary and permanent injunctions to prevent disclosure of the requested records. The Thurston County Superior Court granted a temporary injunction as to most of the requested records but ultimately denied the Unions' motion to permanently enjoin release of state employee names, birth dates, and e-mail addresses. Order Denying Pls.' Mot. for Permanent Inj., No. 16-2-01547-34 (Thurston County Super. Ct. Wash., July 29, 2016) at 3; Verbatim Report of Proceedings (July 29, 2016) (VRP) at 20-21, 25. It concluded that no PRA exemption applied and that the Unions had not demonstrated grounds to permanently enjoin disclosure. VRP at 25.

The named plaintiff unions include Washington Public Employees Association, United Food and Commercial Workers Local 365, and Professional and Technical Employees Local 17 (collectively Unions).

¶4 On appeal, a Court of Appeals commissioner granted a stay preventing release of the state employees' full names associated with their birth dates. Comm'r's Ruling, Wash. Fed. State Emps. v. State, No. 49248-2-II (Wash. Ct. App. Aug. 16, 2016). A panel of the Court of Appeals thereafter reversed the superior court and held that Washington Constitution article I, section 7 creates a privacy interest against public disclosure of state employees' full names associated with their birth dates. Wash. Pub. Emps. Ass'n v. Wash. Ctr. for Childhood Deafness & Hearing Loss, 1 Wash. App. 2d 225, 229, 404 P.3d 111 (2017) (WPEA ). In light of its holding, the court declined to consider the Unions' arguments premised on various statutory provisions. Id. at 229 & n.2, 404 P.3d 111.

¶5 We granted the Foundation's petition for review. 190 Wash.2d 1002, 413 P.3d 15 (2018). Before this court, the Unions assert all claimed grounds for nondisclosure, both statutory and constitutional, of the state employees' names and corresponding birth dates. The employee work e-mail addresses have been disclosed and are no longer at issue. See Clerk's Papers (CP) at 2182 (Comm'r's Ruling, Wash. Pub. Emps. Ass'n v. State Ctr. for Childhood Deafness & Hearing Loss, No. 48972-4-II (Wash. Ct. App. June 6, 2016)).

ANALYSIS

¶6 The PRA "begins with a mandate of full disclosure of public records; that mandate is then limited only by the precise, specific, and limited exemptions which the Act provides." Progressive Animal Welfare Soc'y v. Univ. of Wash., 125 Wash.2d 243, 258, 884 P.2d 592 (1994) (plurality opinion) (PAWS). The PRA requires that "[e]ach agency, in accordance with published rules, shall make available for public inspection and copying all public records, unless the record falls within the specific exemptions of subsection (8) of this section, this chapter, or other statute which exempts or prohibits disclosure of specific information or records." RCW 42.56.070(1). " ‘The "other statutes" exemption incorporates into the [PRA] other statutes which exempt or prohibit disclosure of specific information or records.’ " Lyft, Inc. v. City of Seattle, 190 Wash.2d 769, 778, 418 P.3d 102 (2018) (quoting PAWS, 125 Wash.2d at 261-62, 884 P.2d 592 (citing former RCW 42.17.260(1) (1992), recodified as RCW 42.56.070(1) )). Where other statutes mesh with the PRA, they operate to supplement it. See Planned Parenthood of Great Nw. v. Bloedow, 187 Wash. App. 606, 619, 350 P.3d 660 (2015) ("The ‘other statute’ exemption avoids any inconsistency and allows other state statutes and federal regulations to supplement the PRA's exemptions" (citing Ameriquest Mortg. Co. v. Office of Att'y Gen., 170 Wash.2d 418, 440, 241 P.3d 1245 (2010) )). However, in the event of a conflict between the PRA and other statutes, "the provisions of [the PRA] shall govern." RCW 42.56.030 ; PAWS, 125 Wash.2d at 261-62, 884 P.2d 592. The PRA must be liberally construed and its exemptions narrowly construed to promote the public policy of keeping Washington residents informed and in control of their public institutions. RCW 42.56.030. "The language of the [PRA] does not authorize us to imply exemptions but only allows specific exemptions to stand." Brouillet v. Cowles Publ'g Co., 114 Wash.2d 788, 800, 791 P.2d 526 (1990).

A " ‘public record’ includes any writing containing information relating to the conduct of government or the performance of any governmental or proprietary function prepared, owned, used, or retained by any state or local agency regardless of physical form or characteristics." RCW 42.56.010(3).

¶7 Courts are often called on to determine whether records that are exempt under the PRA or an "other statute" should be enjoined from disclosure. See Lyft, 190 Wash.2d at 790, 418 P.3d 102. The PRA injunction statute contemplates that disclosure may not be enjoined unless a party to which the record pertains establishes that disclosure is clearly not in the public interest and in fact poses substantial and irreparable harm. RCW 42.56.540. The lower courts in this case expressed uncertainty as to which injunction standard applies: CR 65 or the PRA standard. They appear to have applied both, in an abundance of caution. See WPEA, 1 Wash. App. 2d at 231-32 ; 1 VRP at 6. Our recent decision in Lyft clarifies that the PRA standard, not the general injunction standard, applies. See Lyft, 190 Wash.2d at 796, 418 P.3d 102.

¶8 A party seeking to prevent disclosure of agency records under the PRA bears the burden of proof. Confederated Tribes of Chehalis Reservation v. Johnson, 135 Wash.2d 734, 744, 958 P.2d 260 (1998). Whether requested records are exempt from disclosure presents a legal question that is reviewed de novo. PAWS, 125 Wash.2d at 252, 884 P.2d 592 ; RCW 42.56.550(3). A trial court's ultimate decision on whether to grant an injunction is reviewed for abuse of discretion. Kucera v. Dep't of Transp., 140 Wash.2d 200, 209, 995 P.2d 63 (2000). Findings of fact based on the testimonial record are reviewed for substantial evidence. Zink v. City of Mesa, 140 Wash. App. 328, 336-37, 166 P.3d 738 (2007).

¶9 The Unions' principal argument against disclosure is privacy—they assert both specific PRA exemptions and article I, section 7 privacy rights. They make an additional constitutional argument based on article I, section 5 associational rights. Though the Court of Appeals addressed only article I, section 7, we believe it is appropriate to begin our review with the statute's provisions, as we have previously concluded in the PRA context that reviewing courts " ‘should not pass on constitutional issues unless absolutely necessary to the determination of the case.’ " Bellevue John Does 1-11 v. Bellevue Sch. Dist. No. 405, 164 Wash.2d 199, 208 n.10, 189 P.3d 139 (2008) (Bellevue John Does II) (quoting State v. Hall, 95 Wash.2d 536, 539, 627 P.2d 101 (1981) ).

I. The PRA Provides No Exemption from Disclosure of State Employees' Birth Dates Associated with Their Names

¶10 The efficacy of the PRA depends on judicial adherence to its mandates in the face of valid arguments about the effects of public disclosure. We appreciate the Unions' concern that disclosing birth dates with corresponding employee names may allow PRA requesters or others to obtain residential addresses and to potentially access financial information, retirement accounts, health care records or other employee records. Appellants' Opening Br. at 3-5 (Wash. Ct. App. No. 49224-5-II (2016)). Yet, we cannot judicially expand the PRA's narrow exemptions beyond the boundaries set by the legislature, lest we step beyond our interpretive role and risk disrupting the balance of public policies the PRA reflects. See PAWS, 125 Wash.2d at 259-60, 884 P.2d 592 ("The Legislature takes the trouble to repeat three times that exemptions under the Public Records Act should be construed narrowly. The Legislature leaves no room for doubt about its intent." (citations omitted) (citing former RCW 42.17.010(11) (2012)), recodified as RCW 42.17A.001 ; former RCW 42.17.251 (2006), recodified as RCW 42.56.030 ; former RCW 42.17.920 (2012), recodified as RCW 42.17A.904 ). The requested name and birth date information at issue in this case is not exempt from disclosure under any statutory provision.

A. RCW 42.56.250(4) and RCW 42.56.230(7)

¶11 If the PRA contained an exemption for birth dates of state employees, that exemption would likely be found in RCW 42.56.250(4), which addresses the exact category of records requested here. Personnel and employment related records exempt from disclosure under RCW 42.56.250(4) include birth dates of dependents of employees, but not birth dates of employees themselves. The plain language of the statute is unambiguous; the legislature exempted only the birth dates of dependents. See Nissen v. Pierce County , 183 Wash.2d 863, 881, 357 P.3d 45 (2015) ("Statutory interpretation starts with the plain meaning of the language; the plain meaning controls if it is unambiguous." (citing Dep't of Ecology v. Campbell & Gwinn, LLC, 146 Wash.2d 1, 11-12, 43 P.3d 4 (2002) )). We cannot assume that the legislature simply neglected to include employee birth dates within the scope of exempted employee records. See Bour v. Johnson , 122 Wash.2d 829, 836, 864 P.2d 380 (1993) ("Legislative inclusion of certain items in a category implies that other items in that category are intended to be excluded."). Our precedent is clear and unwavering that this court cannot interpret the PRA to imply broad exemptions that have not been expressly delineated. See PAWS, 125 Wash.2d at 258, 884 P.2d 592 ; Brouillet, 114 Wash.2d at 800, 791 P.2d 526.

RCW 42.56.250(4) exempts from disclosure "[t]he following information held by any public agency in personnel records, public employment related records, volunteer rosters, or included in any mailing list of employees or volunteers of any public agency: Residential addresses, residential telephone numbers, personal wireless telephone numbers, personal email addresses, social security numbers, driver's license numbers, identicard numbers, and emergency contact information of employees or volunteers of a public agency, and the names, dates of birth, residential addresses, residential telephone numbers, personal wireless telephone numbers, personal email addresses, social security numbers, and emergency contact information of dependents of employees or volunteers of a public agency.").

¶12 The Unions reason that subsection .250(4) does not mention employee birth dates because records of "age" are already exempted under RCW 42.56.230(7). Setting aside the fact that the same argument can be made for records of an employee's dependent's age, the driver's license exemption is not so broad. It plainly prevents disclosure of copies of birth certificates, adoption papers, Social Security cards, or similar documents that individuals provide in connection with getting state identification cards. RCW 42.56.230(7) does not apply to the employee records at issue here.

This provision exempts "[a]ny record used to prove identity, age, residential address, social security number, or other personal information required to apply for a driver's license or identicard." RCW 42.56.230(7)(a).

¶13 Moreover, this exemption provides no basis to imply a broad rule of nondisclosure for all records containing a state employee's birth date, especially when the specific provision addressing employee records, RCW 42.56.250(4), does not exempt employee birth dates. We must read RCW 42.56.540(4) for what it is: a list of specifically exempted personal information, not an illustrative description of a broader, implied exemption for all personal information. See Simpson Inv. Co. v. Dep't of Revenue, 141 Wash.2d 139, 156, 3 P.3d 741 (2000) (" ‘In other words, the precise terms modify, influence or restrict the interpretation or application of the general terms where both are used in sequence or collocation in legislative enactments.’ " (quoting State v. Thompson, 38 Wash.2d 774, 777, 232 P.2d 87 (1951) )). This is not the first time we have been asked to imply a broader exemption than is expressed, and we decline to do so. See PAWS, 125 Wash.2d at 259-60, 884 P.2d 592 ("The Legislature's response to our opinion in [ In re Rosier, 105 Wash.2d 606, 717 P.2d 1353 (1986) ] makes clear that it does not want judges any more than agencies to be wielding broad and malleable exemptions.").

B. RCW 42.56.230(3)

¶14 The Unions also rely on RCW 42.56.230(3), which exempts from public disclosure "[p]ersonal information in files maintained for employees, appointees, or elected officials of any public agency to the extent that disclosure would violate their right to privacy." RCW 42.56.230(3). The Foundation counters that no privacy right is implicated by its public records request, observing that individual voter's names, birth dates and addresses are already publicly available upon request from the Washington secretary of state. To determine whether disclosure of the records at issue here falls within the RCW 42.56.230(3) exemption, we must decide (1) whether the records constitute personal information, (2) whether the employees have a right to privacy in the personally identifying records, and (3) whether disclosure of the employees' personally identifying records would violate their right to privacy. Bellevue John Does II, 164 Wash.2d at 210, 189 P.3d 139.

The PRA does not define "personal information." Generally, "personal" means "of or relating to a particular person : affecting one individual or each of many individuals : peculiar or proper to private concerns : not public or general." Webster's Third New International Dictionary 1686 (1981). We have previously recognized that personal information concerns or affects an individual, information associated with private matters, or information that is not public in general or embodies personal information under former RCW 42.17.310(l)(b) (2002) (recodified at RCW 42.56.230(2) ). Bellevue John Does II, 164 Wash.2d at 211, 189 P.3d 139.

¶15 In Hearst, we defined "right to privacy" in RCW 42.56.230(3) by referring to the common law tort of invasion of privacy through public disclosure of private facts. Hearst Corp. v. Hoppe, 90 Wash.2d 123, 135, 580 P.2d 246 (1978). We adopted the common law definition of "invasion of privacy" set out in Restatement (Second) of Torts § 652D (Am. Law Inst. 1977), which provides, " ‘One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person and (b) is not of legitimate concern to the public.’ " Id. at 135-36, 580 P.2d 246 (quoting RESTATEMENT § 652D ); see also id. at 135, 580 P.2d 246 ("Inasmuch as the statute contains no definition of the term, there is a presumption that the legislature intended the right of privacy to mean what it meant at common law."). The legislature later embraced this formulation. RCW 42.56.050 (" ‘[R]ight to privacy[ ]’ ... is invaded or violated only if disclosure of information about the person: (1) Would be highly offensive to a reasonable person, and (2) is not of legitimate concern to the public."). The term "legitimate" in the context of the PRA means "reasonable." Dawson v. Daly, 120 Wash.2d 782, 798, 845 P.2d 995 (1993).

¶16 No Washington case has ever held that employee birth dates associated with names are private. The privacy protection afforded by the PRA is narrow, and it extends an individual the right to privacy "only in ‘ "matter[s] concerning [their] private life." ’ " Predisik v. Spokane School Dist. No. 81, 182 Wash.2d 896, 904, 346 P.3d 737 (2015) (first alteration in original) (quoting Hearst Corp., 90 Wash.2d at 135, 580 P.2d 246 (quoting RESTATEMENT § 652D )). Tort law principles "fill this definitional void and define the contours of the PRA's privacy right." Id. As noted, this court looks to the Restatement to determine what kind of information falls within the scope of private matters under the PRA:

" ‘Every individual has some phases of his life and his activities and some facts about himself that he does not expose to the public eye, but keeps entirely to himself or at most reveals only to his family or to close personal friends. Sexual relations, for example, are normally entirely private matters, as are family quarrels, many unpleasant or disgraceful or humiliating illnesses, most intimate personal letters, most details of a man's life in his home, and some of his past history that he would rather forget.’ "

Id. at 905 (quoting Hearst Corp., 90 Wash.2d at 136, 580 P.2d 246 (quoting RESTATEMENT § 652D cmt. b at 386)). The "nature of facts" protected by the privacy provision within the PRA "taken in context makes clear that the PRA will not protect everything that an individual would prefer to keep private." Id. (emphasis omitted). Instead, "[i]ndividuals have a privacy right under the PRA only in the types of ‘private’ facts fairly comparable to those shown in the Restatement ." Id. Our adoption of the Restatement privacy test in Hearst Corp. leaves no room for including birth dates within the common law sphere of protected privacy. The same comment to the Restatement quoted above explains:

Thus there is no liability for giving publicity to facts about the plaintiff's life that are matters of public record, such as the date

of his birth, the fact of his marriage, his military record, the fact that he is admitted to the practice of medicine or is licensed to drive a taxicab, or the pleadings that he has filed in a lawsuit. On the other hand, if the record is one not open to public inspection, as in the case of income tax returns, it is not public, and there is an invasion of privacy when it is made so.

RESTATEMENT § 652D cmt b (emphasis added).

¶17 The Unions and supporting amici point out that notions of privacy have evolved since the Restatement was written. For example, payors no longer routinely print Social Security numbers on personal checks, nor are the numbers commonly used for financial, student, and health account numbers. Increasing misuse of Social Security numbers eventually transformed this personal identifier from an innocuous individual attribute to what is widely regarded as highly sensitive information. See Br. of Amicus Curiae Am. Civil Liberties Union of Wash. (ACLU) at 16-18. The Unions and amici argue that birth dates now fulfill a similar identifying role insofar as they are necessary to authenticate criminal histories, driver's license address changes, medication prescriptions, and online password change requests, making birth dates targets for identity thieves. Id.

¶18 We acknowledge that there are legitimate concerns about the misappropriation of birth dates that echo the concerns related to Social Security numbers, but this does not mean that names and associated birth dates have become private—only that this information is personally identifying. The fact that information is personally identifying, alone, is insufficient to warrant its exemption from disclosure under the PRA. Predisik, 182 Wash.2d at 904, 346 P.3d 737 ("The existence of ‘personal information’ in a public record is necessary to the exemption, but it is not sufficient alone to withhold the record."); accord Bellevue John Does II, 164 Wash.2d at 212, 189 P.3d 139. As the parties' references to voter registration databases and Department of Health vital records confirm, birth dates continue to be a matter of public record consistent with the understanding of the Restatement drafters.

¶19 Moreover, to be exempt under the PRA, birth date information must be classified as "not of legitimate concern to the public." RCW 42.56.050. However, birth dates are often important in matters of public concern. Amicus Allied Daily Newspapers of Washington (Allied) points out that disclosure of public employee birth dates has helped the Seattle Times to track abusive high school coaches and teachers who moved from one district to another after prior reprimands, warnings, or dismissals for sexual misconduct. Br. of Amicus Curiae Allied et al. at 18-19. The Seattle Times has also obtained birth dates from state pension and payroll data that exposed government employees who drew pension and employment income simultaneously. Id. at 19. These examples underscore that disclosure of birth dates often serves the public interest in transparency and oversight.

¶20 At its core, the Union's argument is policy based: because birth dates are widely used personal identifiers and there is a proliferation of misuse for criminal purposes, this information about state employees should be protected from public disclosure. That policy decision is not ours to make. The ubiquity of birth date information simply confirms that it is not recognized as private. Even if state employees today would find the disclosure of their birth dates to be "highly offensive," this is not sufficient grounds for exemption under RCW 42.56.230(3) unless a right of privacy in the information exists in the first instance. Predisik, 182 Wash.2d at 904, 346 P.3d 737 ("Employees must also demonstrate that they have a right to privacy in personal information contained in a record and if such a right exists that disclosure would violate it."); RCW 42.56.050 ("The provisions of this chapter dealing with the right to privacy in certain records do not create any right of privacy beyond those rights that are specified in this chapter as express exemptions from the public's right to inspect, examine, or copy public records."). ¶21 The PRA also leaves no room for the Unions' "linkage" argument, which asserts that the ability to link personal information that is not sensitive with other public records to obtain additional personal information renders disclosure highly offensive. Amicus ACLU notes that a state employee's home address is exempt from disclosure pursuant to RCW 42.56.250(4), but if a requester obtains an employee's birth date and full name, this can be used to obtain the state employee's home address from the secretary of state's voter registration database. Br. of Amicus ACLU at 19. This possibility underscores a valid concern that PRA requests may be used to circumvent express statutory privacy protections. However, the ability to leverage publicly available personal information in a way that erodes privacy is not unique to this context, and the PRA provides no exemption on this basis. As we have recognized time and again, it is simply not this court's prerogative to rewrite the PRA to address such concerns. See Serv. Emps. Int'l Union Local 925 v. Freedom Found., 197 Wash. App. 203, 219-20, 389 P.3d 641 (2016) ( SEIU 925 ) (rejecting creation of exemption for provider contact information even though disclosure could make it possible to discover exempt personal information under RCW 42.56.230(2)(a)(ii) pertaining to children enrolled in childcare programs); SEIU Healthcare 775NW v. Dep't of Soc. & Health Servs., 193 Wash. App. 377, 385, 377 P.3d 214 (holding RCW 42.56.230(1) exemption for welfare recipients does not preclude the Department of Social and Health Services (DSHS) from disclosing lists of individual providers because the linked provider list is not personal information maintained in the exempt welfare recipient files), review denied, 186 Wash.2d 1016, 380 P.3d 502 (2016) ; Koenig v. City of Des Moines, 158 Wash.2d 173, 182-83, 189, 142 P.3d 162 (2006) (rejecting denial of a PRA request that referenced exempt information under former RCW 42.17.31901 (2006) (recodified at RCW 42.56.240(5) ) (name of child sexual assault victim), given court's lack of authority to "look beyond the four comers of the records at issue to determine whether they were properly withheld"); King County v. Sheehan, 114 Wash. App. 325, 346, 57 P.3d 307 (2002) (rejecting county's linkage argument because "release of public employees' names, without more, is not highly offensive").

The Court of Appeals has concluded that disclosing personnel information containing unique employee identification numbers could be highly offensive. See Tacoma Pub. Library v. Woessner, 90 Wash. App. 205, 222-23, 951 P.2d 357 (1998) ("release of employee names, salaries, publicly funded fringe benefits, and vacation and sick leave pay is not ‘highly offensive,’ but only if not coupled with employee identification numbers, release of which would be ‘highly offensive’ " (footnote omitted)). This case is distinguishable from Woessner . The records at issue there contained secret internal employee numbers, but birth dates are hardly secret and are readily available in the public domain.

¶22 While preventing identity theft and the misuse of personal information is an important policy objective, we must recognize that the PRA embodies a critical public policy in its own right. Resident Action Council v. Seattle Hous. Auth., 177 Wash.2d 417, 432, 327 P.3d 600 (2013) ("the PRA's purpose of open government remains paramount"). In plain terms, the PRA requires courts to uphold its policies above others when there is a conflict among competing objectives or statutes. Worthington v. WestNET, 182 Wash.2d 500, 507, 341 P.3d 995 (2015) ("With respect to the scope of the act, the statute unambiguously provides for a liberal application of its terms, explicitly subordinating other statutes to its provisions and goals." (quoting RCW 42.56.030 )). Having been rebuffed in past efforts to read expansive exemptions into the PRA, we must exercise judicial restraint and leave it to the legislative branch to consider how best to address growing concerns about public records being misused for improper or criminal purposes. The legislature is more than capable of modifying or expanding PRA exceptions to address any apparent "loopholes" that exist in current exemptions. We hold that the requested birth date information of state employees is not exempt from disclosure under RCW 42.56.230(3). C. Other Statutory Provisions Invoked by the Unions

See PAWS, 125 Wash.2d at 258-59, 884 P.2d 592 ("In Rosier , this court interpreted general language in a procedural section of the [PRA] concerning personal privacy to create a general personal privacy exemption. 105 Wash.2d at 611-14, 717 P.2d 1353. The Legislature specifically overturned that holding.").

¶23 The Unions rely on several additional statutes to claim exemption of the requested records from public disclosure. We agree with the superior court that none of the asserted statutory grounds for exemption apply.

¶24 First, the Unions argue that the requested records are exempt from disclosure because the Foundation is seeking them for impermissible "commercial purposes." RCW 42.56.070(8). In the specific case of records requested for a commercial purpose, agencies may inquire as to future uses of the requested documents. Id.; SEIU Healthcare 775NW, 193 Wash. App. at 400-08, 377 P.3d 214. Courts employ a case-by-case review based on the identity of the requester, the nature of the records requested, and any other information available to the agency. SEIU Healthcare 775NW, 193 Wash. App. at 405, 377 P.3d 214. The Foundation indicates that it intends to use the requested records for outreach, education, and advocacy purposes, with revenue generation as a possible secondary use. Suppl. Br. of Pet'r at 2-3. The lower court correctly concluded that the records request, on its face, is not commercial. See VRP at 16-17 (The Foundation's stated direct purpose is "to contact state employees [and] advise them of their constitutional rights. That's not a commercial purpose; that's a political speech purpose; and it's not barred by the commercial purposes exemption."). RCW 42.56.070(8) does not apply here.

¶25 The Unions' reliance on RCW 42.56.250(9) (recodified as 42.56.250(8) (2019)) is also misplaced as to most of the affected employees. This provision exempts from disclosure certain employees' month and year of birth from their personnel files, namely employees and workers of criminal justice agencies as defined in RCW 10.97.030. Appellant's Opening Br. at 27 (Wash. Ct. App. No. 49224-5-II (2016)). Within DSHS, the Juvenile Rehabilitation Administration (JRA) serves high-risk youth who are committed to JRA custody by county juvenile courts. DSHS correctly regarded RCW 42.56.250(9) as applicable only to those SEIU 1199NW-represented employees working at the JRA facilities but not applicable to employees in other departments with missions involving therapeutic evaluation and treatment of individuals facing criminal charges. CP at 3748-49. This exemption is not applicable to the remaining state employees outside of this DSHS classification.

A "criminal justice agency" is a court or "a government agency which performs the administration of criminal justice pursuant to a statute or executive order and which allocates a substantial part of its annual budget to the administration of criminal justice." RCW 10.97.030(5)(b).

In July 2019, the JRA was renamed Juvenile Rehabilitation. It was removed from DSHS and now operates under the new Department of Children, Youth and Families.

¶26 We also reject the Unions' underdeveloped argument that any agency disclosure of records under the PRA would constitute interference with employee rights granted under the Personnel System Reform Act of 2002, chapter 41.80 RCW, and would violate state ethics laws under chapter 42.52 RCW. Appellant's Opening Br. at 34, 38. The Unions offer no legal authority demonstrating how this provision operates as an exemption through the "other statutes" provision of the PRA, RCW 42.56.070(1).

¶27 In sum, we hold that the records requested in this case are not exempt from disclosure under the PRA or any other statutory provision the Unions invoke. We now turn to the Unions' argument, accepted by the Court of Appeals, that article I, section 7 precludes disclosure of the requested records.

II. State Employees' Birth Dates Associated with Their Names Are Not Exempt from Disclosure under Article I, Section 7

¶28 Article I, section 7 of Washington's constitution provides that "[n]o person shall be disturbed in his private affairs, or his home invaded, without authority of law." We have identified two constitutional interests protected by this right to privacy: the right to autonomous decision-making and the right to nondisclosure of intimate personal information, or confidentiality. O'Hartigan v. Dep't of Pers. , 118 Wash.2d 111, 117, 821 P.2d 44 (1991) (citing Whalen v. Roe, 429 U.S. 589, 599-600, 97 S. Ct. 869, 51 L. Ed. 2d 64 (1977) ).

¶29 Recognized as a fundamental right, the autonomy interest confers heightened constitutional protection. "This right involves issues related to marriage, procreation, family relationships, child rearing and education." Id. (citing Whalen, 429 U.S. at 600 n.26, 97 S.Ct. 869 ). Government action that infringes on this right receives strict scrutiny, and the State must identify a compelling governmental interest to justify such action. This fundamental right is not at issue here.

¶30 The interest in confidentiality, or nondisclosure of personal information, has never been recognized by this court as a fundamental right. Instead, we engage in a balancing analysis and allow the State to require disclosure of personal information when it serves a legitimate governmental interest. For example, in Peninsula Counseling Center v. Rahm, 105 Wash.2d 929, 936-37, 719 P.2d 926 (1986), we held that under both the Washington and federal constitutions, the State has a legitimate governmental interest in the disclosure of patient records in order to comply with federal statutory requirements for receiving federal funds. In so holding, we applied rational basis analysis to conclude that "disclosure of intimate information to governmental agencies is permissible if it is carefully tailored to meet a valid governmental interest, [and provided] the disclosure [is no] greater than is reasonably necessary." Id. at 935, 719 P.2d 926 ; see also O'Hartigan, 118 Wash.2d at 117, 821 P.2d 44 (citing Peninsula Counseling Ctr., 105 Wash.2d at 935, 719 P.2d 926 (same)); Ino Ino, Inc. v. City of Bellevue, 132 Wash.2d 103, 124, 937 P.2d 154 (1997) (plurality opinion) ("Because the interest in confidentiality or nondisclosure of personal information is not ‘a fundamental right requiring utmost protection[,]’ we conclude that a rational basis test applies to Respondents' privacy claim in this case. The rational basis test requires that a regulation be carefully tailored to meet a legitimate governmental goal." (citation omitted) (quoting O'Hartigan, 118 Wash.2d at 117, 821 P.2d 44 )).

¶31 In the PRA context specifically, we have employed a rational basis analysis that aligns with the common law test described above. See, e.g. , Bellevue John Does II, 164 Wash.2d at 212-13, 189 P.3d 139 ; see also Bellevue John Does 1-11 v. Bellevue Sch. Dist. No. 405, 129 Wash. App. 832, 861, 120 P.3d 616 (2005) (Bellevue John Does I) ("The analysis described in O'Hartigan does not yield a different result than the privacy definition in the [PRA]."), reversed in part by Bellevue John Does II, 164 Wash.2d at 227, 189 P.3d 139 ; RCW 42.56.050 ("right to privacy" is "invaded or violated only if disclosure of information about the person: (1) [w]ould be highly offensive to a reasonable person, and (2) is not of legitimate concern to the public"). This stands to reason because article I, section 7 has been incorporated into the PRA via the "other statutes" exception. See Bellevue John Does I, 129 Wash. App. at 861, 120 P.3d 616. There is, accordingly, no conflict between the PRA and article I, section 7.

¶32 The Unions urge us to depart from our rational basis test and embrace the approach of the Court of Appeals, which applied a stricter standard derived from criminal cases. See Resp't Unions' Suppl. Br. at 2 (quoting State v. Hinton, 179 Wash.2d 862, 878, 319 P.3d 9 (2014) ); see also WPEA , 1 Wash. App. 2d at 232-37, 404 P.3d 111. Under this approach, a record requester bears the burden to establish authority of law for any disclosure because " ‘art. I, § 7 "clearly recognizes an individual's right to privacy with no express limitations." ’ " Resp't Unions' Suppl. Br. at 2-3 (quoting In re Pers. Restraint of Maxfield, 133 Wash.2d 332, 340, 945 P.2d 196 (1997) (plurality opinion) (quoting State v. Young, 123 Wash.2d 173, 180, 867 P.2d 593 (1994) )). We disagree that this is the appropriate test for considering whether public records are exempt from disclosure when they contain personally identifying information.

The criminal cases the Unions rely on suggest a two-part analysis. See State v. Puapuaga, 164 Wash.2d 515, 522, 192 P.3d 360 (2008). The first step considers whether the State unreasonably intruded into a person's "private affairs." Id. If so, then the second step determines whether authority of law, such as a valid warrant, justifies the intrusion. Id. Private affairs, "in part, are determined by examining the historical treatment of the interest asserted." Id. at 522-24, 192 P.3d 360 (holding that pretrial detainees lack a protectable privacy interest in property properly inventoried and held by state officials). If a historical analysis does not demonstrate whether an interest is protected under article I, section 7, then courts consider whether the expectation of privacy is one that a citizen of this state is entitled to hold. Id. at 522, 192 P.3d 360. "This analysis includes a review of (1) the nature and extent of the information that may be obtained as a result of the governmental conduct and (2) the extent that the information has been voluntarily exposed to the public." SEIU 925, 197 Wash. App. at 222, 389 P.3d 641 (citing Puapuaga, 164 Wash.2d at 522, 192 P.3d 360 ). Private affairs are those that reveal intimate or discreet details of a person's life. State v. Jorden , 160 Wash.2d 121, 126, 156 P.3d 893 (2007). Private affairs do not include what a person voluntarily exposes to the general public. Young, 123 Wash.2d at 182, 867 P.2d 593. Notably, even under this analysis, the party asserting an unlawful intrusion into private affairs bears the burden of proving such a disturbance. SEIU 925, 197 Wash. App. at 223, 389 P.3d 641 (citing State v. Cheatam, 112 Wash. App. 778, 787, 51 P.3d 138 (2002), aff'd, 150 Wash.2d 626, 81 P.3d 830 (2003) ).

¶33 Initially, the Unions have not established the predicate for such a test by showing that birth date information constitutes a private affair. See State v. Miles, 160 Wash.2d 236, 243-44, 156 P.3d 864 (2007) ("We begin by determining whether the action complained of constitutes a disturbance of one's private affairs. If there is no private affair being disturbed, no article I, section 7 violation exists."). As discussed above, birth date information is widely available in the public domain and does not involve the same level of intimacy as, for example, mental health records or sexual history, which have been deemed private affairs.

¶34 Moreover, the Unions' approach would require us to overrule long-standing precedent applying a rational basis analysis in this very context, involving public disclosure of personal or confidential matters. See O'Hartigan, 118 Wash.2d at 117, 821 P.2d 44 ; Ino Ino, 132 Wash.2d at 124, 937 P.2d 154. Because the privacy interest at stake—disclosure of personally identifying birth date information—is nonfundamental in nature, the rational basis review best accommodates the competing interests at issue. See Ino Ino , 132 Wash.2d at 124, 937 P.2d 154 ; Peninsula Counseling Ctr., 105 Wash.2d at 935-36, 719 P.2d 926 ; O'Hartigan, 118 Wash.2d at 117, 821 P.2d 44. Unlike in the criminal cases the Unions cite, the context here does not involve a direct government intrusion into a person's home, effects, or other private affairs, i.e., a "search or seizure." Rather, the requested records contain personally identifying information validly obtained for government administrative purposes, and their disclosure serves important governmental interests, including those expressed in the PRA.

In rejecting the Unions' argument premised on invasion of a fundamental privacy interest, it is important to note that we disagree with the Foundation and Amicus Allied that " ‘an individual has no constitutional privacy interest in a public record.’ " Suppl. Br. of Pet'r Freedom Found. at 5 (quoting Nissen v. Pierce County, 183 Wash.2d 863, 883, 357 P.3d 45 (2015) ); see Br. of Amicus Curiae Allied at 7 (same). This absolutist argument stretches Nissen beyond its facts, which involved a "challenge ... necessarily grounded in the constitutional rights [a person] has in personal information comingled with those public records" on a prosecutor's personal cellular phone. Nissen, 183 Wash.2d at 883, 357 P.3d 45. Nissen simply did not involve any disclosure of personal information in public records. Cases such as Bellevue John Does are more on point. Indeed, the rational basis standard we apply to article I, section 7 claims in this context mirrors the common law and statutory analysis of the PRA privacy exemption at issue there.

¶35 Adhering to our rational basis test, we conclude that the disclosure of state employees' names with corresponding birth dates does not violate any right to privacy under article I, section 7. Disclosure of birth date information is not "highly offensive" under our precedent, and it serves legitimate public interests, furthering the policy of the PRA to promote transparency and public oversight.

We also reject the Unions' cursory argument that disclosure of the requested records would violate constitutional rights under article I, section 5 of the Washington State Constitution. It is true that "the PRA must give way to constitutional mandates." Freedom Found., v. Gregoire, 178 Wash.2d 686, 695, 310 P.3d 1252 (2013) (recognizing limited executive communication privilege that operates as a PRA exemption based on separation of powers doctrine). However, the Unions offer no authority for creating an exemption from disclosure of employee names and associated birth dates based on their broadly asserted freedom of association.

CONCLUSION

¶36 The trial court properly held that the records requested by the Foundation are subject to disclosure under the PRA. No statutory exemption precludes disclosure, nor do state employees' privacy interests under article I, section 7 support nondisclosure. We reverse the Court of Appeals and reinstate the superior court decision.

Because we conclude that the records at issue here are not subject to exemption under any statutory or constitutional provision, we need not address the injunction standard under RCW 42.56.540. This standard requires not only an applicable exemption but also a showing "that disclosure is clearly not in the public interest and in fact poses substantial and irreparable harm." Lyft, 190 Wash.2d at 778, 418 P.3d 102.

WE CONCUR:

Fairhurst, C.J.

Johnson, J.

Madsen, J.

Yu, J.

WIGGINS, J. (dissenting)

¶37 It is axiomatic to say that we live in the age of technology. From our jobs to our social lives, from communication to healthcare, from how we get our news to how we pay our bills—technology has transformed and continues to alter our lives. Although technology has brought many and varied benefits to society, it has also created consequences. The most imminent and far-reaching is the intrusion of technology into our personal privacy. The majority opinion declines to engage in this intrusion, holding that disclosures of public records containing state employee names and birth dates associated with each name do not violate our state's constitutional guaranty of privacy. I respectfully disagree.

¶38 Government and the private sector alike have come to use technology to collect and store substantial amounts of intimate details. While usually collected for nominal purposes, like internal employee tracking, these digital records are fertile fields for wrongdoers to plow. Ironically, the key to unlocking access to this sensitive information is personal information itself. In the past, Social Security numbers were the key; today, birth dates have taken their place. The ease with which criminal actors can use these keys to unlock our personal details is shocking; the ruination it can cause is even worse. Identity theft, credit card fraud, hacking, phishing—cybercriminals use our names and birth dates to do all of this and worse. To protect against these threats, it is critical to safeguard personally identifying information like names and birth dates.

¶39 Fortunately, our state constitution provides just such protection. In my view, article I, section 7 protects from disclosure employees' full names and corresponding birth dates. WASH. CONST. , art. I, § 7. Similarly, the Public Records Act (PRA), chapter 42.56 RCW, provides statutory protection for incursions into that right by exempting the disclosure of personal information contained in employment files if it would be "highly offensive to a reasonable person" and is not of "legitimate concern to the public." RCW 42.56.050, .230(3). Disclosure of state employee names and corresponding birth dates is "highly offensive" because of the reasonable fear that the information will be used by bad actors for nefarious purposes, such as identity theft or other financial misconduct. Nor are names and birth dates of employees of "legitimate concern to the public" because they relate nothing about the functioning of government.

¶40 Therefore, I would hold that the PRA exempts state employees' full names associated with their corresponding birth dates from disclosure as violations of their right to privacy. WASH. CONST. , art. I, § 7 ; RCW 42.56.050, .230(3). Because the majority opinion applies only the most basic protection to the sensitive information in question and allows its disclosure, I respectfully dissent. I. The right to privacy in article I, section 7 of the Washington Constitution protects disclosure of personal information

¶41 Although the United States Supreme Court has not yet recognized the right to confidentiality under the federal constitution, our state constitution affords a more robust privacy guaranty. The writers of our constitution insightfully drafted article I, section 7 to protect individual rights. Here, article I, section 7 guarantees a citizen's privacy right in the nondisclosure of personal information in the form of employee names and associated birth dates.

¶42 In its simplest form, privacy is the right to be let alone. Myrick v. Bd. of Pierce County Comm'rs, 102 Wash.2d 698, 703, 677 P.2d 140, 687 P.2d 1152 (1984) (citing Whalen v. Roe, 429 U.S. 589, 97 S. Ct. 869, 51 L. Ed. 2d 64 (1977) ). Samuel Warren and Louis Brandeis popularized the idea of a legal right to privacy in the celebrated law review article The Right to Privacy. 4 HARV. L. REV. 193 (1890). The article drew national attention to the recognition of the "new rights" to privacy. Id. at 193.

¶43 Warren and Brandeis recognized what our state's founders already understood: that privacy is a fundamental right that must be jealously guarded from intrusive government action. Indeed, Washington State's earliest lawmakers did more than pass a mere law protecting the citizens' right to privacy—they enshrined the right in our constitution. Article I, section 7 states that "[n]o person shall be disturbed in his [or her] private affairs ... without authority of law." In 1889, our state constitutional convention rejected a proposal to adopt a provision identical to the federal constitution, adopting instead a "strikingly different provision that does not expressly refer to searches, seizures, and warrants but which emphasize[s] the individual's privacy rights ." ROBERT F. UTTER & HUGH D. SPITZER, THE WASHINGTON STATE CONSTITUTION 31 (2d ed. 2013) (emphasis added). The drafters of our constitution "recognized that the term ‘private affairs’ would encompass privacy interests threatened by future technological developments." Indeed, the drafters were concerned with the "rapid advances in technology taking place in the late nineteenth century [that had] created new methods for invading the private affairs of individuals that were not explicitly protected by existing common law and statutory doctrines or by the Fourth Amendment [to the United States Constitution]." Charles W. Johnson & Scott P. Beetham, The Origin of Article I, Section 7 of the Washington State Constitution, 31 SEATTLE U. L. REV. 431, 445, 447 (2008).

¶44 Unlike the privacy protections of article I, section 7, the federal constitution does not support a " ‘general right to nondisclosure of private information.’ " Bedford v. Sugarman, 112 Wash.2d 500, 511-12, 772 P.2d 486 (1989) (quoting J.P. v. DeSanti, 653 F.2d 1080, 1090 (6th Cir. 1981) ); see also Katz v. United States, 389 U.S. 347, 350-51, 88 S. Ct. 507, 19 L. Ed. 2d 576 (1967) (stating that the protection of a person's right to privacy is "left largely to the law of the individual States"). The United States Supreme Court has established that the right to privacy protects only "fundamental" privacy interests. Whalen, 429 U.S. at 599, 97 S.Ct. 869 ; Roe v. Wade, 410 U.S. 113, 152, 93 S. Ct. 705, 726, 35 L. Ed. 2d 147 (1973). The Court has distinguished between two privacy interests: an individual's autonomous decision-making and the nondisclosure of private details. Whalen, 429 U.S. at 605, 97 S.Ct. 869. Only autonomous decision-making has been recognized as "fundamental." Id.; O'Hartigan v. Dep't of Pers., 118 Wash.2d 111, 117, 821 P.2d 44 (1991) (recognizing the nondisclosure of personal information has not been deemed "fundamental"); cf. id. at 125-28, 821 P.2d 44 (Utter, J., dissenting in part) (finding nondisclosure of private information constitutes a fundamental privacy interest under federal law).

Although declining to find a federal fundamental privacy right in nondisclosure of personal information, the Court acknowledged in 1977 that it was "not unaware of the threat to privacy implicit in the accumulation of vast amounts of personal information in computerized data or other massive government files. ... The right to collect and use such data for public banks purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures." Whalen, 429 U.S. at 605, 97 S.Ct. 869. In Washington, we have no such concomitant law protecting unwarranted disclosures. Fortunately, our state constitution provides such protection.

Justice Robert Utter authored a compelling dissent in O'Hartigan , exploring federal privacy protection. 118 Wash.2d at 125-32, 821 P.2d 44 (Utter, J., dissenting in part). In that case, a prospective state patrol employee challenged the State's use of polygraph test questions as an invasion of privacy. 118 Wash.2d at 114-16, 821 P.2d 44. Justice Utter disagreed with the majority opinion's holding that the requested information was not protected as a fundamental right and also disagreed with the application of rational basis review of the State's action. Id. at 114, 131-32, 821 P.2d 44. The dissent noted that the United States Supreme Court has recognized federal constitutional protection for "zones of privacy." Id. at 125-26, 821 P.2d 44 (citing federal cases in support). Because the State's polygraph questions involved personal matters, they would fall under those protected privacy zones. Id. at 127, 821 P.2d 44. Justice Utter would have applied strict scrutiny, requiring the State to show a compelling government interest, no less intrusive means of protecting its interest, and narrowly tailored means to meet the interest. Id. at 128, 821 P.2d 44.

¶45 Regardless of federal protections, our state constitution guarantees citizens' fundamental privacy interest in avoiding disclosure of personal details. WASH. CONST. art. I, § 7. This court has long recognized that article I, section 7 often affords greater privacy than does the federal constitution. E .g. , Blomstrom v. Tripp, 189 Wash.2d 379, 399-400, 402 P.3d 831 (2017) ; State v. Athan, 160 Wash.2d 354, 365, 158 P.3d 27 (2007) ; State v. Gunwall, 106 Wash.2d 54, 64-67, 720 P.2d 808 (1986).

¶46 While we have largely focused on article I, section 7 in the context of search and seizure, the right to privacy is not confined to criminal matters. The text of our constitution recognizes an individual's privacy rights explicitly and irrespective of categories such as civil or criminal. WASH. CONST. art. I, § 7 ; State v. Chacon Arreola, 176 Wash.2d 284, 291, 290 P.3d 983 (2012) ( article I, section 7 "is grounded in a broad right to privacy"). As Justice Vernon Pearson noted in a remarkably prescient dissent over 30 years ago, "nondisclosure of personal information is an essential element of an individual's ‘private affairs’.... [and] is necessarily protected by article [I], section 7." Peninsula Counseling Ctr. v. Rahm, 105 Wash.2d 929, 942, 719 P.2d 926 (1986) (Pearson, J., dissenting); see also O'Hartigan, 118 Wash.2d at 131-32, 821 P.2d 44 (Utter, J., dissenting in part) (stating that personal information requested in state polygraph questions is protected under both the state and federal constitutions). Thus, I would hold that article I, section 7 of our state constitution protects as private citizens' names and associated birth dates.

II. The PRA exempts from disclosure public records containing state employee names and corresponding birth dates

¶47 To be exempt from disclosure, the challenged data must satisfy three requirements under RCW 42.56.230, First, it must be the type of "personal information" immune from release. RCW 42.56.230 (listing specific exemptions). Second, disclosure would be "highly offensive to a reasonable person." RCW 42.56.050. Third, disclosure would not be of "legitimate concern to the public." Id. The release of state employees' full names and associated birth dates satisfies all three requirements.

a. "Personal information"

¶48 Among other things, the PRA exempts from disclosure "[p]ersonal information in files maintained for employees, appointees, or elected officials of any public agency to the extent that disclosure would violate their right to privacy." RCW 42.56.230(3).

¶49 Although not defined in the PRA, we have defined "personal information" as "information relating to or affecting a particular individual, information associated with private concerns, or information that is not public or general." Bellevue John Does 1-11 v. Bellevue Sch. Dist. No. 405, 164 Wash.2d 199, 211, 189 P.3d 139 (2008). Employees' full names and corresponding birth dates are contained in personnel files and relate to specific individuals because they identify state workers. RCW 42.56.230(3). Therefore, it is logical to conclude that data containing full names with associated birth dates qualify as "personal information" under subsection .230(3). b. "Highly offensive"

¶50 RCW 42.56.050 also provides that information will be withheld only if disclosure would be highly offensive to a reasonable person. We should recognize a simple modern truth: given its context and consequences, involuntary disclosure of names and corresponding birth dates is highly offensive to a reasonable person. RCW 42.56.050. The release of this information can destroy the financial and social lives of unsuspecting users. We have previously protected this type of personally identifying information. In Progressive Animal Welfare Society v. University of Washington , this court recognized that the disclosure of public employees' social security numbers would be highly offensive to a reasonable person and not of legitimate public concern. 125 Wash.2d 243, 254, 884 P.2d 592 (1994) (plurality opinion); see also Hearst Corp. v. State, 24 Misc. 3d 611, 882 N.Y.S.2d 862, 875 (2009) (concluding that "a reasonable person would find the disclosure of [their] precise birth date[s], taken together with [their] full name and other details of [their] State employment, to be offensive and objectionable"). Employee names and associated birth dates, like Social Security numbers, easily meet the requirement of "highly offensive."

¶51 Understanding how we use modern technology is essential to determining whether the release of names and birth dates would be "highly offensive." With the rise of technology has come the endless proliferation of electronic records, collected about us "from the time we are born until the day we die." JOHN Q. NEWMAN, IDENTITY THEFT: THE CYBERCRIME OF THE MILLENNIUM 5 (1999). Where once "[t]he small details" of life were "captured in dim memories or fading scraps of paper," they are "now preserved forever in the digital minds of computers, vast databases with fertile fields of personal data." Daniel J. Solove, Privacy and Power: Computer Databases and Metaphors for Information Privacy, 53 STAN. L. REV. 1393, 1394 (2001).

¶52 In our age of technology, information is fuel. And personal information is collected and shared around the world—with good and bad actors alike. Governments collect information about their workers for useful and innocuous goals, such as identifying and tracking workers; but public disclosure of that information risks exposing those employees to cybercrime. On the "dark web," bad actors can purchase stolen Social Security numbers, online payment login information, credit or debit cards, driver's licenses, and medical records for just a few dollars. See Brian Stack, Here's How Much Your Personal Information Is Selling for on the Dark Web , EXPERIAN (Dec. 6, 2017) (noting that Social Security numbers can be bought for $1, credit cards from $5-$30, and driver's licenses for $20 on the dark web), https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ [https://perma.cc/5RSU-5XXK].

The "dark web" is the term used to denote parts of the Internet largely unseen by the average user. Characterized as a " ‘private global computer network that enables users to conduct anonymous transactions without revealing any trace of their location,’ " the dark web requires specialized tools or interfaces to access. United States v. Werdene, 883 F.3d 204, 206 n.1 (3d Cir.) (quoting Ahmed Ghappour, Searching Places Unknown: Law Enforcement Jurisdiction on the Dark Web, 69 Stan. L. Rev. 1075, 1087 (2017) ), cert. denied, ––– U.S. ––––, 139 S. Ct. 260, 202 L.Ed.2d 174 (2018) ; A. Dominick Romeo, Comment, Hidden Threat: The Dark Web Surrounding Cyber Security, 43 N. Ky. L. Rev. 73, 75 (2016).

¶53 Perhaps even more alarming is the reality that bad actors need not purchase our personal information when it may be revealed inadvertently by trusted institutions through unauthorized access (hacking) of personal data. Over the past two years, the credit reporting agency Equifax and social media website Facebook have reported massive data breaches that exposed the birth dates and personal information of nearly 200 million Americans. See Tara Siegel Bernard et al., Equifax Says Cyberattack May Have Affected 143 Million in the U.S., N.Y. TIMES , Sept. 7, 2017, http://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html[https://perma.cc/UAG6-VFDA]; Mike Issac & Sheera Frenkel, Facebook Security Breach Exposes Accounts of 50 Million Users, N.Y. TIMES , Sept. 28, 2018, https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html[https://perma.cc/758T-6Y7J]. ¶54 Whether by buying or hacking, cybercriminals can access our personal information to wreak havoc. In 2017, there were over 16.7 million victims of identity fraud. Susan Grant, Identity Theft, Fraud Statistics Give Consumers No Cause To Celebrate, CONSUMER FED'N OF AM. (Mar. 13, 2018), https://consumerfed.org/identitytheft-fraud-statistics-give-consumers-no-cause-to-celebrate/[https://perma.cc/D7NY-NNVL], Sadly, even children have fallen prey to identity thieves. In 2018, more than 1 million American children were victims of identity theft. Kelli B. Grant, Identity Theft Isn't Just an Adult Problem. Kids Are Victims, Too. CNBC (Apr. 24, 2018, 9:23 AM), https://www.cnbc.com/2018/04/24/child-identity-theft-is-a-growing-and-expensiveproblem.html [https://perma.cc/9CNM-SUNY]. Many of the state employees that will be affected by the disclosure of their personal information have already been victims of identity theft. E.g., Clerk's Papers (CP) at 1417 (Deck of Jacqueline Simms) ("My identity has been compromised in the past, when someone tried to use my credit card."), 1565 (Deck of Daniel Walters) ("My identity has been stolen several times, and used against me.").

Institutions from banks to credit bureaus have exposed consumer data, and likely bad actors have accessed it. But individuals often will not see the negative effects of the unauthorized of their personal information until it is too late—until the identity thief has opened credit use card accounts in a user's name or, worse, used them for crimes that may not come to light for years. Lily Hay Newman, The Wired Guide to Data Breaches, Wired (Dec. 7, 2018), https://www.wired.com/story/wired-guide-to-data-breaches/[https://perma.cc/9FRW-SC46 ].

¶55 With the advent of technology and the collection of personally identifying information, fraudsters and bad actors may access our most sensitive details without our consent and, most frighteningly of all, without our knowledge. "[T]here is little question that one ‘can take personal information [that is] not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.’ " Tex. Comptroller v. Att'y Gen., 354 S.W.3d 336, 344-45 (2010) (quoting Hadley Legget, Social Security Numbers Deduced From Public Data, WIRED (July 6, 2009)). The combination of state employee names and birth dates creates this type of sensitive and confidential information.

¶56 For example, the Washington State Department of Retirement Systems uses personal information to access online employee retirement accounts. CP at 3881. State workers input their personal user identification and password in order to view funds, change beneficiaries, and alter investment activity. Id. at 3881-82. Importantly, if employees forget usernames or passwords, they may request new ones by "offering identifying information in the form of their birthday, residential zip code, and the last four digits of their Social Security number." Id. at 3882 (emphasis added). Not only has technology made procuring this information unsettlingly easy, disclosing employee names and associated birth dates will provide information fraudsters need to access state accounts and steal or hold hostage a worker's retirement funds. Id.

¶57 Like Social Security numbers, birth dates are now routinely used to track individuals and, relevant to the instant case, websites often require a user to input a birth date to access his or her accounts. See Data Tree, LLC v. Meek, 279 Kan. 445, 462, 109 P.3d 1226 (2005) ("An individual's social security number, date of birth, and mother's maiden name are often used as identifiers for financial accounts or for obtaining access to electronic commerce."); Glenn Fleishman, How Facebook Devalued the Birthday, FASTCOMPANY (Apr. 6, 2018), https://www.fastcompany.com/40550725/how-facebook-devalued-the-birthday [https://perma.cc/22XY-V3Q3]; Bob Sullivan, Your Social Security Number Isn't a Secret, N.Y. TIMES , Sept. 13, 2017, https://www.nytimes.com/2017/09/13/opinion/your-social-security-number-isnt-a-secret.html [https://perma.cc/8C2E-J7GH].

¶58 Here, state workers have little say in whether they disclose personal information to the State upon employment but they likely expect that information to be used only for internal purposes. E.g., CP at 1392 (Decl. of Brendan Magee) (stating employee's discomfort with releasing work e-mail that was not made available to the public and used only in the state network). The disclosure of names and birth dates to the public will occur without employee consent and will inevitably make these employees vulnerable to cybercriminals searching for personal details at cut-rate prices online.

¶59 Like Social Security numbers, given modern realities, the disclosure of names and associated birth dates would be highly offensive to the reasonable person. RCW 42.56.050 ; Progressive Animal Welfare Soc'y, 125 Wash.2d at 254, 884 P.2d 592 (holding that disclosure of Social Security numbers was highly offensive),

The majority's refusal to engage with the implications of modern technology and personal privacy is further illustrated in its reliance on the Restatement (Second) of Torts and its nonbinding comments. Majority at 608. The majority is correct that Hearst Corp. v. Hoppe, 90 Wash.2d 123, 135, 580 P.2d 246 (1978), characterizes the right to privacy in RCW 42.56.230(3) by referring to common law torts. Majority at 608–09. Hearst , however, does not hold that this is the only permissible characterization. Moreover, we should consider whether adhering to the Restatement is appropriate in light of technology's intimate interaction with personal privacy. The majority relies in part on the Restatement 's comment concerning privacy, which states that no liability arises from " ‘giving publicity to facts about the plaintiff's life that are matters of the public record, such as the date of ... birth.’ " Majority at 608 (quoting Restatement § 652D emt b.) (emphasis omitted). But we do not strictly follow Restatement comments as if they set out binding state law. In re Estate of Toland, 180 Wash.2d 836, 849, 329 P.3d 878 (2014). Furthermore, the second Restatement and its comments were written well before the rise of technology. The majority's perfunctory reliance on this comment ignores society's changed conception of privacy, technology, and the modern risks they pose to individuals—risks that did not exist in 1977 when the Restatement was drafted.

c. "Not of legitimate concern to the public"

¶60 Disclosure of public records containing employee names and associated birth dates is not of legitimate public concern. RCW 42.56.050. The only conceivable public concern in disclosing this information is that it furthers some general open government interest by helping the public better know who works for the State. But ensuring state workers are "who they say they are," Br. of Amicus Curiae Allied Daily Newspapers of Wash, et al. at 18, hardly touches on open government and says nothing about the function of state government. Nor, for that matter, does it even necessarily accomplish that goal, for if a state employee had some hypothetical elaborate scheme to conceal personal identity from the State, the employee would of course have misrepresented a name and birth date to the State as well. While identifying state workers could potentially advance a third-party interest, such as easing the job of news reporting, that interest alone does not qualify as a legitimate public concern—especially in light of the significant harm that may befall state employees by the disclosure of their names and birth dates. Accordingly, I would hold that the employees have "demonstrate[d] that they have a right to privacy in personal information ... [and] that disclosure would violate it." Predisik v. Spokane Sch. Dist. No. 81, 182 Wash.2d 896, 904, 346 P.3d 737 (2015).

III. State employees retain constitutionally protected privacy rights

¶61 State employees maintain their constitutional rights regardless of state employment or whether their private information may be accessible from sources other than the State. As noted by amicus curiae American Civil Liberties Union of Washington, unlike the federal constitution, which does not protect information voluntarily turned over to third parties, our state constitution safeguards personal data even when shared with others. Smith v. Maryland, 442 U.S. 735, 743-44, 99 S. Ct. 2577, 61 L. Ed. 2d 220 (1979) (explaining the federal third-party doctrine); State v. Hinton, 179 Wash.2d 862, 873, 319 P.3d 9 (2014) ("the mere fact that an individual shares information with another party and does not control the area from which that information is accessed does not place it outside the realm of article I, section 7's protection"); Bainbridge Island Police Guild v. City of Puyallup, 172 Wash.2d 398, 259 P.3d 190 (2011) (plurality opinion) (holding that a police officer maintains his right to privacy in his identity despite media coverage); Gunwall, 106 Wash.2d at 68, 720 P.2d 808 (holding that the " ‘cloak of privacy’ " is not " ‘shed because [third parties] are aware of this information’ " (quoting State v. Hunt, 91 N.J. 338, 347, 450 A.2d 952 (1982) )). The right to privacy is not extinguished because the information may be available from third parties.

¶62 Nor is the right surrendered upon public service. A potential employee of the State may not be required to forgo his or her constitutional rights simply to gain state employment. Kelley v. Johnson, 425 U.S. 238, 245, 96 S. Ct. 1440, 47 L. Ed. 2d 708 (1976). Government employees and public officials retain their constitutionally protected privacy rights in matters of personal life unrelated to acts done in the public capacity. Nissen v. Pierce County, 183 Wash.2d 863, 883 n.10, 357 P.3d 45 (2015) (quoting Nixon v. Adm'r of Gen. Servs., 433 U.S. 425, 457, 97 S. Ct. 2777, 53 L. Ed. 2d 867 (1977) (noting public officials have "constitutionally protected privacy rights in matters of personal life unrelated to any acts done by them in their public capacity")).

I therefore agree with the majority that our decision in Nissen does not hold that individuals lack a constitutional privacy interest in public records. Majority at 613 n.10.

IV. Rational basis review is not required and is inappropriate in this context

¶63 The majority further holds that article I, section 7 does not apply to names and associated birth dates by applying rational basis review. See generally majority at 611–14. Because we have not yet recognized nondisclosure of personal information (confidentiality) as a fundamental right and have, consequently, applied rational basis review to concerns about confidentiality, the majority says we must therefore apply rational basis in this case as well. See id. at 611–12.

¶64 But the case law the majority relies on for this assertion is not so settled. Peninsula Counseling appears to be the first case to reference rational basis in the context of confidentiality. 105 Wash.2d 929, 719 P.2d 926. But the term "rational basis review" does not appear in the Peninsula Counseling majority opinion; only the dissent invokes this term. Id. at 944, 719 P.2d 926 (Pearson, J., dissenting). Subsequent cases such as O'Hartigan, 118 Wash.2d at 117-18, 821 P.2d 44, and Ino Ino, Inc. v. City of Bellevue, 132 Wash.2d 103, 124, 937 P.2d 154 (1997) (plurality opinion), problematically rely on the Peninsula Counseling dissent as authority for applying rational basis review. Dissenting opinions are not binding on this court. In re Pers. Restraint of Domingo, 155 Wash.2d 356, 119 P.3d 816 (2005).

¶65 Moreover, the application of rational basis review to the current case is inherently ill suited. O'Hartigan states that "disclosure of intimate information to governmental agencies is permissible if it is carefully tailored to meet a valid governmental interest, and provided the disclosure is no greater than is reasonably necessary." 118 Wash.2d at 117, 821 P.2d 44. Here, the Unions do not challenge the disclosure of employee names and associated birth dates to the State; that information has already been collected. Instead, the Unions challenge the disclosure of this data from the State. Even ignoring this fundamental mismatch, the test offers a confused analysis. Are reviewing courts to look for any conceivable legitimate state interest in the collection of state employee names or in the disclosure of that information? Assuming we analyze the disclosure of the information, since this is closer to the text of the test as set forth in O'Hartigan , do we then examine state interests in the disclosure of names and corresponding birth dates to the State? We are left at an impasse as the parties offer no argument on this point, and I can find no analogous case that offers reasoning on which we can rely.

¶66 Most importantly, these cases concern only the disclosure of information to governmental agencies. See, e.g. , Ino Ino, 132 Wash.2d at 124, 937 P.2d 154. Whether we would conclude that disclosure of private information by the state government to third parties in Ino Ino, O'Hartigan, or Peninsula Counseling is unknown. These cases were not asked to resolve this question. Thus, rational basis review is not inevitably required here. Nor does my approach require overruling Peninsula Counseling, O'Hartigan, and Ino Ino . These cases are distinguishable, and I would not—as the majority asserts—"require us to overrule long-standing precedent applying a rational basis analysis in this very context." Majority at 613.

The majority states, "In the PRA context specifically, we have employed a rational basis analysis that aligns with the common law test.... This stands to reason because article I, section 7 has been incorporated into the PRA via the ‘other statutes’ exception. See Bellevue John Does [1-11 v. Bellevue Sch. Dist. No. 405, 129 Wash. App. [832,] 861[, 120 P.3d 616 (2005) (Bellevue John Does I) ]." Majority at 612. However, the opinion in Bellevue John Does I does not adopt article I, section 7 into the PRA. The court was merely deciding whether John Doe had a privacy interest or due process right that overcame disclosure or required a name clearing hearing. I can find no case from this court expressly incorporating article I, section 7 into the PRA via the "other statutes" provision.

V. Conclusion

¶67 This case presents the immediate question whether the PRA exempts disclosure of state employees' full names and corresponding birth dates. I disagree with the majority's answer to this question. I also disagree with the majority's failure to engage with the larger issues presented—namely, the interaction of technology, privacy, and our state constitution.

¶68 As one commentator noted, "It is not technology, as such, which affects society for good or bad, but its uses, which are ... shaped by the values of society and by the historical context in which the technology is used." Fred W. Weingarten, Privacy: A Terminal Idea, 10 HUM. RTS., vol. 3, Fall 1982, at 18, 56. In isolation, the release of state employee names and birth dates does not generate constitutional fanfare. It is the ubiquity of technology and its uses that implicate privacy and, consequently, state constitutional concerns. Because technology can be easily used for criminal purposes, we must recognize that release of personal information, like names and birth dates, will assist—however indirectly—these cybercriminals.

¶69 The consequences of technology knock ever more loudly at privacy's door. As the ultimate arbiters of our state constitution, we have the duty to answer that door and protect the privacy rights of Washington citizens. Therefore, I would hold that article I, section 7 protects an individual's right to nondisclosure of personal information, such as names and birth dates. The PRA exempts disclosure of this information because it would be highly offensive to a reasonable person and is not of legitimate public concern. Accordingly, I respectfully dissent.

Owens, J.

Gordon McCloud, J.

González, J. (concurring in dissent)

¶70 This case asks us to resolve the "tension between the [Public Records Act]'s mandate of disclosure and the efforts of agencies to protect personal identifying information, the disclosure of which can put citizens at risk for identity theft and other problems." City of Lakewood v. Koenig, 182 Wash.2d 87, 99 n.7, 343 P.3d 335 (2014). I concur with the dissent that article I, section 7 of our state constitution protects an individual's right to nondisclosure of personal information such as names and birth dates. I also concur with the dissent that the Public Records Act (PRA), ch. 42.56 RCW, itself exempts the requested records. I write separately because I cannot believe the legislature intended to allow the PRA to undermine an agency's protection of individuals' personal information.

¶71 The requesters made a PRA request for records for union-represented employees, including their full names and associated birth dates. The PRA exempts from public inspection and copying "[p]ersonal information in files maintained for employees, appointees, or elected officials of any public agency to the extent that disclosure would violate their right to privacy." RCW 42.56.230(3). The majority and dissent conclude that "personal information" is not defined in the PRA. See majority at 607 n.5; dissent at 616–17. I disagree and would give the parties the opportunity to address this important issue.

¶72 The PRA defines "personal information" only once. It defines "personal information" for purposes of its section requiring agencies to notify persons of security breaches. RCW 42.56.590. While this definition exists for a specific purpose, when a term is "undefined elsewhere in the statute, we must look to its dictionary definition and to its context within the statutory scheme as a whole to derive its plain meaning." Rental Hous. Ass'n of Puget Sound v. City of Des Moines, 165 Wash.2d 525, 542, 199 P.3d 393 (2009) (Fairhurst, J., concurring) (emphasis added) (citing Dep't of Ecology v. Campbell & Gwinn, LLC, 146 Wash.2d 1,9, 11, 43 P.3d 4 (2002) ).

¶73 As the majority and dissent recognize, the dictionary defines "personal information" broadly. See also Bellevue John Does 1-11 v. Bellevue Sch. Dist. 405, 164 Wash.2d 199, 211, 189 P.3d 139 (2008). In enacting the security breach section of the PRA, the legislature intended to "strengthen the data breach notification requirements to better safeguard personal information." See LAWS OF 2015, ch. 64, § 1. This section defines "personal information" as an "individual's first name or first initial and last name in combination with any one or more of ... [various] data elements." RCW 42.56.590 (emphasis added). Effective March 1, 2020, those data elements will include "[f]ull date of birth." LAWS OF 2019, ch. 241, § 5. By defining personal information for purposes of security breaches, the legislature is describing the category of personal information that would violate privacy per se under RCW 42.56.230(3).

¶74 Disturbing results will follow if this personal information is not protected by our state agencies. The dissent eloquently explains how cybercriminals rely on such information to ruin lives. Indeed, the legislature has said as much by requiring notification when such information is shared in a security breach. The legislature intends for agencies to secure this personal information "in a manner that meets or exceeds the national institute of standards and technology (NIST) standard or is otherwise modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person." RCW 42.56.590. The majority today undermines that protection; no amount of security precautions will withstand a PRA request.

¶75 Criminals need not hack the government's servers to get personal information when all they need to do is submit a PRA request. Their victims will be none the wiser. With these observations, I concur in dissent.


Summaries of

Wash. Pub. Emps. Ass'n, UFCW Local 365 v. Wash. State Ctr. for Childhood Deafness & Hearing Loss

SUPREME COURT OF THE STATE OF WASHINGTON
Oct 24, 2019
450 P.3d 601 (Wash. 2019)

applying a rational basis test to several agencies’ disclosure of state employees’ names and birthdates pursuant to a public records request

Summary of this case from Catlett v. Teel
Case details for

Wash. Pub. Emps. Ass'n, UFCW Local 365 v. Wash. State Ctr. for Childhood Deafness & Hearing Loss

Case Details

Full title:WASHINGTON PUBLIC EMPLOYEES ASSOCIATION, UFCW LOCAL 365, a labor…

Court:SUPREME COURT OF THE STATE OF WASHINGTON

Date published: Oct 24, 2019

Citations

450 P.3d 601 (Wash. 2019)

Citing Cases

Wash. Educ. Ass'n v. Wash. State Dep't of Ret. Sys.

Id. at 558, 450 P.3d 1181. ¶ 6 That same year, in Washington Public Employees Ass'n v. Washington State…

Wash. Fed'n of State Emps. v. State

Wash. Pub. Emps. Ass'n v. Wash. State Ctr. for Childhood Deafness & Hearing Loss, 194 Wash.2d 484, 508, 450…