The Freedom of Information Act (“FOIA”) plays a crucial role in ensuring the public’s right to access information held by public bodies. As the statute notes, “it is the public policy of the State of Illinois that all persons are entitled to full and complete information regarding the affairs of government…” 5 ILCS 140/1. However, while Illinois encourages broad transparency, local governments must be cognizant of their privacy obligations – toward both employees and members of the public. This set of dual obligations appears in the scope of production and access to the information itself.
Scope of Production:
FOIA is a broadly interpreted statute and public bodies should be hesitant to narrow requests without approval of the requester. Under Section 3(g) of FOIA, a request is only unduly burdensome when “there is no way to narrow the request and the burden on the public body outweighs the public interest in the information.” 5 ILCS 140/3(g). Narrowing a request requires that “the public body extend to the person making the request an opportunity to confer with it in an attempt to reduce the request to manageable proportions.” Id.
However, other privacy-related statutes require a separate analysis. One of the major issues relates to public bodies that handle emergency services – disclosure of medical information. HIPAA has stringent requirements on the disclosure of any personally identifiable information and violations can lead to major consequences. Similarly, information regarding a student can be protected by both state and federal laws. Many of these privacy protection laws have criminal components for violations.
Access to Information:
Under FOIA, the default condition is that the records are available to be accessed by members of the public. There is a definite timeline for production of materials and the production can only be limited based on the statutory exemptions.
Privacy statutes take the opposite approach. Indeed, under the Illinois Personal Information Privacy Act, any entity that holds nonpublic personal information in a database, must implement certain data privacy and security measures. There are no specific standards set, but organizations must implement and maintain “reasonable security measures” in order to comply. 815 ILCS 530/45(a). That holds true whether the data is held by the organization itself or whether it is stored offsite. 815 ILCS 530/45(b). Public bodies that maintain such data are generally safe when they implement the security protocols required under HIPAA and other personal information standards.
It's a Balance
Public bodies should note that transparency and privacy are two sides of the same coin and serve as a balancing test towards one another. Organizations have obligations under both sets of laws and they often reference each other as potential exceptions to the production (or withholding) of material. There is significant nuance in their interactions and potential major consequences if they are not properly complied with. A public body has to balance the public’s right to information against an individual’s right to privacy and the public body’s data protection requirements. Any FOIA request that involves information about a specific person should be carefully considered against the potential exemptions and possible redactions in order to strike the appropriate balance between transparency and privacy.
The attorneys at Airdo Werwas, LLC are available to consult with you on any matter involving FOIA or data protection. If you have any questions or concerns about any issue involving FOIA, or any other local government matter, please do not hesitate to contact Matthew Walters at mwalters@airdowerwas.com or 312-506-4462.