State of New York
Department of State
Committee on Open Government

---

One Commerce Plaza
99 Washington Ave.
Albany, New York 12231
(518) 474-2518
Fax (518) 474-1927
http://www.dos.ny.gov/coog/

 

September 9, 1999

Ms. Lorraine O. Taylor
197-25 Fern Place
Jamaica, NY 11433

The staff of the Committee on Open Government is authorized to issue advisory opinions.
The ensuing staff advisory opinion is based solely upon the information presented in your
correspondence.

Dear Ms. Taylor:

I have received your letter of August 20 and the materials attached to it. As a
member of the Institutional Review Board (IRB) for Hutchings Psychiatric Center, you have
questioned the legality and scope of a confidentiality agreement that IRB members are
apparently required to sign. The agreement includes examples of information characterized
as or "reasonably understood" to be confidential and provides that members "agree not to
discuss, disclose, or reproduce any confidential information except to carry out [their]
functions as an IRB member, or as otherwise required by law." In addition, a memorandum
from the Research Foundation for Mental Hygiene, Inc. concerning confidentiality states that
"IRB members have a legal and ethical duty to maintain the confidentiality of all information
they receive in their capacity as members of the IRB."

You raised questions concerning the need to sign the agreement.

In this regard, the general functions of the Committee on Open Government involve
offering advice and opinions concerning public access to and the disclosure of government
information, primarily under the Freedom of Information and Personal Privacy Protection
Laws. Consequently, the question of whether you "need to sign this confidentiality
agreement" is beyond the jurisdiction of this office. However, I offer the following comments
relating to the agreement and the notion of "confidentiality."

First, in general, I believe that the records and other information that come into the
possession of IRB members are acquired in the performance of their official duties that are
carried out directly or otherwise for the Office of Mental Health. By means of example, the
letter that you sent to me may be in my physical possession, but it is in the legal custody of
the Department of State. In the same vein, the information acquired by IRB members in the
performance of their duties is, in my view, the property of the state, and outside the authority
of the members to disclose in their discretion.

The Freedom of Information Law, in terms of its coverage, is consistent with the
foregoing, for it pertains to "agency records." Section 86(4) of that statute defines the term
"record" expansively to mean:

"..."any information kept, held, filed, produced, reproduced
by, with or for an agency or the state legislature, in any
physical form whatsoever including, but not limited to,
reports, statements, examinations, memoranda, opinions,
folders, files, books, manuals, pamphlets, forms, papers,
designs, drawings, maps, photos, letters, microfilms, computer
tapes or discs, rules, regulations or codes."

In a decision rendered by the state's highest court, the Court of Appeals, the matter involved
records in possession of a not-for-profit corporation that carried out certain functions for the
State University pursuant to contract and it was held that the records were held for the
University and, therefore, were agency records that fell within the coverage of the Freedom
of Information Law, even though they were not in the physical custody of the University [see
Encore College Bookstores, Inc. v. Auxiliary Services Corporation of the State University,
87 NY2d 410 (1995)]. In like manner, materials acquired or prepared by IRB members
would be maintained for the Office of Mental Health and would constitute agency records.

While I believe that the Research Foundation of Mental Hygiene, Inc. is an agency
that falls within the requirements of the Freedom of Information Law [see e.g., Buffalo News
v. Buffalo Enterprise Development Corp., 84 NY2d 488 (1994)], irrespective of that issue,
my understanding is that its functions are performed for one or more agencies, such as the
Office of Mental Health, and that , therefore, its records are maintained for an agency and are
subject to rights conferred by the Freedom of Information Law.

In short, I believe that the records that come into the possession of IRB members are
in the legal custody and control of an agency.

Second, although the use of the term "confidentiality" in the agreement is not entirely
clear, the agreement, in general, does not appear to be inconsistent with law. Insofar as there
may be inconsistency, I do not believe that it would be valid or enforceable. I note, too, that
a statement cited earlier in the memorandum is broader, in my opinion, than the agreement
itself. As indicated previously, the memorandum states in part that "IRB members have legal
and ethical duty to maintain the confidentiality of all information they receive in their capacity
as members..." The agreement itself, however, involves the discussion, disclosure, or
reproduction of "confidential information". The term "confidential" is not defined, but
examples of information "reasonably understood" to be confidential are described, such as
human subject identifying data, proprietary information, medical information and the like.

From my perspective, based on judicial decisions, an assertion or promise of
confidentiality, unless it is based upon a statute, is generally meaningless. When
confidentiality is conferred by a statute, an act of the State Legislature or Congress, records
fall outside the scope of rights of access pursuant to §87(2)(a) of the Freedom of Information
Law, which states that an agency may withhold records that "are specifically exempted from
disclosure by state or federal statute". If there is no statute upon which an agency can rely
to characterize records as "confidential" or "exempted from disclosure", the records are
subject to whatever rights of access exist under the Freedom of Information Law [see Doolan
v. BOCES, 48 NY 2d 341 (1979); Washington Post v. Insurance Department, 61 NY 2d 557
(1984); Gannett News Service, Inc. v. State Office of Alcoholism and Substance Abuse, 415
NYS 2d 780 (1979)]. As such, an assertion or promise of confidentiality, without more,
would not in my view serve to enable an agency to withhold a record.

In the context of the kinds of records that may be pertinent to the duties of the
Foundation, the IRB's and the Office of Mental Health, a statute that requires confidentiality
is §33.13 of the Mental Hygiene Law. That statute essentially prohibits the disclosure of
clinical records identifiable to a person receiving treatment except in circumstances that it
prescribes. When records fall within the confidentiality requirements imposed by §33.13, they
would be "specifically exempted from disclosure by...statute" in accordance with §87(2)(a)
of the Freedom of Information Law.

Also pertinent to the duties of those concerned may be the Personal Privacy
Protection Law, which deals in part with the disclosure of records or personal information by
state agencies concerning data subjects. A "data subject" is "any natural person about whom
personal information has been collected by an agency" [Personal Privacy Protection Law,
§92(3)]. "Personal information" is defined to mean "any information concerning a data
subject which, because of name, number, symbol, mark or other identifier, can be used to
identify that data subject" [§92(7)]. For purposes of that statute, the term "record" is defined
to mean "any item, collection or grouping of personal information about a data subject which
is maintained and is retrievable by use of the name or other identifier of the data subject"
[§92(9)].

With respect to disclosure, §96(1) of the Personal Privacy Protection Law states that
"No agency may disclose any record or personal information", except in conjunction with a
series of exceptions that follow. One of those exceptions involves a situation in which a
record is "subject to article six of this chapter [the Freedom of Information Law], unless
disclosure of such information would constitute an unwarranted invasion of personal privacy
as defined in paragraph (a) of subdivision two of section eighty-nine of this chapter." Section
89(2-a) of the Freedom of Information Law states that "Nothing in this article shall permit
disclosure which constitutes an unwarranted invasion of personal privacy as defined in
subdivision two of this section if such disclosure is prohibited under section ninety-six of this
chapter." Therefore, when a state agency cannot disclose records pursuant to §96 of the
Personal Protection Law, it is precluded from disclosing under the Freedom of Information
Law.

When either §33.13 of the Mental Hygiene Law or the Personal Privacy Protection
Law applies, there is essentially no discretion to disclose to the public. In other
circumstances, however, although records may be withheld, there is no obligation to do so.

Reference is made in the materials to "proprietary rights." Depending on the effects
of disclosure, so-called "proprietary" information might properly be withheld under §87(2)(d)
of the Freedom of Information Law. Nevertheless, unlike the provisions cited above, under
§87(2)(d) and the remaining grounds for denial in the Freedom of Information Law, there is
nothing in law that would prohibit disclosure. Section 87(2)(d) permits (but does not require)
an agency to withhold records or portions that:

"are trade secrets or are submitted to an agency by a
commercial enterprise or derived from information obtained
from a commercial enterprise and which if disclosed would
cause substantial injury to the competitive position of the
subject enterprise..."

The mere characterization of a record as "proprietary" or as a trade secret, like a claim of
confidentiality, may be without substance unless there is a provision of law upon which it can
be based; the capacity to deny access involves the extent to which disclosure "would cause
substantial injury to the competitive position" of a commercial enterprise.

As I interpret the memorandum, a key element involves the "standards and
procedures" that have been implemented to deal with requests for and the disclosure of
records. Section 89(1) of the Freedom of Information Law requires the Committee on Open
Government to promulgate regulations concerning the procedural implementation of that
statute (21 NYCRR Part 1401). In turn, §87(1) requires the head or governing body of an
agency to adopt rules and regulations consistent those promulgated by the Committee and
with the Freedom of Information Law. Section 1401.2 of the regulations provides in relevant
part that:

"(a) The governing body of a public corporation and the head
of an executive agency or governing body of other agencies
shall be responsible for insuring compliance with the
regulations herein, and shall designate one or more persons as
records access officer by name or by specific job title and
business address, who shall have the duty of coordinating
agency response to public requests for access to records. The
designation of one or more records access officers shall not be
construed to prohibit officials who have in the past been
authorized to make records or information available to the
public from continuing to do so."

Based on the foregoing, I believe that the records access officer has the duty of coordinating
responses to requests.

From my perspective, it is routine to limit the authority of agency personnel and others
to make disclosures on their own initiative or in response to requests. In many agencies,
requests for records are forwarded as a matter of policy to the designated records access
officer in order that he or she can make an initial determination to grant or deny access in
accordance with applicable law. The direction given in the memorandum appears to be
consistent with that kind of procedure.

In sum, it is likely that many of the records used or maintained by IRB members may
be confidential", but that would be so only when a statute prohibits disclosure. In other
instances, there may be discretion to withhold under the Freedom of Information Law, but
no legal obligation to do so. Perhaps most importantly, the Freedom of Information Law
requires agencies to adopt regulations regarding the procedural implementation of the law.
In accordance with such a procedure, one or more "records access officers" may be given the
duty of coordinating an agency's response to requests and disclosure practices. Unless
authority to disclose is otherwise granted to persons other than the records access officer,
limiting the ability of those other persons to disclose is, in my opinion, within the discretion
of an agency. I note, too, that there is nothing in the agreement which, in my view, limits
access by IRB members or which in any way limits public rights of access in a manner
inconsistent with law.

I hope that I have been of assistance.

Sincerely,

 

Robert J. Freeman
Executive Director

RJF:tt

cc: Susan J. Delano
Robin Goldman
Roger Clingman

 

DOS Home  |  A to Z Index  |  Applications  |  Accessibility  |  Privacy Policy  |  Disclaimer  |  Contact Us  |