Access to Information Orders

Decision Information

P-756

Collection Access to Information Orders
Date 1994-09-14
File Numbers P-9400159
Adjudicators John Higgins
Type Order
Applicable Legislation FIPPA; FIPPA - 14(1)(i); FIPPA - 21(3)
Summary:

NATURE OF THE APPEAL: This is an appeal under the Freedom of Information and Protection of Privacy Act (the Act ). Management Board Secretariat (the Secretariat) received requests for names and Internet addresses for all computer network systems operated by several ministries and the Secretariat. The requester also sought access to the name of every machine connected to the Internet with all user names and full Unix-to-Unix Copy Program (UUCP) addresses. The requests relating to other ministries were transferred to the Secretariat pursuant to section 25(1) of the Act . The Secretariat disclosed the Government of Ontario Internet address, as well as some user names, to the requester. Access was denied to the remaining information which was identified by the Secretariat as responsive to the request. The requester appealed the decision. During mediation the remaining user names were disclosed. The responsive records which were not disclosed are at issue in this appeal. These consist of the name and address of every machine connected to the Internet in relation to the Secretariat and the other ministries named in the requests. In its decision letter, the Secretariat claimed that the following exemption contained in the Act applies to the records: security - section 14(1)(i). A Notice of Inquiry was provided to the Secretariat and the requester. Representations were received from the Secretariat only. DISCUSSION: SECURITY Section 14(1)(i) of the Act reads: A head may refuse to disclose a record where the disclosure could reasonably be expected to, endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required; In my view, the phrase "could reasonably be expected to" in section 14(1) of the Act requires that there exist a reasonable expectation of probable harm. The mere possibility of harm is not sufficient. Previous orders have held that, at a minimum, the institution must establish a clear and direct linkage between the disclosure of the specific information and the harm which is alleged (Orders P-557 and M-202). The representations of the Secretariat provide details as to how disclosure of the information contained in the records could endanger the security of a system established to protect items for which protection is reasonably required. These items consist of the data stored on Ontario government computers. This information requires protection, since much of it is sensitive. A substantial amount of the data consists of personal information pertaining to members of the public. The system established for the protection of this data is the Ontario government's Internet gateway, which allows outside users access to the public section of the government's network but not the private section. The Secretariat outlines a number of ways in which the security of data stored in its computer systems could be endangered if the information at issue is disclosed, and provides evidence to support the reasonable expectation that this harm could arise in the circumstances of this appeal. I am satisfied that sufficient evidence has been provided to demonstrate a direct linkage between the disclosure of the information at issue and the harm alleged in section 14(1)(i) of the Act . ORDER: I uphold the Secretariat's decision. Original signed by: September 14, 1994 John Higgins Inquiry Officer

Decision Content

ORDER P-756

 

Appeal P‑9400159

 

Management Board Secretariat

 

NATURE OF THE APPEAL:

 

This is an appeal under the Freedom of Information and Protection of Privacy Act (the Act).  Management Board Secretariat (the Secretariat) received requests for names and Internet addresses for all computer network systems operated by several ministries and the Secretariat.  The requester also sought access to the name of every machine connected to the Internet with all user names and full Unix-to-Unix Copy Program (UUCP) addresses.  The requests relating to other ministries were transferred to the Secretariat pursuant to section 25(1) of the Act.

 

The Secretariat disclosed the Government of Ontario Internet address, as well as some user names, to the requester.  Access was denied to the remaining information which was identified by the Secretariat as responsive to the request.  The requester appealed the decision.

 

During mediation the remaining user names were disclosed.

 

The responsive records which were not disclosed are at issue in this appeal.  These consist of the name and address of every machine connected to the Internet in relation to the Secretariat and the other ministries named in the requests.

 

In its decision letter, the Secretariat claimed that the following exemption contained in the Act applies to the records:

 

          security - section 14(1)(i).

 

A Notice of Inquiry was provided to the Secretariat and the requester.  Representations were received from the Secretariat only.

 

DISCUSSION:

 

SECURITY

 

Section 14(1)(i) of the Act reads:

 

A head may refuse to disclose a record where the disclosure could reasonably be expected to,

 

endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required;

 

In my view, the phrase "could reasonably be expected to" in section 14(1) of the Act requires that there exist a reasonable expectation of probable harm.  The mere possibility of harm is not sufficient.  Previous orders have held that, at a minimum, the institution must establish a clear and direct linkage between the disclosure of the specific information and the harm which is alleged (Orders P-557 and M-202).

 

 

The representations of the Secretariat provide details as to how disclosure of the information contained in the records could endanger the security of a system established to protect items for which protection is reasonably required.  These items consist of the data stored on Ontario government computers.  This information requires protection, since much of it is sensitive.  A substantial amount of the data consists of personal information pertaining to members of the public.  The system established for the protection of this data is the Ontario government's Internet gateway, which allows outside users access to the public section of the government's network but not the private section.

 

The Secretariat outlines a number of ways in which the security of data stored in its computer systems could be endangered if the information at issue is disclosed, and provides evidence to support the reasonable expectation that this harm could arise in the circumstances of this appeal.

 

I am satisfied that sufficient evidence has been provided to demonstrate a direct linkage between the disclosure of the information at issue and the harm alleged in section 14(1)(i) of the Act.

 

ORDER:

 

I uphold the Secretariat's decision.

 

 

 

 

 

 

 

 

 

 

 

 

Original signed by:                                                                    September 14, 1994              

John Higgins

Inquiry Officer

 You are being directed to the most recent version of the statute which may not be the version considered at the time of the judgment.