Opinion
Opinion By: Andy Beshear,Attorney General;James M. Herrick,Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the Commonwealth Office of Technology ("COT") violated the Open Records Act by denying Mark Wohlander's February 13, 2019, requests for a CD or DVD of "the electronically stored metadata, and only the metadata, including any stored metadata, for any electronic devices for [three] individual[s] from January 1, 2017 to the present." For the reasons that follow, we find no violation of the Act.
The three individuals for whose electronic devices Mr. Wohlander requested the metadata were "Blake Brickman -- Chief of Staff, Office of the Governor"; "John H. Hodgson -- Executive Director" (also employed by the Office of the Governor); and "Thomas B. Stephens -- Secretary of the Personnel Cabinet." Pursuant to KRS 42.724(1), COT is part of the Finance and Administration Cabinet. Its duties include "[d]eveloping, implementing, and maintaining the technology infrastructure of the Commonwealth and all related support staff, planning, administration, asset management, and procurement for [most] executive branch cabinets and agencies." KRS 42.726(2)(f). Accordingly, COT is responsible for furnishing electronic devices to the Office of the Governor and the Personnel Cabinet and providing information technology services to those agencies.
On February 15, 2019, COT denied the request by letter from Chris Lewis, General Counsel, Finance and Administration Cabinet, asserting that "[a]ny metadata on the electronic devices ? is preliminary in nature and thus protected from disclosure under KRS 61.878(1)(i) and (j)." Citing
Courier-Journal v. Jones, 895 S.W.2d 6, 8 (Ky. App. 1995) (quoting OAG 78-626), COT equated metadata on electronic devices to "[y]ellow pads ? filled with outlines, notes, drafts and doodlings which are unceremoniously thrown in the waste basket or which may in certain cases be kept in a desk drawer for future reference."
Mr. Wohlander initiated this appeal on March 5, 2019, arguing, in part, that his request was not for yellow pads, appointment calendars (as in Courier-Journal v. Jones ), "or for that matter any documents whatsoever." He stated that his request was only for "system metadata, " and referred to the online "Litigators Guide to Metadata" by Craig Ball 1 for a definition of that term. Mr. Wohlander further argued that the public is entitled to know how the three employees use their state-issued devices, and that metadata "has become an evidentiary staple and is both discoverable and admissible in federal court."
COT responded to the appeal on March 18, 2019, characterizing metadata as "preliminary drafts or memoranda" exempt from disclosure under KRS 61.878(1)(i) and (j). Quoting the same Craig Ball definition used by Mr. Wohlander, COT described "system metadata" as "information about the file which is not embedded within the file it describes but is stored externally ? to track file locations and store demographics about each file's name, size, creation, modification and usage." Further quoting the Ball article, COT observed that "tracked changes and commentary in Microsoft Office documents" is "one of '284 distinct metadata properties ? in 28 property categories,' Ball claims exists [ sic ] for each Microsoft file." In addition, COT continued, Ball states that devices contain "'[e]-mail software, word processing applications and spreadsheets, database, web browser and presentation software [that] collectively employ hundreds of additional fields of metadata' per file. Ball admits that accessing, preserving and disclosing metadata may 'require specialized tools and software, custom programming or changes to established workflows,' and recommends hiring forensic computer experts for these purposes."
COT further argued that "tracked changes and commentary in Microsoft Office documents," specifically, are preliminary under KRS 61.878(1)(i) and (j). The agency also asserted that some metadata may be "exempt as personal and private or irrelevant pursuant to KRS 61.878(1)(a) or (p)." Lastly, COT contended that production of "'any and all' metadata on multiple devices with numerous system applications," used over two years, imposed an unreasonable burden under KRS 61.872(6) due to "the extraordinary number of records generated per file ? and the expense and expertise required to preserve, discover, redact, and disclose those records."
Since the application of the Kentucky Open Records Act to electronic metadata is an issue of first impression, and one of potentially far-reaching implications for public agencies in the Commonwealth, we asked the parties to provide their positions on several relevant legal and factual questions. We received a response from COT on April 29, 2019, which addressed many of those issues, but received no such submission from Mr. Wohlander.
Status of metadata as "public records"
A threshold question is whether the definition of "public record" includes metadata. Metadata, in general, may be defined as "information about a particular data set which describes how, when, and by whom it was collected, created, accessed, or modified and how it was formatted."
Kentucky Speedway, LLC v. National Ass'n of Auto Racing, 2006 WL 5097354, at *7 (E.D. Ky., Dec. 18, 2006) (quoting
Williams v. Sprint/United Management Co., 230 F.R.D. 640, 646 (D. Kan. 2005)). In view of the general description of metadata as information, COT urges us to find that metadata is only a public record insofar as it constitutes "software, " and that for all other purposes a request for metadata should be treated as a mere "request for information" which need not be honored. See 02-ORD-88. In support of this argument, COT offers an affidavit from its Chief Information Security Officer, David J. Carter, who characterizes metadata as "information about other information -- not a record about other records." (Carter affidavit, p. 4.)
In cases from other jurisdictions, where state courts have applied their public records laws to requests for discrete sets of metadata associated with specific electronic files, we note a tendency to deem those metadata sets disclosable as public records. See, e.g.,
Irwin v. Onondaga Cnty. Resource Recovery Agency, 895 N.Y.S.2d 262 (N.Y.A.D. 2010);
Lake v. City of Phoenix, 218 P.3d 1004 (Ariz. 2009);
Paint Tp. v. Clark, 109 A.2d 796 (Pa. Commw. Ct. 2015);
O'Neill v. City of Shoreline, 240 P.2d 1149 (Wash. 2010). We must, however, begin any analysis with the language of Kentucky's statutory definition of "public record" :
"Public record" means all books, papers, maps, photographs, cards, tapes, discs, diskettes, recordings, software, or other documentation regardless of physical form or characteristics, which are prepared, owned, used, in the possession of or retained by a public agency. ?
KRS 61.870(2) (emphasis added).
In the case of metadata, COT states that the information "exists on the drive in binary format as internal Operating System data or as fractional sub-parts of the file as a whole. It cannot be natively collected from the drive and must be extracted through the Operating System or a 3rd party application designed for this purpose." (Carter affidavit, p. 4.)
While the difficulty of extracting metadata is an important issue, the most significant fact at this initial stage of our analysis is that the information "exists on the drive" of the device and can in some way be retrieved. This moves metadata beyond the realm of mere abstract "information" and into the category of retained "documentation. " Thus, metadata at least potentially meets the minimum threshold for a "public record" under KRS 61.870(2).
As COT argues on appeal, the category of records most resembling metadata is "software, " even though metadata can actually encompass a broader range of information. We note that the statutory definition of "software" contains certain exclusions and limitations, which are relevant insofar as they may apply to specific metadata. KRS 61.870(3) provides:
(a) "Software" means the program code which makes a computer system function, but does not include that portion of the program code which contains public records exempted from inspection as provided by KRS 61.878 or specific addresses of files, passwords, access codes, user identifications, or any other mechanism for controlling the security or restricting access to public records in the public agency's computer system .
(b) "Software" consists of the operating system, application programs, procedures, routines, and subroutines such as translators and utility programs, but does not include that material which is prohibited from disclosure or copying by a license agreement between a public agency and an outside entity which supplied the material to the agency .
(Emphasis added.)
The definition of "software" follows immediately after the definition of "public record" in KRS 61.870. "We construe statutes within their context and strive to give consistent meaning to related statutory provisions."
Manies v. Croan, 977 S.W.2d 22, 23 (Ky. App. 1998). Accordingly, to the extent that any specific metadata meet the general definition of "software, " but also fall within these specific exclusions, they are also excluded from the definition of "public record. " 2 Metadata which do not constitute software, however, are "public records" under KRS 61.870(2) to the extent that they exist as individual pieces of stored information retained by a public agency. 3
"Precise" description of records "readily available within the public agency"
With regard to requests for copies of public records by mail, as opposed to requests for onsite inspection of records, KRS 61.872(3)(b) provides, in pertinent part:
The public agency shall mail copies of the public records to a person whose residence or principal place of business is outside the county in which the public records are located after he precisely describes the public records which are readily available within the public agency .
(Emphasis added.) A request that does not conform to this standard "places an unreasonable burden on the agency to produce often incalculable numbers of widely dispersed and ill-defined public records. " 99-ORD-14.
In 03-ORD-248, we found that a request for what we described as "a broad range of financial and operational records" for a city, over an extensive period of time, did not meet this requirement of a precise description. We explained that the applicant "did not request a specific record or records, but categories of records such as invoices, check registers, documentation for income received, grant papers, and complaints or summons. [S]uch a description is not 'clear' or 'very specific.'" Similarly, in the present appeal, Mr. Wohlander did not request a discrete set of metadata pertaining to specific documents or files. Cf.
Irwin v. Onondaga Cnty., supra (request for sets of metadata corresponding to certain specific photographs). Rather, he requested all metadata on all devices used by certain individuals during a period of years. Instead of "information about a particular data set," Kentucky Speedway, LLC, 2006 WL 5097354, at *7, Mr. Wohlander sought all metadata about all data sets on the devices. This vast category does not precisely describe a record or set of records for purposes of KRS 61.872(3)(b).
A separate, though closely related, question under KRS 61.872(3)(b) is whether the requested records are "readily available within the public agency. " We interpreted this requirement at length in 97-ORD-46:
The [agency] is obligated to mail [an applicant] copies of the records he requests only if those records "are readily available within the public agency. " This [requirement] permits public agencies to avoid the duty to mail copies if the requested records are widely dispersed or otherwise difficult to access . In such instances, agencies would be forced to make extraordinary efforts to identify, locate, and retrieve the records in order to copy and mail them to the applicant. Consistent with the rule that "[public] agencies and employees are the servants of the people..., but they are the servants of all the people and not only of persons who may make extreme and unreasonable demands on their time," OAG 76-375, p. 4, we believe that if the records ? cannot be readily accessed and retrieved within the public agency , the agency cannot be compelled to deliver copies to him[.]
It is, however, incumbent on the agency to indicate, in at least general terms, the difficulty in identifying, locating, and retrieving the requested records.
(Emphasis added.)
In this case, Mr. Carter's affidavit describes in detail the wide dispersal of metadata on state-issued devices and the difficulty of access it poses:
A request for "all meta-data files on device 'X'" is itself, too broad a request to fulfill? For perspective, a device base operating system consists of in excess of 151,000 files. The base programs installed with the standard Commonwealth workstation consists of in excess of 23,000 files. As a result, there are at least 174,000 files in existence before a user first logs-in to a device generating original data or files. Combined with the exponential nature of collective meta-data permutations, the requests are unfathomably broad to collect, much less review or produce.
(Carter affidavit, p. 3.) Mr. Carter indicates that file "system metadata" contains two categories, "information pertaining to the file" and "information pertaining to file ownership and permissions." The former category "includes the creation date, modification date, and last-touched date of the file. This meta-data is available through the file system as a query -- the information can be created as a new record, but does not exist as an independent ? record that may be accessed in a standard format. Further, this query must be made through the Operating System on a file-by-file basis." Id. The latter category must be accessed in the same manner. 4
Additional types of metadata described in Mr. Carter's affidavit include "file header metadata" and "file content metadata. "
File-header meta-data is descriptive information about the file itself? This varies by file type but generally describes physical attributes like file size, type, or 'finger print' allowing associated application access to open and identify file type? This information does not exist in any consistent format, nor is it easily producible. It exists as a sub-part at the beginning of each file and is not easily extracted for other uses. Any attempts to access this information would require extraction on a file by file basis.
? File content meta-data varies greatly depending [on] the file type? Document type files may contain information such as author, initials, dates, title, tags, etc. Non-document file meta-data may contain things such as version, vendor, dates, etc. Since the formatting of this data varies, as do the elements retained, it is not stored in a consistent manner. This data does not live in a standard format and must be extracted on a file-by-file basis. ?
(Carter affidavit, pp. 3-4.) As to all types of metadata, Mr. Carter states:
The meta-data types I mention above do not exist in a central, standard, or consistent format. Because meta-data is information about other information -- not a record about other records -- data varies by application, is not easily reportable and must be extracted file-by-file. Specific, pre-established variables must be queried for each file to create a new record of a desired data set. This data exists on the drive in binary format as internal Operating System data or as fractional sub-parts of the file as a whole. It cannot be natively collected from the drive and must be extracted through the Operating System or a 3rd party application designed for this purpose.
(Carter affidavit, p. 4.) From Mr. Carter's description of the diffuse form in which these individual sets of metadata exist, and the difficulty of the process necessary to retrieve all metadata on a device, we conclude that Mr. Wohlander's request did not "precisely describe" records "readily available within the public agency. "
Existence of an "unreasonable burden"
As KRS 61.872(6) provides:
If the application places an unreasonable burden in producing public records or if the custodian has reason to believe that repeated requests are intended to disrupt other essential functions of the public agency, the official custodian may refuse to permit inspection of the public records or mail copies thereof. However, refusal under this section shall be sustained by clear and convincing evidence.
(Emphasis added.) In extreme cases, we have sustained refusals under KRS 61.872(6) upon a proper showing that the difficulty of producing and reviewing voluminous records created an unreasonable burden. See, e.g. , 14-ORD-109 (request included at least 6,200 e-mails which must be redacted for information protected by FERPA); 11-ORD-173 (at least 8,500 e-mails required redaction under FERPA); 17-ORD-104 (225 million records required redaction under FERPA).
In this case, Mr. Carter describes the burden of producing all metadata on all devices for three public employees as "tremendous." He states:
For this type of secured-data project, COT would assign personnel within its data-forensics area. Staff with comparable responsibilities/access-rights in that area are Grade 17 salaried state personnel. Without defined criteria for a meta-data query (an "any and all" type of request), staff require 5-10 minutes to manually access and query each file for all possible meta-data available for that file. A search of this scope therefore, would require 29,000 hours per user, per device to gather potentially relevant/responsive records sought (10 minutes per 174,000 files = 29,000 hours).
(Carter affidavit, p. 4.) Therefore, COT estimates that, for even one electronic device, it would take 29,000 hours, or approximately 3.3 years, to extract all metadata. If each of the three employees had only one issued device, then, the entire request would take nearly 10 years of work time to complete. This is in addition to the time necessary to review metadata for possible confidential, privileged, or otherwise exempt material. We find that COT has shown by clear and convincing evidence that fulfilling this request would constitute an unreasonable burden.
Standard or nonstandard nature of request
COT argues that Mr. Wohlander's request is nonstandard under KRS 61.874. Subsection (3) of that statute provides in part:
If a public agency is asked to produce a record in a nonstandardized format, or to tailor the format to meet the request of an individual or a group, the public agency may at its discretion provide the requested format and recover staff costs as well as any actual costs incurred.
With regard to electronically stored information, if a public agency "does not maintain a pre-existing query, filter, or sort capable of extracting the records as requested, it is within the discretion of a public agency to tailor the format of existing records to conform to the parameters of a specific request and to recoup both staff costs and actual costs in the event it exercises its discretion affirmatively. If however, the agency maintains a pre-existing query, filter, or sort capable of extracting the information sought, the agency must produce the records as requested, and can recover only its actual reproduction costs, excluding staff time and programming costs." 12-ORD-028 (citing 05-ORD-116). 5
Mr. Carter states that, in order to produce electronic metadata, "[s]pecific, pre-established variables must be queried for each file to create a new record of a desired data set." (Carter affidavit, p. 4.) It is not clear from the record on appeal, however, whether these "specific, pre-established variables" already exist or would have to be created. To the extent that COT does not already maintain the pre-existing queries necessary to extract the metadata as requested, it is within COT's discretion whether to perform the requisite labor. If it so chose, COT could then recover fees for its staff time and actual programming costs under KRS 61.874(3).
Custodian of agency metadata
A fundamental issue affecting this appeal is the extent of COT's rights with respect to disclosure of data contained on electronic devices supplied to other public agencies for their use. On appeal, COT addresses this issue in detail:
[COT] is obligated to provide executive branch agencies with technology services obligated to provide executive branch agencies with technology services consistent with KRS 42.726. To the extent necessary to fulfill statutory obligations and as otherwise lawful, COT possesses the right to access another agency's information, including metadata, for which they have technical access?
? In furtherance of its mission, COT is directed to provide technical support, develop and implement information technology and enterprise architecture, and establish a geographic information clearinghouse for maps. KRS 42.726(2)? In fact, apart from geographic information, COT's statutory obligations respecting other agencies' information is limited to a service-provider role -- advising, procuring, providing, developing, and facilitating agencies' secured access to technology platforms consistent with KRS 42.726(2).
To meet its statutory obligations, COT possesses a corresponding right to access another agencies' [ sic ] information for which it has access. This right ? is narrowly tailored to meet a legitimate business need of the agency? It is helpful to view COT as a handyman possessing a key to the agency-owner's digital home. The handyman has access and permission to enter the home to provide professional services, but not the right to snoop through drawers or permit public access . In the same manner, COT may not retrieve or view another agency's information -- or take any action whatsoever, divorced from its statutory authority. The breadth and variety of confidentiality issues respecting state government records further advise against any agency's disclosure of information for which they are not the official custodian pursuant to KRS 61.870(5) ? Thus, while COT may technically have access to other agencies' information and records in appropriate circumstances, it does not follow that COT is the proper custodian for those records for purposes of the [Open Records Act] .
(Emphasis added.) In short, COT does not regard itself as the official records custodian for data, or metadata, stored in electronic devices used by other agencies, such as the Personnel Cabinet and the Office of the Governor. We agree.
KRS 61.876(1)(b) requires each public agency to designate an official custodian of its records. KRS 61.870(5) defines "official custodian" as "the chief administrative officer or any other officer or employee of a public agency who is responsible for the maintenance, care and keeping of public records, regardless of whether such records are in his actual personal custody and control." Since COT is neither an officer nor an employee of the Personnel Cabinet or the Office of the Governor, it cannot serve as the official custodian of those agencies' records.
It is clear from the limited statutory role of COT regarding other agencies' information that the data on state-issued devices, used by employees of other agencies, constitute records of the user agencies and not records of COT. A contrary finding would require COT to make confidentiality determinations, or decisions as to responsiveness of records or applicability of exemptions, that require knowledge and expertise resting solely with the user agency which created the record in question. By extension, the metadata on those devices ("data about data"), 6 which potentially implicate all of the same issues, likewise belong to the user agencies. Therefore, we conclude that Mr. Wohlander wrongly addressed his request to COT instead of to the employing agencies of the three individuals whose devices are at issue. 7
Conclusion
In keeping with KRS 61.870(2), we conclude that metadata on public devices are "public records, " except to the extent they constitute "software" that falls within the exclusions in KRS 61.870(3). We find no violation of the Open Records Act by COT in this case. The requests did not precisely identify records readily available within the public agency. The requests imposed an unreasonable burden under KRS 61.872(6). The requests may be nonstandard under KRS 61.874(3). Lastly, COT is not the official custodian of user agencies' metadata pursuant to KRS 61.870(5). Since these issues are dispositive, we need not address COT's arguments under KRS 61.878(1)(a), (i), (j), or (p).
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General shall be notified of any action in circuit court, but shall not be named as a party in that action or in any subsequent proceeding.
Footnotes
Footnotes
1 http://www.craigball.com/metadataguide2011.pdf (last visited May 7, 2019). We note, however, that Mr. Ball's article lists "system metadata" as only one category of metadata, and Mr. Wohlander's request for "the electronically stored metadata" was not so limited in scope.
2 See 05-ORD-250 (implicitly accepting argument that "software" meeting the exemptions from KRS 61.870(3) is not a "public record," though making no finding due to insufficient information). Cf . 17-ORD-268 (declining to make a finding as to whether keywords were exempt from definition of "software" under KRS 61.870(3), where the requested list of keywords existed in a discrete and printable HTML document).
3 This classification of metadata as "public records" does, however, pose unique problems. As Mr. Carter explains, metadata are highly volatile pieces of information which are not "forensically sound," since they "can be easily modified," whether intentionally or unintentionally, "through normal user operations." File content metadata, especially, can be "largely absent or inaccurate in the vast majority of cases." (Carter affidavit, p. 2.) This volatility, which would inevitably affect a public agency's ability to maintain metadata in the same manner as other public records, is perhaps the reason why the word "metadata" does not appear in either the General Schedule for Electronic and Related Records, https://kdla.ky.gov/records/recretentionschedules/Documents/State%20Rec… (last visited May 7, 2019), or COT's own records retention schedule, https://kdla.ky.gov/records/recretentionschedules/Documents/State%20Rec… (last visited May 7, 2019).
4 In addition, "[b]ecause ownership and permissions directly drive file security and data contained therein, and because this data may be modified, ownership permissions data is sensitive and confidential." (Carter affidavit, p. 3.)
5 This rule is in harmony with, while independent of, the general principle that a public agency need not compile a list or create a record in response to an open records request. 12-ORD-026.
6 O'Neill, 240 P.3d at 1151.
7 This does not imply that COT could have no proper role to play in processing a request for electronic metadata made to the agency which owned the data; that role, however, would be secondary and in the nature of technical support, as provided by statute.