Request By:
[NO REQUESTBY IN ORIGINAL]
Opinion
Opinion By: Albert B. Chandler III, Attorney General; James M. Ringo, Assistant Attorney General
Open Records Decision
This matter is before the Attorney General on Barry Johns' May 4, 1999 open records appeal from the Office of Education Accountability's (OEA) denial of his open records requests for "an inventory of [Dr. Ken Henry's] office equipment, denial to inspect his computer for pornographic or possibly obscene material, refusing to state name of state official who said I hired a hacker to access Dr. Henry's . . . [computer]."
As authorized by KRS 61.880(2) and 40 KAR 1:030, Section 2, Ava Crow, OEA Counsel, provided this office with a response to the issues raised in the appeal. In her response, Ms. Crow provided the following background information relating to this appeal:
By way of background, in mid-December 1997, Dr. Ken Henry, Director of the Office of Education Accountability (OEA), was visited by two citizens concerned about student access to inappropriate Internet sites. They asked the OEA to look into the issue and support strong and effective controls on student access to Internet sites. Additionally, a superintendent had expressed serious concerns about this issue to Dr. Henry and communicated the range of potential problems in a district as technology has become more widely available. There was also legislative interest in this area. Dr. Henry, within the scope of his job duties as defined by KRS 7.410, attempted to familiarize himself with these issues and to prepare himself for questions from legislators. Subsequently, information was conveyed to a news reporter relative to these efforts and the then-director of LRC and Dr. Henry were contacted by the reporter. These contacts became the basis of brief news stories. We assume these stories have resulted in Mr. Johns' various requests for information about Dr. Henry accessing, in Mr. Johns' words, "pornographic sites. "
Addressing the issues raised in the appeal, Ms. Crow sets forth the following chronology of events surrounding Mr. Johns' requests and OEA's responses to those requests:
Mr. Johns' current appeal will be addressed sequentially. By fax of April 17, 1999, Barry Johns requested the "name, location, and serial number of computer used by Ken Henry in the commission of his pornographic site visits." By timely answer of April 21, 1999, Mr. Johns was informed that we were unable to determine from his request "the specific sites about which you are interested and we are, therefore unable to respond to your request." See , OAG 91-72 regarding the requirement that requests be stated with particularity. Further, we noted that we had been informed by a state official that Mr. Johns had stated to that individual that he had hired a "hacker" to attempt to access Dr. Henry's computer. Thus, the letter continued, we were further denying the request based on the provisions of KRS 61.872(6), in that non-governmental access to the LRC computer system would disrupt the essential functions of this agency.
In an April 23, 1999 request to OEA, Mr. Johns repeated this request for information about Dr. Henry's computer equipment, expanding it to a request for copies of "inventory records of the equipment including all computer and computer-related equipment in the office of Dr. Henry . . . ." In response to that, by timely letter of April 28, 1999, Mr. Johns was again informed that no information related to the LRC or OEA computer system would be provided to him pursuant to KRD 61.872(6). It is noteworthy that in addition to the extensive generalized disruption that would be caused by unauthorized individuals accessing state government computers, substantial information exists on the OEA network related to the Pike County School District investigation. Thus, there is specific material that would be available to Mr. Johns that is protected under a variety of Open Records Act exemptions as well as KRS 7.410(3). See , OEA's March 12, 1999 response to 109-item request that was filed with the Office of the Attorney General in response to Log. No. 199900269.
Mr. Johns also asked that OEA "inform (him) of the state official" who talked with our staff person regarding Mr. Johns' dealings with a computer hacker. Mr. Johns stated he would be "receptive to confronting this individual . . . ." OEA declined to release an intra-office memorandum identifying the state official, stating we were not interested in a confrontation and further, citing attorney-client privilege, attorney work product, KRS 61.878[1](i), (j) because it was a preliminary document, and citing KRS 61.878(1)(h) and KRS 7.410(3), as interpreted and applied by 98-ORD-149 currently on appeal in the case of Taylor v. Office of Education Accountability , Action No. 98-CI-01169, Franklin Circuit Court. Reliance upon KRS 61.878(1)(h) and KRS 7.410(3) was based on the fact that the individual was an informant and preferred to have their identity remain confidential.
Then on April 27, 1999, a request was received from Mr. Johns to permit the technology coordinator for the Pike County School District to "inspect" Dr. Henry's computer in his office. The stated purpose of the "inspection" was to "view the pornographic material" on the computer. On April 30, 1999, Dr. Henry denied the request.
[Footnote omitted.]
We are asked to determine whether the OEA's denials were consistent with the Open Records Act. For the reasons which follow, we conclude that they were.
We address first Mr. Johns' request for an inventory of Dr. Henry's office equipment. Initially, he requested the name, location, and serial number of the computer used by Dr. Henry. Relying on KRS 61.872(6), Ms. Crow denied this request, advising that OEA had been informed by a state official that he had hired a "hacker" to try to access Dr. Henry's computer and, because hacking the computer system was likely to disrupt essential functions of the agency, no information would be provided him related to OEA or LRC computers.
After this denial, Mr. Johns requested copies of the inventory records of "all computer and computer related equipment in the office of Dr. Ken Henry Director (OEA) since Oct. 1, 1997." Again citing KRS 61.872(6), OEA denied this request, stating:
As previously indicated in our letter of April 21, based on information we have received about possible attempts by you to hack our computer system, we decline to release any information that would indicate the status of any equipment in Dr. Henry's office. We believe your attempts to obtain this data are designed to facilitate your efforts to disrupt the essential functions of our office. See, KRS 61.872(6).
In her response to the letter of appeal, Ms. Crow expanded on her argument that OEA's denial of the request for these records under KRS 61.872(6) was legitimate and appropriate. She explained:
OEA has information from a credible source that Mr. Johns intended to attempt to access the hard drive of Dr. Henry's computer. This computer is networked to the larger LRC system and contains thousands of pages of documents with sensitive and confidential information. Mr. Johns' requests are clearly designed to elicit information to facilitate access. "Administrative notice" should be taken that computer access can be accomplished from remote sites, in addition to in-person "inspection. " It is noteworthy that Mr. Johns sought in-person inspection only after he was unable to get information specific to identify Dr. Henry's computer, information that might facilitate remote access. As previously noted, on July 8, 1998, Mr. Johns was informed that "no record of Dr. Henry's visits to Internet sites" exists. Although entitled to that knowledge, he has no entitlement to information being sought for the purpose of him or his agent freely perusing the hard drive on a state government computer, very likely disrupting and very possibly disabling the computer system in Kentucky's legislative offices.
KRS 61.872(6) provides:
If the application places an unreasonable burden in producing public records or if the custodian has reason to believe that repeated requests are intended to disrupt other essential functions of the public agency, the official custodian may refuse to permit inspection of the public records or mail copies thereof. However, refusal under this section shall be sustained by clear and convincing evidence.
Pursuant to KRS 61.880(2)(c), this office requested additional information from OEA to substantiate its basis for denial. OEA indicated that it learned from a credible informant that Mr. Johns had hired a hacker to seek to obtain remote access to Dr. Henry's computer and possibly to the entire network of computers of OEA and LRC to which it is connected. The agency explained that this could expose sensitive and confidential information, much of which is exempt from disclosure under KRS 7.410(3) and the disclosure of which would undermine and disrupt the essential functions of that agency.
Ms. Crow further argues, and we agree, that ordinarily the motives of a requester are not relevant, but in this situation they cannot be ignored. This is particularly so where OEA was informed by an informant that Mr. Johns had hired a hacker to access Dr. Henry's computer and possibly the agency's entire computer network. Those circumstances, in our view, justify a denial of access to records of computer and computer related equipment, which could possibly enable the accomplishment of that threat and disrupt the essential functions of the agency. KRS 61.872(6). This position finds support in 98-ORD-137, in which this office held:
that a public agency may properly invoke KRS 61.872(6) to deny a request for public records . . . if release of those records would compromise a significant governmental interest, thereby necessitating an immediate revision of policy or practice so as to avoid the subversive use of the records, or information contained therein. Such a request may be treated as unreasonably burdensome within the meaning of KRS 61.872(6)
. . .
If the agency can establish, by clear and convincing evidence, that an application for public records would place an unreasonable burden on it because the agency would be forced to overhaul an existing system each time the records were requested and released, it may properly invoke this provision. The clear and convincing standard which is built into this provision is sufficient, in our view, to discourage abuse by public agencies.
Under these facts, we conclude OEA has established that access to these records could compromise a significant governmental interest and properly denied Mr. Johns access to a copy of the inventory of Dr. Henry's computer and computer related equipment.
Next we address the request to have access to Dr. Henry's computer or to allow the Technology Coordinator of the Pike County Board of Education to have access to Dr. Henry's computer to search for pornographic material.
In her response, Ms. Crow provided this office with documentation that Mr. Johns had made a related request in July 1, 1998, in which he had asked for a copy of the history cache or records of Dr. Henry's visits to pornographic sites. The agency responded to that request that there were no records of Dr. Henry's visits to Internet sites. Apparently, Mr. Johns does not believe this earlier response and now seeks access to the OEA's files to search for the records himself.
The Open Records Act does not permit a person to search through an agency's files to determine the truth of an agency's response that it does not have the requested records or that they do not exist. Moreover, in general, it is not our duty to investigate in order to locate documents which the requesting party maintains exist but which the public agency states do not exist. In the instant appeal, we have no reason to doubt the agency's response that the records do not exist.
Ms. Crow states that this request for permission for access to Dr. Henry's computer "is akin to a request to freely peruse government file cabinets, scanning files that may look interesting." She further argues there is no authority in the Open Records Act for such a request. We agree. The Open Records Act is not a search warrant statute. It is a records statute. It requires that an agency respond to a request to inspect reasonably identified public records and make the records available for inspection, or if any or all of the request is denied, to cite a specific exception that authorizes the nondisclosure of the records and a brief explanation as to how the cited exception applies to the records withheld. KRS 61.880(1). Alternatively, if records for which inspection is sought do not exist, the agency should so state. 99-ORD-43; OAG 91-101. OEA has indicated that no such record exists. The Open Records Act does not require more. Accordingly, we conclude the OEA properly denied Mr. Johns' request for access to Dr. Henry's computer.
Finally, we address OEA's denial of Mr. Johns' request for the name of the state official who stated he had hired a hacker to try to access Dr. Henry's computer. To begin, this was a request for information, rather than a request for records. As we have so often observed:
Requests for information, as distinguished from records, are outside of the scope of the open records provisions. See, e.g., OAG 89-77. Our position is premised on the notion that "open records provisions address only inspection of records . . . [and] do not require public agencies or officials to provide or compile specific information to conform to the parameters of a given request."
95-ORD-131, p. 2, citing OAG 89-77, p. 4. Simply stated, "The purpose of the Open Records Law is not to provide information, but to provide access to public records which are not exempt by law." OAG 79-547, p. 2. We conclude OEA properly denied this request for information.
In its response to this office, OEA acknowledges the existence of an intra-office memorandum, prepared under the direction of an LRC attorney, summarizing the information provided by the informant, which included the informant's identity, and denies access to this document under authority of KRS 7.410(3); KRS 61.878(1)(h), which authorizes nondisclosure of an informant's identity; attorney-client privilege, or alternatively, attorney work-product doctrine; and as preliminary intra-office memorandum, under KRS 61.878(1)(i) and (j).
KRS 7.410(3) provides:
The provisions of KRS 61.878 or any other statutes, including Acts of the 1992 Regular Session of the General Assembly to the contrary notwithstanding, the testimony of investigators, work products, and records of the Office of Education Accountability relating to duties and responsibilities under subsection (2) of this section shall be privileged and confidential during the course of an ongoing investigation or until authorized, released, or otherwise made public by the Office of Education Accountability and shall not be subject to discovery, disclosure, or production upon the order or subpoena of a court or other agency with subpoena power.
This office has construed this statute to vest virtually unfettered discretion in the Office of Education Accountability to withhold records relating to its duties and responsibilities while an investigation is pending and even after it has been included. 98-ORD-149. In that decision, we stated:
The broad scope of the language found at KRS 7.410(3), as well as its importance and urgency, are underscored by the fact that the General Assembly elected to make the confidentiality provision retroactive to July 13, 1990, and to include an emergency clause making the provision effective upon passage and approval by the Governor. OEA's investigative records, including records which it obtains from the school district or other agencies, are thus absolutely shielded from public inspection and are not "subject to discovery, disclosure, or production upon the order or subpoena of a court or other agency with subpoena power. "
KRS 7.410(3) clearly authorizes OEA to deny Mr. Johns access to either the intra-office memorandum or the identity of the informant, which relates to his attempt to hack into or invade the agency's computer system. Accordingly, we conclude that OEA's denial of this request on the basis of KRS 7.410(3) was proper and not a violation of the Open Records Act.
Because OEA's reliance upon KRS 7.410(3) is dispositive of this issue, we need not address other bases relied upon by the agency for denying access to the document.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.