Access to Information Orders

Decision Information

Summary:



• Audit reports relating to the institution's computer system

• Section 8(1)(i) (security of system) - upheld

• 16 (public interest override) - not applied

• City's decision upheld

Decision Content

ORDER MO-2456

 

Appeal MA08-88-2

 

City of Vaughan

 


NATURE OF THE APPEAL:

 

The City of Vaughan (the City) received a request under the Municipal Freedom of Information and Protection of Privacy Act (Act) for copies of three audit reports which examined aspects of the City’s computer systems.

 

The City located the following three reports and issued an access decision denying the requester access to them:

 

  • “City of Vaughan Forensic Review of E-mail Activity”, dated June 18, 2007 (the first audit)

 

  • Firewall Security Assessment, October 10, 2007 (second audit)

 

  • Active Directory and Email Security Assessment Report, October 31, 2007 (third audit)

 

The City claimed that the exemptions at sections 6(1)(b) (closed meeting) and 14(1) (personal privacy) applied to the first audit.  With respect to the second and third audit, the City claimed that sections 8(1)(i) (law enforcement), 10(1) (third party information), 11(c), 11(d) (economic and other interest) and 14(1) (personal privacy) applied.

 

The requester, now the appellant, appealed the City’s decisions regarding the three audit reports to this office and appeal MA08-88 was opened.  The appeal letter states:

 

The fact that three audits were necessary in one year essentially means there are items of significant public importance.  Given the very public nature of the first audit, where the Mayor stated during the 2006 election campaign, that she would disclose the results of the audit, and [the fact that there are] two more audits of the same systems, creates an atmosphere of great risk.  If the public’s information is at risk, then the public has the right to know.

 

During mediation, the City issued two other decisions to the appellant relating to the second and third audit.  In its second decision, the City advised that it no longer relied on the exemption at section 14(1) to deny access to portions of the second and third audit reports.  

 

The two companies which prepared the audit reports (the affected parties) were subsequently contacted by the mediator to obtain their views regarding disclosure to the appellant.  The company which prepared the second audit advised that it had no objections regarding the release of the audit, except the names and contact information of its sales representatives and the author of the report.  This information is contained on page two of the second audit.  The City advised the mediator that the company which prepared the third audit indicated that it had no objections regarding the release of the audit it prepared.  The City advised the mediator that it would issue a third decision letter to the appellant which took into account the positions of the affected parties.

 

The City’s third decision indicates it is prepared to release severed copies of the second and third audit to the appellant, upon payment of the requested fee of $75.50.

 

With respect to the second audit, the City takes the position that the withheld information found at pages 5, 7, 9, 11, 12, 13 and 15-20 is exempt pursuant to sections 8(1)(i), 11(c) and (d) of the Act.

 

With respect to the third audit, the City takes the position that the withheld information found at pages 8-13, 15, 17, 20, 21, 23, 24, 28, 29, 31, 32, 33, 36, 38, 39, 42, 70-93 is exempt pursuant to sections 8(1)(i), 10(1), 11(c) and (d) of the Act.  With respect to the portions of this audit the City claims are exempt under section 10(1) of the Act, the City states that the audit contains the affected party’s technical and commercial information.  However, I note that the affected party does not claim that the audit report contains their technical and commercial information.  In fact, the company takes the position that the entire report but for the portions which contain the names and contact information of three individuals in its employ may be released to the appellant.

 

The City did not revise its position relating to the first audit.

 

No further mediation was possible and the appeal was transferred to adjudication, in which an adjudicator conducts an inquiry under the Act.  I decided to commence my inquiry by sending a Notice of Inquiry, which set out the issues and facts of the appeal to the City, and seeking its representations.  I sought the City’s representations in support of its position to withhold access to all three audit reports.  However, I did not seek the City’s representations regarding the possible application of section 10(1) to the second audit.  The Notice of Inquiry stated the following with respect to the City’s claim that section 10(1) may apply to that record:

 

With respect to the portions of the [second audit] the City claims is exempt under section 10 of the Act, the City submits that this information contains the technical and commercial information of [the affected party].  [The affected party], however, advised this office that it only objects to the identification of individuals on page 2 of the report.  I have reviewed this information and confirm that it contains the name, title, email address, phone or fax numbers for three individuals identified as either sales representatives or the report’s author.  Accordingly, I am satisfied that the third party information exemption has no application to this record as the information relates to individuals.  Should the appellant confirm in her representations that she seeks access to the names and contact information of the three individuals, I will seek [the affected party’s] representations regarding section 2.1 of the Act.  Effective April 1, 2007, the Act was amended by adding sections 2.1 and 2.2.  These amendments apply only to appeals involving requests that were received by institutions after that date.  Section 2.1 modifies the definition of the term “personal information” by excluding an individual’s name, title, contact information or designation which identifies that individual in a “business, professional or official capacity”. 

 

Upon her receipt of the cover letter I sent to the City, the appellant telephoned the Adjudication Review Officer assigned to this appeal to advise that her appeal letter also appealed two other decisions from the City.  She requested that both of these appeals be joined with this appeal.  I did not join these appeals with the present appeal because at the time they had not yet been assigned to me.  One of these appeals resolved in mediation and the other (appeal MA07-278) was later assigned to me for adjudication.

 

After I obtained the City’s representations I made a decision to separate the issues relating to the first audit from those relating to the second and third audits, as I was assigned four other appeals which dealt with the City’s decision to withhold the first audit.  As a result, Appeal MA08-88-2 was opened to deal with the issues arising from the second and third audit.  The City’s decision to withhold the first audit from the appellant was disposed of in Order MO-2374, which also resolved the other four appeals. 

 

This order addresses the City’s decision to withhold access to the second and third audits.

 

The City’s representations were provided to the appellant, along with a Notice of Inquiry seeking her representations in support of her position that the second and third audit reports do not qualify for exemption under sections 8(1)(i), 11(c) and (d).  The Notice of Inquiry also asked the appellant to confirm whether she sought access to the names and contact information of the three individuals identified in the third audit. 

 

The appellant provided representations in response.  However, her representations did not specifically address the issues set out in the Notice of Inquiry, nor did she confirm whether she continues to seek access to the names and contact information of three individuals contained in one of the records.  Instead, the appellant provided general representations in support of her position that the withheld information should be disclosed to her. 

 

As the appellant’s representations did not address the issue whether she continues to seek access to the names and contact information regarding the three individuals contained in the second audit, the affected party’s representations were not sought as it appeared that the appellant was not taking issue with the affected party’s position.  Accordingly, access to the names and contact information is no longer an issue in this appeal and I will not address it further.

 

The appellant’s representations requested that the submissions she provided to this office relating to Appeal MA08-88 be considered in this appeal.  For the remainder of this appeal, any reference to the appellant’s representations refers to the materials she filed in support of her position in both this and Appeal MA08-88.

 

RECORDS AT ISSUE:

 

The records remaining at issue are:

 

A)    Firewall Security Assessment, October 10, 2007 (second audit)

 

Pages 5, 7, 9, 11, 12, 13 and 15-20 which contain information identifying:

  • name of firewall software products used by the City

  • Internet Protocol (IP) addresses and configuration file information for a specified number of firewalls used by the City

  • network diagram and inventory containing IP address and configuration file information for firewalls

 

B)    Active Directory and Email Security Assessment Report, October 31, 2007 (third audit)

 

Pages 8-13, 15, 17, 20, 21, 23, 24, 28, 29, 31, 32, 33, 36, 38, 39, 42, 70-93 which contain information identifying:

  • names of messaging, mail, anti-virus, internet-facing, anti-spam software products used by the City and information relating to mail and anti-spam configuration

  • recommendations as to preferred monitoring and security software tools

  • recommended permissions for specified events

  • durations and threshold settings for specified events

  • information relating to a specific virus

  • sample user account information

  • default and recommended password settings

 

DISCUSSION:

 

As noted above, the appellant provided general representations in response to the Notice of Inquiry sent to her.  In particular, her representations state:

 

The City hired three companies to do the same task.  The reports were all to examine the computer system’s security.  When a City hires three companies in the same year, to do the same review, there is a problem.  There is a public important issue here that cannot be denied.  The City released a press release saying there are no problems.  This is of great concern, given why would the [C]ity hire three companies to complete a review of the security systems when there are no problems?  In denying the reports, this proves the City misrepresented the situation to the residents of Vaughan, and the only way to get proper accountability, is to have a copy of the reports, at least the portions of the reports that [the Information and Privacy Commissioner/Office determines] think should be released.

 

… I am very concerned that my emails and computerized data is not properly protected.  I do not wish to compromise the security of the computer system of the City by reading technical specs in a report, however there are three reports that essentially outline aspects of security problems, with the City computer systems and as a member of the public I have the right to know this, so I can take necessary steps to protect my own data.

 

I will first address the City’s claims that the withheld portions of the records are exempt under section 8(1)(i) and/or 11(c) and (d).  If any of these exemptions apply to the records, I will go on to consider whether the City properly exercised its discretion to deny the appellant access and whether the public interest override at section 16 applies to the circumstances of this appeal.

LAW ENFORCEMENT

 

Section 8(1)(i) states:

 

A head may refuse to disclose a record if the disclosure could reasonably be expected to endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required.

 

Generally, the law enforcement exemption must be approached in a sensitive manner, recognizing the difficulty of predicting future events in a law enforcement context [Ontario (Attorney General) v. Fineberg (1994), 19 O.R. (3d) 197 (Div. Ct.)].

 

In the case of section 8(1)(i), where section 8 uses the words “could reasonably be expected to”, the institution must provide “detailed and convincing” evidence to establish a “reasonable expectation of harm”.  Evidence amounting to speculation of possible harm is not sufficient [Order PO-2037, upheld on judicial review in Ontario (Attorney General) v. Ontario (Information and Privacy Commissioner), [2003] O.J. No. 2182 (Div. Ct.), Ontario (Workers’ Compensation Board) v. Ontario (Assistant Information and Privacy Commissioner) (1998), 41 O.R. (3d) 464 (C.A.)].

 

It is not sufficient for an institution to take the position that the harms under section 8 are self-evident from the record or that a continuing law enforcement matter constitutes a per se fulfillment of the requirements of the exemption [Order PO-2040; Ontario (Attorney General) v. Fineberg].

Section 8(1)(i):  security of a building, vehicle, system or procedure

 

Although this provision is found in a section of the Act dealing specifically with law enforcement matters, its application is not restricted to law enforcement situations but can be extended to any building, vehicle or system which reasonably requires protection [Orders P-900, PO-2461].

 

The City claims that disclosure of the withheld portions of the audit reports relating to its computer systems could reasonably be expected to endanger the security of City buildings and its computer systems.  Though the City provided representations in support of its position that disclosure could reasonably be expected to endanger the security of City buildings, its main argument is that disclosure of the audit reports could reasonably be expected to endanger the security of its computer system.  In particular, the City advises that the purpose of the audits was to enhance the overall information technology network security framework.  The City advises that the third audit also sought to increase the protection of data and improve auditing capabilities for data access.  In support of its position, the City made the following arguments:

 

  • Disclosure of any identified weaknesses in the overall computing environment security framework could reasonably be expected to pose a significant security risk to the City of Vaughan’s computerized environment.

  • Any unauthorized access will endanger the security of the building, including the City’s computer environment, networks and data.

  • Disclosure of the network’s Internet protocol addresses will pose a significant security risk to the City’s computer environment, networks and data.  The City must protect this type of information from disclosure in order to protect the City’s computer environment, networks and data from any unauthorized attempt to access our systems.

  • The vulnerability of electronic records to a variety of security breaches needs to be addressed through appropriate security procedures.  Without proper precautions, electronic records are vulnerable to unauthorized access and tampering.  The strategies used by the City to minimize the chances of a security breach include assigned levels of security and authorized access through the use of passwords and sign-on identifiers.

 

As noted above, the appellant’s representations in this appeal and Appeal MA08-88 did not specifically address the issue whether section 8(1)(i) applies to the records.  However, the appeal letter filed by the appellant states:

 

The [third audit] has been denied under security of building.  The report is an audit report and as such, if there is confidential information on the security design this part of the report can be blacked out and the remaining report disclosed. 

 

 

The [second audit] is also denied under security, etc. … If there is any information related [to the] security of the firewalls, such as specific rules for the blocking of the entry for specific IP addresses, etc. – this information can be blocked out.

 

… these reports have been listed as audit reports.  The description of the reports now does not match a description of an audit report.  [An audit report] outlines what the problems are, and sometime goes as far as how to address.  The fact that the City released a statement (press release dated October 20 2006) that states “The City of Vaughan has reviewed its security controls and has confirmed the integrity of its corporate computer network and email system, and its security has not been breached” indicates that the audit reports should not show any security concerns.  If there are concerns with security then the City has misled the public, and the public has the right to know if their data has been compromised.

 

Decision and Findings

 

To establish a valid exemption claim under section 8(1)(i), the City must provide “detailed and convincing” evidence to establish a “reasonable expectation of harm”.  I have carefully reviewed the withheld portions of the audit reports and find that disclosure of the information at issue could reasonably be expected to result in the harms identified by the City.  In particular, I am satisfied that disclosure of information identifying the types of software products and precautions the City relies upon to secure its computer systems could reasonably be expected to lead to a security breach.  In making my decision, I took into consideration that some aspects of the precautions the City has taken to secure its computers may be known to members of the public.  For example, members of the public using the City’s public computers or corresponding with the City by e-mail may have knowledge about the anti-virus program used by the City.  However, in my view, the withheld information consists of the City’s comprehensive approach to secure its computer systems.  For example, the withheld portions of the audit reports contain information and diagrams identifying specific IP addresses and configuration information.  The information at issue also identifies the recommended defaults, permissions, settings and durations for specific events.  Finally, I took into consideration the appellant’s evidence and note that the press release she referred to predates the dates the audit reports in question were completed.

 

Having regard to the above, I am satisfied that the withheld portions of the records qualify for exemption under section 8(1)(i).

 

As a result of my finding, it is not necessary that I determine whether the withheld information could also be reasonably expected to endanger the security of City buildings or qualify for exemption under section 11(c) and (d).  However, I will consider whether the City properly exercised its discretion to deny the appellant access to the information.  In addition, I will consider the appellant’s claim that the public interest override at section 16 applies in the circumstances of this appeal.

EXERCISE OF DISCRETION

 

Section 8(1)(i) is a discretionary exemption which permits an institution to disclose information, despite the fact that it could withhold it.  An institution must exercise its discretion.  On appeal, the Commissioner may determine whether the institution failed to do so.

 

In addition, the Commissioner may find that the institution erred in exercising its discretion where, for example,

 

  • it does so in bad faith or for an improper purpose

 

  • it takes into account irrelevant considerations

 

  • it fails to take into account relevant considerations.

 


In either case this office may send the matter back to the institution for an exercise of discretion based on proper considerations [Order MO-1573].  This office may not, however, substitute its own discretion for that of the institution [section 43(2)].

 

The City’s representations indicated that in making its decision to apply the discretionary exemption at section 8(1)(i) to the records, it determined that its need to protect the security of its computer systems outweighed the appellant’s right to access unsevered copies of the records.  In addition, the City advised that it determined that the records did not contain information relating to the appellant and that it was not satisfied that the appellant has a sympathetic or compelling need to access the information at issue.

 

The appellant’s representations did not specifically address the issue of whether or not the City properly exercised its discretion.  However, the appellant’s representations indicate her view that disclosure of the audit reports would increase public confidence in the City’s operations.  In this regard, she advises that the audit reports “outline aspects of security problems, with the City computer systems and as a member of the public I have the right to know this so I can take necessary steps to protect my own data”.

 

I have carefully reviewed the representations of the parties and am satisfied that the City properly exercised its discretion and in doing so took into account only relevant considerations.  I also find that the City did not exercise its discretion in bad faith, for an improper purpose or take into account irrelevant considerations. 

 

In making my decision, I considered that the City applied the exemption at section 8(1)(i) in a limited and specific manner.  As a result, the City is prepared to disclose most of the information contained in the audit reports to the appellant.  In my view, taking into consideration the information the City is prepared to release to the appellant, I am satisfied that there does not appear to be a compelling need for the appellant to access the withheld portions of the audit reports.  In addition, I took into account that the withheld information is significant and sensitive to the City as it relates to the security of its computer systems.  I also considered the factor raised by the appellant and find that it has no application to the information at issue as the information withheld does not outline the City’s “security problems”.  Rather, the information at issue describes the parameters of the City’s security system and recommends various settings and defaults to secure the system.

 

Having regard to the above, I find that the City properly exercised its discretion not to disclose the information I found exempt under section 8(1)(i) of the Act.

 

PUBLIC INTEREST OVERRIDE

 

Section 16 states:

 

An exemption from disclosure of a record under sections 7, 9, 10, 11, 13 and 14 does not apply if a compelling public interest in the disclosure of the record clearly outweighs the purpose of the exemption.

 

In Criminal Lawyers’ Association v. Ontario (Ministry of Public Safety and Security) (2007), 86 O.R. (3d) 259 (leave to appeal granted, November 29, 2007, File No. 32172 (S.C.C.)), the Ontario Court of Appeal held that the exemptions in sections 14 and 19 of the provincial Act, which are equivalent to sections 8 and 12 of the Act, are to be “read in” as exemptions that may be overridden by section 23, the provincial equivalent to section 16 of the Act.  On behalf of the majority, Justice LaForme stated at paragraphs 25 and 97 of the decision:

 

In my view s. 23 of the Act infringes s. 2(b) of the Charter by failing to extend the public interest override to the law enforcement and solicitor-client privilege exemptions.  It is also my view that this infringement cannot be justified under s. 1 of the Charter. … I would read the words “14 and 19” into s. 23 of the Act.

 

For section 16 to apply, two requirements must be met.  First, there must be a compelling public interest in disclosure of the records.  Second, this interest must clearly outweigh the purpose of the exemption.

 

In considering whether there is a “public interest” in disclosure of the record, the first question to ask is whether there is a relationship between the record and the Act’s central purpose of shedding light on the operations of government [Orders P-984, PO-2607].  Previous orders have stated that in order to find a compelling public interest in disclosure, the information in the record must serve the purpose of informing or enlightening the citizenry about the activities of their government or its agencies, adding in some way to the information the public has to make effective use of the means of expressing public opinion or to make political choices [Orders P-984 and PO-2556].

 

A public interest does not exist where the interests being advanced are essentially private in nature [Orders P-12, P-347 and P-1439].  Where a private interest in disclosure raises issues of more general application, a public interest may be found to exist [Order MO-1564].

 

The word “compelling” has been defined in previous orders as “rousing strong interest or attention” [Order P-984].

 

Any public interest in non-disclosure that may exist also must be considered [Ontario Hydro v. Mitchinson, [1996] O.J. No. 4636 (Div. Ct.)].  If there is a significant public interest in the non-disclosure of the record then disclosure cannot be considered “compelling” and the override will not apply [Orders PO-2072-F and PO-2098-R].

 

The existence of a compelling public interest is not sufficient to trigger disclosure under section 16.  This interest must also clearly outweigh the purpose of the established exemption claim in the specific circumstances.

 

As noted above, the appellant submits that the information relating to the audit reports the City had conducted on its computer systems should be disclosed to the public so that members of the public will be in a position to take precautions to protect against security breaches or leaks. 

 


I have carefully reviewed the material submitted by the appellant and though I am satisfied that the appellant’s interest in the information at issue is not a private one, I find that the public interest override in section 16 does not apply.  In my view, there is no evidence before me demonstrating that disclosure of the information I found exempt under section 8(1)(i) would serve the purpose of informing the public about the City’s activities, taking into consideration the portions of the audit reports the City is prepared to release to the appellant.  As stated above, the withheld information does not outline the City’s “security problems”.

 

In my view, the information withheld from the appellant describes technical aspects of the system in place to secure the City’s computers.  Having regard to the nature of the information at issue and the appellant’s representations, I am not satisfied that disclosure of this information would shed further light on the operations of the City.

 

In any event, even if a compelling public interest in the disclosure of the information at issue were to exist, for the section 16 override provision to apply, the compelling public interest must clearly outweigh the purpose of section 8(1)(i) of the Act.  In my view, the interest raised by the appellant does not clearly outweigh the security interest raised by the City.

 

Having regard to the above, I find that the public interest override at section 16 does not apply in the circumstances of this appeal.

 

ORDER:

 

I uphold the City’s decision to withhold the information at issue I found exempt under section 8(1)(i).

Original signed by:___________                                                        August 31, 2009        

Jennifer James

Adjudicator
