Government of Canada
Symbol of the Government of Canada
Skip to content | Skip to institutional links

Common menu bar links

Home

Institutional links



InfoSource Bulletin 2003 - Privacy Act and Access to Information Act


Dzevad Cemerlic v. Solicitor General of Canada
Indexed as: Cemerlic v. Canada (Solicitor General)

File No.:

T-571-01

References:

2003 FCT 133; [2003] F.C.J. No. 191 (QL) (F.C.T.D.)

Date of decision:

February 7, 2003

Before:

Kelen J.

Section(s) of ATIA/PA:

Ss. 8(2)(m)(i), 16(2), 18, 19, 21, 26, 28, 47, 51 Privacy Act (PA); ss. 13(1), 14 Privacy Regulations

Abstract

  • No effort to obtain third party consent under para. 19(2)(a) and no evidence of established protocol
  • No evidence of discretionary balancing of competing interests as mandated under s. 26 and subpara. 8(2)(m)(i)
  • Requirement under s. 28 that head of institution assess requester's best interests
  • Reasonableness of policy of neither denying nor confirming existence of personal information

Issues

Did CSIS err by refusing to disclose personal information pursuant to the exemptions in ss. 19 (foreign government), 21 (international affairs and defence), 26 (third party information) and 28 (medical information) of the Act?

Did CSIS err by refusing to confirm or deny the existence of information in two personal information banks (national security and counterintelligence) pursuant to subs.16(2))?

Did CSIS undertake a proper search of the personal information banks which it claims contain no information on the applicant?

Facts

The applicant requested, pursuant to subs. 12(1) PA, that CSIS produce all information related to him in its personal information banks. CSIS informed the applicant that:

  • there was no information concerning the applicant in Bank Number: SIS PPU 015 (CSIS Records), Bank Number: SIS PPU 020 (Access Request Records), Bank Number: SIS PPU 025 (CSIS Candidates) and Bank Number: SIS PPU 040 (Unlawful Conduct Investigations);
  • respondent was disclosing 32 pages of information found in Bank Number: SIS PPU 005 (Security Assessments / Advice), but was applying exemptions to some of the information pursuant to ss. 19 and 21 of the Act;
  • respondent was disclosing 49 pages of information found in Bank Number: SIS PPU 035 (Complaints Against CSIS or Its Employees), but was applying exemptions to some of the information pursuant to s. 21;
  • respondent was disclosing 5 pages of information found in Bank Number: SIS PPU 055 (Security and Integrity of Government Property, Personnel and Assets), but was applying exemptions to some of the information pursuant to ss. 21, 26 and 28;
  • Bank Number: SIS PPU 045 (CSIS Investigational Records) has been designated an exempt bank and the respondent refused to confirm or deny whether personal information about the applicant existed in the bank; and that
  • in accordance with subs. 16(2) of the Act, the respondent refused to indicate whether personal information about the applicant existed in Bank Number: SIS PPU 050 (Self Protection Activity).

The applicant filed a complaint with the Privacy Commissioner alleging CSIS had denied him access to his personal information in banks 005, 035, 040 and 055. The Commissioner responded that CSIS had the authority to refuse to grant access to some of the requested information held in banks PPU 005, 035 and 055 and confirmed that CSIS searched bank PPU 040 in order to locate personal information about the applicant and that none was found. The Commissioner also confirmed that CSIS had undertaken a search for information in banks 015, 020 and 025, but did not find any information related to the applicant in these banks. The Commissioner was also satisfied that the response received by the applicant from CSIS with respect to banks 045 and 050 was in accordance with the requirements of the Act.

The applicant seeks judicial review of the respondent's refusal to disclose some of the information sought.

Decision

The matter was returned to CSIS for a new review of the application of ss. 19, 26 and 28 to personal information banks 005 and 055. CSIS complied with the Act by searching its records for information about the applicant, and providing almost all of this information to the applicant, and informing the applicant that no information about him existed in its other information banks.

Reasons

The Court addressed two preliminary issues.

Firstly, the hearing was conducted in an open court, with the exception of the details of the exemptions claimed by the government under para. 19(1)(a) and s. 21 PA which were conducted in camera and ex parte as required by s. 51 PA. This process was in accordance with the Supreme Court of Canada decision in Ruby v. Canada (Solicitor General), 2002 SCC 75 (reversing in part [2000] 3 F.C. 589 (C.A.)).

Secondly, with respect to the burden of proof, the Court adopted the approach set out in Kelly v. Canada (Solicitor General) (1992), 53 F.T.R.147 (F.C.T.D.). Hence, mandatory exemptions and factual determinations are to be assessed on a correctness standard. With respect to discretionary decisions, the Court will assess whether the government institution has exercised its discretion "within proper limits and on proper principles": Ruby (F.C.A.), at para. 39, and "in good faith and for some reason which is rationally connected to the purpose for which the discretion was granted": Kelly at p. 149.

Issue 1
(a) S. 19-Information received in confidence from foreign government
Section 19 is a qualified mandatory exemption: disclosure must be refused unless the government institution consents to the disclosure of the information or makes the information public. Paragraph 19(2)(a) creates a "consent requirement" which requires, in the words of the Court of Appeal in Ruby, supra, "a request to the head of that government institution to make reasonable efforts to seek the consent of the third party who provided the information" (para. 110). The evidence did not show that CSIS made any efforts to obtain consent to release the information from the third party who provided it.

The Court did not agree with the respondent's submission that the seeking of consent did not need to be done on a case-by-case basis. The statements of the Court of Appeal in Ruby at para. 110 were interpreted as waiving the requirement for a government institution to seek consent if it is acting pursuant to an established protocol that respects the spirit and the letter of the Act and the exemption. Other than a general statement that this information was received "in confidence", the respondent has not provided the Court with evidence of an established protocol regarding the release of personal information. The respondent must do more than simply assert information received "in confidence" to meet its obligation under para. 19(2)(a).

Moreover, the respondent's assertion that it is within the discretion of the government institution to determine what is appropriate in each case does not respect the spirit of the Act, which requires a government institution to justify the withholding of personal information. To allow a government institution to decide what is appropriate in every case would undermine the very purpose of the "consent requirement" in para. 19(2)(a). As applicants generally do not know the nature of the withheld information or from whom it was obtained, in the majority of cases it will be virtually impossible for an applicant to obtain the consent of the third party. As such, allowing a government institution to determine when consent will be sought renders para. 19(2)(a) meaningless.

(b) S. 21-Information injurious to international affairs and defence
Based on both the public and confidential affidavits of the Director General of Internal Security for CSIS, and in light of MacKay J.'s statement in Ternette v. Canada (Solicitor General), [1992] 2 F.C. 75 (T.D.), pertaining to the "mosaic effect" of information, the respondent successfully demonstrated that the information fell within the exemption found in s. 21. While the release of the exempted information in this case alone might be insignificant, if such information was disclosed on a regular basis, it would undoubtedly threaten the integrity of CSIS operations. Further, the Court reviewed the exempted information and found that it only concerned CSIS' methods of cross-referencing, filing and categorizing information and was not relevant to the applicant's personal situation.

(c) S. 26-Third party information
Section 26 prohibits the disclosure of personal information concerning a third party without the consent of the third party unless one of the circumstances enumerated in subs. 8(2) applies. Section 26, like s. 19, can therefore be described as a qualified mandatory exemption.

Section 26 requires a government institution to consider subpara. 8(2)(m)(i) and to conduct a discretionary balancing of the public interest in disclosure, against the right to privacy of third parties (Ruby (F.C.A.), paras. 121 and 124).

The Court was not satisfied that CSIS conducted a discretionary balancing of the competing interests involved in applying the exemption found in s. 26. The only evidence on this issue was a blanket statement by CSIS that some personal information was exempted pursuant to s. 26 because it concerned identifiable individuals. While the Court accepted that the withheld information concerned third parties and fell within the scope of s. 26, the Court found that CSIS failed to balance the privacy interests of the third parties involved with the fact that the withheld information simply contained names of third persons identified by the applicant in his discussions with CSIS.

(d) S. 28-Medical information
There are two requirements that must be met before s. 28 can be applied. The first requirement is that the information in question must relate to the physical or mental health of the individual who requested it, of which there is no question in this case. The second requirement is an assessment by the head of a government institution on whether the release of the requested information is in the best interests of the individual.

A government institution bears a heavy onus in justifying an exemption under s. 28. Unlike the other exemptions in the Act, which balance an individual's right to personal information with the interests of others, s. 28 involves a balancing of an individual's right to personal information with his or her own best interests as determined by the head of a government institution. In our society, individuals are generally entitled to decide what is in their own best interests. This entitlement should not be taken away lightly.

There was no indication that CSIS engaged in any form of analysis as to what was in the best interests of the applicant. Furthermore, there was no consultation with a duly qualified medical practitioner or psychologist (as authorized under subs. 13(1) of the Privacy Regulations), nor any consideration given to the possibility of allowing the applicant access in the presence of a duly qualified medical practitioner or psychologist (pursuant to s. 14 of the Privacy Regulations). While the failure to consider these two options was not in itself a reason to override CSIS' decision, it contributed to the Court's finding that CSIS failed to properly analyse what was in the best interests of the applicant as required by s. 28.

Issue 2
(a) Bank 045-CSIS investigations (national security)
Pursuant to s. 18, bank 045 has been designated as an exempt bank. Under subs. 18(2), a government institution may withhold information that is contained in an exempt bank.

Subsection 16(2) permits a government institution to adopt a policy of neither confirming nor denying the existence of information in a personal information bank (Ruby (F.C.A.), paras. 65-66). The implementation of a policy of this nature under subs. 16(2) involves an exercise of discretion by the government institution, which must be exercised reasonably in the context of the factual circumstances involved.

Bank 045 contains information on individuals who are or were under investigation by CSIS on the suspicion that they have been involved in activities that constitute a threat to the security of Canada. Like the situation in Ruby (F.C.A.), if CSIS revealed the existence or non-existence of information in bank 045 to a requesting party, it would in effect be disclosing to that individual whether they were a target of a CSIS investigation. In the context of these factual circumstances, the Court found CSIS acted reasonably in adopting a uniform policy of neither confirming nor denying the existence of information in bank 045.

(b) Bank 050-Counter intelligence information
The information in bank 050 is intended to support CSIS' counter intelligence program and allows CSIS to protect itself from infiltration by hostile foreign services and others whose interests are inimical to the interests of Canada. Acknowledging the existence of information in bank 050 would reveal to an individual whether he or she is the subject of a counter intelligence operation and would compromise the security of Canada by detrimentally affecting CSIS' ability to carry out counter intelligence operations. The Court found that the respondent properly exercised its discretion under subs.16(2) by refusing to confirm or deny the existence of personal information concerning the applicant in bank 050.

Issue 3
Based on the evidence, the Court was satisfied that there were no records relating to the applicant in information banks 015, 020, 025 and 040. The applicant reported that he had filed 930 "detailed complaints" with CSIS since 1999. Since the subject of this hearing was an application for access dated August 7, 1997, only personal records in existence on or before that date were relevant.



Date Modified: 2004-05-18
 

Top of Page
Important Notices