Sunshine or secrecy? How AI is testing Pennsylvania's Right-to-Know Law

AI now runs through PA agencies, so RTKL must cover datasets, prompts, outputs, logs, and vendor files. This playbook shows how to scope, claim exemptions, and deliver on time.

Published on: Feb 24, 2026

Pennsylvania Right-to-Know Meets AI: A Practical Playbook for Legal Teams

AI systems are now part of routine government operations. That means your Right-to-Know Law (RTKL) strategy has to account for datasets, prompts, model outputs, logs, and vendor contracts that didn't exist a few years ago.

Below is a concise playbook to help counsel shape requests, defend responses, manage exemptions, and negotiate vendor issues without blowing timelines or budgets.

What Counts as a "Record" When AI Is Involved

  • Training materials and datasets supplied to or created by the agency.
  • Prompts, instructions, and decision policies used to run the tool.
  • Outputs, reports, risk scores, and system recommendations.
  • Model documentation: version notes, model cards, evaluation results, and audit logs.
  • Procurement files: contracts, SOWs, pricing, performance metrics, and deliverables.
  • Governance artifacts: impact assessments, DPIAs, bias tests, and retention schedules.

If it documents agency business and is kept by or for the agency, treat it as presumptively a record unless an exemption or privilege applies.

Key RTKL Exemptions Likely to Be Triggered

  • Personal privacy and sensitive identifiers embedded in datasets or outputs.
  • Security and public safety materials tied to system architecture or defenses.
  • Trade secrets and confidential proprietary info asserted by vendors.
  • Predecisional deliberations in model selection, threshold setting, or risk scoring.
  • Computer security materials tied to source code, vulnerability details, and attack surfaces.

Anchor assertions with sworn declarations. Map each exemption to specific records and explain segregability. A clear index lowers litigation risk.

For Requesters: Make Complex AI Requests Workable

  • Scope by system, timeframe, and artifact type (e.g., "final model documentation and evaluation summaries, not raw training corpora").
  • Ask for data dictionaries, schemas, and sampling plans before raw data. Stage production.
  • Request audit logs and decision rationales where they exist. Specify formats (CSV, JSON, PDF).
  • Offer narrowed alternatives for vendor-flagged trade secrets: summaries, redacted docs, or on-site inspection.
  • Propose protective orders for sensitive but high public-interest materials.

For Agencies: A Response Workflow That Holds Up

  • Issue a hold and inventory systems. Identify owners for IT, legal, procurement, and program ops.
  • Segment records by category: governance, procurement, technical, and output. Assign tracks.
  • Get vendor cooperation early. Contractual clauses should require timely support for RTKL.
  • Run privacy/security triage first, then trade secret review, then predecisional review.
  • Document segregability decisions. Produce indexes with record types, dates, and exemption grounds.
  • Forecast costs and timelines. Offer staged releases to show diligence and reduce disputes.

Metadata, Formats, and Integrity

  • Preserve original structure for logs and datasets. Avoid "flattening" JSON that destroys context.
  • Keep model/version identifiers and prompt histories where retention policies allow.
  • State any format conversions and their impact on searchability or metadata.

Redaction at Scale (Without Leaks)

  • Use tools that support pattern-based and rules-based redaction with audit trails.
  • Sample pre- and post-redaction outputs. Validate with spot checks by a second reviewer.
  • Record redaction rationales at the field level for quick defense if challenged.

Trade Secrets: How to Balance Competing Interests

  • Require specific affidavits from vendors detailing competitive harm and the link to each withheld segment.
  • Push segregability: release non-sensitive portions, performance summaries, and policy docs.
  • Consider summaries, score ranges, and qualitative findings when exact parameters or code are withheld.
  • Use protective orders to allow limited access to sensitive material while protecting legitimate interests.

Procurement Clauses You'll Wish You Had

  • Open-records cooperation: vendor must assist with searches, affidavits, and segregability at no extra cost for reasonable volumes.
  • Deliverables: evaluation reports, model cards, data dictionaries, redaction-ready formats, and retention schedules.
  • Export and access: logs, prompts, and outputs in standard formats with documentation.
  • Security and privacy: clear controls on training with agency data, prompt retention, and audit rights.
  • Transparency fallback: public summaries when trade secrets are invoked, approved by the agency.

Litigation Posture That Reduces Friction

  • Build the record: detailed indexes, sworn declarations from system owners and vendors, and sampling evidence.
  • Offer in camera review where disputes hinge on narrow technical issues.
  • Negotiate staged productions and cost sharing for unusually burdensome data pulls.
  • Use protective orders proactively for sensitive but high public-interest materials.

Policy Moves Worth Considering

  • AI system inventories with public summaries, risk levels, and points of contact.
  • Standardized documentation: impact assessments, evaluation checklists, and bias testing summaries.
  • Clear guidance from the Office of Open Records on AI-related records, formats, and exemptions.
  • Retention schedules that cover prompts, outputs, logs, and model versions.

Quick Checklists

Requester's Checklist

  • Define the system, timeframe, and artifact types.
  • Ask for governance docs and evaluations first; negotiate raw data later.
  • Request formats, metadata, and indexes. Propose staged delivery.
  • Offer protective orders for sensitive but high public-interest material.

Agency Counsel Checklist

  • Inventory systems and owners; issue holds.
  • Segment records; triage privacy/security, then trade secrets, then deliberative.
  • Secure vendor affidavits; document segregability; build an index.
  • Validate redactions; communicate timelines and stage releases.

The core move is simple: inventory what exists, narrow what you ask for, and document every decision. Do that, and AI-related RTKL disputes become manageable, defensible, and faster to resolve.

