Disclosure of Canadian Forces members’ medical records by DND authorized under Privacy Act although record retention practices were insufficient
Complaint under the Privacy Act
June 4, 2018
Summary of Investigation
- The complainants allege that the Department of National Defence’s (DND) Directorate of Access to Information and Privacy (DAIP) is improperly granting full access to deceased Canadian Forces (CF) members’ medical records under paragraph 8(2)(e) [Footnote 1] of the Privacy Act (the Act) upon request by Military Police (MP) investigators with the Canadian Forces National Investigation Service (CF-NIS) when conducting “sudden death suicide investigations.”
- The complaint was investigated in accordance with subparagraph 29(1)(h)(ii) of the Act, which states that the Privacy Commissioner shall receive and investigate complaints in respect of any matter relating to the use or disclosure of personal information under the control of a government institution. As such, our investigation focused on the DAIP’s policies and procedures with respect to its handling of requests for disclosure of personal information under paragraph 8(2)(e) by the CF-NIS for the purposes of sudden death investigations, including suicides.
- The complainants made the following specific allegation with respect to the DAIP’s practices regarding the disclosure of personal information to the CF-NIS:
CF-NIS Sudden Death Investigation policy is found in the Military Police Policies and Technical Procedures Guide, and in investigating a suicide, a sudden death investigation is limited to determining whether or not a victim died at their own hand, or whether foul play was involved. Where the death is a suspected suicide, the CF-NIS Standard Operating Procedures (SOP) states that the focus of a suicide investigation should be limited to “determining that the wounds to the subject were in fact, self-inflicted.”
We believe that currently, section 8(2)(e) Privacy Act requests, made by CF-NIS investigators in support of a suicide investigation, are being honoured by [DAIP] staff without giving due consideration to the necessity for these records.
- The complainants take the position that the wording of paragraph 8(2)(e) creates a positive obligation for the government institution holding the personal information being requested to ensure that the records are disclosed only if they would aid in a lawful investigation.
- The complainants allege that despite this obligation, the DAIP routinely discloses the full medical history of deceased CF members on request by CF-NIS investigators without fully considering the necessity of the records to the investigation.
- In support of this position, the complainants refer to the CF-NIS “Suicide and Attempted Suicide Investigation” policy found in the Military Police Policies and Technical Procedures (MPPTP), [Footnote 2] which states:
The investigation into suicide or attempted suicide should focus on determining that the wounds to the subject were in fact, self-inflicted. National Counter-intelligence Unit (NCIU) should be notified of incidents where the subject holds a security clearance of level 3 or higher or where there are indications that the employee may have been involved in a security violation, breach or offence. Administrative details (previous attempts, possible causes, marital status, alcohol or drug dependencies, etc.) need not be actively pursued and should only be reported if they are offered unsolicited to MP. It must be recognized that a Board of Inquiry or Summary Investigation designed to determine the administrative details will be initiated and will report relevant facts to the appropriate departmental authority.
- Similarly, the CF-NIS Standard Operation Procedure, Chapter 2: “Police Operations – Sudden Death Investigations & Next of Kin Briefings,” states at paragraph 3:
All suspicious deaths will be handled [in accordance with] the same stringent standard as a sudden death until determined otherwise by the investigative process. Classifications of death include: Homicide, Suicide, Accidental ([Motor Vehicle Accident] and Industrial) and Natural. [In accordance with] MPPTP the investigation into attempted suicide or suicide should focus on determining that the wounds to the subject were in fact, self-inflicted. It must be recognized that a Board of Inquiry or Summary Investigation is designed to determine the administrative details and will report relevant facts to the appropriate departmental authority. Notably, investigation of apparent suicides is a difficult process. Do not make assumptions or lose evidence based on misconceptions and inexperience. A thorough investigation may be required, prior to making a determination of suicide.
- By way of example, the complainants provided a copy of the “Request for Disclosure to Federal Investigative Bodies” form (“the 8(2)(e) request form”) that was submitted to the DAIP by the CF-NIS relating to the investigation of the death of their son, a CF member, who took his own life at a CF Base. The request, which was ultimately approved by the DAIP, asked for all records pertaining to the complainants’ son’s mental health and personal or family medical history. The request provided the following justification:
This information is required by this investigative body as part of the CF-NIS investigation into the apparent suicide of [the deceased CF member]. These documents will assist in determining [the deceased CF member’s] state of mind, and any condition or medications that may have affected his mental state, prior to his death. They will also provide evidence to assist in determining if [the deceased CF member’s] actions were influenced by medications, alcohol, their side effects, or withdrawal symptoms. This information will be useful to show what medications may have been in his system at the time of death and can be compared with toxicology results to determine if any non-prescribed substances may have played a role in [the deceased CF member’s] death.
- The complainants take the position that requests of this type for the disclosure of such sensitive personal medical information by CF-NIS investigators are not permissible under paragraph 8(2)(e) and should therefore be denied by the DAIP. They argue that the investigation of a suspected or attempted suicide is limited to the determination of whether injuries were self-inflicted and that requesting access to personal medical records is not necessary for making such a determination.
- At the outset of our investigation, we asked that DND provide us with all policies relating to the DAIP’s handling of personal information disclosure requests under paragraph 8(2)(e) of the Act for the purposes of sudden death and suicide investigations. In response to our request, DND advised:
Ultimately all decisions regarding disclosure of personal information within DND/CAF for the purpose of any investigation is managed under paragraph 8(2)(e). As such, this is the overriding “policy” on the subject. Currently, the authority for the consideration of such disclosure is limited to only the Director and/or the Deputy Director Privacy Operations, and so no formal “operating procedure” has been deemed necessary. As part of an ongoing business process review (BPR) DAIP is currently considering the benefit of recording and formalizing the steps inherent in the process. [Footnote 3]
- DND provided us with a copy of its “Access to Information Act and Privacy Act Designation Order,” signed July 28, 2011, by the Minister of National Defence. The Designation Order states that the person or persons holding the position of Director or Deputy Director Access to Information and Privacy is designated under section 73 of the Privacy Act to exercise or perform all of the powers, duties, and functions of the head of the government institution under the Act.
- DND also provided us with copies of several relevant policies describing how disclosure requests to the DAIP under paragraph 8(2)(e) of the Act should be made.
- DND identified Defence Administrative Orders and Directive (DAOD) 1002-3, “Management of Personal Information,” [Footnote 4] which outlines general DND/CF policies with respect to the disclosure of personal information to federal investigative bodies. According to DAOD 1002-3, a request for personal information from a federal investigative body (such as the MP) under paragraph 8(2)(e) of the Act must be in written form, it must describe the information required, and it must describe the purpose for which it is required. Such requests may only be authorized by the DAIP. DAOD 1002-3 also states that a copy of every written request received and the personal information disclosed (if any) must be retained for a minimum of two years.
- Similarly, DND’s Medical Directive 1/04, “Disclosure of Personal Health Information,” details the same considerations relating to requests to the DAIP by specified investigative bodies under paragraph 8(2)(e) of the Act, which includes requests by the MP.
- DND also identified PPE 810 (Medical Records) as the appropriate personal information bank (PIB) where the information and its consistent uses are described. According to DND PPE 810, this bank describes personal information related to assessments of medical fitness to perform duties as a serving CF member, as well as information related to care given to CF members and other individuals at CF Medical Clinics. The consistent uses of information held in DND PPE 810 include:
Specific information relevant to an incident of death or injury may be disclosed to a Summary Investigation and any other mandated DND/CF accident or hazardous occurrence investigation to a Board of Inquiry (Personal Information Bank no. DND PPU 832, Boards of Inquiry/Summary Investigations), the CF MP (Personal Information Bank no. DND PPE 835, Military Police Investigation Case Files), and specified Investigative Bodies for the purpose of carrying out a lawful investigation, to Provincial and Municipal Authorities according to existing statutes, and as required for use in judicial proceedings.
- In addition to the consistent uses of personal medical information described in DND PPE 810, DND cited subsection 45(1) of the National Defence Act as the legislative authority for its disclosure to a Board of Inquiry. This particular provision does not appear to be relevant to the matter at hand, since the complaint does not relate to disclosures to a Board of Inquiry.
- During the course of the investigation, we asked for data regarding 8(2)(e) disclosure requests handled by the DAIP. DND advised that the total number of disclosures made by the DAIP in response to requests made under 8(2)(e) was 647 between fiscal years 2008/2009 and 2012/2013. DND also advised that, consistent with the aforementioned policies, the DAIP retains records relating to 8(2)(e) requests for a minimum of two years. However, it does not classify disclosure by type (e.g., “sudden death” or “suicide”) in its electronic case management system.
- DND provided us with access to all of the records that the DAIP had retained relating to 8(2)(e) requests received for fiscal years 2010/2011 and 2011/2012, as well as two additional requests from fiscal year 2009/2010. The investigator identified and reviewed all requests where the apparent purpose for the request was the investigation of a sudden death or suicide by the CF-NIS. In total, records relating to nine requests for personal information for the purposes of sudden death or suicide investigations were located, relating to six deceased CF members.
- Our review of the records relating to the nine CF-NIS disclosure requests revealed that one was for an applicant file, one was for a personnel file, and one request was subsequently cancelled by the requester before it was processed. The remaining six requests were for CF member medical files, which are squarely within the scope of our investigation. Five of those requests were made in 2011 and one was made in 2012. [Footnote 5]
- The records relating to each of the six requests at issue consist of printed emails to which a completed “Request for Disclosure to Federal Investigative Bodies” form had been attached and sent to the Deputy Director of the DAIP by either the CF MP Access to Information and Privacy (ATIP) Coordinator or Manager, who submitted the requests on behalf of CF-NIS investigators. However, in only three cases was DND able to provide us with copies of the 8(2)(e) request forms that had been attached to the emails. In two of those cases, the versions that were provided to us had been approved and signed off by the DAIP. In the third case, the form was incomplete and had not been signed off by the DAIP.
- In the three remaining cases where the 8(2)(e) request forms were not retained on file, the records provided to us by DND consisted solely of emails between the Deputy Director of the DAIP and the CF MP ATIP Coordinator regarding the requests.
- We note that the emails on file demonstrate that in three of the six cases at issue, the Deputy Director of the DAIP requested additional information from the CF MP ATIP Coordinator in order to establish the necessity of the personal information being requested before exercising its discretion to disclose. Also, in three cases, there were handwritten notations made on the printed emails or signed request forms regarding the resulting disclosures, but in one case, the notation was illegible.
- According to the information on file, in sum, the justifications for the requests for medical records that we reviewed – either in the 8(2)(e) request forms themselves or in the emails kept on file – are that they were made for the purposes of determining the individual’s physical and mental health prior to their death, and/or to assist in determining the reason for the sudden death. [Footnote 6]
- For example, in one instance, the Deputy Director of the DAIP asked the CF MP ATIP Coordinator to make the following inquiry with the CF-NIS investigator:
Would you please inquire why they would need the complete files instead of specific information in order to comply with their investigations. I will await the above additional information prior to approve [sic] these requests.
Thank you for your query into the request. The investigator is conducting a lawful investigation into the sudden death of a CF member. The investigator is attempting to ascertain if there is anything from the member’s past history, employment, conduct records, career, travel – basically complete military life, that would assist him in determining the reason for the sudden death.... is there a connection / pattern with what occurred years past with the cause of the sudden death.
- In another instance, the Deputy Director of the DAIP made the following request for clarification to the CF MP ATIP Coordinator:
Since there are many [sic] medical information requested, we will need the Investigator to be more specific on the kind of investigation [in which the subject member] is involved.
I have spoken to the investigator and reviewed the GO [General Occurrence report] in question. I can confirm this investigation is into the death (suicide) of the member named and described in the 8(2)(e). Please contact me to obtain further information.
- As detailed above, both the CF-NIS “Suicide and Attempted Suicide Investigation” policy and the CF-NIS Standard Operation Procedure state that the primary focus of an investigation into suicide or attempted suicide should be on determining whether the wounds to the subject were in fact self-inflicted, and that administrative details such as previous attempts, possible causes, marital status, alcohol or drug dependencies, should not be actively pursued as part of a suicide investigation. The policy further states that these administrative details are properly dealt with by a Board of Inquiry or Summary Investigation.
- Implicit in the complainants’ allegations is that the CF-NIS investigators were in fact focusing on the administrative details that should not have been actively pursued as per CF-NIS policy and procedure. Therefore, the investigators’ requests for medical records ought to have been denied by the DAIP.
- DND takes the position that
(a) an investigation conducted contrary to CF MP or CF-NIS policies should not automatically be considered an unlawful investigation, since the MP may have the lawful authority to conduct an investigation despite a policy stating that it will not exercise that authority; and
(b) a breach of an MP policy is a matter for the MP chain of command, a professional standards review, or the Military Police Complaints Commission (MPCC) to consider and address, not the DAIP. Specifically, DND’s written representations stated:
Unless the request is invalid on its face this office ought not to look behind the request to attempt to determine the appropriateness of the request or the necessity of information to the investigation. It’s sufficient if the requesting body specifies the purpose and describes the information sought. It is also important not to equate ‘carrying out a lawful investigation’ with ‘carrying out an investigation in a lawful manner’. We would suggest that the former relates to the facial validity of the request, while the latter remains the purview of the oversight agencies (such as professional standards and the MPCC) and the court.
- DND believes that the DAIP need not “look behind a facially valid 8(2)(e) request from the MP in the course of an investigation, as this risks interfering with police independence and the mandate of existing oversight bodies, such as the CF MP chain of command, professional standards, and the MPCC.” DND then went on to state:
When an investigative body has the authority to carry out such an investigation, the institution head can assume that the investigation being carried out is a lawful investigation … Accordingly, when exercising its discretion on para. 8(2)(e) matters, we (DAIP) should assume that the CF-NIS has the authority to conduct the investigation and that we don’t need to make sure the MP (and the CF-NIS) are in compliance with their own internal policies (this is not our mandate).
- In support of this position, DND argued that the policies in question were found by the MPCC to be deficient in 2015 in the matter of the Fynes Public Interest Hearing. [Footnote 7] The provisions of the CF-NIS policies that stated that administrative details need not be explored in suicide investigations have since been removed from the policy because the MPCC concluded that they placed undue limitations on an investigator in collecting information that was both relevant and necessary for the purposes of their investigation.
- More precisely, the MPCC recommended the deletion of the portion of the MPPTP “Suicide and Attempted Suicide” (Chapter 7, Annex I), which stated that “Administrative details (previous attempts, possible causes, marital status, alcohol or drug dependencies, etc.) need not be actively pursued and should only be reported if they are offered unsolicited to MP …” and that this deletion be replaced with a provision instructing investigators to “gain a comprehensive understanding of the background of the deceased, including medical and psychological state (medication or alcohol consumption)” (Recommendation 6, page 938).
- DND also asserted that, in disclosing personal medical information under paragraph 8(2)(e) of the Act, it follows the Treasury Board Secretariat (TBS) Directive on Privacy Practices [Footnote 8] (the “TBS Directive”) as the appropriate authority when considering such a disclosure, since all government institutions must comply with the directive.
- Appendix C of the TBS Directive requires that the written 8(2)(e) requests contain the following information:
  - the name of the investigative body;
  - the name of the individual who is the subject of the request or some other personal identifier;
  - the purpose of the request and a description of the information to be disclosed;
  - the section of the federal or provincial statute under which the investigative activity is being undertaken; and
  - the name, title, and signature of the member of the investigative body filing the request.
- The TBS Directive also requires that government institutions retain a record of disclosure for all fulfilled 8(2)(e) requests and that a separate PIB be maintained for all records of disclosure to federal investigative bodies, including copies of the information that was disclosed to the requester. Accordingly, the record of disclosure should contain the following:
  - clear indication as to whether the request was granted or refused;
  - the date the request was received;
  - the PIBs in which the disclosed information is held;
  - the specific personal information, record or file that was disclosed;
  - the name, title, and signature of the official who authorized the response; and
  - the name of the institution to which the information was disclosed.
- DND takes the position that the DAIP adhered to the terms of each of these specific conditions as well as the requirements set out in paragraph 8(2)(e) of the Act.
- When we asked the DAIP to review copies of the records that were disclosed to the CF-NIS, we were advised that it did not retain copies of the records for the following reasons:
DAIP did not seek, obtain, or retain any copies of the actual records of personal information about the named individuals specific to the authority we granted to the CF MP under paragraph 8(2)(e) of the Privacy Act. Our position is that we “granted authority for disclosure” of the records requested … we did not administer that disclosure. Further, as the original records would be retained in their proper place (within the medical system, or personnel office, etc.), to retain an additional copy of these records in DAIP systems would not represent a privacy protective strategy (any individual concerned may request access of the records related to the DAIP function … that is, the authorization of disclosure and/or to the overall original records). Therefore, we have no records to provide to OPC that would specifically answer your question more accurately than what has already been given.
If what you would like to see are the complete files for which authority was granted (for example, the complete medical and personnel files of [one of the deceased CF members], our office will request that copies be provided by the relevant OPI [Office of Primary Interest]. But again, to be clear these would be the complete files, and not any specific records retained by DAIP of what the CF MP viewed or collected.
- DND advised us that in all cases, unless otherwise noted on the approved versions of the 8(2)(e) request forms, all of the requested records would have been disclosed to the CF-NIS. We confirmed that the “Request Disposition” field in the DAIP’s electronic case management system indicated “All disclosed” for all six of the requests in question.
- In making our determination, we considered sections 3 and 8 of the Act, as well as section 7 of the Privacy Regulations (SOR/83-508).
- Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
- The information at issue includes medical and mental health information residing in DND PPE 810 (Medical Records). This is personal information as defined in section 3 of the Act. This Office considers medical information to be particularly sensitive personal information.
- The Act states that personal information can only be disclosed with an individual's consent – subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
- As detailed above, our investigation focused on requests for personal medical information made by the CF-NIS to the DAIP under paragraph 8(2)(e) of the Act specifically for the purpose of sudden death investigations, including suicides.
- The wording of paragraph 8(2)(e) sets out the preconditions that must be met for a disclosure to an investigative body to be authorized under this provision without the consent of the individual to whom the information relates:
8(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
(e) to an investigative body specified in the regulations, on the written request of the body, for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation, if the request specifies the purpose and describes the information to be disclosed.
- Also relevant to our analysis is subsection 8(4) of the Act, which imposes an obligation on the institution to retain records relating to requests and disclosures made under paragraph 8(2)(e):
The head of a government institution shall retain a copy of every request received by the government institution under paragraph (8)(2)(e) for such period of time as may be prescribed by regulation, shall keep a record of any information disclosed pursuant to the request for such period of time as may be prescribed by regulation and shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner.
- Section 7 of the Privacy Regulations provides a minimum retention period of two years for information relating to requests under paragraph 8(2)(e) of the Act:
The head of a government institution shall retain for a period of at least two years following the date on which a request for access to personal information is received by the institution under paragraph 8(2)(e) of the Act
  - a copy of every request received; and
  - a record of any information disclosed pursuant to such a request.
Were the disclosures authorized under paragraph 8(2)(e)?
- Paragraph 8(2)(e) allows for disclosures of personal information without the consent of the individual concerned within the circumstances enumerated in the provision. This provision does not provide investigative bodies with a right of access to personal information. Rather, as noted in the TBS Directive, paragraph 8(2)(e) “leaves the disclosure decision to the discretion of the institution that has control of the information once the relevant criteria have been met.”
- In terms of the relevant criteria to be met, with respect to the first precondition set out in paragraph 8(2)(e) of the Act, the CF MP is an investigative body as specified in Schedule II of the Privacy Regulations (SOR/83-508). The CF-NIS is the investigative arm of the MP.
- With respect to the second precondition set out in paragraph 8(2)(e) of the Act, although DND only retained copies of three 8(2)(e) request forms, it appears that all six requests in question were made in writing by the CF-NIS to the DAIP.
- We accept that the 8(2)(e) disclosure requests by the CF-NIS fulfill the first two preconditions.
- The third precondition of paragraph 8(2)(e) requires that the request be for the purpose of enforcing any law of Canada or a province or carrying out a lawful investigation and that the request specify the purpose and provide a description of the information requested. Five of the six requests at issue (and/or supporting materials) specified the purpose as being either a sudden death investigation (in four cases) or a suicide investigation (in one case) and provided a description of the requested information. We were not able to determine the specific purpose of the remaining case for which only email records existed.
- Nevertheless, we observed that none of these requests specified the section of the statute under which the investigative action was said to be taken.
- Although not expressly required under paragraph 8(2)(e), the TBS Directive requires that the section of the federal or provincial statute under which the investigative activity is being undertaken be stated in an 8(2)(e) request. Despite the fact that TBS’ “Request for Disclosure to Federal Investigative Bodies” form (TBC 350-56E(93/02)) includes a field for the requester to provide the “Federal or Provincial statute, section, or description of purpose” pursuant to which the request is being made, all three of the requests for which we were provided copies of the 8(2)(e) request forms simply referenced either the National Defence Act or “Sudden Death Investigation” as the authority for the request (see also the justifications cited at paragraphs 24-25 of this report).
- As detailed at paragraph 28 of this report, DND takes the position that it is not required to question the authority of an investigative body, stating that “It’s sufficient if the requesting body specifies the purpose and describes the information sought.” In DND’s view, the responsibility for determining the lawfulness of an investigation rests with the investigative body.
- Specifying the legal source that authorizes the requesting institution to conduct a lawful investigation is more than a mere technical requirement under the TBS Directive. In our view, ensuring that the investigative body has described the authority under which the investigation is being conducted would provide a means for the DAIP to confirm – at least on its face – that the request is for a “lawful investigation.” At the same time, it would promote accountability on the part of the investigative body making the request. This level of due diligence appears to have been recognized in the TBS Directive, which indicates that requests should include a reference to the statutory provision under which the investigation is being undertaken. Accordingly, in addition to confirming the other conditions noted above, we would expect any institution making a disclosure under paragraph 8(2)(e) for purposes of a lawful investigation to ensure that the requesting institution has adequately described the authority to do so.
- The main basis for the complainants’ allegation that the DAIP does not give proper consideration to the necessity of the records prior to disclosure of medical information for purposes of suicide investigations relates to the CF’s investigative policies. The complainants argue that the requests would have been contrary to CF-NIS policies and procedures, which, at the time, limited the scope of the CF-NIS suicide investigations to determining whether wounds to a suicide victim were self-inflicted. In response, DND asserts that it was not required to conclusively determine whether the CF-NIS was acting in accordance with its policies and that in any event, these policies have since been found to be overly narrow and have been changed to indicate a broader range of information that may be relevant for suicide investigations.
- We note that with respect to a prior complaint made by the complainants against DND that was investigated by our office in 2012, the former Assistant Privacy Commissioner indicated that an institution disclosing personal information in accordance with paragraph 8(2)(e) is expected to demonstrate and document that the personal information in question is necessary to achieve the specific and legitimate purpose of the requesting party. [Footnote 9]
- However, with respect to the appropriate scope of information, it is important to bear in mind that the investigative body also has an obligation under the Privacy Act to ensure it collects only personal information that relates directly to its operating program or activity. [Footnote 10]
- In our view, the primary onus for demonstrating that link lies with the investigative body requesting the information. However, the disclosing organization also has a responsibility for assessing whether the investigative body requesting the personal information meets the requirements of paragraph 8(2)(e), including a prima facie case that the requester is seeking only personal information directly related to its investigation. Based on the requests and related records we were able to review during the course of our investigation, we are satisfied that the DAIP, as a matter of practice, has met its due diligence obligations in this regard.
- In particular, all of the requests we were able to review set out the purpose for the records sought and in some cases provided an explanation of why the information was needed for the stated purposes. Our review of these records revealed that in some cases, the Deputy Director of the DAIP requested more specific information regarding either the scope of the investigation or the breadth of the records being requested before the record retrieval was actioned. Although in some cases, the Deputy Director received very basic justifications for the requests, on the whole it would appear that in the course of approving the requests, a sufficient degree of scrutiny was given to the requests that we reviewed.
- However, if a request was received that was deficient on its face, such as to call into question whether the information sought is directly related to the investigative body’s stated purposes, we would expect the DAIP to subject the request to additional scrutiny.
Are the DAIP’s recordkeeping practices consistent with the Act?
- While not part of the complainants’ allegations, our investigation revealed deficiencies in the DAIP’s recordkeeping practices with respect to the requests received and the information disclosed under paragraph 8(2)(e).
- The wording of subsection 8(4) of the Act states that the institution “shall retain a copy of every request received by the government institution under paragraph 8(2)(e)” and “shall keep a record of any information disclosed pursuant to the request.” Both must be retained “for such period of time as may be prescribed by regulation …” Section 7 of the Privacy Regulations imposes a minimum retention period of two years for these records. Subsection 8(4) goes on to state that the institution “shall, on the request of the Privacy Commissioner, make those copies and records available to the Privacy Commissioner.”
- DND failed to meet its obligations under subsection 8(4) of the Act and section 7 of the Privacy Regulations in that the DAIP failed to retain the 8(2)(e) request forms in three of the six cases that we reviewed.Footnote 11
- In terms of maintaining a record of each disclosure, while we were able to determine that the requested medical records were disclosed in all cases, the records regarding these disclosures were found in various locations. For example, to determine the extent of the information that was disclosed in each case, we are left to rely on the “All disclosed” entries made in the DAIP’s electronic case management system along with some hand-written notes made on the request forms or related emails. In our view, DND could improve its record-keeping practices by having one comprehensive record regarding each 8(2)(e) disclosure.
- Based on the foregoing, we find the complainants’ allegation that DND failed to properly assess the necessity of the information sought in response to requests under paragraph 8(2)(e) to be not well-founded for the reasons provided at paragraphs 55-60 of this report.
- However, although not expressly required in the Act, the OPC is of the view that, as a best practice, the DAIP should verify that the investigative body making the request under paragraph 8(2)(e) has indicated the section of the statute under which the investigative activity is being undertaken, in line with the TBS Directive.
- We also find that the DAIP failed to meet its obligations with respect to the retention of requests made under paragraph 8(2)(e) as set out in subsection 8(4) of the Act. In addition, we are of the view that the DAIP could improve its practices for keeping records of disclosures made under paragraph 8(2)(e).
- To address the specific concerns noted above, we formally recommended to DND that it update its policies and procedures to ensure the following:
  - In all cases, copies of the 8(2)(e) request forms must be retained on file as per the retention requirements set out in subsection 8(4) of the Act and section 7 of the Privacy Regulations;
  - DND confirms that the authority under which the requesting organization’s lawful investigation is being conducted is referenced as part of a request under paragraph 8(2)(e);
  - DND keeps a more comprehensive record of disclosures made under paragraph 8(2)(e).
- We also asked that DND report back to this Office within six months to advise of any actions that have been taken to implement these recommendations.
- In a response dated May 17, 2018, the Deputy Minister of National Defence confirmed that DND will conduct a review of its policies and procedures with a view to implementing our recommendations and that DND’s Corporate Secretary will report back to our Office within six months to advise of the status of the review and the implementation of our recommendations.