
    DELAWARE COUNTY v. Mari A. SCHAEFER, on behalf of The PHILADELPHIA INQUIRER. Appeal of: Mari A. Schaefer.
    Commonwealth Court of Pennsylvania.
    Argued Dec. 14, 2011.
    Decided March 22, 2012.
    Publication Ordered May 15, 2012.
    
      Michael E. Baughman, Philadelphia, for appellants Mari A. Schaefer and The Philadelphia Inquirer.
    Patricia S. Biswanger, Media, for appel-lee.
    Andrea L. Bowman, Deputy General Counsel, Harrisburg, for amicus curiae Office of General Counsel.
    BEFORE: LEADBETTER, President Judge, and McGINLEY, Judge, and PELLEGRINI, Judge, and COHN JUBELIRER, Judge, and SIMPSON, Judge, and LEAVITT, Judge, and McCullough, Judge.
    
      
      . This case was assigned to the opinion writer before Judge Pellegrini succeeded Judge Le-adbetter as President Judge.
    
   ORDER

OPINION BY

Judge McGINLEY.

Mari Schaefer (Schaefer), on behalf of The Philadelphia Inquirer, appeals the January 26, 2011, order of the Court of Common Pleas of Delaware County (trial court) that reversed the Pennsylvania Office of Open Records’ (OOR) denial of Schaefer’s request under the Right-To-Know-Law (RTKL) for the home addresses and dates of birth of all Delaware County (County) employees.

On May 6, 2009, Schaefer, a reporter for The Philadelphia Inquirer, requested from the County “a complete and current list of the Delaware County Government payroll information in electronic spreadsheet or database format ... [including] employee name, position and department, home address and full date-of-birth information.” Letter from Mari Schaefer to Anne Coogan, Right-To-Know-Law Official, May 6, 2009, at 1; Reproduced Record (R.R.) at 27a. Schaefer requested the birth date and home address of each of the County’s 8,126 employees because it would provide a “unique identifier” to differentiate employees with common names, and allowed reporters to “search and match” with other computer databases, such as those containing campaign finance, property tax, or criminal history information. Schaefer’s Brief at 5. She also sought this information to analyze trends and statistics about the County’s work-force, such as whether employees live in the county where they work.

The County’s Open Records Officer, Anne M. Coogan (Coogan), provided Schaefer with the County’s government employee names, titles and salaries in digital form as a PDF file, but denied Schae-fer’s request for home addresses and dates of birth on the basis that such information was not a “record” as that term is defined in the new RTKL. And even if the information constituted a “record,” it fell within the exceptions in the new RTKL, at Section 305(a)(3), 65 P.S. § 67.305(a)(3) (relating to common law privacy rights); Section 708(b)(l)(ii), 65 P.S. § 67.708(b)(l)(ii) (relating to personal harm and personal security) and Section 708(b)(6)(i), 65 P.S. § 67.708(b)(6)(i) (relating to personal identification information). Schaefer appealed to the OOR.

On October 21, 2010, OOR granted Schaefer’s appeal and ordered the County to provide the County’s employees’ home addresses and birth dates within 30 days. The OOR concluded that the new RTKL “only exempts the home addresses of a law enforcement officer or judge and the home address of a child 17 years of age or younger,” and found that the County failed to meet its burden to demonstrate that the requested records were exempt under the law. Decision of Office of Open Records, October 21, 2010, at 4-5; R.R. at 4a-5a. The OOR’s order was consistent with its previous decisions that found that “home addresses of individuals who fell outside of the statute’s narrow exemption(s)” were public records that must be disclosed. Decision of Office of Open Records, October 21, 2010, at 5; R.R. at 5a.

The County appealed to the trial court, which reversed the OOR on January 26, 2011. In its Opinion in support of its decision, the trial court concluded that the home addresses and full birth dates of County employees were exempt from disclosure. It applied a “balancing test” which weighed the personal security and privacy interests of the County employees against the benefits of public disclosure. Trial Court Opinion, April 8, 2011, at 5. The balancing test employed by the trial court was judicially created under the pri- or RTKL. The trial court concluded that the test was not “abolished” by the new RTKL. The test, according to the trial court, was developed because the personal security exception of the former RTKL included a right to privacy. The trial court went on to find that the County established, based on extensive federal research, that the release of home addresses and birth dates would directly expose the employees to identity theft. The trial court concluded that the information requested by Schaefer was “exactly the type of information that ‘would be reasonably likely to result in substantial and demonstrable risk of physical harm to or the personal security of the [employees of Delaware County].” Trial Court Opinion, April 8, 2011, at 8.

On appeal, Schaefer raises three issues: (1) whether the plain language of the new RTKL and its legislative history establish that the Legislature considered and rejected exempting public employee addresses and birth dates from disclosure; (2) whether there is a constitutional or public policy justification to diverge from the clear text of the new RTKL and prohibit disclosure of addresses and dates of birth; and (3) whether the trial court abused its discretion and committed errors of law when it sua sponte reversed the OOR without notice to the parties, briefs, hearing or argument.

The Current RTKL

In 2008, the General Assembly passed the present RTKL, which made significant changes to the accessibility of public records. As this Court explained in Pennsylvania State Education Association v. Commonwealth Department of Community and Economic Development, 4 A.3d 1156 (Pa.Cmwlth.2010) (hereinafter “PSEA”), the revisions to the RTKL changed the method of access to an individual’s personal information and set forth new criteria to determine whether information is protected from disclosure.

All records held by an agency are now presumed to be “public records” under Section 305(a) of the new RTKL, 65 P.S. § 67.305(a), except records that are: (1) exempt under Section 708; (2) protected by a privilege; or (3) exempt from disclosure under any other Federal or State law or regulation or judicial order or decree.

Section 708(a)(1) of the new RTKL, 65 P.S. § 67.708(a)(1), entitled “Exceptions for public records,” now places the burden on the agency to prove by a preponderance of the evidence that a particular record is exempt from public access.

In the revision of the RTKL, thirty exceptions were added, two of which are relevant to this controversy, which limit the disclosure of information about individual, public employees.

The first is found at Section 708(b)(6)(i) of the RTKL which exempts certain specific “personal identification” information (hereinafter “Personal Identification Exception”). It exempts from disclosure the following personal identification information:

(A) A record containing all or part of a person’s Social Security number, driver’s license number, personal financial information, home, cellular or personal telephone numbers, personal e-mail addresses; employee number or other confidential personal identification number.
(B) A spouse’s name, marital status, or beneficiary or dependent information.
(C) The home address of law enforcement officer or judge.

Section 708(b)(6) of the RTKL, 65 P.S. § 67.708(b)(6).

The second exemption relevant to this appeal is found at Section 708(b)(1)(h) of the new RTKL (hereinafter “Personal Harm/Personal Security Exception”) which exempts a record, the disclosure of which “would be reasonably likely to result in a substantial and demonstrable risk of physical harm or to the personal security of an individual.” Section 708(b)(1)(h) of the RTKL, 65 P.S. § 67.708(b)(l)(ii) (Emphasis added).

Schaefer’s Argument

Plain Language of Personal Identification Exception

Schaefer argues that the plain language of the “Personal Identification Exception” in Section 708(b)(6) of the new RTKL, 65 P.S. § 67.708(b)(6), supports the OOR’s conclusion that the County employees’ home addresses and birth dates are “public records.”

Schaefer argues that the Legislature, in its overhaul of the new RTKL, specifically carved out specific “personal identification” information which it intended to exempt from disclosure. Home addresses and birth dates were not included. She contends that a fundamental tenet of statutory construction is that “exceptions expressed in a statute shall be construed to exclude all others.” 1 Pa.C.S. § 1924. She argues that if the Legislature intended to provide an exception for home addresses and birth dates it would be in the personal identification section. That exemption excludes from disclosure the home addresses of law enforcement officers and judges in Section 708(b)(6)(C) of the new RTKL, 65 P.S. § 67.708(b)(6)(C), and to minor children in Section 708(b)(30) of the new RTKL, which exempts “name, home address or date of birth of a child 17 years of age or younger.” (emphasis added). These detailed exceptions show that the Legislature carefully considered the type of identifying information that is subject to public disclosure. Applying the principles of statutory construction, it is clear that the Legislature chose not to include all other date-of-birth and home address information.

Schaefer further contends, to the extent this Court finds the statute to be ambiguous, the legislative history demonstrates that lawmakers intended that addresses and dates of birth of all public employees, except judges and law enforcement officers, to be public.

Initially, this Court agrees with Schaefer that the Personal Identification Exception provides a subset list of specific items of personal identification information which the legislature concluded should be granted a blanket exemption, with no need for “proof’ otherwise required under the current RTKL. The Legislature recognized that specific types of information should not and, under the law, will not be subject to disclosure. Tribune Review Publ’g Co. v. Bodack, 599 Pa. 256, 961 A.2d 110 (2008). This Court does not agree that Section 708(b)(6) of the current RTKL, 65 P.S. § 67.708(b)(6), prevents consideration of any and all other personal information which may be in the possession of an agency.

“Personal identification information” is not defined in the current RTKL. However, based on the context in which it is referenced in the present RTKL, it clearly refers to information that is unique to a particular individual or which may be used to identify or isolate an individual from the general population. It is information which is specific to the individual, not shared in common with others; that which makes an individual distinguishable from another. Often such information is required by financial institutions prior to approving loan or credit card applications. In the wrong hands, personal information may be subject to improper use and might lead to identity theft and the theft of money or credit.

Clearly, the fifteen exclusions listed in the Personal Identification Exception of Section 708(b)(6)(i) of the new RTKL, 65 P.S. § 67.708(b)(6)(i), do not comprise the entire realm of possible personal identification information in an agency’s possession which could be misappropriated or misused. In addition to birth dates and home addresses, which are at issue here, it is easy to envisage a myriad of other personal identification information which might, in conjunction with other information, be misappropriated or used to harm a public employee’s interests, such as mother’s maiden name, place of birth, and photo/picture ID.

Nevertheless, because there is no mention of birth dates and home addresses of “all other” public employees in the Personal Identification Exception, these items are not entitled to the unconditional protection afforded the home addresses and birth dates of certain vulnerable or at-risk individuals such as law enforcement officers, judges and minor children. They are, therefore, not categorically exempt under the Personal Identification Exception.

This does not end the inquiry. A record which may not be protected under one statutory exemption may be protected under another. Section 708(e) of the new RTKL, 65 P.S. § 67.708(e), provides: that “[i]n determining whether a record is exempt from access under this section, an agency shall consider and apply each exemption separately.” (Emphasis added).

As noted above, there is a separate category of information which is protected under the Personal Harm/Personal Security Exception found at Section 708(b)(1)(h) of the new RTKL, 65 P.S. § 67.708(b)(1)(h). This section exempts a record which “would be reasonably likely to result in a substantial and demonstrable risk of physical harm or to the personal security of an individual.” (Emphasis added). The question, then, is whether the protection of the personal information at issue here, birth dates, and home addresses of County employees, was legislatively contemplated under the Personal Harm/Personal Security Exception.

Personal Harm/Personal Security

Exception — Risk of Physical Harm Only ?

Schaefer contends that the Personal Harm/Security Exception applies where there is a risk of physical harm only. She contends that the County failed to establish that disclosure of its employees’ birth dates and home addresses would result in “a substantial and demonstrable risk of physical ham.” In arriving at this conclusion, Schaefer rigidly interprets the term “personal security” to mean personal “physical ” security.

This Court interprets the statute entirely differently. It is well-settled that in the construction of a statute, presumably every word, sentence or provision therein is intended for some purpose, and accordingly must be given effect. Commonwealth v. McHugh, 406 Pa. 566, 178 A.2d 556 (1962).

In Governor’s Office of Administration v. Dylan Purcell, 35 A.3d 811 (Pa.Cmwlth. 2011), a three-judge panel of this Court concluded that, based on the plain language of the present RTKL, the Personal Harm/Personal Security Exception embraces two notions: risk of physical harm and the risk to one’s personal security. There, Dylan Purcell, the computer-assisted reporting editor for The Philadelphia Inquirer asked the Governor’s Office of Administration (GOA) for ten categories of information about state employees, including names, salaries, job titles, hire dates and dates of birth. The issue was whether public employees’ birth dates were protected from disclosure under the “Personal Harm/Personal Security Exception” of the RTKL. Purcell, like Schaefer, argued that the protection afforded under this exception only attaches to the risk of physical harm.

As noted by the Purcell Court, the RTKL includes, in the disjunctive, both the risk of “physical harm” and the risk to “personal security.” The Court presumed that the Legislature intended “distinct interests by each term.” Purcell, 35 A.3d 811, 820 (Pa.Cmwlth.2011). The Court went on to conclude that there was no justification for construing the legislation as if the words “or to the personal security of’ did not exist.

This Court agrees, and is persuaded by the Purcell Court’s rationale. Schaefer has provided this Court, en banc, with no reason to deviate from our Purcell Court’s conclusion on facts and arguments which were virtually identical to those presented in this controversy. Schaefer’s interpretation of the Personal Harm/Personal Security Exception, which would exempt only records which pose risks of physical harm, would render the Legislature’s inclusion of the phrase “personal security ” meaningless. Because her approach runs contrary to the plain language of the new RTKL, Schaefer’s argument that the risk of physical harm is a prerequisite to the applicability of the “Personal Harm/Personal Security Exception” must be rejected.

Personal Security

The question remains, however, what does “personal security” mean under the new RTKL? The Legislature inserted “personal security” into the new RTKL, but the term was not defined. The nature or type of information which may substantially risk an individual’s “personal security” was also not defined or explained.

By way of comparison, under the former RTKL, the definition of “public record” excluded those records that “would operate to the prejudice or impairment of a person’s reputation or personal security. See Section 1(2) of the former RTKL, formerly 65 P.S. § 66.1(2). In the present version of the RTKL, the word “reputation” was deleted and “physical harm” was added in its place. The term “personal security” remained in the current RTKL.

In construing statutory language, it is appropriate to apply judicial construction when the term is used in both a prior and current statute. If the Legislature, in a later statute, uses the same language used in a prior statute which has been construed by the courts, there is a presumption that the language thus repeated is to be interpreted in the same manner such language had been previously interpreted when the court passed on the earlier statute. Commonwealth v. Sitkin’s Junk Co., 412 Pa. 132, 194 A.2d 199 (1963).

Here, because the term “personal security” was used in both the former and current RTKL, prior judicial authority is controlling in the interpretation of that term.

To begin, there is no one, fixed definition of “personal security” that our Courts have consistently applied to determine whether information must be deemed to be public. This is because these two seemingly innocuous words have been interpreted, depending on the particular circumstances presented, to comprise innumerable rights, including the right to privacy and confidentiality, and the right to be secure in one’s possessions, monies, investments and benefits, and the freedom from identity theft.

In Times Publishing Company, Inc. v. Michel, 159 Pa.Cmwlth. 398, 633 A.2d 1233, 1236 (1993), appeal denied, 538 Pa. 618, 645 A.2d 1321 (1994), an en banc panel of this Court held that home addresses, telephone and social security numbers contained on applications for licenses to carry firearms were protected by the personal security exception. In the case of telephone numbers, the threat was in the nature of an intrusion into a person’s privacy. In the case of the disclosure of an applicant’s address, the threat was in the nature of a threat to personal security because the information could be used to obtain a firearm illegally by burglarizing the applicant’s home. In the case of social security numbers, the threat was in the nature of both personal privacy and personal security because use of a social security number may be used to retrieve extensive amounts of personal data.

The Court regarded the risk to a person’s “personal security” as encompassing a threat to privacy, and a threat to one’s financial well-being. The Court observed that a person’s social security number may be “misused” to “obtain a person’s welfare benefits or Social Security benefits, order new checks at a new address on that person’s checking account, obtain credit cards, or even obtain a person’s paycheck.” In sum, the disclosure of one’s social security number is “potentially financially ruinous.” Times Publishing, 633 A.2d at 1238, citing Greidinger v. Davis, 988 F.2d 1344 (4th Cir.1993).

Our courts have recognized that while equally susceptible to harm, especially in this internet era, the myriad of rights invoked under the “personal security” portion of the exception are distinct from the preservation and protection of one’s physical well-being. Based on prior judicial construction of the term “personal security” this Court concludes that an agency has an alternative recourse under the “Personal Harm/Security Exception” of the present version of the RTKL to seek to protect personal identification information, such as birth dates from disclosure.

The agency, however, must meet its burden of proving by a preponderance of the evidence that disclosure of such “would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security of an individual.” 65 P.S. § 67.708(b)(1)(h) (emphasis added). A preponderance of the evidence standard, the lowest evidentiary standard, is tantamount to a more likely than not inquiry. Jaeger v. Bureau of Workers’ Compensation Fee Review Hearing Office (American Casualty of Reading do CHA), 24 A.3d 1097 (Pa.Cmwlth.2011).

With these principles in mind, this Court will address Schaefer’s requests by examining, in context, the plain language of the Personal Harm/Personal Security Exception. Again, under this exception, the agency must demonstrate, by a preponderance of the evidence that: (1) a “reasonable likelihood” of (2) a “substantial and demonstrable risk” to a person’s personal security. If the County meets burden, the information will be exempt from disclosure.

Date of Birth

Schaefer, on behalf of The Philadelphia Inquirer, requested the month, day and year of birth of every employee of the County. Because this information is in the County’s possession, it is presumed to be a public record under the new RTKL.

In Purcell, Purcell, on behalf of The Philadelphia Inquirer, requested this same information from the GOA, i.e., full birth dates, of all state employees. The GOA asserted that full birth dates were protected under the RTKL’s personal security exception. The GOA offered the following in support of its denial: (1) letter from Philadelphia County District Attorney which addressed the “staggering” increase in identity theft and noted that full names, combined with dates of birth and addresses were the tools criminal could use to obtain financial information and commit identity theft; (2) Affidavit from Joseph E. Compana, Ph.D., and expert in the field of identity theft, privacy and information security which explained that a person’s date of birth is one of the most sensitive pieces of personally identifiable information; (3) Affidavit of the Commonwealth’s Chief Information Security Officer, Erik Avaldan, who opined that “divulging of a consolidated list containing birth date information for each employee would likely result in a substantial and demonstrable risk to the personal security of individual employees by creating such a significant and predictable increase in the amount of social engineering, targeted, and well-crafted phishing attacks (known as spear-phishing) against commonwealth employees.” He also opined that making this information public “is likely to result in a substantial and demonstrable risk of identity theft and fraud, as evidenced by the number of employees involved and current figures regarding the proliferation of such crimes once birth dates are accessed; and (4) Management Directive from Governor’s Office dated July 26, 2010, which addressed prospective handling of RTKL requests for state employee information.

The Purcell Court concluded, based on its review and acceptance of that record evidence, that the GOA proved, by a preponderance of the evidence, that disclosure of dates of birth would result in a substantial and demonstrable risk to the personal security of state employees because the risk of identity theft through disclosure would be substantially heightened. In Purcell the Court made specific findings of fact and declared, based on credible, official statements, studies and expert opinions, that full birth dates of state employees are exempt from disclosure under the Personal Security Exception of the current RTKL. That holding is equally applicable to the birth dates of County employees. The Philadelphia Inquirer has provided no convincing reason why this case, which involves County employees, must be treated differently than one that involves state employees. To the extent that it argues that it “needs” this information to distinguish individuals with like names, it will have to find an alternative way to accomplish that without using the full birth dates of public employees. Accordingly, this Court concludes that the trial court did not err when it denied Schaefer’s request because birth dates of County employees are not public records which must be disclosed under the new RTKL.

Home Addresses

Next, Schaefer requested the home addresses of all County employees. In support of the County’s partial denial, the County’s Open Records Officer, Coogan provided the following explanation, in part:

[t]here exists Pennsylvania common law protections available to individual employees to both protect their privacy and protect them from the risks of identity theft which could result from the public disclosure of your request for ‘employee home address and full date of birth information.’ For a general discussion of the risks of identity theft, please see The President’s Identity Theft Task Force: Combating Identity Theft, Volume I Strategic Plan and Volume II Supplemental Information, April 2007; http://www.idtheft.gov/. Page 3 of the Strategic Plan details how identity thieves use home addresses and dates of birth to perpetrate new financial account fraud (also see incident outlined on page 26). See also The President’s Identity Theft Task Force Report; October 21, 2008 http://www.idtheft.gov.reports/ IDTReport2008.pdf, linked on the website. Data breach notification laws are such that a private sector would most likely be required by law to notify all of the effected individuals if home addresses and dates of birth information was mistakenly released to the public (or to an unauthorized individual. See, Federal Information Security and Data breach Notification Laws, Congressional Research Service, January 29, 2009 (www. crs.gov 7-5700 RL34120).

Letter to Mari Schaefer from Anne Coo-gan, June 12, 2009, at 3 (Emphasis added).

Schaefer appealed the denial to the OOR pursuant to Section 1101 of the present RTKL, 65 P.S. § 67.1101, and the agency assigned an appeals officer to review the denial. The appeals officer requested the County to “explain and substantiate the grounds for withholding the information” and stated that “all facts relied upon must be supported by an Affidavit made under penalty of perjury by someone with personal knowledge.” Letter from Lucinda Glinn, Appeals Officer, to Christopher Casey, Esq. and Anne Coogan, October 1, 2010, at 1; R.R. at 54a. The County, however, did not submit any additional material or evidence in support of its denial. A hearing was not held before the Appeals Officer, although one was not required. See Section 1101(b)(3), 65 P.S. § 67.1101(b)(3) (“Prior to issuing a final determination, a hearing may be conducted.”)

A general reference to a report which ostensibly explains how identity thieves use home addresses and dates of birth to perpetrate new financial account fraud is not sufficient to constitute the proof envisioned by the current RTKL. General, broad-sweeping conclusions will not be a substitute for actual evidence of the likelihood of a demonstrable risk to the individuals involved posed by a particular disclosure. A denial under the RTKL must be supported by demonstrable evidence, such as the sworn Affidavits submitted in Purcell that the release of the specific information about a person would be reasonably likely to result in substantial risk to his personal security. This is not to say that an agency or its witnesses may not rely, to an extent, on outside reports and statistics such as the ones cited by the County. However, the agency must explain how the data was used to arrive at the agency’s conclusion that the information requested was exempt.

There is no evidence available in the record to enable this Court to evaluate whether the disclosure of the home addresses of County employees would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security of those individuals. In light of the relative newness of the RTKL and the dearth of case law to guide the parties in this respect, this Court will follow the Court’s chosen course in Allegheny County Department of Administrative Services v. Parsons, 13 A.3d 1025 (Pa.Cmwlth.2011), and remand the matter to allow the County the opportunity to develop the record and submit evidence to support its position that disclosure of home addresses of its employees would place their personal security at risk. As observed by the Court in Allegheny County Department of Administrative Services, one’s personal security is a serious matter “that deserves thoughtful consideration on a complete record.” 13 A.3d at 1042. The trial court shall then determine whether the exemption applies based on the record evidence.

Based on the foregoing, this Court vacates that portion of the trial court’s order which pertains to home addresses and remands the matter for further proceedings consistent with this opinion. The trial court’s order is affirmed in part, insofar as it held that dates of birth are exempt. Jurisdiction is relinquished.

ORDER

AND NOW, this 22nd day of March, 2012, the portion of the Court of Common Pleas of Delaware County’s order which pertains to home addresses is vacated in part. The matter is remanded for further proceedings regarding home addresses. The Order is affirmed in part, insofar as it held that dates of birth are exempt. Jurisdiction is relinquished. 
      
      . Act of February 14, 2008, P.L. 6, 65 P.S. §§ 67.101-67.3104, which repealed the former Right-to-Know-Law (former RTKL), Act of June 21, 1957, P.L. 390, as amended, formerly 65 P.S. §§ 66.1-66.4.
     
      
      . The scope of review for a question of law under the RTKL is plenary. Hearst Television v. Norris, 8 A.3d 420 (Pa.Cmwlth.2010).
     
      
      . 65 P.S. § 67.708.
     
      
      . Such as the doctor-patient or attorney-client privileges.
     
      
      . Previously, the burden was on the requester.
     
      
      . 65 P.S. § 67.708(b)(6)(i).
     
      
      . 65 P.S. § 67.708(b)(1)(h).
     
      
      . Neither is "physical harm.” However, the meaning of "physical harm” is easily discern-able from its common and approved usage. 1 Pa.C.S. § 1903.
     
      
      . Schaefer argues drat with the current RTKL the Legislature abolished the judicially-created “balancing test” which courts employed under the former RTKL's Personal Harm/Personal Security Exception. She asserts that elimination of the "balancing test” means that a right to privacy no longer exists under the current RTKL. This Court does not agree.
      The “balancing test” to which Schaefer refers required courts to weigh the benefit of disclosure and the public’s need-to-know against a person’s personal security interests, which unquestionably encompassed his reputation and privacy interests in non-disclosure. Penn. State University v. State Employees' Retirement Board, 594 Pa. 244, 935 A.2d 530 (2007) ("Pennsylvania courts have interpreted this reputation and personal security exception as creating a privacy exception to the RTKA's general disclosure rule”). See also Cypress Media, Inc. v. Hazleton Area School District, 708 A.2d 866 (Pa.Cmwlth.1998) (there exists a privacy exception to the RTKL's general rule of disclosure); Tribune-Review Publishing Co. v. Allegheny County Housing Authority, 662 A.2d 677 (Pa.Cmwlth. 1995) (a right to privacy exists in the RTKL). Because the "personal security exception” historically encompassed, among other things, a right to privacy, the Legislature's continued use of the "personal security" language strongly indicates the Legislature intended to preserve the right to privacy under the current RTKL.
      The Legislature, in effect, incorporated this "balancing test” into the Personal Harm/Personal Security Exception by requiring the agency to prove that disclosure of the requested information would, more likely than not, result in a substantial and demonstrable risk to the person's personal security. If the agency is successful, the presumption that the public has a right to know is overcome and the balance is tipped in favor of denying access.
     
      
      . Schaefer relies on Commonwealth v. Duncan, 572 Pa. 438, 817 A.2d 455 (2003) which held that there is no reasonable expectation of privacy in one’s name and address in a criminal matter. However, this Court has previously held that "Duncan, a criminal case, is not applicable to a civil proceeding arising under the [RTKL].” Hartman v. Dept. of Conservation, 892 A.2d 897, 905, n. 19 (Pa.Cmwlth.2006).
     
      
      . Specifically, the Court in Allegheny County Department of Administrative Services, reasoned: "[tjhough we see nothing in the record to indicate that ASCI was somehow prevented from developing a record on the personal security exemption, we see no harm in allowing it another opportunity to do so on remand. If ASCI’s employees' physical safety and personal security could truly be at risk if the information sought is placed into the public domain, it is a serious matter that deserves thoughtful consideration on a complete record.” 13 A.3d at 1042.
     
      
      . Based on this Court’s disposition and remand, it is unnecessary to address Schaefer’s final issue which was whether the trial court erroneously issued its decision without briefing, oral argument, hearing or notice of its intent to rule.
     