Ezel / AG Opinions / NC
NC NC AG Advisory Opinion (1999-09-20) 1999-09-20

Can a researcher force the NC Employment Security Commission to rebuild its workforce-tracking database to use anonymized identifiers so the data can be analyzed without exposing Social Security numbers?

Short answer: No. NC's Public Records Act does not require a state agency to create a new database it does not already maintain. The Common Follow-Up System links student and worker records by Social Security number. Federal law (42 USC 405(c)(2)(C)(viii)) makes those SSNs confidential, and the underlying education records carry FERPA confidentiality on top. G.S. 132-6.1(c) specifically says the Public Records Act does not require an agency to create a computer database it has not otherwise created. ESC can decline the request.
Currency note: this opinion is from 1999
Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: This is an official North Carolina Attorney General advisory opinion. AG opinions are persuasive authority but not binding precedent like a court ruling. This summary is for informational purposes only and is not legal advice. Consult a licensed North Carolina attorney for advice on your specific situation.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official AG opinion. The original opinion (linked at the bottom of this page) is the authoritative source for any reliance.

Plain-English summary

The Employment Security Commission's Common Follow-Up System (CFS) tracks people through NC's job-training, education, and placement programs to study workforce outcomes. Multiple state agencies feed records into it: public schools (student records), community colleges, UNC (student records), and workforce agencies. The CFS links those records together using Social Security numbers, the one identifier that appears across every data source.

A party asked ESC to replace the SSN linking field with a non-identifying code so that researchers could analyze the linked data without anyone (including ESC staff) seeing the underlying SSNs. ESC asked the AG whether the Public Records Act forced it to honor the request. The AG said no.

The federal floor. Two layers of federal law protect the records ESC holds. FERPA (20 USC 1232g) makes student records confidential, including the records ESC receives from public schools, community colleges, and UNC. 42 USC 405(c)(2)(C)(viii) makes Social Security numbers obtained or maintained by authorized persons under any law enacted after October 1, 1990 confidential. So even if an agency wanted to disclose linked data, the federal floor blocks releasing the SSNs.

The state confidentiality overlay. NC's General Assembly recognized the confidentiality problem when it created the CFS. G.S. 96-33(b) provides that "[i]nformation obtained by the ESC from the agency or entity shall be held by ESC as confidential and shall not be published or open to public inspection other than in a manner that protects the identity of individual persons and employers." G.S. 96-32(a) reinforces the same point. NC's public schools confidentiality statute (G.S. 115C-114) and the public-records carveout for student records (G.S. 115C-402) layer on top.

The "must create a new database?" question. The request was not to release records ESC already had. It was to make ESC rebuild the CFS using a different uniform identifier. G.S. 132-6.1(c) addresses that scenario directly: "Nothing in this section shall require a public agency to create a computer database that the public agency has not otherwise created or is not otherwise required to be created." Replacing SSNs with a non-identifying code would create a new database ESC does not otherwise maintain. The Public Records Act does not require it.

The result. ESC is not legally required to honor the reformatting request. That does not foreclose ESC from undertaking such a project if it chooses to (or if the legislature later directs it). It simply means that the Public Records Act, by itself, does not force the new build.

Currency note

This opinion was issued in 1999. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.

The Common Follow-Up System still exists as a workforce-research data linkage tool. NC's modern workforce data analytics work (NC TOWER, Longitudinal Data Studies) builds on the CFS legacy. The G.S. 132-6.1(c) "no duty to create" rule remains a foundational principle of NC public-records law and has been reaffirmed in subsequent opinions and decisions. The federal SSN-confidentiality statute has been amended, and FERPA has been amended many times. Anyone analyzing a current data-access request should check the present text of all three federal/state confidentiality statutes plus the agency's own policies.

Common questions

Q: Does the Public Records Act ever require an agency to build something new?
A: Generally no. G.S. 132-6.1(c) explicitly says the Act does not require creation of new computer databases. The Act compels disclosure of existing records, not the creation of new ones. An agency that has a record must produce it; an agency that does not have a record is not obligated to build it.

Q: But the data is already there. Why can't ESC just export it without the SSNs?
A: ESC might be able to produce certain aggregated reports or anonymized extracts within its existing systems. The 1999 opinion specifically addresses the request to rebuild the CFS itself with a different uniform identifier, which is a database-creation project. A request for an anonymized statistical extract is a different question and might or might not be feasible under existing systems.

Q: Why does federal law care about SSNs in NC's workforce database?
A: Because the Privacy Act of 1974 (and the 1990 amendments at 42 USC 405) extended federal confidentiality protections to SSNs collected by state and local governments under post-1990 statutory authority. Congress was concerned that SSNs had become a de facto national identifier and that state agencies were exposing them to misuse.

Q: Why was SSN used as the linking field if it is so sensitive?
A: Because in 1992 (when the CFS was authorized) SSN was the only identifier appearing across all the source datasets. Public schools collect SSNs (or did at the time); UNC and the community colleges had SSNs as student identifiers; the Department of Labor had SSNs as the worker identifier. Without SSNs, the records could not have been linked at all.

Q: Can a researcher get anything useful out of the CFS?
A: Aggregated and de-identified statistics, yes. Individual-level linked data, no. ESC's standard products are reports that show outcomes for groups (high school graduates by region, by program type, by demographic) without individual identifiers. Researchers seeking finer-grained access have generally needed a separate authorizing agreement and IRB oversight.

Q: Could the legislature change the rule?
A: Yes. The General Assembly could direct ESC to build an anonymized version, fund the build, and authorize researcher access under appropriate confidentiality terms. That is a policy choice, not a legal compulsion under the existing Public Records Act.

Background and statutory framework

The Common Follow-Up System dates to the early 1990s and reflects NC's effort to measure the workforce outcomes of state-funded education and training. The basic idea: take all the people NC's public schools, community colleges, UNC, and workforce programs serve, follow them into the labor market through the ESC's unemployment-insurance wage records, and study what works.

That is conceptually clean and analytically powerful, but it created an immediate confidentiality problem. The source datasets are individually subject to strict confidentiality regimes (FERPA for education, federal SSN protection for SSNs, state confidentiality for workforce records). Linking them at the individual level required a single identifier across all sources, and the only practical option was SSN.

The legislature solved the confidentiality problem on the publication side: G.S. 96-32 and 96-33 require ESC to hold the linked records confidentially and to publish only aggregated, de-identified results. ESC has operated within that constraint ever since.

The 1999 opinion confirms that NC's Public Records Act does not let a researcher pry open the system by demanding a different design. The Act guarantees access to existing records, subject to confidentiality exemptions; it does not guarantee a different system.

The opinion is one of the most-cited modern applications of G.S. 132-6.1(c), the "no duty to create" rule. Most subsequent NC public-records litigation about computer-database structure traces back to this rule.

Citations

  • N.C. Gen. Stat. § 132-1 et seq. (Public Records Act)
  • N.C. Gen. Stat. § 132-6.1(c) (no requirement to create new database)
  • N.C. Gen. Stat. § 96-32(a) (Common Follow-Up System purpose)
  • N.C. Gen. Stat. § 96-33(a) (agency duty to provide data to ESC)
  • N.C. Gen. Stat. § 96-33(b) (ESC confidentiality requirement)
  • N.C. Gen. Stat. § 115C-114 (public school records confidentiality)
  • N.C. Gen. Stat. § 115C-402 (student records public-records exception)
  • 20 U.S.C. § 1232g (Family Educational Rights and Privacy Act, FERPA)
  • 42 U.S.C. § 405(c)(2)(C)(viii) (Social Security number confidentiality)

Source

Original opinion text

September 20, 1999

Mr. T.S. Whitaker
Deputy Chairman for Programs
Employment Security Commission of N.C.
Post Office Box 25903
Raleigh, North Carolina 27611

Re: Advisory Opinion: Public Records: N.C.G.S. § 132-1 et al; Release of data from the Common Follow-Up System: N.C.G.S. § 96-33

Dear Mr. Whitaker:

You have requested our opinion as to whether the Employment Security Commission (ESC) is required by the Public Records Act, N.C.G.S. § 132-1 et al, to reformat the Common Follow-Up System (CFS) in order to allow the data in the system to be reviewed and analyzed without revealing confidential, personally identifiable information.

N.C.G.S. § 96-32(a) discusses the establishment, maintenance, and purpose of the CFS.

The Employment Security Commission of North Carolina shall develop, implement, and maintain a common follow-up information management system for tracking the employment status of current and former participants in State job training, education, and placement programs. The system shall provide for the automated collection, organization, dissemination, and analysis of data obtained from State-funded programs that provide job training and education and job placement services to program participants.

Numerous state agencies are required to submit information to the ESC to carry out the CFS. In fact, N.C.G.S. § 96-33(a) requires that:

Every State agency and local government agency or entity that receives State or federal funds for the direct or indirect support of State job training, education, and placement programs shall provide to the Employment Security Commission of North Carolina all data and information available to or within the agency or entity's possession requested by the ESC for input into the common follow-up information management system authorized under this Article.

Much of the information provided by these agencies to the ESC is personally identifiable information required to be kept confidential by state and federal laws. For example, the system includes personally identifiable data about public school, community college, and UNC system students which are made confidential by state and federal laws. See 20 U.S.C. § 1232 et al: Family and Educational Privacy Act (FERPA); N.C.G.S. § 115C-114; & N.C.G.S. § 115C-402. The need to protect the confidentiality of this data was recognized by the General Assembly. N.C.G.S. § 96-33(b) states: "[i]nformation obtained by the ESC from the agency or entity shall be held by ESC as confidential and shall not be published or open to public inspection other than in a manner that protects the identity of individual persons and employers." See also N.C.G.S. § 96-32(a).

The CFS matches the confidential, personally identifiable information provided by the participating agencies regarding individuals by using social security numbers. The social security numbers are the uniform character linking the databases from the various agencies that place information into the CFS. Under federal law, social security numbers are not open to public access. 42 U.S.C. § 405(c)(2)(C)(viii) (1990) provides that "Social Security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, shall be confidential, and no authorized person shall disclose any such Social Security account numbers or related record." This statute makes clear a federal policy favoring the confidentiality of social security account numbers.

A party has requested the ESC to replace the confidential social security numbers with a non-identifying code in order to allow the analysis of the data without revealing confidential, personally identifiable information. Nothing in the General Statutes would require the ESC to comply with such a request. N.C.G.S. § 132-6.1(c) specifically addresses the issue of creating new databases: "[n]othing in this section shall require a public agency to create a computer database that the public agency has not otherwise created or is not otherwise required to be created. . ." Therefore, the ESC is not required to replace the social security numbers with a different uniform identifying character, to do so would be to create another database which the ESC "has not otherwise created or is not required to be created." N.C.G.S. § 132-6.1(c).

Sincerely,

Wanda Bryant
Senior Deputy Attorney General

C. Ruffin Poole
Associate Attorney General