Sault Police Reverses Course on Lack of Transparency
Previously Sought to Keep Recipient of Public Funds Anonymous
As a part of research related to the devastating cyberattack on the Sault Ste. Marie Police Service in the summer of 2021, I filed a freedom of information request seeking some basic information.
The request was submitted in December of 2021 and asked for two things: 1) the name of the company helping to rebuild digital infrastructure at the SSMPS; and 2) the total dollar amount billed thus far.
The response from the SSMPS was surprising.
Image Credit: Wikimedia Commons
They denied my request and invoked several sections of the applicable legislation.
According to the SSMPS, releasing the information could:
“Interfere with a law enforcement manner” re: Section 8(1)(a)
“Interfere with an investigation” re: Section 8(1)(b)
“Endanger the life or physical safety of a law enforcement officer or any other person” re: Section 8(1)(e)
“Endanger the security of a building or the security of a vehicle” re: Section 8(1)(i)
“Jeopardize the security of a centre for lawful detention” re: Section 8(1)(k)
“Prejudice significantly the competitive position or interfere significantly with the contractual or other negotiations of a person, group of persons, or organization” re: Section 10(1)(a)
“Result in similar information no longer being supplied to the institution where it is in the public interest that similar information continue to be so supplied” re: Section 10(1)(b)
“Result in undue loss or gain to any person, group, committee or financial institution or agency” re: Section 10(1)(c)
Reveal “trade secrets or financial, commercial, scientific or technical information that belongs to an institution and has monetary value or potential monetary value” re: Section 11(a)
“Reasonably be expected to seriously threaten the safety or health of an individual” re: Section 13
Reveal “personal information” and violate “personal privacy” re: Sections 14(1)(a), 38(a), and 38(b)
Reveal records related to a prosecution that is not yet completed re: Section 52(2.1)
Originally, the SSMPS offered to release partial information (the total dollar amount billed), but wouldn’t budge on revealing the name of the company.
It’s almost unheard of for a recipient of public funds to remain anonymous.
In fact, it strains the mind thinking of a situation in which that would be acceptable to anyone.
Anonymity in this context would mean that public funds are being spent without anybody knowing where it’s actually going (aside from those cutting the cheque).
It raises potential red flags about the process of doling out public funds and all the accountability and transparency that everyone expects.
To make matters worse, the SSMPS invoked sections of the applicable legislation that have absolutely no connection to the information requested.
According to them, the third party involved (the company) wanted to remain anonymous and they were staunch in that position.
I subsequently filed an appeal with the Information and Privacy Commissioner (IPC) of Ontario.
It took over nine months (!), but the appeal has been settled.
On September 30th, the SSMPS finally relented, after consulting with the mediator from the IPC assigned to my appeal.
The company assisting the SSMPS is Aegisys Cloud Solutions of Sudbury. On their website, they describe themselves as ‘disaster recovery specialists.’
Between August and December of 2021, they completed work totalling $38,097.37.
According to the SSMPS, no work was completed by Aegisys after December of 2021.
Had the appeal progressed to the tribunal stage, the SSMPS almost certainly would have lost their bid to maintain the anonymity of the company.
In their letter from September 30, they write:
Exercises of discretion and decisions were arrived at after careful consideration and review of all relevant facts, with each set of circumstances being considered separately. The response by the institution to the requestor has been arrived at in good faith and after much careful consideration without prejudice.
The fact that it took this long to reveal basic details about public expenditure is deeply troubling, especially since so little information has been released about the cyberattack thus far.
Compounding this lack of information - and despite the wide-ranging impacts of the cyberattack - very little has been asked about it within local media.
As I noted in a recent story from Sault This Week, details about the nature and effects of the cyberattack have been few and far between (at best).
For example, neither the SSMPS nor the Ministry of the Solicitor General responded to questions about how the cyberattack may affect the prosecution of criminal cases going forward.
However, it appears as though that’s happening.
Some speculated that the SSMPS may have deliberately withheld public disclosure of criminal charges against Dr. Mark Jenkins after an ordeal including evidence of intoxication, a police pursuit, and a serious collision. Details of Jenkins’s eventual plea deal were first reported by Doug Millroy (at Sault This Week and Sault Online).
A relatively small but important detail in a subsequent story from Kenneth Armstrong (at SooToday) relates to missing evidence at the SSMPS, including photos of the collision and radio communication recordings.
The missing evidence was attributed to “a technology issue affecting the Sault Ste. Marie Police Service” by the Crown.
In 2017, a major accounting firm - KPMG - was contracted to offer a strategic plan for the SSMPS following in-depth analysis of the latter.
The executive summary of the resulting plan included several recommendations related to cybersecurity and digital infrastructure. In a subsection of the summary titled ‘strategic IT investment,’ the first recommendation reads:
Implement a cloud computing solution for software applications that allow for the storage of data on the cloud. The cloud computing would provide increased disaster recovery capabilities, reduce maintenance requirements for the SSMPS IT technicians and increased data access and mobility for cloud based applications such as ‘Track My Crime.’
It’s listed as a ‘medium term’ recommendation that entails an implementation period between two and three years.
Given the voluminous amount of data that’s been erased, it’s unlikely this recommendation was heeded.
A bit later in the report, in the section that includes ‘findings and observations’ related specifically to strategic IT investment, KPMG notes this: “There is limited IT disaster recovery capabilities for the SSMPS.”
One of KPMG’s ‘findings and observations’ in the same section was redacted before the SSMPS released the report. When asked to reconsider the redaction, the SSMPS refused.
If an absence of cybersecurity best practices might affect the Crown’s ability to prosecute criminal cases, the public ought to know about that.
Similarly, if public funds are paying for well-researched recommendations, we shouldn’t expect them to collect dust.