Dear Honorable Edmondson,
The Attorney General has received your request for an official opinion, asking:
"Does a state agency which has computerized its files, the information therein being of public record, have the authority to allow a commercial entity access to specific data in that file in an on-line manner?"
The answer to your question is, at once, both simple and complex. It is simple because, as will be seen from the authorities discussed below, there are no applicable statutory or common-law limits on the means a public officer may choose for providing access to public records. Such matters are committed to the exercise of proper discretion. Yet the problem is also complex, because while allowing reasonable public access, government officers must also safeguard the records in question, and direct, on-line access to electronically stored data presents the most difficult challenges to those charged with safeguarding such information. There is tension between the public's interest in the contents of government records and the need for realistic security for those records. This tension, as well as the balance between law and technology, provides the framework within which the answer to your question will be found.
It seems prudent to begin by defining the nature of this question. Your question is concerned with the legal propriety of affording private parties on-line access to computerized public records of a State agency. The term on-line has no statutory definition under Oklahoma law, and does not seem to have been the basis for any judicial inquiry either. Turning, then, to technological resources, it appears that the meaning of the term is rather broad, and not altogether fixed. For example,Encyclopedia of Computer Science and Engineering, 2d ed., p. 447 (A. Ralston, Ed. 1983), instructs that:
"An on-line database is one which can be directly accessed by a user from a terminal which is usually a visual display device but occasionally is a typewriter-like device. Searching a database on-line has the advantage that the response is prompt and queries can be modified quickly. Databases may contain bibliographic references to books or other documents, or (purportedly) factual information which is the object of the searcher's request, such as in databases used for credit searches."
An even more technical meaning is ascribed to the term by Maynard, J.,Dictionary of Data Processing (2d ed. 1981):
"on-line (1) Pertaining to equipment directly controlled by the central processor. (2) Pertaining to a system with which a user can interact. Also spelt online. See also real time, off-line.
* * *
"on-line system A system in which input data enter the computer directly from the point of origin or in which output data are transmitted directly to where they are used. Usually involves the use of data transmission facilities to remote terminals." Id. at p. 134. (Emphasis added).
Considering these resources, we deem your question to be whether you may permit private parties to directly operate the State's computers to directly manipulate public record data stored by those computers.
The question presumes that the records in question are "of public record." By this it is taken that you mean such records are subject to the public's right of inspection under the Oklahoma Open Records Act, 51O.S. 24A.1 (1985). Your agency's computerized records are expressly covered by the terms of the Open Records Act, which includes in the definition of record any computer "tape, disk and record." 51 O.S.24A.3(1) (1985).
The substance of the Open Records Act is mostly found at 51 O.S.24A.5, the pertinent portions of which provide:
"All records of public bodies and public officials shall be open to any person for inspection, copying, and/or mechanical reproduction during regular business hours; provided:
"1. This act does not apply to records specifically required by law to be kept confidential. . . .
"2. Any reasonably segregable portion of a record containing exempt material shall be provided after deletion of the exempt portions.
"3. A public body may charge a fee only for recovery of the reasonable, direct costs of document copying, and/or mechanical reproduction. However, if the request is:
"a. solely for commercial purpose; or
"b. clearly would cause excessive disruption of the public body's essential functions;
"then the public body may charge a reasonable fee to recover the direct costs of document search.
* * *
"4. A public body must provide prompt, reasonable access to its records but may establish reasonable procedures which protect the integrity and organization of its records and to prevent excessive disruptions of its essential functions.
"5. A public body shall designate certain persons who are authorized to release records of the public body for inspection, copying, or mechanical reproduction. At least one such person shall be available at all times to release records during the regular business hours of the public body."
With the exception of 51 Ohio St. 24A.17, which establishes penalties for violation of the Act, and 51 Ohio St. 24A.18, which recognizes that the Act is not meant to imply the creation of additional record keeping duties, the balance of the Open Records Act merely establishes several classes of records which are, in various ways, exempt from the disclosure requirements provided generally. Consequently, the answer to your question must be derived primarily from the provision quoted above.
As you can see from the language cited, 51 Ohio St. 24A.5 does no more than establish a general duty of records disclosure and provide certain guidelines for the limitation of such disclosure and the exaction of fees.
However, the specific details regarding the exact manner in which the duty of disclosure shall be carried out by any given agency are left almost entirely to the discretion of that agency. In fact, each such agency is expressly given the discretion to "establish reasonable procedures which protect the integrity and organization of its records and to prevent excessive disruptions of its essential functions." Id. at 51O.S. 24A.5(4). Therefore, the direct answer to your question is that no particular means of access to the public records of an agency is denied by law, including direct on-line access to computerized records.
Unfortunately, it is not prudent to conclude an answer to your question with just the foregoing observations. This is because of additional legal duties imposed upon State agencies by other legislative acts such as the Preservation of Essential Records Act, 67 Ohio St. 151 et seq. (1981), and the Records Management Act, 67 Ohio St. 201 et seq. (1981).
For example, the Preservation of Essential Records Act recognizes the importance of the integrity of many State government records, providing:
"The Legislature declares that records containing information essential to the operation of government and to the protection of the rights and interests of persons must be protected against the destructive effects of all forms of disaster and must be available when needed. It is necessary, therefore, to adopt special provisions for the selection and preservation of essential state and local records thereby providing for the protection and availability of such information." 67 Ohio St. 152 (1981).
Of similar effect is 67 Ohio St. 209 (1981), which states:
"All records made or received by or under the authority of or coming into the custody, control or possession of public officials of this state in the course of their public duties shall not be mutilated, destroyed, transferred, removed, altered or otherwise damaged or disposed of, in whole or in part, except as provided by law."
Note that the Attorney General has previously ruled that both the Preservation of Essential Records Act and the Records Management Act govern records created and/or maintained by state agencies in electronic, machine-readable format, i.e. computerized records. A.G. Opin. No. 83-191.
The underlying problem highlighted by your question, then, becomes whether outside parties may be allowed to manipulate public records in the State's computerized databases directly, while at the same time the information in the database remains protected from mutilation, destruction and other damage. Certainly there is great cause for concern over the security of governmental on-line computer systems. See, e.g. Martin, J., Security, Accuracy, and Privacy in Computer Systems (1973). There can be problems with information safety and security even in a single user on-line system, but multi-access computer systems are even more vulnerable and harder to make secure. R. T. Slivka J. W. Darrow,Methods and Problems in Computer Security, 5 Rutgers J. of Computers and the Law, pp. 217, 229.
Whether the legally required guarantees of record security are attainable for any given State agency, with regard to any given computerized record database, in light of economic and technological limitations, is certainly a question beyond the scope of the legal opinion of the Attorney General. It may be said, however, that in the absence of reasonable security for such records, an agency would lack the authority to allow direct on-line manipulation of its computer databases by private parties.
It is, therefore, the official opinion of the Attorney General that astate agency which has computerized its files, the information thereinbeing of public record, has the authority to allow a commercial entityaccess to specific data in that file in an on-line manner, providing thatthe system for permitting such on-line access assures that suchcomputerized records will be fully preserved and safeguarded fromdestruction, mutilation and alteration as otherwise required by Oklahomalaw.
MICHAEL C. TURPEN, ATTORNEY GENERAL OF OKLAHOMA
JAMES B. FRANKS, ASSISTANT ATTORNEY GENERAL CHIEF, TORT DEFENSE DIVISION
