Cemerlic v. Canada (Solicitor General), 2003 FCT 133

June 2014

Summary: The Federal Court reviewed a decision by CSIS to refuse to disclose certain records under the Privacy Act, on a number of grounds.

Facts: The applicant believed that at one time he was the target of a CSIS investigation. He therefore filed a Privacy Act request with CSIS. CSIS produced a number of records, but refused to produce other records on the basis of s. 19 (information received in confidence from a foreign government), s. 21 (detecting, preventing or suppressing subversive or hostile activities), s. 26 (personal information about another individual) and s. 28 (medical records) of the Privacy Act. CSIS also refused to confirm whether there was any personal information about the applicant in a particular exempt bank. The Privacy Commissioner investigated and concluded that CSIS acted appropriately, but the applicant applied to Federal Court.

Result: The Federal Court upheld most of CSIS’s exclusions, but concluded that CSIS erred in its approach to the exclusions in ss. 19, 26 and 28.

Decision: The Federal Court dealt with the five issues (the four sections of the Privacy Act, and the decision not to confirm whether there was any personal information in an exempt bank) in order.

First, the Federal Court considered s. 19(1)(a) of the Privacy Act, which prohibits disclosure of information obtained in confidence form a foreign government. While this is a mandatory exemption, information withheld under s. 19(1) may be disclosed if the foreign government from which the information was obtained consents to the disclosure or makes the information public. The Court concluded that this created a positive obligation on the part of CSIS to either ask the foreign government for consent or establish a protocol regarding the release of this type of personal information. CSIS merely asserted that it received the information in confidence; therefore, the Court concluded that CSIS did not properly apply that exemption.

Second, the Court considered s. 21 of the Privacy Act. In order to claim the exemption in s. 21, the government institution must demonstrate there is a reasonable expectation of injury to the conduct of international affairs, the defence of Canada, or national security. The Court concluded that it was not necessary for CSIS to prove that the release of information in this case alone would cause injury; instead, CSIS was successful because it demonstrated that the release of this type of information on a regular basis would threaten the integrity of its national security operations.

Third, the Court considered s. 26 of the Privacy Act. The Court agreed with CSIS that the records contained personal information about other individuals. However, the Court found that CSIS did not consider whether the public interest in disclosure outweighed the invasion of privacy under s. 8(2)(m) of the Privacy Act. The Court concluded that CSIS must conduct this “discretionary balancing” and there was no evidence it had done so. The Court therefore ordered CSIS to reconsider its decision in light of s. 8(2)(m) of the Privacy Act.

Fourth, the Court considered s. 28 of the Privacy Act. This provision permits a government institution to refuse to disclose an individual’s own medical information when doing so would be contrary to the best interests of that individual. The Court concluded that there are two requirements that must be met: the information must relate to the physical or mental health of the individual, and there must be an assessment that the release of that information is not in the best interests of the individual. In this case, the information was clearly about health; however, CSIS did not meet the second element. The Court held that “a government institution bears a heavy onus in justifying an exemption under section 28” because, generally, individuals are entitled to decide what is in their own best interests. There was no evidence that CSIS engaged in any form of analysis into the best interests of the applicant. The Court also concluded that while it is not necessary for CSIS to consult with a medical practitioner before making this decision, the failure to do so is a contributing factor in how CSIS failed to properly analyze the applicant’s best interests.

Finally, the Court considered CSIS’s decision to refuse to confirm or deny the existence of information in an exempt bank under s. 16 of the Privacy Act. The Court was satisfied that if CSIS revealed the existence or non-existence of information in that exempt bank it would in effect be disclosing to an individual whether they were a target of a CSIS investigation. CSIS acted reasonably in adopting a uniform policy of neither confirming nor denying the existence of information in that exempt bank.

Principles:

  1. A government institution must ask a foreign state or other government for permission to disclose a document (either on a case-by-case basis or by way of an established protocol) before refusing to disclose the document under s. 19 of the Privacy Act.
  2. A government institution may refuse to release personal information under s. 21 of the Privacy Act on the basis that releasing information of that type (instead of that precise information) would harm national security.
  3. A government institution must show that it considered releasing personal information about other individuals on the basis of the public interest, and exercised its discretion by balancing the public interest in disclosure against the invasion of privacy that would occur.
  4. A government institution bears a heavy burden in justifying the refusal to release an individual’s own medical information. To meet this burden, a government institution must show that the information relates to the physical or mental health of the individual and the release of that information is not in the best interests of the individual.
  5. A government institution can have a general policy of refusing to confirm or deny the existence of personal information in an exempt bank.
Date modified: