Question Submitted by: The Honorable John Waldron, Oklahoma House of Representatives, District 77

2025 OK AG 9

• Court: Oklahoma Attorney General Reports
• Decided: July 1, 2025
• Status: Published

Opinion

OSCN Found Document:Question Submitted by: The Honorable John Waldron, Oklahoma House of Representatives, District 77

Question Submitted by: The Honorable John Waldron, Oklahoma House of Representatives, District 77
2025 OK AG 9
Decided: 07/01/2025
OKLAHOMA ATTORNEY GENERAL OPINIONS

---

Cite as: 2025 OK AG 9, __ P.3d __

---

¶0 This office has received your request for an official Attorney General Opinion in which you ask, in effect, the following:

Is a public body's data log that shows employees' key-card access to its building an open record subject to disclosure under the Oklahoma Open Records Act, 51 O.S.Supp.2024, §§ 24A.1--24A.34?

I.
Summary

¶1 An entrance log, as described in your request, is a record and the Oklahoma Open Records Act ("ORA") generally requires a public body to allow public access to its records so the people "may efficiently and intelligently exercise their inherent political power." 51 O.S.2021, § 24A.2See 51 O.S.Supp.2023, § 24A.2851 O.S.Supp.2024 § 24A.5see also 2023 OK AG 12009 OK AG 33

II.
Background

¶2 The ORA was enacted "to ensure and facilitate the public's right of access to and review of government records so they may efficiently and intelligently exercise their inherent political power." 51 O.S.2021, § 24A.2Citizens Against Taxpayer Abuse, Inc. v. City of Oklahoma City, 2003 OK 6573 P.3d 871¹

¶3 Here, a news organization has sought records from an agency that reflect one employee's key-card entry into the agency's building for the years 2023 and 2024. The agency denied the request, asserting that ORA exceptions relating to terrorism and security monitoring permitted the agency to keep the records confidential. See 51 O.S.Supp.2023, § 24A.28

III.
Discussion

¶4 Any analysis of an ORA request begins by asking whether the requested information is a "record" at all. Here, even without knowing the particulars, it is safe to conclude that a log reflecting key-card access to a government building plainly falls within the ORA's broad definition of record. See 51 O.S.Supp.2024, § 24A.3 e.g., "data files created by or used with computer software"). As such, the log must "be open to any person" unless otherwise exempt by virtue of another provision of the ORA. Id. § 24A.5. ² And "[b]ecause of the strong public policy allowing public access to governmental records" this office must construe the ORA "to allow access unless an exception clearly applies, and the burden is on the public agency seeking to deny access to show a record should not be made available." Oklahoma Ass'n of Broadcasters., Inc. v. City of Norman, Norman Police Dep't, 2016 OK 119390 P.3d 689

¶5 Turning to the agency's response, the ORA allows public bodies to maintain confidentiality of information that relates to efforts to investigate and protect public property from acts of terrorism, ³ as well as other specifically identified government information that the Legislature deemed sensitive enough to keep from public view. See 51 O.S.Supp.2023, § 24A.28 provision cited by the agency allows a public body to keep confidential "[r]ecords including details for deterrence or prevention of or protection from an act or threat of an act of terrorism." Id. § 24A.28(A)(3). Assuming the agency's key-card access log reflects only who enters the building and when, such information does not reveal any detail about the State's measures to deter, prevent, or protect against terrorism, even as the ORA broadly defines that term. See supra footnote 3.

¶6 The second provision cited by the agency allows a public body to withhold access to "information technology...but only if the information specifically identifies:"

a. design or functional schematics that demonstrate the relationship or connections between devices or systems,

b. system configuration information,

c. security monitoring and response equipment placement and configuration,

d. specific location or placement of systems, components, or devices,

e. system identification numbers, names, or connecting circuits,

f. business continuity and disaster planning, or response plans, or

g. investigative information directly related to security penetrations or denial of services;

Id. § 24A.28(A)(5) (emphasis added). As with the prior provision, it is unclear how a record that simply identifies which employees entered the building and when could fall within any of these categories of information. ⁴ But even if, for instance, a key-card access log "specifically identifie[d]" the number and location of building entrances that allow entry by key-card, which ostensibly could be kept confidential under subsections (c), (d), or (e), the ORA does not allow the wholesale denial of access to the record. Rather, if the confidential information is "reasonably segregable" from the rest of the record, then the agency must redact the confidential information and produce the remainder. 51 O.S.Supp.2024, § 24A.5see also 2023 OK AG 12009 OK AG 33

¶7 Aside from the exceptions specifically mentioned in the agency's response, it is possible that employee information included in the entry log is confidential under other provisions of the ORA or separate state or federal laws. For an ORA example, rather than, or in addition to, identifying an employee by name, the log could use the employee's social security or employee identification number. A public body is required to keep the former confidential, see 51 O.S.Supp.2022, § 24A.7Oklahoma Pub. Employees Ass'n v. State ex rel. Oklahoma Office of Pers. Mgmt., 2011 OK 68267 P.3d 83851 O.S.Supp.2005, § 24A.7See 51 O.S.Supp.2024, § 24A.5⁵

¶8 Finally, this office is mindful that information contained in records like a key-card entry log, while required by law to be open to the public, could be misused. Unfortunately, that could be said of many public records. It is up to the Legislature to balance the policy of openness underlying the ORA with the potential for mischief that may result from that policy. The Legislature has included a litany of exceptions to the ORA to protect sensitive information and the privacy of individuals whose information appears in public records. See, e.g., 51 O.S.2021, § 24A.2See, e.g., 2017 OK AG 32014 OK AG 14See also Welsh-Huggins v. Jefferson Cnty. Prosecutor's Office, 2020-Ohio-5371, 163 Ohio St. 3d 337, 170 N.E.3d 768, 784-85 (interpreting whether security camera footage constituted an exempt "security record" based on "the public office's actual use" of the footage, not the potential for the requester to misuse it).

¶9 It is, therefore, the official Opinion of the Attorney General that:

A data log that reflects employees' use of key-cards to access a public body's building is an open record subject to disclosure under the Oklahoma Open Records Act ("ORA"), 51 O.S.Supp.2024, §§ 24A.1--24A.34. If portions of the record are subject to an exception to the ORA, for instance in title 51, section 24A.7 or 24A.28 of the Oklahoma Statutes, and the exempt information is "reasonably segregable" from the rest of the record, the public body must redact the exempt information and provide access to the remainder of the record. 51 O.S.Supp.2024, § 24A.5

Gentner Drummond
Attorney General of Oklahoma

Kyle Shifflett
Deputy General Counsel

FOOTNOTES

¹ The ORA defines "record" in relevant part as:

[A]ll documents including, but not limited to . . . data files created by or used with computer software, . . . or other material regardless of physical form or characteristic, created by, received by, under the authority of, or coming into the custody, control or possession of public officials, public bodies or their representatives in connection with the transaction of public business, the expenditure of public funds or the administering of public property.

51 O.S.Supp.2024, § 24A.3

² This information need only be made accessible in the form in which the public body maintains it. 1999 OK AG 5551 O.S.Supp.1991, § 24A.18

³ The ORA defines "terrorism" in this context--via reference to the Oklahoma Anti-Terrorism Act--in relevant part as:

[O]ne or more kidnappings or other act of violence, or a series of acts of violence, resulting in damage to property, personal injury or death, or the threat of such act or acts that appears to be intended:

• to intimidate or coerce a civilian population,
• to influence the policy or conduct of a government by intimidation or coercion, or

in retaliation for the policy or conduct of a government by intimidation or coercion.

51 O.S.Supp.2023, § 24A.2821 O.S.2021, § 1268.1

⁴ The Ohio Supreme Court interpreted comparable provisions in Ohio's open records statute in State ex rel. Ohio Republican Party v. FitzGerald, 2015-Ohio-5056, 145 Ohio St.3d 92, 47 N.E.3d 124. There, a county declined to provide similar "key-card-swipe data," claiming the data met both the "security records" and "infrastructure records" exemptions under Ohio law. Id. at 129. The court found the "infrastructure records" exemption, which is roughly equivalent to the ORA's information technology exemption in section 24A.28(A)(5), did not apply because the key-card access data showed only when county personnel entered or left the building. It did not reveal anything about the building's infrastructure or critical systems. Id. at 130. Next, the court found the data met the "security records" exemption, but (1) that provision applied only to "information directly used for protecting or maintaining the security of a public office against attack, interference, or sabotage," and (2) confirmed threats against county personnel meant release of the data could compromise law enforcement protection efforts. Id. at 129-30 (quoting Ohio Rev. Code § 149.433(A)(3) (emphasis added)). By contrast, the ORA exception cited here does not turn on how the information is used. Instead, its focus is the record's content: "details for deterrence or prevention of or protection from an act or threat of an act of terrorism[.]" 51 O.S.Supp.2023, § 24A.28

⁵ As noted above, the particular data maintained regarding key-card access is known only to the agency. Thus, questions of fact may need to be resolved to determine whether one or more ORA exemptions apply to this records request. In addition, determinations of fact will be necessary to answer whether the exempt information is "reasonably segregable" such that redactions are feasible without requiring the agency to create an entirely new record simply to satisfy the request, something that the ORA does not demand of public bodies. See Progressive Independence, Inc. v. Oklahoma State Dept. of Health, 2007 OK CIV APP 127174 P.3d 1005supra. This office cannot resolve these fact questions, as it may only offer its opinion as to "questions of law." 74 O.S.Supp.2024, § 18b