Access to Information Orders
Decision Information
NATURE OF THE APPEAL:
This appeal concerns a decision of the Limestone District School Board (the Board) made pursuant to the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act). The requester (now the appellant) had sought access to records containing generic data in the following categories, for students attending a Board school who had completed and received a final mark for the most recent three semesters: number of absences by category, school, common course code, credit value, gender, course description, and final mark for each course. He also requested the two most recent year-end statistical reports delivered to the Information and Privacy Commissioner/Ontario (IPC).
The appellant subsequently amended his request to also include the name, model, version and brief description of the database server currently used by the Board for student record management and how it is networked, and the name, version and brief description of the software used to input data and generate reports from the database. He also amended the scope of his request to data for the most recent semester.
The Board provided copies of the year-end statistical reports delivered to the IPC and denied access to the detailed computer information pursuant to sections 13 and 14 of the Act. Regarding the generic data requested, the Board claimed that this information was not currently available but could be made available through the creation of computer programs and extensive work to collect and compile these records. The Board provided the appellant with two fee estimate options regarding the requested data. The appellant chose to work with the first estimate.
The appellant appealed this estimate and the decision relating to the detailed computer information. During the mediation stage, the issue of the fee was resolved.
The appellant was, subsequently, provided with information responsive to his request for generic data for the most recent school semester. However, the Board continued to deny access to the detailed computer information (the names of two servers, the names of four software applications and the version number for a database application), pursuant to sections 13 and 14 of the Act. This issue was moved to adjudication.
I first sent a Notice of Inquiry to the Board seeking representations. The Board created a record containing the detailed computer information. The Board’s position is that all of the information contained in this document is exempt under sections 13 and 14. The Board acknowledges that the appellant did have a discussion with Board staff during the mediation stage in order to help him narrow another request he had with the Board for information contained in its computer systems. The Board states that as a result of that discussion the appellant became aware of the two software applications that the Board uses for its databases. However, the Board maintains that it has not formally provided the appellant with any “written records”. Accordingly, the Board maintains that all of the information contained in the record is at issue. Under the circumstances, I will conduct my inquiry on the basis that none of the information contained in the record has been disclosed under the Act, and all of it is at issue.
The Board also submitted representations on the application of sections 13 and 14 and agreed to share them in their entirety with the appellant. I then sought representations from the appellant and included with a Notice of Inquiry a copy of the Board’s representations. The appellant submitted representations in response. I shared the appellant’s representations with the Board and sought and received reply representations from it.
RECORDS:
There is one record at issue, a one-page document describing the Board’s computer systems.
DISCUSSION:
As indicated above, the Board has claimed the application of both sections 13 and 14 to the information at issue. I will first deal with section 14.
PERSONAL INFORMATION
The exemption under section 14 applies only to information that qualifies as “personal information”, as defined under section 2(1) of the Act. “Personal information” is defined, in part, to mean recorded information about an identifiable individual, including any identifying number assigned to the individual [paragraph (c)], the individual’s address [paragraph (d)] and the individual’s name if it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual [paragraph (h)].
To qualify as personal information, it must be reasonable to expect that an individual may be identified from the information [Order PO-1880, upheld on judicial review in Ontario (Attorney General) v. Pascoe, [2002] O.J. No. 4300 (C.A.)].
The Board submits:
While a list of hardware/software does not, per se, include direct personal information, it provides the capacity to gain access to extensive personal information about all [of the Board’s] students. It is analogous to a safe in which valuable information is stored - the combination or key to that safe is not in itself “personal information” but rather the means to access it.
The Board states that its “computer systems” contain “extensive personal information” about its students, including “name, school, address, parent/guardian, academic progress [and] attendance…” The Board also includes a report of its Manager of Information Technology Services, which states, in part:
Detailed information about software applications utilized and hardware installed is commonly used by hackers to break into computer systems. If a hacker knows what applications are in use and the hardware utilized, it will provide considerable information about security vulnerabilities.
Hackers target the known vulnerabilities in specific hardware or software systems. Making detailed information […] about our systems available publicly greatly increases the risk that our information technology systems will be compromised. These systems are used to access, manipulate, and store very confidential information […] about both students and staff.
In response, the appellant states that the Board’s safe analogy is “exaggerated”. In support of this view, he states:
The passwords used by various users to access the database are more analogous to the combination or key to the safe. The model number of the safe is more analogous to the version number [of the software]. Having the model number would allow someone to look up a description of the safe and see how safe it is – the description would not tell you how to crack the safe.
In reply, the Board states:
Knowing the specific software and version number used will not only tell you how “safe” or secure the system is but it will also tell you how to “crack” it. Security information about software isn’t made available in the form of generic “this system can be compromised” message – it is provided in the form of “this system can be compromised because of xxx”. For example, a security bulletin release for Microsoft SQL Server 2000 (a database server) is titled “SQL Query Method Enables Cached Administrator Connection to be Reused” (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/Bulletin/MS01-032.asp). To continue with
Decision Content
NATURE OF THE APPEAL:
This appeal concerns a decision of the Limestone District School Board (the Board) made pursuant to the provisions of the Municipal Freedom of Information and Protection of Privacy Act (the Act). The requester (now the appellant) had sought access to records containing generic data in the following categories, for students attending a Board school who had completed and received a final mark for the most recent three semesters: number of absences by category, school, common course code, credit value, gender, course description, and final mark for each course. He also requested the two most recent year-end statistical reports delivered to the Information and Privacy Commissioner/Ontario (IPC).
The appellant subsequently amended his request to also include the name, model, version and brief description of the database server currently used by the Board for student record management and how it is networked, and the name, version and brief description of the software used to input data and generate reports from the database. He also amended the scope of his request to data for the most recent semester.