
    GOVERNOR’S OFFICE OF ADMINISTRATION, Petitioner v. Dylan PURCELL, Respondent.
    Commonwealth Court of Pennsylvania.
    Argued June 6, 2011.
    Decided Dec. 29, 2011.
    Reargument Denied Feb. 14, 2012.
    Andrea L. Bowman, Harrisburg, for petitioner.
    
      Michael E. Baughman, Philadelphia, for respondent.
    BEFORE: SIMPSON, Judge, and BROBSON, Judge, and KELLEY, Senior Judge.
    
      
      . Judge McCullough recused herself after argument. Judge Brobson is substituting for Judge McCullough and is considering the case on briefs.
    
   OPINION BY

Judge SIMPSON.

This appeal concerns the Right-to-Know Law (RTKL). The Governor’s Office of Administration (GOA) petitions for review from a final determination of the Office of Open Records (OOR) which granted Dylan Purcell’s (Requester) appeal from a partial denial (redaction), thereby granting his request for the full birth dates of all Pennsylvania employees.

The case raises an issue of first impression: whether birth dates are protected from disclosure under the current RTKL. GOA argues the RTKL’s personal security exception encompasses a right of privacy. GOA argues this right requires a balancing of interests. Requester contends this alleged privacy right was anchored in the prior, substantially different language of the former RTKL’s reputation and personal security exception. Requester argues this right ceased on enactment of the current RTKL.

We conclude that GOA proved the personal security exception at Section 708(b)(l)(ii) of the RTKL, 65 P.S. § 67.708(b)(1)(h), applies on these facts and protects from disclosure the month and day of birth of almost 70,000 state employees. Accordingly, on this record we reverse.

I. BACKGROUND

A.

Requester requested a list of all active state employees and their salary records. He requested specific fields of information: (1) first and last name; (2) job title; (3) hire date; (4) level of hire (full-time/part-time); (5) employment status (permanent/temporary); (6) salary; (7) county; and (8) birth date. He previously received these data fields for every state employee on five different occasions during a six-year period.

Requester sought the birth date for each employee because it provides a unique identifier to differentiate employees with common names, allowing reporters to identify matches with other computer databases, such as those containing campaign finance, property tax, or criminal history information.

B.

GOA’s open records officer (Officer) granted the request in part, and denied it in part. Officer redacted the month and day of each employee’s birth date so that Requester only received birth years. Officer based her redaction on 65 P.S. § 67.708(b)(1)(h) (personal security exception). This provision exempts from disclosure a record which “would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security of an individual.” Id.

In subsequent exchanges with Requester, Officer explained that the redactions were meant to protect each employee’s privacy. Officer referenced a single judge opinion of this Court at the preliminary injunction stage discussing the constitutional right of privacy and the balancing test by which it is applied. Pa. State Educ. Ass’n v. Dep’t of Cmty. & Econ. Dev., 981 A.2d 383 (Pa.Cmwlth.2009) (single judge opinion by Friedman, S.J.), prelim. inj. order aff'd., 606 Pa. 638, 2 A.3d 558 (2010). Officer noted the birth date provided little insight into the workings of government, and its small benefit was outweighed by the greater harm to the employees’ personal security and privacy.

C.

Requester appealed to the OOR. GOA reasserted redactions were based on the personal security exception and the Pennsylvania Constitution. GOA offered four document groups to support its position.

The first document was a letter from the Philadelphia District Attorney which addressed the “staggering” increase in identity theft. She noted that full names, combined with addresses and dates of birth, were the tools criminals could use to obtain financial information and commit identity theft. She referenced Federal Trade Commission reports on identity theft.

The second document was a lengthy affidavit from Joseph E. Campana, Ph.D., an expert in the field of identity theft, privacy and information security. Campana opined:

A person’s date of birth is one of the most sensitive pieces of personally identifiable information. For this reason, some identity theft experts have referred to a person’s name, Social Security number and date of birth, as “The Holy Trinity.” These three key pieces of information together can be used by identity thieves to establish new financial accounts in the name of the identity theft victim and to commit a variety of other types of identity fraud. While one cannot hold one’s name secret, one can often protect their Social Security number and date of birth.... Organizations that maintain records that contain consumer date of births must protect that personal identifier and other personally identifiable information that the consumer entrusted with the organization.

GOA Response before OOR, Attachment 2; Reproduced Record (R.R.) at 30a. Cam-pana discussed different types of identity theft, and he noted the Federal Trade Commission estimated that between 2007 and 2008 identity theft crimes increased 29% nationally and 19% statewide.

Campana further opined as follows: “disclosure of personally identifiable information such as dates of birth would result in a substantial and demonstrable risk to the personal security of individuals because the risk of identity theft through disclosure would be substantially heightened.” Id.

Campana also identified several federal statutes that identify birth dates as personally identifiable information: (1) The Identify Theft and Assumption Deterrence Act of 1998; (2) The Family Educational Rights and Privacy Act of 1974 (a/k/a FERPA or Stuckley Amendment); (3) The Health Insurance Portability and Accountability Act (HIPAA) of 1996; and (4) Health Information Technology for Economic and Clinical Health (HITECH) Act. He noted that, based on HIPAA’s terms, many health professionals now only require a person’s first and last name and birth date to gain access to medical files. He also stated that date of birth is protected personal health information under the HITECH Act.

The third document was an extensive affidavit from the Commonwealth’s Chief Information Security Officer, Erik Aval-dan. He noted that various federal and national standards classify birth dates as “Personally Identifiable Information.” GOA Response before OOR, Attachment 3; R.R. at 34a-37a. He opined that “divulging of a consolidated list containing birth date information for each employee would likely result in a substantial and demonstrable risk to the personal security of individual employees by creating such a significant and predictable increase in the amount of social engineering, targeted, and well crafted phishing attacks (known as spear-phishing) against commonwealth employees.” Id. at 3; R.R. at 36a. He also opined that making this information public “is likely to result in a substantial and demonstrable risk of identity theft and fraud, as evidenced by the number of employees involved and current figures regarding the proliferation of such crimes once birth dates are accessed....” Id.

GOA’s fourth document was a Management Directive from the Governor’s Office dated July 26, 2010, which addressed the prospective handling of RTKL requests for state employee information.

D.

The OOR described each of these documents, but it concluded that birth dates are not exempt from disclosure. It first noted that GOA waived any argument as to Section 708(b)(6) of the current RTKL (exception for personal identification information), 65 P.S. § 67.708(b)(6), because GOA failed to identify this subsection in its initial response to Requester’s request. Signature Info. Solutions, LLC v. Aston Twp., 995 A.2d 510 (Pa.Cmwlth.2010) (local agency not permitted to alter its reason for denying request on appeal to the OOR).

On the merits, the OOR concluded a constitutional right to privacy in birth dates no longer attached. In support, the OOR cited to several of its own decisions. Purcell v. City of Phila., OOR Dkt. No. AP 2009-0263, 2009 PA OORD LEXIS 641 (Pa. OOR 2009); Parsons v. Port Auth. of Pittsburgh, OOR Dkt. No. AP 2009-008, 2009 WL 6503685, 2009 PA OORD Lexis 252 (Pa. OOR 2009); Lord v. City of Pittsburgh, OOR Dkt. No. AP 2009-0775, 2009 PA OORD Lexis 90 (Pa. OOR 2009). The OOR noted that no Pennsylvania appellate court ruled otherwise.

The OOR concluded there must be specific facts to prove a substantial and demonstrable risk to personal security. For example, where there were specified prior threats to an assistant district attorney, a risk to personal security was shown. Swartzwelder v. Butler Cnty., OOR Dkt. No. AP 2009-0632, 2009 WL 6503830, 2009 PA OORD Lexis 129 (Pa. OOR 2009). The OOR also reasoned that birth dates were not listed in the RTKL as personal identification information. The OOR observed that privacy and identity theft issues were discussed during the legislative proceedings leading up to the enactment of the RTKL. These debates, however, did not prevent adoption of the current RTKL without a broad exclusion for dates of birth. Accordingly, the OOR directed GOA to provide complete dates of birth. GOA petitioned this Court for review.

II. DISCUSSION

Under the RTKL, records in the possession of an agency are presumed to be public unless: (1) excepted by Section 708 of the RTKL; (2) protected by privilege; or (3) exempted “under any other Federal or State law or regulation or judicial order or decree.” Section 305 of the RTKL, 65 P.S. § 67.305. The Commonwealth agency bears the burden of proving a record is exempt from disclosure. 65 P.S. § 67.708.

A. GOA’s Contentions

Here, GOA acknowledges there is no blanket date-of-birth exception under the RTKL, the federal constitution or the state constitution. Nonetheless, GOA argues one’s birth date is exempt from disclosure under the personal security exception.

GOA first argues that the RTKL’s lack of an explicit exception for birth dates does not necessarily mean agencies must disclose birth dates. The personal security exception affords two protections against substantial and demonstrable risk: (1) of physical harm to the individual; and (2) to the personal security of the individual.

GOA contends that this Court recognized the reputation and personal security exceptions in conjunction with the Pennsylvania Constitution, which created a privacy exception to the former RTKL’s duty to disclose. Rowland v. Public Sch. Employees’ Ret. Sys., 885 A.2d 621 (Pa.Cmwlth.2005) (precluding disclosure of birth dates of annuitants of the state retirement system). GOA argues this Court applied this privacy exception to preclude the release of home addresses and dates of birth of each annuitant of the State Employees’ Retirement System. GOA argues the privacy right is not absolute but requires a balancing of the individual’s private interest against the public interest served by releasing the information. Id. GOA asserts the Pennsylvania Supreme Court adopted and applied this analysis prior to enactment of the current RTKL. Pa. State Univ. v. State Employees’ Ret. Bd., 594 Pa. 244, 935 A.2d 530 (2007).

GOA argues the General Assembly is presumed to know how a previous law was interpreted, which, in the case of the former RTKL, was to require a balancing before disclosure of dates of birth and other personal security information, in order to protect one’s right to privacy. Here, the General Assembly did not provide a new definition for personal security that would alter the existing jurisprudence. Accordingly, it follows that the General Assembly intended personal security to include birth dates.

GOA contends that under both the current RTKL and the former RTKL, the burden on the agency seeking non-disclosure remains the same. The agency must establish the record falls within an available exception. GOA argues that when a Requester asks for a record that is entitled to protection on its face, the question is one of law. Dep’t of Conservation & Natural Res. v. Office of Open Records, 1 A.3d 929 (Pa.Cmwlth.2010). An agency need only identify the record and the provision permitting redaction. GOA argues that a request for birth dates is, on its face, entitled to a balancing.

GOA argues that it may have been better for the current RTKL and the former RTKL to delineate the balancing process. However:

The clear distinction has come from the judicial interpretation of the constitutional right to privacy as embracing dates of birth and home addresses, in the context of disclosure under an open records law, so as to require a balancing of interests and limited protection under the personal security exemption. Nothing in the current RTKL negates that balancing requirement or alters the fact the dates of birth, like home addresses, are encompassed in the personal security exemption and are to be accorded a limited protection under that exemption.

GOA’s Br. at 23.

B. Requester’s Contentions

Requester responds that under the more restrictive former RTKL, he received the same categories of data on five occasions between 2002 and 2008.

In addition, Requester argues that the personal security exception does not apply to birth dates. Rather, the personal identification information exception applies to birth dates. That exception delineates several items of personal data that are excluded from disclosure; however, birth dates are not among those items specifically excluded from disclosure. Under canons of statutory construction, specific inclusion of some items of the same class is presumed to exclude all other items of the same class. 1 Pa.C.S. § 1924.

Requester points to another example which explicitly excepts the birth date, name and address of children. 65 P.S. § 67.708(b)(30) (excepting “A record identifying the name, home address or date of birth of a child 17 years of age or younger.”) From this, Requester extrapolates the General Assembly was aware how to exempt birth dates from disclosure, and it did so when it intended.

Also, Requester contends the legislative history of the RTKL establishes the General Assembly specifically considered birth date information as an exception, and rejected it. Requester notes on the day the General Assembly unanimously passed the current RTKL, a representative offered three amendments that would have allowed agencies to redact birth dates (as well as other personal information). However, the amendments did not pass. Requester argues this shows the General Assembly did not intend to except birth dates.

Moreover, Requester argues the personal security exception is not applicable because there is no threat of physical harm. Requester notes this Court reads the personal security exception to require a threat of physical harm. Allegheny Cnty. Dep’t of Admin. Servs. v. A Second Chance, Inc., 13 A.3d 1025 (Pa.Cmwlth.2011) (en banc); Lutz v. City of Phila., 6 A.3d 669 (Pa.Cmwlth.2010); Pa. State Educ. Ass’n.

Requester observes that the documents produced by GOA do not aver any physical harm would result from the release of birth dates. Additionally, GOA released birth dates for years. If releasing this information entailed a threat, Requester argues, GOA would not have released it.

Requester also applies principles of statutory construction to contend that the personal security exception only addresses physical harm. Requester argues that general provisions of a statute may not be used to expand the more specific provisions. 1 Pa.C.S. § 1933; Maloney v. Valley Med. Facilities, Inc., 603 Pa. 399, 984 A.2d 478 (2009). Here, the personal identification information exception at Section 708(b)(6) details the type of personal information that may be protected. Birth dates qualify as personal identifiers. Their release must be governed by the more specific provisions of the personal identification information exception and not the more general personal security exception.

Additionally, even if personal security encompasses identity theft issues, the opinions offered by GOA do not establish that releasing birth dates will lead to harm. These affidavits establish that birth dates are only one of several items needed for identity theft. Social security numbers, another essential item, are excepted from disclosure.

Requester also contends GOA waived application of a privacy right balancing test. This is because it was not given as a basis for the denial of the birth dates. Even if not waived, GOA’s arguments are wrong. Requester argues the General Assembly did not intend to include the balancing test. The General Assembly could have created a balancing test in the statutory language. It did not. Instead, it conducted its own balancing test and created 30 exceptions. Further, it created the presumption that information was subject to disclosure. It placed the burden on the agency to show by a preponderance of the evidence that one or more of these exceptions were applicable to preclude disclosure.

Citing Bowling v. Office of Open Records, 990 A.2d 813 (Pa.Cmwlth.2010) (en banc), appeal granted in part, 609 Pa. 265, 15 A.3d 427 (2011), Requester contends the Court will apply precedent from an earlier statute only when that statute contains functionally equivalent language. Here, the language of the personal security exception of the current RTKL is markedly different than the text of the personal security exception of the former RTKL. Accordingly, the prior case law is not applicable.

III. ANALYSIS

A. Generally

GOA did not cite the personal identification information exception as a reason for the redaction. Therefore, GOA cannot rely on this exception on appeal. Signature Info, (local agency not permitted to alter its reason for denying request on appeal to the OOR). However, since Requester raises this exception as part of his statutory construction analysis, the exception may be considered to the extent it aids construction of the personal security exception.

Also, we conclude that by failing to reference the issue at the time of initial partial denial, GOA waived application of a balancing test based on a free-standing constitutional right to privacy. Id. However, the record makes evident that Officer’s reliance upon the personal security exception intentionally implicated jurisprudence under the former RTKL in which we construed the reputation and personal security exception “as creating a privacy exception to the [ ] general disclosure rule.” Cypress Media, Inc. v. Hazleton Area Sch. Dist., 708 A.2d 866, 870 (Pa.Cmwlth.1998) (protecting home addresses, home telephone numbers and Social Security numbers as confidential); Rowland, 885 A.2d at 628.

Because we function as a trial court and are charged with making findings and conclusions, we address the GOA document submissions. See Bowling. The documents contain sufficient credible information to support the following findings and conclusions:

1)“Disclosure of personally identifiable information such as dates of birth would result in a substantial and demonstrable risk to the personal security of individuals because the risk of identity theft through disclosure would be substantially heightened.” R.R. at 30a (Campana). Also, “divulging of a consolidated list containing date of birth information for each employee would likely result in a substantial and demonstrable risk to the personal security of individual employees by creating such a significant and predictable increase in the amount of social engineering, targeted, and well crafted phishing attacks (known as spear phishing) against [Commonwealth employees.” R.R. at 36a (Avaldan); “Additionally, making this information public is likely to result in a substantial and demonstrable risk of identity theft and fraud, as evidenced by the number of employees involved and current figures regarding the proliferation of such crimes once dates of birth are accessed .... ” R.R. at 36a (Avaldan); and,
2) Federal Trade Commission statistical reports cited by the Philadelphia District Attorney and by Joseph Campana persuasively establish the quickly growing risk of identity theft in Pennsylvania. R.R. at 25a, 31a; and
3) The records sought by Requester pertain to between 65,000 and 70,000 state employees. R.R. at 9a; and
4) No evidence establishes that the birth year alone will interfere with the public’s right to obtain sufficient information to properly identify state employees; and
5) GOA proved that the redacted information falls within the language of the personal security exception under the current RTKL.

In making our factual findings, we accept as credible the expert opinions of Joseph Campana and of Eric Avaldan. Their opinions track the language of the personal security exception. We also accept use of Federal Trade Commission statistics on identity theft.

We did not embrace the credibility approach of the OOR. That approach required specific facts of a risk to personal security, such as prior threats to an individual. See Swartzwelder. While that may be an appropriate approach under other circumstances, it is an impractical standard when dealing with the records of almost 70,000 state employees. Under the circumstances in this case, the use of statistics and expert opinion is not only reasonable, it is possibly the only available evidence of a risk to personal security of such a large and diverse group.

In addition, we reject the OOR’s suggestion that the expert opinions here were hypothetical or conjectural. Rather, the opinions quoted above are stated with sufficient certainty to be competent evidence. See Pa. R.E. 702 cmt.; McMahon v. Young, 442 Pa. 484, 276 A.2d 534 (1971).

B. Statutory Construction

The parties here advance competing interpretations regarding the meaning of the personal security exception. Moreover, the phrase “personal security” is not defined in the current RTKL. Because the parties offer conflicting interpretations of the relevant statutory provision, the term is ambiguous. See, e.g., Malt Beverages Distribs. Ass’n v. Pa. Liquor Control Bd., 601 Pa. 449, 974 A.2d 1144 (2009) (statute is ambiguous where parties offered conflicting, but plausible interpretations). “As in all cases where a latent ambiguity in [a] statute exists, we resort to the canons of statutory construction to discover the Legislature’s intent.” Id. at 463, 974 A.2d at 1153.

1. Privacy

The former RTKL protected records which “would operate to the prejudice or impairment of a person’s reputation or personal security.” 65 P.S. § 66.1(2) (repealed) (emphasis added). In contrast, the current RTKL protects records, “the disclosure of which would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security of an individual.” 65 P.S. § 67.708(b)(l)(ii) (emphasis added).

Article I, Section 1 of the Pennsylvania Constitution provides:

All men are born equally free and independent, and have certain inherent and indefeasible rights, among which are those of enjoying and defending life and liberty, of acquiring, possessing and protecting property and reputation and of pursuing their own happiness.

Pa. Const., Art. I, § 1 (emphasis added). Recognizing “reputation” as a right worthy of constitutional protection, the courts construed the former RTKL to contain a privacy exception. Thus, in Tribune-Review Publishing v. Bodack, 599 Pa. 256, 263, 961 A.2d 110, 115 (2008), our Supreme Court recognized that the privacy interest was tied directly to the harm to reputation that could be caused by release of the telephone numbers at issue. Consequently, elimination of the harm to reputation language from the current RTKL renders any case law dependent upon an impairment or prejudice to reputation inapplicable.

Indeed, the General Assembly is presumed to have been aware of prior decisions which read a privacy right into the reputation and personal security exception under the former RTKL. See Pa. State Univ. 594 Pa. at 258, 935 A.2d at 538 (noting “Pennsylvania courts have interpreted this reputation and personal security exception as creating a privacy exception to the RTK[L]’s general disclosure rule.”). However, the General Assembly changed the language of that provision by deleting the express reference to “reputation.” We presume the change means something other than a continuation of prior law. Meier v. Maleski, 670 A.2d 755 (Pa.Cmwlth.1996), aff'd per curiam, 549 Pa. 171, 700 A.2d 1262 (1997) (change of language of statute ordinarily indicates change of legislative intent).

GOA’s primary argument is that the undefined phrase “personal security” gained a special meaning through court interpretations of the former RTKL. GOA also contends that privacy is a right of constitutional dimension that requires special protection. Beyond these arguments, however, GOA offers little in the way of statutory construction analysis based on the language of the current RTKL.

Requester’s statutory interpretation arguments regarding the right of privacy in birth dates are more persuasive, for several reasons. First and foremost, there is no express general protection for the month and day of birth in the current RTKL that applies here. While there is a specific protection for certain birth dates, 65 P.S. § 67.708(b)(30) (excepting “A record identifying the name, home address or date of birth of a child 17 years of age or younger”), that protection does not apply in this case. This statutory structure strongly indicates that the General Assembly considered a general protection for birth dates, but it decided to protect only certain birth dates.

Second, the overall approach to accessing public records, especially the presumption of accessibility, is significantly different under the current RTKL. Bowling.

Third, as the current RTKL is remedial legislation designed to promote access to official government information in order to prohibit secrets, scrutinize the actions of public officials, and make public officials accountable for their actions, the exceptions from disclosure must be narrowly construed. Id. Our analysis employs a narrow construction.

Fourth, we may consider contemporaneous legislative history in determining the General Assembly’s intent. 1 Pa.C.S. § 1921(c)(7). The legislative history recounted by Requester supports his position.

In sum, we hold that there is no privacy exception embedded in the current RTKL applying to all birth dates; consequently, no balancing of interests is contemplated by the current RTKL. As a result, we construe the personal security exception in the current RTKL by examining the plain statutory language.

2. Personal Security Exception

To establish this exception applies, an agency must show: (1) a “reasonable likelihood” of (2) “substantial and demonstrable risk” to a person’s security. “More than mere conjecture is needed.” Lutz, 6 A.3d at 676. “Substantial and demonstrable,” as referring to risk, are not defined in the RTKL. Nor does case law guide the interpretation of these terms in this context. However, construing the plain meaning of these two terms in accordance with the Statutory Construction Act, 1 Pa.C.S. § 1903, the type of risk of harm must be both “of substance,” that is “1 b. real, true; c. important, essential” and “1. capable of being demonstrated; 2. apparent or evident.” See MeRRiam-Webster’s Collegiate Dictionary, 1245, 332 (11th ed.2004). We apply this exception as confined by the meaning of these terms.

We agree with GOA that the plain language of the personal security exception protects two concepts: risk of physical harm and personal security. Because the General Assembly used both terms “physical harm” and “personal security” in the current RTKL in the disjunctive, we presume it intended distinct interests by each term.

Based on the plain language of the exception, we reject Requester’s argument that the only risk against which protection attaches is of physical harm. Indeed, Requester’s approach essentially ignores the phrase “personal security.” We do not have the luxury of pretending statutory language means nothing; rather, we strive to give effect to all the words of a statute. 1 Pa.C.S. § 1921(a).

The cases relied upon by Requester for the proposition that the personal security exception only protects against a risk of physical harm do not command that conclusion. Allegheny Cnty.; Lutz; Pa. State Educ. Ass’n. Our prior cases accurately track the language of the exception, referencing both “physical harm” and “personal security.” No prior case was decided on the basis that only evidence of “physical harm” satisfies the exception.

Regardless of a general right to privacy, the clear language of the personal security exception protects information, including birth dates, to the extent that release “would be reasonably likely to result in a substantial and demonstrable risk ... to the personal security of an individual.” 65 P.S. § 67.708(b)(l)(ii). Here, as set forth in our findings and conclusions above, GOA proved that the personal security exception applies and protects the month and date of birth from disclosure.

Accordingly, because GOA proved the personal security exception at 65 P.S. § 67.708(b) (1) (ii) applies and protects the month and date of birth from disclosure, we reverse.

Judge McCullough did not participate in the decision in this case.

ORDER

AND NOW, this 29th day of December, 2011, the order of the Office of Open Records is REVERSED.

CONCURRING OPINION BY

Judge BROBSON.

I agree with the Majority’s determination that credible evidence of record establishes that the birth dates requested in this case are exempt from disclosure under the personal security exemption of the Right-to-Know Law (RTKL). For this reason, I join in the Majority’s decision to reverse the final determination of the Office of Open Records (OOR).

I write separately, however, because there may come a time where a requester seeks a public record that does not fall under an exemption set forth in the RTKL, but where disclosure of the public record would violate a third-party’s rights under the Pennsylvania Constitution. My concern over this prospect is heightened by the absence of any provisions in the RTKL requiring notice to the affected third-party of such a request and providing the affected third-party with a remedy to challenge disclosure of the constitutionally-protected information. See Allegheny Cnty. Dep’t of Admin. Servs. v. A Second Chance, Inc., 13 A.3d 1025, 1031-33 (Pa.Cmwlth.2011).

The Pennsylvania Constitution represents the fundamental law of our Commonwealth. Commonwealth ex rel. Schnader v. Beamish, 309 Pa. 510, 515, 164 A. 615, 616-17 (1932). In this regard, the General Assembly lacks the authority to compel an agency to disclose a third-party’s information in the agency’s possession where doing so would violate rights afforded the third-party under the Pennsylvania Constitution. Accordingly, I contend that a state agency may deny a request under the RTKL for third-party information where the agency in good faith believes that disclosure of the information would violate rights afforded under the Pennsylvania Constitution. The appropriateness of that denial on constitutional grounds, if challenged, can then be subject to administrative and judicial review under the procedures set forth in the RTKL. Because the RTKL provides no meaningful ability for third-parties to assert their constitutional rights in opposing a request (ieit provides no mechanism for notice, intervention, or right to appeal from an adverse OOR determination), we must recognize the ability of agencies to invoke this separate and independent basis to deny a request under the RTKL. Otherwise, we run the risk of sacrificing personal privacy, liberty, and security in the name of greater governmental transparency. To borrow a phrase from Dr. Benjamin Franklin, those who would sacrifice the former for the latter deserve none of the above. 
      
      . Act of February 14, 2008, P.L. 6, 65 P.S. §§ 67.101-67.3104, which repealed the former Right-to-Know Law (former RTKL), Act of June 21, 1957, P.L. 390, as amended, formerly 65 P.S. §§ 66.1-66.4.
     
      
      .Requester also asked for information in a database format. Instead, he received information in ".pdf” format. In his appeal, Requester challenged the format. He eventually received the information in the requested format, and this issue is no longer contested.
     
      
      . In this case, the Education Association sought to preclude disclosure of the home addresses of school employees. Senior Judge Friedman granted a preliminary injunction. She reasoned there is an independent right to privacy, distinct from the RTKL provisions. Application of this right requires a balancing of the privacy interest in home addresses with the opposing state interest. This is the rationale on which the Officer relied.
     
      
      . Pub.L. 105-318, 112 Stat. 3007 (codified as amended in 18 U.S.C. § 1028).
     
      
      . 20 U.S.C. § 1232g.
     
      
      . Pub.L. 104-191, 110 Stat.1936 (codified as amended in scattered sections of 18, 26, 29 and 42 U.S.C.)
     
      
      .42 U.S.C. §§ 17901-17953.
     
      
      . A reviewing court, in its appellate jurisdiction, independently reviews the OOR’s orders and may substitute its own findings of fact for that of the agency. While reviewing this appeal in our appellate jurisdiction, we function as a trial court, and we subject this matter to independent review. We are not limited to the rationale offered in the OOR's written decision. Accordingly, we will enter narrative findings and conclusions based on the evidence as a whole, and we will explain our rationale. Bowling v. Office of Open Records, 990 A.2d 813 (Pa.Cmwlth.2010) (era banc), appeal granted in part, 609 Pa. 265, 15 A.3d 427(2011).
     
      
      . Requester also contends that another representative, also addressing identity theft issues, noted that the then proposed RTKL already prevented disclosure of social security numbers. This representative argued that four items were needed for identity theft: (1) name; (2) birth date; (3) home address; and (4) social security number. Because social security numbers are protected, the RTKL sufficiently guarded against identity theft. Requester contends this representative's sentiment reflects the sense of the General Assembly and explains why these amendments were not enacted.
     
      
      . We reject Requester's argument that the Court will apply precedent from an earlier statute only when the statute contains functionally equivalent language. Such a conclusion is inconsistent with 1 Pa.C.S. § 1921(c)(7). Of course, the degree to which an earlier statute contains functionally equivalent language affects the usefulness of this approach to statutory construction.
     
      
      . Act of February 14, 2008, P.L. 6, 65 P.S. §§ 67.101-67.3104. The personal security exemption exempts from disclosure a record that “would be reasonably likely to result in a substantial and demonstrable risk of physical harm to or the personal security or the personal security of an individual.” 65 P.S. § 67.708(b)(ii).
     