ORDER PO-4414

Appeal PA22-00087

Ministry of the Solicitor General

June 29, 2023

Summary: A reporter made an access request for information pertaining to a ransomware attack at Kemptville District Hospital. The Ministry of Solicitor General (the ministry) denied access to the records, in full, claiming the application of the law enforcement exemption at section 14(1)(b) (law enforcement investigation). In this order, the adjudicator finds that the records qualify for exemption under section 14(1)(b) and upholds the ministry’s decision. The appeal is dismissed.

Statutes Considered: Freedom of Information and Protection of Privacy Act , R.S.O. 1990, c. F.31 , as amended, section 14(1)(b).

Orders Considered: Orders PO-4123 and PO-3117

OVERVIEW:

[1] In October 2021, Kemptville District Hospital was the victim of a ransomware attack.

[2] Subsequently, the Ministry of the Solicitor General (the ministry) received an access request, under the Freedom of Information and Protection of Privacy Act  (the Act ), for the following:

All emails and police reports, from the Ontario Provincial Police's cybercrime unit, regarding the ransomware incident at Kemptville District Hospital in October 2021. Responsive records include email messages sent to or from hospital administrators.

[3] The ministry issued a decision denying access to the responsive records, in full, based on a number of law enforcement exemptions at section 14(1) but relevant to this appeal is section 14(1)(b) (law enforcement investigation) of the Act .[1]

[4] The reporter, now the appellant, appealed the ministry’s decision to the Office of the Information and Privacy Commissioner of Ontario (IPC).

[5] During mediation, the ministry provided explanations regarding the ongoing nature of the Ontario Provincial Police (OPP) investigation and why an index of records could not be provided to the appellant describing any of the investigative information. The appellant raised the possible application of the public interest override at section 23  of the Act , which was added to the scope of the appeal. Due to my finding that the responsive records are exempt under section 14(1)(b), I did not consider section 23 as it cannot apply to override section 14(1).

[6] As further mediation was not possible, the appeal was transferred to the adjudication stage of the appeal process, where I conducted an inquiry under the Act .[2] I invited and received representations from the parties.[3]

[7] For the reasons that follow, I find that the responsive records qualify for exemption under section 14(1)(b) and uphold the ministry’s decision.

RECORDS:

[8] There are 20 records at issue. They include police report, supplementary reports, and court documents.

DISCUSSION:

[9] The ministry claims that the discretionary exemption at section 14(1)(b) applies to exempt all the records at issue from disclosure.

[10] Section 14(1)(b) states:

A head may refuse to disclose a record where the disclosure could reasonably be expected to,

…

(b) interfere with an investigation undertaken with a view to a law enforcement proceeding or from which a law enforcement proceeding is likely to result;

[11] Generally, the law enforcement exemption must be approached in a sensitive manner, recognizing the difficulty of predicting future events in a law enforcement context.[4]

[12] It is not enough for an institution to take the position that the harms under section 14 are self-evident from the record or that the exemption applies simply because of the existence of a continuing law enforcement matter.[5] The institution must provide detailed evidence about the potential for harm. It must demonstrate a risk of harm that is well beyond the merely possible or speculative although it need not prove that disclosure will in fact result in such harm. How much and what kind of evidence is needed will depend on the type of issue and seriousness of the consequences. [6]

Parties’ representations

The ministry’s representations

[13] The ministry submits that the records are “law enforcement records” because they were created or collected by the OPP for its investigation. The ministry refers to previous orders where the IPC has recognized that the OPP is an agency which has the function of enforcing and regulating compliance with the law.[7]

[14] The ministry refers to PO-3117, where the adjudicator found that the term “law enforcement” applies to a police investigation into a possible violation of the Criminal Code of Canada  (the Code ).

[15] It submits that the OPP are conducting an open, active and ongoing police investigation to determine who caused the ransomware attack against the hospital. The ministry explains that a specific member of the local OPP detachment with the support of the cybercrime investigation team is investigating who caused the ransomware attack at the hospital. It also explains that when one or more offenders are identified, there is a reasonable expectation that they will be charged under section 342.1 (unauthorized use of computer), section 346(1) (extortion), section 430(1) (mischief), section 380 (fraud), and/or section 402.2 (identity theft) of the Code .

[16] The ministry submits that disclosing the withheld records would interfere with the investigation for the following reasons. First, disclosure would be expected to taint the evidence. The ministry explains that OPP investigators would have no way of knowing when an individual comes forward with information whether that individual learned of the information through the disclosure of the records or because of what they learned firsthand. Second, the investigation cannot necessarily determine the relevance of a record to an investigation while the investigation is ongoing. Third, disclosure and the potential publication by the appellant in the media would arguably make it more difficult to find an unprejudiced jury, were the investigation to proceed to trial. Finally, institutions (organizations), in the future, who are subject to ransomware attacks will be hesitate to come forward, out of concern that their information will also be disclosed (which would interfere with future ransomware attack investigations).

The appellant’s representations

[17] The appellant submits that the records at issue were not compiled for law enforcement purposes. It points out that the named hospital, a medical center, not a police agency, kept these records as a matter of maintaining operations and providing healthcare.

[18] The appellant submits that these records may assist authorities in an investigation but their disclosure hardly would lead to the catastrophic outcome that the ministry envisions. It also submits that it is unreasonable to think that an investigative lead, a suspect interrogative or a potential jury pool could be negatively impacted by the disclosure of contemporaneous records that simply detail struggles to keep a hospital functioning.

[19] The appellant also submits that given the nature of the ransomware attack it is unlikely that any enforcement proceeding will take place at all. It points out that it has been over a year and a half since this attack occurred and the ministry has indicated that those responsible remain unprosecuted. The appellant submits that even if law enforcement were to identify them, the likelihood of them standing trial in a Canadian courtroom is essentially nil. It points out that arrests of foreign hackers are rare for the US Justice Department because many operate in countries that don’t extradite their citizens.

The ministry’s reply representations

[20] In response to the appellant’s argument that the records are not law enforcement records, the ministry submits that the appellant has conflated the records the OPP compiled and collected from their investigation of the ransomware attack at the hospital with the records the hospital maintains. The ministry explains that the withheld records are in the OPP’s control and custody because some were collected and compiled from the hospital for the purpose of the OPP’s investigation, and, therefore, they are law enforcement records.

[21] The ministry also submits that the appellant’s conclusions about the future of the OPP’s investigations are purely speculative.

Analysis and findings

[22] To satisfy section 14(1)(b), the law enforcement investigation in question must be a specific, ongoing investigation. The exemption does not apply where the investigation is completed. The volume of records, alone, is not a reason not to withhold information under section 14(1)(b).

[23] In this appeal, the records at issue were created or gathered in relation to a ransomware attack investigation. I find that these circumstances fall within the definition of “law enforcement.”

[24] On my review of the ministry’s representations and communications, I am satisfied that the ransomware attack investigation is ongoing. The ministry confirmed recently that the OPP’s investigation into this matter remains ongoing.

[25] I find that the records at issue contain sensitive information about the ransomware attack investigation. The records (police report, supplementary reports, and court documents) set out the specific evidence collected by the OPP. These records contain sensitive information about potential suspects and other details of the attack, which understandably the ministry would want to keep confidential.

[26] The IPC has found in previous orders that disclosing records to a requester is deemed to be disclosure to the world.[8] The Act  does not impose any restrictions or limits on what a requester can do with records disclosed to him or her. Consequently, while it is not relevant if the appellant intends to write an article or articles on the matter, disclosing the information would move it into the public domain where it can be freely disseminated.

[27] I find that such disclosure could reasonably be expected to interfere with the ransomware attack investigation because it could make the suspects aware of the evidence that the OPP has collected against them, identify suspects or otherwise provide information about current leads or the leads that are being pursued. This awareness could lead these individuals to take steps to further cover their tracks, or otherwise hinder the investigation.

[28] Similarly, I find that disclosing the records could taint the quality of new evidence that can be gathered. As the ministry points out, if an individual approaches the OPP and presents information about the ransomware attack, the investigators would have no way of knowing whether that individual learned of the information from ransomware attack investigation records that came into the public domain or if that individual had firsthand knowledge of the information.

[29] In short, I find that the ministry has provided sufficient evidence required to prove that disclosing the records could reasonably be expected to interfere with the OPP’s ransomware attack investigation.

[30] The section 14(1)(b) exemption is discretionary, and permits an institution to disclose the records at issue, despite the fact that it could withhold them. An institution must exercise its discretion. On appeal, I may determine whether the ministry failed to do so.

[31] In the circumstances, I am satisfied that the ministry considered the following factors in exercising its discretion: the purposes of the Act ; the wording of the exemption and the interests it seeks to protect; whether the requester is an individual or an organization; whether the requester has a sympathetic or compelling need to receive the information; and the nature of the information and the extent to which it is sensitive to the ministry. I am also satisfied that the ministry did not consider irrelevant factors in its exercise of discretion. Accordingly, I find that the ministry exercised its discretion in an appropriate manner in this appeal, and I uphold it.

[32] Consequently, I find that the records qualify for exemption under section 14(1)(b). Because I have found that section 14(1)(b) applies it is not necessary to address the other exemptions claimed by the ministry.

ORDER:

I uphold the ministry’s access decision and dismiss the appeal.

Original signed by:		June 29, 2023
Lan An
Adjudicator