
Opinion

Opinion By: Gregory D. Stumbo, Attorney General; James M. Ringo, Assistant Attorney General

Open Records Decision

The question presented in this appeal is whether actions of the Finance and Administration Cabinet relative to the open records request of Mark Schaver, Computer-Assisted Reporting Director, The Courier-Journal, for a copy of "the schema for the database or mainframe that contains state employee job titles, salaries and histories" or "any document or documents that contains the same information that would be contained in such a schema," violated the Open Records Act. For the reasons that follow, we find that the Cabinet violated the Act by failing to timely respond to Mr. Schaver's July 6, 2005 request; that the failure to address the initial request in its entirety constituted a violation of the Act; that the Cabinet failed to demonstrate that it conducted a search using methods which could reasonably be expected to produce records responsive to the request; and because there appears to be a disagreement between the parties as to what records Mr. Schaver is seeking or a mischaracterization of the description of the records at issue by the parties, we have insufficient information to determine whether or not they qualify for exemption under KRS 61.878(1)(m) or a "public record" under KRS 61.870(3)(a).

By letter dated July 6, 2005, Mr. Schaver submitted an open records request to the Finance and Administration Cabinet, advising:

In a June 24 letter, Mark D. Honeycutt, the executive director of the Personnel Cabinet's Office of Legal Services, denied my open record request for a schema of the Personnel Cabinet's database containing employee job titles, salaries and histories (see separate fax). Mr. Honeycutt wrote, "no such database exists" and "The information is contained in a mainframe as opposed to a database. . . . the Personnel Cabinet does not have the schema in question for the mainframe containing the employee records. The Personnel Cabinet's Systems Management Division does not maintain a schema of the mainframe. We suggest you contact the record custodian for the Commonwealth's Office of Technology ..."

I am now making that request to the Commonwealth's Office of Technology. I would like a copy of the schema for the database or mainframe that contains state employee job titles, salaries and histories. I do not know the name of this database or mainframe, so I cannot be more specific. In a telephone conversation June 30, Mr. Dodd Harris of the COT asked me to send him an email requesting that information which I did (see separate fax), but he never replied and referred my July 6 follow-up phone call to you.

The schema should include the fields in the database or mainframe, the field types, the table structure and any other information generally included in a schema. The Computer Desktop Encyclopedia (http://www.answers.com/schema) defines a schema as:

If the Cabinet does not have a schema meeting that definition, then I would like any document or documents that contains the same information that would be contained in such a schema, including field names, data types and table structure.

In addition to the schema, I would also like to request copies of the following:

By letter dated July 19, 2005, Joseph B. Howard, Executive Director, Finance and Administration Cabinet, responded to Mr. Schaver's July 6, 2005 request, advising:

In response to your request, please be advised that after review by personnel from the Commonwealth's Office of Technology (hereinafter "COT") your request for a schema of the personnel mainframe must be denied. More specifically, the requested record is not an existing document and compiling and releasing of a responsive custom record presents a major security problem. Pursuant to KRS 61.878 [1](m), said information cannot be provided on the infrastructure by which the data is maintained, stored, or accessed. Neither can or should COT divulge how data for certain applications which are stored (schema, location, etc.) nor the method of accessing it. If you have any questions, please feel free to contact Jill Midkiff.

On August 25, 2005, Mr. Schaver initiated the instant appeal. In his letter of appeal, he explained in relevant part:

The Finance Cabinet denied my request, saying the records I was seeking did not exist and citing exemption KRS 61.878[1](m).

I believe records responsive to my request do exist and the Finance Cabinet is wrong to cite KRS 61.878[1](m) in its denial. In addition, I believe the Finance Cabinet violated the Open Records Act by taking nearly three weeks to respond to my request, instead of three days as required by law, and by failing even to address part of my request at all.

As you will see from the attached correspondence, I originally asked for information about the Personnel Cabinet's state employee database, but was told the information was not contained in a database, but rather a "mainframe." This seems wrong to me, since a mainframe (http://answers.com/mainframe) is a type of computer while the term database (http://answers.com/database) is typically used to describe information stored in a computer in a systematic way. Therefore, for the rest of this letter I will use the term database to describe what I'm seeking, although of course I am willing to be corrected should I be wrong.

. . .

In other words, I want to know what tables and fields the database contains, the data types of those fields, and how those tables are linked together. To put it even more simply, I want to know what information the state is keeping on state employees.

My request specifically said that if the Cabinet does not have a schema, then "I would like any document or documents that contains the same information that would be contained in such schema, including field names, data types and table structure."

. . .

A schema is nothing more than a general description of the information contained in a database. All databases have tables, all databases have data types and all databases have a relationship between tables. This is not the sort of infrastructure information useful to terrorists as envisioned by the exemption.

Releasing it to me or anyone else would no more benefit terrorists than would making public the fact that the Personnel Cabinet stores typewritten records on state employees in filing cabinets.

Mr. Howard said in his response "information cannot be provided on the infrastructure by which the data is maintained, stored and accessed."

. . .

I am not asking for anything of the kind. A schema does not tell me how to access the database, its physical location, passwords or other system-specific information that would in any way help a terrorist. I am simply asking the state to tell me what information it is keeping on state employees. I need to know the data types, field names and data structure of the database so I can better judge the Personnel Cabinet's previous claims to me that it is impossible to use the database to easily trace an individual's job history with the state.

The cabinet seems to be taking the position that it now has to keep secret information on state employees, and that it doesn't have to publicly disclose what information it keeps because doing so would help terrorists. That is preposterous on its face.

And finally, the Cabinet did not respond at all to two parts of my request. It didn't cite an exemption that justifies withholding the records I requested -- it simply ignored that part of my request entirely. Specifically, I asked for "Any manuals, tutorials, guides or other documents that explain how to retrieve information on state employees from the Cabinet's database or mainframe" and "An inventory or other summary of all databases maintained by the state of Kentucky." To not even consider or explicitly respond to my request is further evidence that the Finance Cabinet is not living up to the Record Act's unambiguous declaration that "free and open examination of public records is in the public interest."

In a supplemental response provided to this office after the commencement of Mr. Schaver's appeal, Mr. Howard addressed issues raised in the appeal. Addressing first the request for "a copy of the schema for the database or mainframe that contains state employee job titles, salaries and histories" and "any document or documents that contains the same information that would be contained in such schema, including field names, data types and table structure," Mr. Howard argued:

. . . These items should be denied, because they are exempt from the definition of "software" as a "public record" under KRS 61.870. KRS 61.870(3)(a) clearly states:

The items requested are essentially a roadmap to where and how data elements are stored and access controlled on the state mainframe. This clearly falls within the exemption to the definition of "software" as a "public record" under KRS 61.870 and therefore, the items requested are not subject to being released under Open Records law.

Mr. Howard then advances an argument arguendo, that if these items do come under the scope of the Open Records Act, they are exempt from disclosure under KRS 61.878(1)(m). He argues:

As previously mentioned, the items requested are essentially a roadmap to where and how data elements are stored and access controlled on the state mainframe. There is a clear vulnerability associated with releasing such sensitive information about the structure of the Commonwealth's mainframe to the public. In the hands of a properly qualified individual, the information requested could facilitate successful unauthorized access to the state mainframe, through hacking techniques such as denial of service attacks, password directory attacks, password brute force attacks, social engineering and phishing.

. . .

Unauthorized access may be used to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network for government statewide. As evidenced by KRS 61.878(1)(m), the General Assembly clearly intended for such a roadmap, in other words, information relating to the "location, configuration, or security" of critical state "information technology systems", to be protected from disclosure in order to prevent unauthorized access and disruption from becoming a reality.

In regard to Mr. Schaver's request for copies of "Any manuals, tutorials, guides or other documents that explain how to retrieve information on state employees from the Cabinet's database or mainframe" and "An inventory or other summary of all databases maintained by the state of Kentucky," Mr. Howard advised:

. . . To the best of this agency's knowledge, the items required do not exist in the format requested. Open Records law has consistently recognized that a public agency is not obligated to compile a list or create a record in a specific format to satisfy an open records request. Assuming, arguendo, that such records existed, the same exceptions as stated above would clearly apply.

We are asked to determine whether the Cabinet's actions in response to Mr. Schaver's request violated the Open Records Act. As noted above, we find that the Cabinet violated the Act by failing to timely respond to Mr. Schaver's July 6, 2005 request; that the failure to address the initial request in its entirety constituted a violation of the Act; that the Cabinet failed to demonstrate that it conducted a search using methods which could reasonably be expected to produce records responsive to the request; and because there appears to be a disagreement between the parties as to what records Mr. Schaver is seeking or a mischaracterization of the description of the records at issue by the parties, we have insufficient information to determine whether or not they qualify for exemption under KRS 61.878(1)(m) or a "public record" under KRS 61.870(3)(a).

The record before us indicates that Mr. Schaver's July 6, 2005 request was stamped "RECEIVED" on July 6, 2005 by both the "Finance - Office of the Secretary" and "Legal & Legislative Services." Mr. Schaver indicated that the Cabinet's response, dated July 19, 2005, was faxed to him on July 25, 2005. In its response to this office, the Cabinet neither addresses nor disputes these facts.

As a public agency, the Cabinet is obligated to comply with both the procedural and substantive provisions of the Open Records Act regardless of the requester's identity or his purpose in requesting access to the records. KRS 61.880(1) dictates the procedure which a public agency must follow in responding to requests submitted pursuant to the Open Records Act. In relevant part, KRS 61.880(1) provides:

Each public agency, upon any request for records made under KRS 61.870 to 61.884, shall determine within three (3) days, excepting Saturdays, Sundays, and legal holidays, after the receipt of any such request whether to comply with the request and shall notify in writing the person making the request, within the three (3) day period of its decision. . . . (Emphasis added.)

By its express terms, KRS 61.880(1) requires a public agency to issue a written response within three business days of receiving a request. In general, a public agency cannot postpone this deadline. 04-ORD-144, p. 6. "The value of information is partly a function of time." Fiduccia v. U.S. Department of Justice, 185 F.3d 1035, 1041 (9th Cir. 1999). This is a fundamental premise of the Open Records Act, underscored by the three day response time codified at KRS 61.880(1). Although the burden on the agency to respond within three working days is, not infrequently, an onerous one, the only exceptions to this general rule are found at KRS 61.872(4) and (5), neither of which the Cabinet invoked here. 02-ORD-165, p. 3.

As consistently recognized by the Attorney General, the procedural requirements codified at KRS 61.880(1) "are not mere formalities, but are an essential part of the prompt and orderly processing of an open records request." 03-ORD-067, p. 2, citing 93-ORD-125, p. 5. Public agencies such as the Cabinet may not elect a course of inaction. Failing to respond in a timely and proper fashion, as the Cabinet initially did here, constituted a clear violation of KRS 61.880(1). In short, compliance with these procedural guidelines is mandatory, and is as much of a duty owed by a public agency as the provision of other services to the public. Id.

Moreover, a response that fails to address an open records request in its entirety also constitutes a violation of the Open Records Act. 05-ORD-236; 04-ORD-016. The Cabinet's original response to Mr. Schaver's request was deficient as it failed to acknowledge or address his request for "Any manuals, tutorials, guides or other documents that explain how to retrieve information on state employees from the Cabinet's database or mainframe" and "An inventory or other summary of all databases maintained by the state of Kentucky." To the extent that the Cabinet failed to respond to this portion of Mr. Schaver's request, we find the original response fell short of the requirement that the public agency notify the requester of its decision relative to the records requested per KRS 61.880(1). 1

In addition to the above, because the Cabinet's supplemental response does not document what steps, if any, were taken to locate the responsive records mentioned above, we conclude that its search was presumptively inadequate. 05-ORD-236.

In 95-ORD-96, this office established a standard by which to measure the adequacy of an agency's search for public records. At page 7, we stated:

In our view, the Open Records Act does not require an agency to conduct "an exhaustive exhumation of records," Cerveny v. Central Intelligence Agency, 445 F. Supp. 772, 775 (D. Col. 1978), or to embark on an unproductive fishing expedition "when the likelihood of finding records that fall within the outermost limits of the zone of relevancy is slight." In re Agent Orange Product Liability Litigation, 98 F.R.D. 522, 529 (E.D. N.Y. 1983). It is, however, incumbent on an agency "to make a good faith effort to conduct a search using methods which can reasonably be expected to produce the records requested." Cerveny, at 775. Thus, the agency must expend reasonable efforts to identify and locate the requested records. And, if the documents do exist, and the public agency cannot locate them, the agency's "good faith [sh]ould not be impugned unless there was some reason to believe that the supposed documents could be located without an unreasonably burdensome search." Goland v. Central Intelligence Agency, 607 F.2d 339, 353 (D.C. Cir. 1979). In assessing the adequacy of an agency search, we "need not go further to test the expertise of the agency, or to question its veracity when nothing appears to raise the issue of good faith." Weissman v. Central Intelligence Agency, 565 F.2d 692, 697 (D.C. Cir. 1977).

95-ORD-96, p. 7 (emphasis added). The record on appeal does not demonstrate that the Cabinet conducted a search which could reasonably be expected to produce the records requested. Its response stated "to the best of this agency's knowledge" no such records exist and assuming arguendo their existence, they would be exempt. The Cabinet's response gives no information on the adequacy of the search it undertook, if any, to reach the conclusion that no responsive records exist.

In his letter of appeal, Mr. Schaver asserts that records responsive to his request exist and argues:

I find it impossible to believe there is no document of any kind that describes the information contained in the database. I do not know what software the Cabinet uses to store this information, but all modern database software that I am aware of has the built-in ability to generate a description of its tables, including its field names and data types. Even if the cabinet has never printed out such a description, which is doubtful, it is likely it could generate such a list without significant effort using the software's built-in tools. (This also raises the interesting question that if schema information is inherently part of the software, but has never been printed on paper, is it a public record subject to disclosure? To argue otherwise would be to argue that there is a class of information, not otherwise subject to an exemption, that is effectively outside the reach of the Open Records Act and public scrutiny). Even if the computer system used to maintain personnel records is older and less capable than modern systems, it's highly unlikely the Cabinet has never produced a document describing the structure of the information it contains. If nothing else, it would have had to generate such a description when it contracted for or created the database.

We agree. Presumably, an agency would have manuals, tutorials, or guides concerning the operation of its software or documents describing the information contained in the database at issue. On the facts before us, we conclude the Cabinet failed to demonstrate that it conducted an adequate search for records responsive to Mr. Schaver's request.

In response to Mr. Schaver's request for a "schema" for the database or mainframe that contains state employee job titles, salaries and histories, the Cabinet advised that no such record existed and to provide a responsive custom record would present a "major security problem." Obviously, an agency cannot provide access to a record that it does not have or which does not exist. The Cabinet complied with the Open Records Act by affirmatively advising Mr. Schaver of that fact. 04-ORD-128.

In its denial of Mr. Schaver's request, the Cabinet stated that providing information on the infrastructure by which data is maintained, stored and accessed would present a major security problem. In his letter of appeal, Mr. Schaver asserts that he is not seeking information of this kind. He states that schema information does not tell one "how to access the database, its physical location, passwords, or other system-specific information that would in any way help a terrorist." In its response to the letter of appeal, the Cabinet states that the information requested by Mr. Schaver is "essentially a roadmap to where and how data elements are stored and access controlled on the mainframe" and releasing such sensitive information about the structure of the state's mainframe would make it vulnerable to successful unauthorized attacks on the mainframe.

Because there appears to be a disagreement between the parties as to what records Mr. Schaver is seeking or a mischaracterization of the description of the records at issue by the parties, we have insufficient information to determine whether or not they qualify for exemption under KRS 61.878(1)(m), or a "public record" under KRS 61.870(3)(a). See 05-ORD-227. With respect to factual disputes of this nature between a requester and a public agency, the Attorney General has consistently recognized:

This office cannot, with the information currently available, adjudicate a dispute regarding a disparity, if any, between records for which inspection has already been permitted, and those sought but not provided. Indeed, such is not the role of this office under open records provisions. It seems clear that you have permitted inspection of some records [the requester] asked to inspect, and that copies of some records have been provided. Hopefully[,] any dispute regarding the records here involved can be worked out through patient consultation and cooperation between the parties.

03-ORD-61, p. 2, citing OAG 89-81, p. 3. Accordingly, the parties should consult and mutually cooperate to resolve any differences or misunderstandings related to the records sought. If there remain any records in dispute, the requester can initiate another appeal to this office or proceed directly to the appropriate circuit court. KRS 61.880.

The Cabinet asserts that all records to which Mr. Schaver seeks access are excluded from inspection by KRS 61.878(1)(m)1.f. In his letter of appeal, Mr. Schaver states that he wants to know what information the state is keeping on state employees. This office has long recognized that information that the state keeps on state employees is accessible to the public, with some of it being exempt under certain applicable exceptions, such as social security numbers and home addresses under KRS 61.878(1)(a). It is safe to assume that there is some mechanism by which the Cabinet can retrieve records sought containing information that the state keeps on state employees without compromising security per KRS 61.878(1)(m)1.f. Such records have been the subject of numerous decisions issued by the Attorney General through the years and no specter of security threats has ever been raised. Consistent with past decisions, the Cabinet must disclose any and all nonexempt records containing the information Mr. Schaver seeks. Simply stated, the Cabinet must disclose the type of information it maintains on state employees, but not infrastructure records that are reasonably likely to expose a vulnerability through the disclosure of the location, configuration, or security of a critical infrastructure technology system.

A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.

Footnotes


1 Although the Cabinet addresses these issues in its supplemental response to this office, the Cabinet should bear in mind that a response pursuant to 40 KAR 1:030 Section 2 should be viewed as an opportunity to supplement rather than supplant its denial. "The Open Records Act presumes that the agency's KRS 61.880(1) response is complete in and of itself." 02-ORD-118, p. 3. Therefore, this office considers supplemental responses which correct misstatements appearing in, or misunderstandings resulting from, the complainant's letter of appeal, or, which offer additional support for the agency's original denial. Id. See also 04-ORD-208.

Disclaimer:
The Sunshine Law Library is not exhaustive and may contain errors from source documents or the import process. Nothing on this website should be taken as legal advice. It is always best to consult with primary sources and appropriate counsel before taking any action.
Requested By:
The Courier-Journal
Agency:
Finance and Administration Cabinet
Type:
Open Records Decision
Lexis Citation:
2005 Ky. AG LEXIS 65