Though public records stand among the pillars of an open society, the information economy is challenging traditional notions of what should be considered readily accessible to the general community. As information brokers collect and store greater amounts of information, public agencies implement e-government initiatives and telecommunications systems improve the ease with which information flows across the globe, should the line around what constitutes public data be reassessed?

A number of recent incidents may be exposing fault lines that could call for a different mode of thinking.

What’s public? What’s private?

In early March, a New Jersey appellate court ruled that an individual’s right to obtain documents under the state’s Open Public Records Act (OPRA) “trumped” the right to privacy of home addresses. In the case, the plaintiff requested a list of addresses of senior citizens who had signed up to receive mailings from Union County, NJ, for the purpose of expressing her views on the contents within county mailings. To protect the recipients, Union County officials redacted the addresses. In response, the plaintiff argued that she had the right to those addresses under the OPRA. The state appellate court agreed with the plaintiff, and now citizens who provide personal information to the mailing list are subject to the OPRA and may have their data shared with other third parties upon request.

One local official fears the ruling sets a dangerous precedent for companies that want to mine data on the cheap. Also, some are concerned that the precedent could “put a chill on people seeking” government services once citizens realize their names and addresses could be shared with third parties.

Similar red flags have been raised about whether emergency call transcripts should be available to the public. George Washington University Law School Prof. Daniel Solove points out in a Concurring Opinions piece that 911 calls often involve the disclosure of personal medical information. “Doctors and nurses are under a duty of confidentiality,” opines Solove, “so why not 911 call centers, especially when people are revealing medical information?”

Though 911 call centers are not regulated under HIPAA, Solove argues the public release of 911 calls without the consent of the caller “violates people’s constitutional right to information privacy.”

Deborah Peel of Patient Privacy Rights argues in a GovInfoSecurity report that public release of emergency calls is a violation of HIPAA because 911 operators “are in effect working on behalf of hospitals and emergency centers as part of the patient’s treatment team.”

Some argue that public release of 911 calls promotes transparency and provides citizens with a window into the effectiveness of call centers. Yet, Solove has said this can be done without violating the privacy of callers. “I would think,” writes Solove, “that if 911 operators didn’t handle the call well, most people would consent to disclosure so the 911 center could be held accountable.”

In light of the recently publicized 911 call of actress Demi Moore, California Assemblywoman Norma Torres (D-Pomona) plans to introduce legislation to bar the disclosure of such calls. Missouri, Pennsylvania, Rhode Island and Wyoming all have laws that keep 911 calls private, and lawmakers in Alabama, Ohio and Wisconsin are considering similar rules.

The pros and cons of e-Government

Mining of public agencies’ data is also being used for identity theft. Media reports show that the Social Security Administration’s Death Master File (DMF) has been under recent scrutiny by citizens and lawmakers because of alleged inaccuracies within the list and the ease with which identity thieves can access the public data.

The government-backed database lists more than 87 million deceased Americans, including their names, addresses and Social Security numbers. Intended to assist medical research and help government, financial, investigative and credit reporting organizations fight identity fraud and verify a citizen’s death, the DMF can be purchased and distributed online. In some cases, using the Freedom of Information Act, information in the file is sold to private companies and posted on the Internet. The information is also commonly used for genealogy research.

Identity thieves have used data gleaned from the DMF to file bogus tax returns, and the practice has become widespread enough to gain the attention of those in public policy.

According to Fox 6 Now, the National Consumers League (NCL) has expressed concern over the availability of DMF data. NCL Vice President of Public Policy John Breyault said, “While NCL generally supports transparency of government data…In this case, we believe the risk that DMF data can be used for nefarious purposes outweighs the benefit.”

SSA Inspector General Patrick P. O’Carroll, Jr., testified in February that as many as 1,000 cases each month have involved a living individual mistakenly being added to the DMF. Additionally, a 2008 Social Security audit revealed that as many as 20,000 living Americans’ Social Security numbers were publicly disclosed through the DMF. Though O’Carroll suggested that public disclosure be limited, it would take an act of Congress, he said.

In response to these issues, LifeHealthPro reports Rep. Sam Johnson (R-TX) has introduced the Keeping IDs Safe Act of 2011. Pending in the House Ways and Means Committee, the legislation would limit the public disclosure of DMF data.

Court records are also public data, serving legal scholars, investigative journalists and others. As New York University Prof. Helen Nissenbaum writes in her book Privacy in Context, “With few exceptions, court records of both civil and criminal cases are also part of the larger class of public records and contain a great deal of personal information.” In addition to plaintiffs and defendants, court records can also reveal personal information about jurors and jury member pools and can include Social Security numbers, financial, medical and other “exquisitely personal” information.

These records--once only on paper--were concealed in what some call “practical obscurity.” Because material documents were housed in specific locales, accessing the records required some degree of physical limitation. In digital form, court documents are not only easily accessible, Nissenbaum writes, they “can be rapidly retrieved, searched and reassembled in novel ways not previously imagined.” A simple query on a search engine by a potential employer could return compromising information that might not appropriately reflect a job applicant’s current situation, for example.

Nissenbaum also notes that, as a consequence, the twofold combination of public record digitization and e-Government initiatives that are making access to public records easier across government agencies, allows “interested parties, from journalists and information brokers to identity thieves and stalkers,” to “avail themselves of these services.”

A shifting privacy paradigm?

According to a recent article by Alexis Madrigal in The Atlantic, NYU’s Nissenbaum has “played a vital role in reshaping the way our country’s regulators think about consumer data.” The concept of context--or what she refers to as “context-relative informational norms”--was used in the Federal Trade Commission’s recently released privacy report 87 times.

Rather than treat what is public and private as a strict binary, Nissenbaum has put forth a need for recognizing “contextual integrity” with a “reasonable expectation of privacy.” Over the course of time, society’s norms and values change, and, depending on the social situation, expectations of privacy change.

For example, new technologies such as facial recognition are challenging our notions of privacy while in public. When entering the public sphere, we are not only letting ourselves be identified, but we can also identify other people. It’s a two-way street, and while not everyone knows everyone else, facial recognition can potentially collect, store and identify individuals in the public sphere and connect those images with a vast database. In this latter context, our expectation of privacy most likely does not match the flow of information captured from images of our face to a database. Yet, the expectation changes when this same technology is employed in a casino to help troubled gamblers who have opted in to the gambling-prevention program.

As Madrigal writes, “Nissenbaum puts the context--or social situation--back into the equation.” What we decide to share with our friends, we might not share with our boss. What we share with a doctor, we might not share publicly, and so on. “Furthermore,” he adds, “these differences in information sharing are not bad or good: they are just the norms…Perhaps most importantly, Nissenbaum’s paradigm lays out ways in which sharing can be a good thing.” Using facial recognition to prevent an addiction to gambling could be one such example.

Rethinking traditional notions of what is private has also made its way to the U.S. Supreme Court.

In United States v. Jones, justices countered the government’s argument that “citizens have no privacy interests in their public movements.” The placement of a GPS monitoring device without a warrant was essentially trespassing on private property. Yet, as Kashmir Hill points out in a Forbes report, what if a suspected criminal used a GPS navigation device in his vehicle? According to the third-party doctrine, privacy is lost once information is shared with a third party, as are any Fourth Amendment protections against illegal searches and seizures.

The concurring opinion of Justice Sonia Sotomayor, in this case, however, suggests a potential reconsideration of the third-party doctrine.

Noting that “an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties,” Sotomayor queried whether the doctrine is “ill suited to the digital age” since so much information is now shared with third parties during “the course of carrying out mundane tasks.”

As an American Criminal Law Review blog post  points out, “It’s unclear whether other justices on the court share” Sotomayor’s concurring opinion, “but this will probably affect arguments in future information privacy cases before the court.”


Written By

Jedidiah Bracy, CIPP/E, CIPP/US


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

The Privacy Core™ Library Has Evolved

Privacy Core™ e-learning essentials just expanded to include seven new units for marketers. Keep your data safe and your staff in the know!

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Let’s Get You DPO Ready

There’s no better time to train than right now! We have all the resources you need to meet the challenges of the GDPR.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.


The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for DPO readiness. Learn more today.

Learn more about IAPP certification »

IAPP-OneTrust Website Scanning & Cookie Compliance Tool

Scan your website for cookies, tags, forms and policies and create a custom, dynamically updated cookie policy based on the results of your scans.

Are You Ready for the GDPR?

Check out the IAPP's EU Data Protection Reform page for all the tools and resources you need.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

IAPP Communities

Meet locally with privacy pros, dive deep into specialized topics or connect over common interests. Find your Community in KnowledgeNet Chapters, Sections and Affinity Groups.

More Resources »

Global Privacy Summit 2017

The world’s premier privacy conference returns with the sharpest minds and unparalleled programs—plus a whole new spin on Active Learning!

Canada Privacy Symposium 2017

The Symposium returns to Toronto! Take advantage of Early Bird rates before March 31 and join your fellow privacy pros for a stellar program.

The Privacy Bar Section Forum 2017

The Privacy Bar Section Forum is SOLD OUT and the wait list is closed. If you got on the wait list, we'll keep in touch about your status. Good luck!

Asia Privacy Forum 2017

Join us in Singapore for exclusive networking and intensive education on data protection trends and challenges in the Asia Pacific region.

Privacy. Security. Risk. 2017

We're bringing the best of the best in privacy and infosecurity to sunny San Diego. Early registration for P.S.R. opens in May.

Europe Data Protection Congress 2017

Your source for European policy debate, multi-level strategic thinking and thought-provoking discussion. Registration opens in early June.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»