Case Summary: The Privacy Act and access to personal information: Court rejects complaint with the Officer of Privacy Commissioner that it improperly denied the applicant access to his personal information
The applicant made a request for personal information from the Communications Security Establishment. He claimed the response was unsatisfactory. He filed a formal complaint with the Officer of Privacy Commissioner of Canada, claiming that he had been improperly denied access to his personal information. The complaint was rejected by the Privacy Commissioner. The applicant was unsuccessful before the court on judicial review. The court recognized the sensitivity of the information being requested and concluded that, in respect of some of that information, the decision of the CSE to neither deny nor confirm its existence was reasonable.
Administrative law – Decisions reviewed – Privacy Commissioner – National defence – Disclosure of records – Judicial review – Evidence – Standard of review – Reasonableness
Martinez v. Communications Security Establishment,  F.C.J. No. 1190, 2018 FC 1179, Ontario Federal Court, November 23, 2018, S.E. Roussel J.
The Communications Security Establishment (the “CSE”) is administered under the Canadian Department of National Defence and is responsible for, among other things, foreign signals intelligence and protection of Canadian government electronic information and communication networks. The applicant, Alex Martinez, made a formal request under the Privacy Act, RSC 1985, c P-21, of the CSE that it provide him with access to personal information in three personal databanks: PPU 040 (Foreign Intelligence Files), PPU 007 (Cyber Defence), and PSU 913 (Disclosure to Investigate Bodies). In response, the CSE said it had no records in respect of PPU 007 and PSU 913, and with respect to PPU 040, it neither confirmed nor denied the records existed (pursuant to section 16(2) of the Privacy Act).
Mr. Martinez filed a formal complaint with the Officer of Privacy Commissioner of Canada (the “OPC”) asserting the CSE improperly denied him access to his personal information. The OPC investigated the complaint but concluded that it was not well-founded and the CSE searches were appropriately undertaken. Unsatisfied with this response, Mr. Martinez brought an application for judicial review pursuant to section 41 of the Privacy Act.
There were two issues before the court on judicial review. First, whether the CSE erred by informing Mr. Martinez that there was no personal information in databanks PSU 913 and PPU 007. Second, whether the CSE reasonably relied on section 16(2) when it “neither confirmed nor denied” the existence of personal information in PPU 040.
The court began by reviewing the evidence around the purpose of the PPU 007 and PSU 913 databanks. The court referred to affidavit evidence from the director of the CSE wherein it was deposed that “thorough and appropriate searches were undertaken [of these databases] and that no personal information” concerning the applicant was located. In light of this evidence, and without any evidence indicating that the CSE did not undertake the appropriate searches, the court seemed to be left with little choice but to conclude that the CSE did not err in its response to Mr. Martinez that no personal information was found in PSU 913 and PPU 007.
The more contentious issue between the parties dealt with the CSE’s reliance on section 16 of the Privacy Act with respect of the request for disclosure of personal information from PPU 040. This databank (which contains personal information relating to sensitive aspects of Canada’s international relations, security and defence) is designated by the Canadian government as an exempt databank on the basis that disclosure could reasonably be expected to be injurious to, inter alia, the conduct of international affairs, the defence of Canada or any state allied or associated with Canada. The court, relying on previous jurisprudence, noted that the adoption of a policy of neither confirming nor denying the existence of information in a personal databank was reasonable given the nature of the information and that merely revealing whether information of an individual exists may be problematic. Coupled with affidavit evidence from the CSE Director concerning the nature of the injury that may result if the CSE were to acknowledge the existence of information in PPU 040 (this evidence appeared to be relatively detailed and specific), the court was satisfied that the CSE’s discretion to adopt a policy neither confirming nor denying the existence of personal information in PPU 040 was reasonably exercised in the circumstances. Again, the court seemed to have little option but to accept the reasonableness of the decision to neither confirm nor deny the existence of the personal information of the application in PPU 040.
The court dismissed the application for judicial review. The court decided against awarding costs in favour of any party, likely because of the fact the application appeared to be self-represented.
This case was digested by Adam R. Way, and first published in the LexisNexis® Harper Grey Administrative Law Netletter and the Harper Grey Administrative Law Newsletter. If you would like to discuss this case further, please contact Adam R. Way at email@example.com.