Access to Information Orders
Decision Information
NATURE OF THE APPEAL: The East York Board of Education (the Board) received a request under the Municipal Freedom of Information and Protection of Privacy Act (the Act ),which reads as follows. As per [the Act ], please forward the following: i)Names of all computer networks ... which the Board is connected to. Iwill require every machine name connected to the net with all user names, and inthe case of the Internet full UUCP addresses. ... ii)If the Board is receiving any UseNet (or other network) newsgroups ormailing lists, please provide a listing of all which are received, along with alisting of names of individuals subscribed to each newsgroup. This request applies to both the Administrative offices of the Board, aswell as to each school under [the Board's] authority. The Board responded to the requester and provided him with access to thenames of all computer networks to which the Board is connected. The Boarddenied access to the remainder of the responsive information pursuant to section8(1)(i) of the Act (security). The requester (now the appellant) appealed this decision. During the mediation stage of the appeal, the appellant clarified that he isnot pursuing access to: (1) the names of the machines which are connected to thenet and (2) the full UUCP addresses. He confirmed, however, that he is stillpursuing access to: (1) all user names requested in part (i) of his request and(2) all of the information requested in part (ii) of his request. The appellantalso confirmed that he is not pursuing access to any information which relatesto students. This office provided a Notice of Inquiry to the Board and the appellant. Representations were received from the Board only. DISCUSSION: SECURITY Section 8(1)(i) of the Act reads: A head may refuse to disclose a record if the disclosure could reasonablybe expected to, endanger the security of a building or the security of a vehicle carryingitems, or of a system or procedure established for the protection of items, forwhich protection is reasonably required. In my view, the phrase "could reasonably be expected to" insection 8(1) of the Act requires that there exist a reasonableexpectation of probable harm. The mere possibility of harm is not sufficient. In its representations, the Board provides details with respect to howdisclosure of the lists of user names, newsgroups and mailing lists, and namesof individuals subscribed to each newsgroup could endanger the security of asystem established to protect items for which protection is reasonably required. The items requiring protection consist of information stored on Board computerspertaining to its business, and personnel and student records. Unauthorizedaccess to this information could compromise the security of this system. The Board describes how knowledge of user names and a list of individualssubscribed to each newsgroup, as well as knowledge of the newsgroups to whichthe Board or individuals within it subscribe, could lead to penetration of thesecurity barrier and entry into the internal systems, thereby establishing areasonable expectation of harm in the circumstances of this appeal. The Boardis also particularly concerned about the residual exposure of its students tounwanted and unsolicited information as students have access to many of thenewsgroups subscribed to by the Board. I have carefully reviewed the evidence before me and I am satisfied thatsufficient evidence has been provided to demonstrate that disclosure of theinformation in the records could reasonably be expected to result in the harmenumerated in section 8(1)(i) of the Act . ORDER: I uphold the Board's decision. Original signed by: Laurel Cropley, Inquiry Officer May 29, 1997
Decision Content
ORDER M-944
Appeal M_9700058
East York Board of Education
NATURE OF THE APPEAL:
The East York Board of Education (the Board) received a request under the Municipal Freedom of Information and Protection of Privacy Act (the Act), which reads as follows.
As per [the Act], please forward the following:
i) Names of all computer networks ... which the Board is connected to. I will require every machine name connected to the net with all user names, and in the case of the Internet full UUCP addresses. ...
ii) If the Board is receiving any UseNet (or other network) newsgroups or mailing lists, please provide a listing of all which are received, along with a listing of names of individuals subscribed to each newsgroup.
This request applies to both the Administrative offices of the Board, as well as to each school under [the Board’s] authority.
The Board responded to the requester and provided him with access to the names of all computer networks to which the Board is connected. The Board denied access to the remainder of the responsive information pursuant to section 8(1)(i) of the Act (security).
The requester (now the appellant) appealed this decision.
During the mediation stage of the appeal, the appellant clarified that he is not pursuing access to: (1) the names of the machines which are connected to the net and (2) the full UUCP addresses. He confirmed, however, that he is still pursuing access to: (1) all user names requested in part (i) of his request and (2) all of the information requested in part (ii) of his request. The appellant also confirmed that he is not pursuing access to any information which relates to students.
This office provided a Notice of Inquiry to the Board and the appellant. Representations were received from the Board only.
DISCUSSION:
SECURITY
Section 8(1)(i) of the Act reads:
A head may refuse to disclose a record if the disclosure could reasonably be expected to,
endanger the security of a building or the security of a vehicle carrying items, or of a system or procedure established for the protection of items, for which protection is reasonably required.
In my view, the phrase “could reasonably be expected to” in section 8(1) of the Act requires that there exist a reasonable expectation of probable harm. The mere possibility of harm is not sufficient.
In its representations, the Board provides details with respect to how disclosure of the lists of user names, newsgroups and mailing lists, and names of individuals subscribed to each newsgroup could endanger the security of a system established to protect items for which protection is reasonably required. The items requiring protection consist of information stored on Board computers pertaining to its business, and personnel and student records. Unauthorized access to this information could compromise the security of this system.
The Board describes how knowledge of user names and a list of individuals subscribed to each newsgroup, as well as knowledge of the newsgroups to which the Board or individuals within it subscribe, could lead to penetration of the security barrier and entry into the internal systems, thereby establishing a reasonable expectation of harm in the circumstances of this appeal. The Board is also particularly concerned about the residual exposure of its students to unwanted and unsolicited information as students have access to many of the newsgroups subscribed to by the Board.
I have carefully reviewed the evidence before me and I am satisfied that sufficient evidence has been provided to demonstrate that disclosure of the information in the records could reasonably be expected to result in the harm enumerated in section 8(1)(i) of the Act.
ORDER:
I uphold the Board’s decision.
Original signed by: May 29, 1997
Laurel Cropley
Inquiry Officer