Disclosure of information about complainant's attempted suicide to US Customs and Border Protection not authorized under the Privacy Act

Complaint under the Privacy Act (the Act)

Case Summary

1. The Privacy Commissioner of Canada received a complaint under the Act alleging that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed her personal information to United States (US) border officials via the Canadian Police Information Centre (CPIC). CPIC is a system used by law enforcement agencies to share law enforcement and criminal justice information, operated under the stewardship of the RCMP on behalf of the Canadian law enforcement community.
2. At issue in the complaint was the disclosure of information relating to a suicide attempt made by the complainant, which was uploaded to CPIC by the Toronto Police Service (TPS). This information was then accessed by US Customs and Border Protection (CBP), which it used in deeming the complainant inadmissible to the US under the Immigration and Nationality Act. The complainant took the position that the RCMP was ultimately responsible for the disclosure given its stewardship of CPIC.
3. We subsequently received correspondence from the complainant’s Member of Parliament at the time, which included a more general allegation of systemic abuse of the privacy rights of individuals with mental health issues through the sharing of attempted suicide information with US border officials.
4. Thus, the scope of our investigation focused on the disclosure of personal information relating to suicide attempts to CBP via CPIC.
5. We determined at the outset of our investigation that Canadian and US law enforcement agencies share information via CPIC pursuant to a Memorandum of Cooperation (MOC) between the RCMP and the Federal Bureau of Investigation (FBI). As a signatory to the MOC and steward of CPIC, we are of the view that the RCMP bears responsibility for ensuring that all information shared between Canadian and US agencies is done in accordance with the requirements set out in the MOC and in compliance with the Act.
6. After carefully considering relevant factors and representations submitted during the conduct of our investigation, we find the complaints to be well-founded.
7. During the course our investigation, the RCMP implemented several changes to the functionality of CPIC and to CPIC policies. Although we believe that these changes in functionality are positive, we are of the view that the revised CPIC policies remain unclear, leaving the personal information of individuals who have threatened or attempted suicide still vulnerable to unauthorized disclosure to US border officials.

The Complaints

8. The first complainant in this matter alleged that the RCMP inappropriately disclosed her personal information to the US Department of Homeland Security (DHS), which was then used to deny her entry into the US in November 2013.
9. We also received correspondence from the complainant’s Member of Parliament (MP) at the time,^{Footnote 1} who raised the same allegation about the sharing of the complainant’s personal information with US border officials, but also raised concerns about the privacy rights of Canadians travelling abroad more generally. We therefore undertook to investigate both the specific aspects of the allegations relating to the complainant and the more general aspects of the MP’s allegation as a single investigation.
10. With respect to the first complainant’s specific allegation, paragraph 29(1)(a) of the Act states that the Privacy Commissioner shall receive and investigate complaints from individuals who allege that personal information about themselves held by a federal government institution has been used or disclosed otherwise than in accordance with section 7 (use) or 8 (disclosure) of the Act.
11. With respect to the issues raised by the complainant’s MP, subparagraph 29(1)(h)(ii) of the Act states that the Privacy Commissioner shall receive and investigate complaints in respect to any other matter relating to the use or disclosure of personal information under the control of a government institution. This includes systemic issues in which a complainant’s personal information may not specifically be at issue.
12. Any reference to “the complaint” or “the complainant” hereafter refers to the first complaint discussed at paragraphs 1, 8 and 10 of this report, unless otherwise indicated.

Background to the Complaint

13. According to her letter of complaint, the complainant had a scheduled flight to New York LaGuardia Airport (LGA) from Toronto Pearson International Airport (YYZ) in November of 2013. YYZ is one of several US Customs and Border Protection (CBP)^{Footnote 2} preclearance locations. Travellers departing from YYZ to most destinations in the US need to clear US Customs and pre-board security screening prior to boarding their flights.^{Footnote 3} The complainant was seeking entry into the US for a short period of time while she was in transit to her vacation destination, which was outside of the US.
14. The complainant stated that she failed to clear the initial US Customs security screening process and was sent for a secondary check, where she was detained and questioned by a CBP officer. She alleges that the officer questioned her specifically about her mental health, including the details of a suicide attempt in 2012. She was then given a “Withdrawal of Application for Admission/Consular Notification” which states in part:
    

    System checks on [the complainant] returned positive results for subject. [The complainant] had a medical episode in June 2012. [The complainant] requires a Medical Evaluation for the mental illness episode to determine her clearance for travel to the United States. [The complainant] could not satisfy the inspecting officer of her non-immigrant intent per 214(b) of the INA. [Complainant] inadmissible to the United States under INA Section 212(a)(1)(A)(iii)(I) . . .

15. Subsection 212(a)(1) of the Immigration and Nationality Act (INA) sets out certain “health-related grounds” under which an alien is inadmissible to the US. Under subclause 212(a)(1)(A)(iii)(I) of the INA,^{Footnote 4} an alien who is determined “to have a physical or mental disorder and behavior associated with the disorder that may pose, or has posed, a threat to the property, safety, or welfare of the alien or others” is inadmissible to the US. It was on the basis of this provision that the complainant was denied entry to the US.
16. The complainant withdrew her application for admission to the US. She was then advised that she could apply for a Waiver of Ineligibility after having a US Immigration Medical Assessment performed.
17. During the course of our investigation, the complainant confirmed that she attempted suicide in June 2012 by overdosing on pills. She stated she called 911 for assistance after changing her mind. This involved a response by ambulance services and an intervention by the Toronto Police Service (TPS). According to the complainant, she sought treatment at that time and had not suffered any subsequent mental health crises.
18. The RCMP confirmed that the complainant’s personal information was accessed by CBP via CPIC on the date of the complainant’s scheduled travel from a computer terminal located in the CBP preclearance area at YYZ.
19. CPIC is a system operated by the Canadian Police Information (CPI) Centre under the stewardship of the RCMP’s National Police Services on behalf of the Canadian law enforcement community. CPIC provides public safety information on charges, warrants, persons of interest, and stolen property or vehicles. It is Canada's primary public and officer safety tool, used by law enforcement agencies to share law enforcement and criminal justice information.
20. The information collected by CBP consisted of a “Caution” flag and “Special Interest Police” (SIP) entry that were entered into CPIC by the TPS in July of 2012.^{Footnote 5} The Caution flag indicated that the complainant has “Suicidal Tendencies” and the SIP entry stated “Mental Health” with the additional remark “Attempted Suicide – Drugs.” The entries also contained the complainant’s biographical information, namely, her name, sex, race, age, date of birth, weight, home address, and driver’s license number. The RCMP provided a printout of the relevant CPIC entry as an attachment to its representations to our Office.

THE ONTARIO INFORMATION AND PRIVACY COMMISSIONER’S INVESTIGATION INTO THE DISCLOSURE OF INFORMATION REGARDING ATTEMPTED SUICIDES VIA CPIC

21. Prompted by the complainant’s experience as well as those of other Ontarians whose past suicide attempts were shared with US border officials, the Information and Privacy Commissioner of Ontario (IPCO) conducted an investigation into the issue of the disclosure of information relating to attempted suicides by police services in Ontario – including the TPS – to US border officials via CPIC. During its investigation, the IPCO obtained information from multiple police services in Ontario, the RCMP, as well as several mental health professionals and organizations, in its consideration of whether or not these disclosures are permissible under section 32 of Ontario’s Municipal Freedom of Information and Protection of Privacy Act (“MFIPPA”).
22. The IPCO’s investigation culminated in a report entitled “Crossing the Line: the Indiscriminate Disclosure of Attempted Suicide Information to U.S. Border Officials via CPIC,” which was published on April 14, 2014.^{Footnote 6} In that report, the IPCO found, among other things:
    1. Discrepancies in the practices of Ontario police services in uploading attempted suicide information to CPIC. Some police services, like the TPS, uploaded information about all confirmed suicide attempts, regardless of the circumstances. In contrast, other police services exercised discretion and considered whether the individual may be violent or pose a threat to officer or public safety before adding such information to CPIC.^{Footnote 7}
    2. The primary purpose for which police services collect information related to attempted suicides is to document their involvement in the incident for their own local records, which is a legitimate purpose. In other circumstances, one or more of the following additional purposes may be engaged:
       • assisting officers in determining the appropriate response and actions to be taken when responding to a call for service;
       • determining appropriate responses and actions in relation to individuals who may be in the custody of the police; and
       • protecting the public, police officers, and the individual.
    3. Many incidents of attempted suicide do not present a risk of violence to others or pose a threat to officer or public safety. Furthermore, sharing such sensitive information can have a significant negative impact on individuals and aggravate stigmas associated with mental health.
    4. The disclosure of information related to attempted suicides to other Canadian law enforcement agencies and to US border officials via CPIC should only occur where the information involves a threat to officer or public safety. Such disclosures would be consistent with the law enforcement purpose for which the information was compiled and therefore in compliance with section 32 of MFIPPA. As such, the practice of disclosing information relating to all suicide attempts via CPIC by default is not authorized under MFIPPA.
23. The IPCO ultimately made a number of recommendations, one of which was that police services in Ontario adopt what it called the “Mental Health Disclosure Test,” which outlines the circumstances under which the IPCO believes the disclosure of personal information relating to suicide attempts would be permissible under MFIPPA. The test requires that at least one of the following four circumstances be present before uploading or otherwise sharing any suicide-related information with US border officials via CPIC:
    1. The suicide attempt involved the threat of serious violence or harm, or the Actual use of serious violence or harm, directed at other individuals;
    2. The suicide attempt could reasonably be considered to be an intentional provocation of a lethal response by the police;
    3. The individual involved had a history of serious violence or harm to others; or
    4. The suicide attempt occurred while the individual was in police custody.

Scope of Our Investigation

24. The complaint to our Office involve the sharing of personal information via CPIC between the TPS and CBP, two agencies outside of the jurisdiction of this Office. Although the complainant’s personal information was uploaded to CPIC by the TPS, she argues that the RCMP is ultimately responsible for its disclosure to CBP, which she alleges was in contravention of the Act.
25. We established at the outset from the RCMP that it is the steward of the CPIC system. Our investigation therefore examined the RCMP’s role in managing CPIC, including granting participating law enforcement agencies (“CPIC agencies”) with access to the personal information held in CPIC. The RCMP’s mandate also includes responsibility for any arrangements or agreements under which foreign law enforcement agencies may be granted access to CPIC.
26. The RCMP advised that it publishes both a CPIC Policy Manual (the “Policy Manual”) and a CPIC User Manual (the “User Manual”), which together form the CPIC policies. These manuals are intended to guide CPIC agencies regarding the proper collection, use, and disclosure of information held in CPIC.
27. All CPIC agencies, including domestic police services and foreign law enforcement agencies, are subject to the CPIC policies, which come under the responsibility of the Director General of the CPI Centre. The Director General is responsible for establishing 1) the scope and content of the CPIC data banks, files, categories and records; 2) how the system is used and regulated; and 3) the criteria to determine which agencies are eligible to use the system.
28. CPIC policies are developed in consultation with the National Police Information Services Advisory Board (NPIS AB), which is composed of 16 voting members, including one representative from each Provincial Police Association. The NPIS AB provides strategic oversight, leadership, and direction in the administration of the development and use of CPIC. The NPIS AB is accountable to the RCMP Commissioner, who is ultimately responsible for the administration and operation of CPIC. The RCMP submits that due to this governance structure, the CPI Centre does not unilaterally decide on CPIC functionality and policies.
29. Although we understand the collaborative nature of CPIC governance, we are of the view that as the steward of CPIC – with the RCMP Commissioner being ultimately responsible for the administration and operation of CPIC – the level of control exerted by the RCMP over CPIC is sufficient to engage the application of section 8 of the Act with respect to the disclosure of personal information contained in CPIC to CBP.
30. The issue in this investigation does not concern all investigative or criminal information in CPIC. We recognize the importance of CPIC to policing as a national information sharing tool that enables law enforcement and public safety partners to work together effectively. Rather, we looked at the specific issue of disclosing personal information relating to suicide attempts to CBP via CPIC, the mechanisms by which such information is disclosed (a Caution flag and SIP entry), and the policies and procedures relating to the use of those functions in CPIC.

The RCMP’s Role in Managing CPIC

HOW DID CBP GAIN ACCESS TO CPIC INFORMATION?

31. The RCMP advised that CBP has access to CPIC pursuant to a Memorandum of Cooperation (MOC) between the RCMP and the Federal Bureau of Investigation (FBI), providing for the electronic exchange of information contained in CPIC and the equivalent system in the US, the National Crime Identification Centre/Interstate Identification Index (NCIC/III).^{Footnote 8} The MOC originally took effect on May 6, 1999, and was renewed on July 25, 2008.^{Footnote 9} Unless otherwise noted, all references herein are to the 2008 version, which was in effect at the time of the incident in question.
32. The FBI is the part of the Department of Justice of the United States of America that enforces the laws of the US and facilitates the exchange of information with law enforcement agencies within the US. Pursuant to the MOC, the FBI authorized the DHS, and by extension, CBP, to access CPIC. The RCMP advised that the FBI was provided “read only” access to CPIC, meaning that the CPIC databases were accessible by the FBI and its partner agencies, but they were not able to contribute information directly to CPIC.
33. The CPI Centre also set limitations on the information in CPIC’s databases that could be viewed by the FBI and its partner agencies under the MOC. They were not able to access information relating to young offenders, persons wanted on province-wide warrants, non-conviction criminal records (i.e., not-guilty verdicts, acquittals, withdrawals, stays of proceeding, or peace bonds), or suspended (pardoned) criminal records. We confirmed, however, that the FBI and its partner agencies, including CBP, did have access to Caution flags and SIP entries.
34. According to the MOC, information obtained from either CPIC or NCIC/III could only be used for “criminal justice purposes.” The MOC provided the following definition: “criminal justice purposes is defined to mean that the use of CPIC and NCIC/III data is intended specifically by law enforcement and criminal justice agencies in the performance of law enforcement and criminal justice matters to include national security issues as mandated by the legislation of the respective countries.” The MOC did not define “law enforcement” or “criminal justice.”
35. The MOC specified that Canadian privacy laws and the CPIC Policy Manual required that users of CPIC data establish the accuracy and validity of a CPIC record prior to it being used. As such, all information collected from CPIC by US law enforcement agencies should have been confirmed by contacting the contributing CPIC agency to determine its accuracy and relevancy before the information could be used for any purpose.

CPIC CAUTION FLAGS AND SIP ENTRIES RELATING TO ATTEMPTED SUICIDES

36. CPIC is comprised of four individual data banks: the Investigative Data Bank, Identification Data Bank, Intelligence Data Bank, and Ancillary Data Bank. The information at issue in this matter was held in the Investigative Data Bank.^{Footnote 10}
37. Caution flags and SIP entries are separate and distinct entries in CPIC’s Investigative Data Bank, which may be used simultaneously. A Caution flag is used as an indicator of past interactions of concern. A SIP entry enables the contributing agency to enter pertinent data and comments concerning an individual, including why that person is of special interest to police.
38. The User Manual stated that CPIC agencies should use a Caution flag “to indicate that the record subject is considered dangerous to himself/herself or to others.” A SIP entry could be used to record data on a person under certain categories of known criminal offenders, such as individuals with a history of violent offences, sex offences, and/or family violence. The User Manual provided that a SIP entry could also be used for a person known to “be dangerous to police, himself/herself or other persons,” including “a person who suffers from an apparent emotional or mental health disorder” or “threatened or attempted suicide either when in or out of police custody.”
39. The RCMP made representations that the sharing of information relating to individuals who have threatened or attempted to commit suicide, and who may pose a safety risk to themselves or others, assists police in fulfilling their mandate and duties, which includes preserving the peace, preventing and investigating crime, and the protection of life and property.
40. The RCMP characterized this type of information as “critical public safety information” with significant value in the event of future contact with the individual. According to the RCMP, these types of entries permit police agencies to assess potential dangers to their personnel, the general public, and to the individuals themselves, in order to determine the type of resources that may be required in order to best respond to the situation at hand when dealing with the individual. Moreover, the RCMP explained that CPIC users trust that if partner agencies add information to CPIC, it has been deemed “critical public safety information” by the contributing CPIC agency.
41. In the case of the complainant, as noted above, the TPS entered a Caution flag for “Suicidal Tendencies” based on its prior interactions with the complainant. The TPS also entered a SIP relating to “Mental Health” with an added notation “Attempted Suicide – Drugs.”
42. According to the RCMP’s representations, the CPIC policies that were in place in November 2013 gave contributing CPIC agencies the discretion to determine when the use of Caution flags and SIP entries were appropriate. The RCMP also emphasized that CPIC policies and protocols did not mandate that any or all suicide attempts be entered into the system.
43. In general, CPIC policies gave the discretion to CPIC agencies to determine whether there are compelling public safety and law enforcement reasons for sharing personal information via CPIC. The onus was therefore put on each CPIC agency to determine whether federal or provincial laws prohibited the disclosure of information, including privacy legislation.
44. In order to ensure the accuracy of the information shared via the CPIC system, CPIC policies and the MOC put certain obligations on both the disclosing and collecting CPIC agencies to verify the relevance and accuracy of information before it could be used.

RETENTION OF CPIC CAUTION FLAGS AND SIP ENTRIES

45. SIP entries had an automatic 5-year purge date. CPIC automatically generated a purge notification to the originating agency 30 days prior to the prescribed SIP entry destruction date. It was then up to that agency to decide whether the SIP entry should be deleted (for which no action would be necessary) or whether it should be renewed. If the originating CPIC agency wished to extend the retention period of the SIP entry, it had to manually renew the expiry date in CPIC.
46. A Caution flag did not have an automatic purge date, nor did it affect the automatic purge of the SIP records. The User Manual stated that “suicidal” Caution flags “should be extended for as long as is necessary.”
47. The RCMP emphasized in its representations that it was (and is) the responsibility of the contributing CPIC agency to conduct the appropriate review to ensure that only valid public safety information remains on the system.
48. The SIP entry relating to the complainant had an expiry date of June 30, 2017, but has since been removed from CPIC by the TPS, along with the Caution flag (as detailed at paragraphs 105–106 of this report).

CONFIDENTIALITY AND DISSEMINATION OF CPIC INFORMATION

49. In terms of the proper use of information retrieved from CPIC, both the MOC and CPIC policies set out requirements for verifying the accuracy of information retrieved from CPIC with the originating agency prior to it being used by another CPIC agency.
50. The Policy Manual stated that “Information that is contributed to, stored in, and retrieved from CPIC is supplied in confidence by the originating agency for the purpose of assisting in the detection, prevention or suppression of crime and the enforcement of law.”^{Footnote 11} It also provided that “Each agency having access to CPIC records is responsible for the confidentiality and dissemination of information stored on the CPIC system.”
    

    Any record placed on the CPIC system must be the subject of an agency file maintained by the originator for as long as the record is on CPIC. An agency must be able to confirm its CPIC records promptly, 24 hours a day, 7 days a week.

51. Similarly, the Policy Manual also explained that an agency that contributed information to CPIC would retain ownership over that information:
    

    A record placed on the CPIC system is deemed to be under the control of the CPIC agency making the entry. Access to that record can only be granted by the contributing agency, upon a request made to that agency/department, under the federal/provincial access legislation that applies to that agency.^{Footnote 12}

52. The RCMP confirmed that the use of the complainant’s personal information by CBP was contrary to the requirement to verify the information with the originating agency prior to use as detailed in both the MOC and the Policy Manual. Moreover, the SIP entry in the complainant’s case clearly indicated that the TPS was the record owner, and clearly stated “DO NOT DIVULGE INTEREST TO SUBJECT” and “CONFIRM WITH ORIGINATING AGENCY” (emphasis in original).
53. The RCMP advised that it communicated with the FBI to advise of this incident and to request that CBP be reminded of its obligations under the MOC. The RCMP also advised that subsequent to its correspondence to the FBI, a review of the matter was conducted by CBP and that further guidance was given to CBP staff regarding the proper usage of information obtained from CPIC.

Changes made to CPIC during the Course of our Investigation

54. We received correspondence from the RCMP Commissioner in September 2014, advising that in recognition of the importance of safeguarding the personal information of Canadians and its commitment to privacy, the CPI Centre implemented a number of changes to CPIC, including:
    • The introduction of a new SIP entry, known as an Observed Behavior (OB) entry to reference a subject who has demonstrated behaviour that causes concern about their safety or the safety of others.
    • An optional field referred to as SHARE USA that relates directly to the SIP-OB and allows contributing agencies to choose whether or not their OB entry contains crucial public safety information that should be shared with US agencies, including border officials.
    • In May 2015, the SIP entry relating to “Mental Health,” as well as the Caution flags for “Suicidal Tendencies” and “Mental Instability,” were removed from CPIC.
    • To more closely align how information is accessed by Canadian agencies, the CPI Centre assigned specific access to US law enforcement and criminal justice agencies based on the agency mandates. Specific access to CPIC information by US agencies is now categorized into 21 filtered classifications that mirror, as closely as possible, CPIC eligibility criteria in Canada. Although this alignment did not affect how CBP was categorized, the RCMP did limit or remove CPIC access rights from several other US agencies.
    • The MOC between the RCMP and the FBI providing access to CPIC was revised in order to emphasize the necessity of compliance with CPIC policies and procedures.
55. The RCMP subsequently provided copies of the Spring 2015 CPIC User Manual and the May 2015 revision of the CPIC Policy Manual, both of which were revised to reflect the system changes outlined in the RCMP Commissioner’s correspondence.

Applicable Sections of the Act

56. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
57. The information contained in CPIC that was accessed and used by CBP is clearly the personal information of the complainant, since it included her name, sex, race, age, date of birth, weight, home address, driver’s license number, and information regarding her perceived mental health.
58. In our view, information about an attempted suicide is information related to a person’s mental health or mental state, which we consider to be particularly sensitive personal information.
59. the Act states that personal information can only be disclosed with an individual's consent – subsection 8(1) – or in accordance with one of the categories of permitted disclosures outlined in subsection 8(2) of the Act.
60. The complainant alleges that the disclosure of her personal information to CBP was in contravention of section 8 of the Act because she did not consent to it and she does not believe that it should have been shared with US border officials. There is no dispute that the complainant did not consent to her personal information being shared with CBP. The disclosure was therefore not authorized under subsection 8(1) of the Act.
61. We must therefore determine whether the disclosure to CBP via CPIC was in fact authorized under subsection 8(2) of the Act. The same determination must also be made with respect to the more general complaint made by the complainant’s MP.
62. Subsection 8(2) provides that, “Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed,” and goes on to describe the specific purposes in paragraphs (a) through (m) under which a disclosure would be authorized.
63. The RCMP submits that US authorities, including border officials, have been authorized to access the personal information on CPIC by virtue of the disclosure authority in paragraph 8(2)(f) of the Act, which provides that personal information under the control of a government institution may be disclosed:
    

    [U]nder an agreement or arrangement between the Government of Canada or an institution thereof and … the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation.

64. The RCMP believes that its position is further supported by the “consistent use” authority to disclose found in paragraph 8(2)(a) of the Act, which states that personal information can be disclosed by an institution “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.” The RCMP referred to the Info Source description of RCMP Personal Information Bank (PIB) PPU 005^{Footnote 13} in support of this position.
65. RCMP PPU 005 contains personal information on individuals who have been involved in investigations under the Criminal Code, federal and provincial statutes, municipal bylaws and territorial ordinances, and includes information held in the CPIC system.^{Footnote 14} The description of consistent uses for information held in this bank includes sharing with accredited domestic and foreign law enforcement and foreign investigative agencies, departments of the Criminal Justice System and Courts in the administration or enforcement of the law and in the detection, prevention, or suppression of crime generally.

Analysis

A) WAS THE DISCLOSURE OF THE COMPLAINANT’S PERSONAL INFORMATION AUTHORIZED UNDER PARAGRAPH 8(2)(f) OF the Act?

66. As already noted, paragraph 8(2)(f) permits a Canadian government institution to disclose personal information to an institution of the government of a foreign state “under an agreement or arrangement” for the purpose of “administering or enforcing any law or carrying out a lawful investigation.” It is therefore not an open-ended permission to share personal information with foreign authorities. At a minimum, information sharing must take place in accordance with the terms of the agreement or arrangement between the Canadian government institution and the foreign authority. Any information sharing must also be limited to the purposes of administering or enforcing a law or carrying out a lawful investigation.
67. The requirement for an agreement or arrangement in paragraph 8(2)(f) is an important one. We are of the view that an agreement or arrangement that dictates the terms under which sharing takes place is essential for ensuring that, among other things, any information sharing is limited in scope, is conducted only for permissible purposes, that the confidentiality of information is safeguarded, and that there are procedures in place to verify the accuracy of information.
68. The MOC between the RCMP and the FBI states that “the use of CPIC and NCIC/III data is intended specifically by law enforcement and criminal justice agencies in the performance of law enforcement and criminal justice matters …”
69. The RCMP does not dispute that the complainant’s personal information could only be considered to have been shared in accordance with the MOC if it was for a law enforcement or criminal justice purpose. However, the RCMP maintains that the sharing of the complainant’s personal information with the CBP was indeed for a law enforcement purpose.
70. The RCMP explained that, in general terms, CBP’s admissibility assessment under section 212 of the INA includes the consideration of an individual’s risk to public safety, which may include a review of information relating to mental health and suicide attempts. Section 212 of the INA specifically refers to a threat to the property, safety, or welfare of the alien or others (i.e., it includes consideration of the individual’s risk to self or to others).
71. The RCMP submits that the sharing of information relating to suicide attempts with CBP should be considered to be for a law enforcement purpose for the following reasons:
    

    Given that border officials have a general mandate relating to public safety and the preservation of peace at the border, it is foreseeable that the US CBP’s consultation of behavioural information, including whether suicide was threatened or attempted, assists in guarding against any “threat to the property, safety, or welfare of the alien or others.” This would be, therefore, a purpose consistent with that of the initial critical public safety information data collection. Moreover, the role of border officials is not limited to ensuring public safety and the preservation of peace at the border point, but also throughout the US. As such, admissibility reviews assist in ensuring that individuals who enter the US will not be a threat to public safety after having entered.

72. The RCMP believes that suicide attempts may be indicators that an individual poses a danger to him or herself or to others, and that the sharing of this type of information is consistent with the common law duties of police officers to preserve the peace, prevent and investigate crime, and the protection of life and property, which are essential components of “aw enforcement” and “criminal justice” as referred to in the MOC. The RCMP therefore takes the position that the disclosure of information relating to attempted suicides to CBP via CPIC is for the purposes of law enforcement and public safety as stipulated in the MOC.
73. Neither the MOC nor CPIC policies define the term “law enforcement.” While the term may be capable of multiple interpretations, we are satisfied based on the dictionary definition of the term as well as how it has been defined in provincial and territorial statutes that it should not be interpreted as broadly as the RCMP is urging in this case, particularly in light of the quasi-constitutional nature of the Privacy Act.
74. In support of this view, we note that in its ordinary meaning, “law enforcement” is defined as “[t]he detection and punishment of violations of the law.”^{Footnote 15} Similarly, to “enforce” means to “compel observance of (a law etc.).”^{Footnote 16}
75. Enforcement of a law is distinct from the broader term “administering” a law, which refers to actions relating to implementing a law.^{Footnote 17} While paragraph 8(2)(f) uses both the terms “enforcing” and “administering” a law, the MOC is restricted to sharing exclusively for “law enforcement” and “criminal justice” purposes, which strongly suggests that sharing under the MOC was meant to be more limited in scope.
76. Several provincial public sector privacy statutes also define the term “law enforcement” in a similarly limited fashion. For instance, subsection 2(1) of MFIPPA defines the term as follows:
    “law enforcement” means,
    1. policing,
    2. investigations or inspections that lead or could lead to proceedings in a court or tribunal if a penalty or sanction could be imposed in those proceedings, or
    3. the conduct of proceedings referred to in clause (b).
    This definition is largely consistent across provincial and territorial statutes where the term is found.
77. In her investigation, the IPCO found that the use of attempted suicide information by US border officials did not generally constitute “law enforcement” within the meaning of MFIPPA. In her view, US border officials were using the information primarily to screen individuals seeking to travel to or through the US. Absent limited situations where there were officer or public safety concerns in accordance with the Mental Health Disclosure Test, the IPCO found that the screening of travellers was not for a “policing” purpose. Nor did such screening involve any judicial or quasi-judicial proceedings that could to lead to a penalty or sanction.
78. For similar reasons, we find that the sharing of the complainant’s personal information was not for “law enforcement” or “criminal justice purposes” as stipulated in the MOC. There is no suggestion in this case that the complainant had violated the law or otherwise failed to follow the correct procedures in her application for admission to the US. She was simply refused entry based on health-related grounds and was told that if she wanted to apply again for admission she would need to undergo a medical examination. There was no penalty or sanction at play. Indeed, under the Preclearance Act, SC 1999, c. 20, which governs the powers of CBP officers operating in Canadian airports, it does not appear that any sanction could have been imposed by a CBP officer in the circumstances.
79. That being the case, we find that the disclosure of the complainant’s personal information was not consistent with the requirements of paragraph 8(2)(f).
80. We agree with the RCMP that in some circumstances, the sharing of information relating to an attempted suicide could be consistent with the common law duties of police officers to preserve the peace, prevent and investigate crime, and the protection of life and property. However, we are of the view that CBP’s admissibility assessment in the circumstances was not consistent with such purposes, since there is nothing to indicate that the complainant posed a threat to public safety.
81. Having reached this conclusion, we believe that in general, CBP should not have access to information relating to attempted suicides by Canadians where an individual cannot be reasonably considered to present a risk to public safety. This includes both SIP entries and Caution flags. Our position is consistent with the IPCO, who concluded that suicide attempts could only be considered to raise public safety concerns where they involved serious threats, violent actions, or serious harm to self by attempting to provoke a lethal response by the police or by attempting suicide while in police custody.

B) WAS THE DISCLOSURE OF THE COMPLAINANT’S PERSONAL INFORMATION TO CBP AUTHORIZED PURSUANT TO PARAGRAPH 8(2)(a) OF the Act?

82. The RCMP also takes the position that the disclosure of information relating to suicide attempts is authorised under paragraph 8(2)(a) of the Act, since “its use clearly has a reasonable and direct connection to the original purpose(s) for which the information was compiled (i.e., criminal justice purposes, including law enforcement).”
83. In our view, the same assessment applied to the MOC also applies with respect to paragraph 8(2)(a) of the Act. Having concluded that the disclosure of personal information relating to attempted suicides to CBP is not authorized under the MOC, we do not see how its use by CBP to assess admissibility into the US was consistent with the purposes for which it was compiled.
84. We note that the IPCO also conducted an analysis of whether the use of this type of information by CBP could be considered to be consistent with the purpose for which it was collected. According to the IPCO, the primary purpose for which police services collect information related to attempted suicides is to document their involvement in the incident for their own local records, which is a legitimate purpose. In other circumstances, one or more of the following additional purposes may be engaged:
    1. assisting officers in determining the appropriate response and actions to be taken when responding to a call for service;
    2. determining appropriate responses and actions in relation to individuals who may be in the custody of the police; and
    3. protecting the public, police officers, and the individual.
85. We agree with this analysis and find that the first two circumstances could only apply to police services that deal with the individual in question during the course of policing activities. Only the third circumstance could apply to the disclosure to CBP, but only where past suicide attempts can reasonably be considered to indicate that the individual poses a risk to others, which was not the case with the complainant. Absent such a risk to others, we are of the view that an individual would not reasonably expect that information about an attempted suicide collected by a law enforcement agency would be used by US border officials as part of an admissibility assessment.
86. As such, we find that the disclosure of the complainant’s personal information was not authorized under paragraph 8(2)(a) because its use by CBP for an admissibility assessment was not consistent with the purpose for which it was obtained or compiled by the TPS.

C) WERE THE CPIC POLICIES SUFFICIENT TO ADEQUATELY GUARD AGAINST THE DISCLOSURE OF THE COMPLAINANT’S PERSONAL INFORMATION TO CBP?

87. Having found that the disclosure of the complainant’s personal information to the CBP was not consistent with paragraphs 8(2)(f) or 8(2)(a) of the Act, we are also of the view that the CPIC policies in effect at the time did not provide sufficient clarity in order to protect against such a disclosure.
88. We recognize that even though the RCMP is the steward of CPIC, it does not unilaterally decide on CPIC functionality and policies. Nonetheless, as a signatory to the MOC with the FBI, the RCMP bears the responsibility for ensuring that information that is shared with US authorities is done in a manner consistent with the MOC in order to be compliant with the Act. Since CPIC policies are the primary means of ensuring compliance with the MOC, the RCMP must also take responsibility for these policies.
89. The CPIC policies in effect at the time that the complainant’s personal information was used by CBP provided no specific guidance regarding when a Caution flag for “Suicidal Tendencies” could or should be placed on CPIC. Similarly, CPIC policies did not adequately explain when a contributing agency was or was not permitted to make a SIP entry relating to “Mental Health.” The policies allowed for the sharing of information about individuals who suffer from an “apparent emotional or mental health disorder,” which we believe was overly broad and allowed for the sharing of personal information in a manner inconsistent with the requirements of the MOC.
90. We are of the view that the CPIC policies ought to have limited the sharing of attempted suicide information with US authorities and border officials only to cases where the individual in question could reasonably be considered to present an ongoing threat to others and provided comprehensive guidance explaining how to make such a determination.
91. With respect to the changes made to CPIC during the course of our investigation, we reviewed the revised manuals in detail and noted that several sections are inconsistent between the new versions of the User Manual and the Policy Manual. Although we are pleased that the RCMP took the step of removing the Caution flags for “Suicidal Tendencies” and “Mental Instability” altogether from CPIC, we are concerned that CPIC policies remain unclear and do not provide sufficient guidance to contributing agencies regarding what to include in the new SIP-OB entries relating to attempted suicides and when such entries can or should be made available to US authorities.
92. We are equally concerned that the new SHARE USA field in CPIC is set by default to share information with US authorities, requiring a CPIC agency to purposely choose to limit the disclosure to Canadian agencies by indicating “No” in the SHARE USA field.

Preliminary Report of Findings

93. After having the reviewed the changes made to CPIC by the RCMP following receipt of the RCMP Commissioner’s correspondence of September 2014, we provided the RCMP with a Preliminary Report of Findings in July 2015 and an opportunity to respond to our preliminary recommendations. Our recommendations were based on our findings with respect to both the specific and systemic aspects of the complaints, as well as our analysis of the changes to CPIC implemented by the RCMP during the course of the investigation.
94. In particular, we recommended that the RCMP further revise the CPIC policies to provide detailed guidance for contributing agencies in determining when an individual who had threatened or attempted suicide can be considered to present an ongoing risk to public safety, including examples to help contributing agencies determine when to exercise the discretion to disclose information relating to mental health or suicide attempts.
95. Similarly, we recommended that these revisions also reflect that the use of information relating to mental health or suicide attempts by US authorities should only be authorised by the contributing agency where the US agency has established there is a clear law enforcement or public safety purpose for its collection as required by the MOC and that the information is clearly relevant to that purpose.
96. In response to our Preliminary Report of Findings and recommendations, the RCMP reiterated three overarching concepts that the it believes to be fundamental to the administration of CPIC:
    1. While CPIC is operated under the stewardship of the RCMP’s National Police Services, all police agencies and public safety partners in Canada, including RCMP criminal operations, actively contribute to its development and policy direction. This collaboration and consultation ensures the CPIC system accurately reflects the needs of the broader criminal justice community, both nationally and internationally.
    2. Contributing agencies are responsible for the information they input into CPIC. This includes a responsibility for accuracy and adherence to all associated legislation and policies, which includes CPIC policy, but perhaps more importantly, their internal, municipal, and provincial policies and legislation.
    3. The primary function of CPIC is to share information among the criminal justice community enabling them to meet their duties in the preservation of peace, the protection of life and property, and the prevention and investigation of crime.
97. The RCMP did not agree to make any further changes to CPIC policies or functionality as a result of our recommendations.

UPDATED MOC WITH THE FBI

98. While the RCMP did not accept to make further changes to CPIC or its guiding policies, it did update its MOC with the FBI, which was signed by both parties on October 27, 2015. The MOC now makes specific reference to respecting Constitutional and legal frameworks that protect privacy in both Canada and the US. It also now includes the following definitions, which are particularly relevant to our analysis:
    

    “Criminal Justice Purposes” means performance of any of the following activities: Detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. The administration of criminal justice shall include criminal identification activities and the collection, storage, and dissemination of criminal history record information.

    “Criminal Justice Agency” means: A governmental institution or any subunit thereof that performs the administration of criminal justice pursuant to a statute, the common law, or executive order, and that allocates a substantial part of its annual budget to the administration of criminal justice.

99. The updated MOC also contains new language with respect to the disclosure and use of information under the arrangement:
    

    Pursuant to CPIC and NCIC/III policy, the use of the information contained in the CPIC and the NCIC/III systems is for criminal justice agencies for criminal justice purposes or for a consistent use thereof. Further to the definition of criminal justice purposes, the use of CPIC and NCIC/III data is intended specifically by law enforcement and criminal justice agencies in the performance of law enforcement and criminal justice matters, including counterterrorism/intelligence investigations.

100. The concept of “consistent use” is defined in the revised MOC to mean “a use that has a reasonable and direct connection to the original purpose(s) for which the information was obtained or complied.”
101. In our view, the reference to a consistent use would not support the disclosure of attempted suicide information to US border officials in the absence of a risk to officer or public safety. Pursuant to the revised MOC, in order for a use to be consistent, there must still be a reasonable and direct connection with the original purpose for which the information was obtained or compiled. The Supreme Court of Canada has held that a use may be a consistent use, for the purposes of the Act, when an individual would “reasonably expect” the information to be used in such a manner.^{Footnote 18}
102. As noted in our analysis under paragraph 8(2)(a), we do not believe that an individual would reasonably expect that information about an attempted suicide – which is highly sensitive information collected by Canadian police services during the course of policing activities – would then be used by US border officials to deny them entry into the US. Where the information does not demonstrate an ongoing risk to public safety, its use by US border officials for immigration assessment considerations is not directly and reasonably connected to the original purposes for which the information was compiled.

UPDATED TPS PRACTICES

103. The TPS also made changes in its practices. In July 2015, the Chief of the TPS submitted a report to the Toronto Police Services Board (TPSB) on the subject of “Disclosure of Attempt/Threaten Suicide Information on CPIC to U.S. Customs and Border Protection.”^{Footnote 19} The purpose of the report was to update the TPSB regarding the TPS’s recommended new practices and to describe how they compare with the IPCO’s recommendations.
104. The report outlines the following considerations with respect to the changes made to the TPS’ practices regarding the disclosure of information relating to attempted or threatened suicides via CPIC:
     • Although the IPCO recommend restricting Ontario police services from creating certain SIP files, the TPS took the position that restricting US CBP from accessing certain SIP files was the best solution.^{Footnote 20}
     • The TPS will choose not to share its SIP-OB entries with US authorities and border officials using CPIC’s SHARE USA function unless one or more of the criteria found in the Mental Health Disclosure Test have been met.
     • The consideration to renew a SIP entry for attempt/threaten suicide is now performed every 2 years instead of 5 years. The review is based, in part, on the passage of time, the age of the person at the time of the incident, other relevant and material information, and, according to the criteria set out in the Mental Health Disclosure Test.
     • The TPS has now implemented a reconsideration process by which an individual can make a request to have a SIP-OB entry relating to attempt/threaten suicide removed from CPIC by making a request to the TPS’ Manger of Records Management Services.^{Footnote 21} The TPS initiated the reconsideration process for several individuals who were denied entry to the US based on SIP-MH entries made by the TPS, including the complainant in this matter.
105. These changes were implemented in August 2015. As part of the implementation of these new practices, the TPS conducted a review of its own existing SIP entries according to the criteria set out in the Mental Health Disclosure Test, as well as on the passage of time, the age of the person at the time of the incident, and other relevant and material information. As a result of its review, the TPS removed 9,766 SIP entries out of a total of 15,180 that it had entered into CPIC relating to threatened or attempted suicide.
106. The complainant confirmed that she was contacted by the TPS and advised that, following its review, the Caution flag and SIP entries relating to her attempted suicide were removed from CPIC.^{Footnote 22}

Findings and final recommendations

107. For the reasons set out in this report, we consider both the specific and systemic aspects of the complaints to be well-founded. The sharing of the complainant’s personal information was not authorized under either paragraph 8(2)(f) or 8(2)(a) of the Act.
108. Pursuant to paragraph 35(1)(b) of the Act, on December 15, 2016, we provided the RCMP with our findings and the final recommendations, and requested that it provide us with notice of any new actions that it had taken, or proposed to take, to implement these recommendations:
     1. That the default state of the SHARE USA feature in CPIC be set to supress the sharing of SIP-OB entries relating to threatened or attempted suicides with US border officials.
     2. That the RCMP revise CPIC policies to provide clear, consistent, and specific guidance that will ensure that attempted suicide information is shared with US border officials only where the individual can reasonably be considered to present an ongoing risk to others. We provided the RCMP with specific examples of the CPIC policies that we believe to be unclear and/or inconsistent.
109. In this respect, we strongly encouraged the RCMP to model CPIC policies after the guidelines that have now been implemented by the TPS, which incorporate the Mental Health Disclosure Test and a more limited record retention period. We are of the view that these guidelines clearly limit the sharing of a SIP-OB entry relating to an attempted suicide with US border officials to circumstances where the individual can reasonably be considered to present a risk to others. Additionally, we believe that the requirement that contributing CPIC agencies review each SIP-OB entry for relevancy after 2 years rather than 5 years is a much more reasonable record retention practice.

The RCMP’s Response to Our Findings and Recommendations

110. In correspondence dated January 31, 2017, the RCMP advised that it does not agree with either our findings or recommendations. Overall, the RCMP takes the position that the “Report of Findings is silent on acknowledging the crucial duty and role police have in protection people, even from themselves.”
111. We believe that it is important to reiterate that in describing the scope of our investigation at paragraph 30 of this report, we recognized the importance of CPIC to policing as a national information sharing tool that enables law enforcement and public safety partners to work together effectively. We agree with the RCMP that in some circumstances, the sharing of information relating to an attempted suicide could be consistent with the common law duties of police officers to preserve the peace, prevent and investigate crime, and the protection of life and property. However, our investigation focused only on the specific issue of whether the disclosure of personal information relating to suicide attempts to CBP via CPIC was authorized under the Act.
112. The RCMP disagrees with our finding that the disclosure to CBP was not authorized under section 8 of the Act for the following reasons:
     

     [Y]our analysis … seeks to exclude US Customs and Border Protection (CBP) as a law enforcement agency, culminating in your conclusion at paragraph [81], which seems to suggest that a threat to public safety (beyond an established pattern of behaviour that that threatens oneself) is required to qualify the CBP to receive information regarding instances of attempts to harm oneself.

     By any reasonable assessment, measure or interpretation, the US CBP is a law enforcement agency. I cannot accept your analysis and conclusion otherwise …

113. For clarity, we recognize that CBP has authority to enforce US laws relating to customs and immigration.^{Footnote 23} As such, we agree that CBP may be considered a “law enforcement and criminal justice agency” for the purposes of the MOC. However, following our analysis at paragraphs 73–80 of this report, we are of the view that CBP’s use of the complainant’s personal information relating to her attempted suicide for an admissibility assessment was not done “in the performance of law enforcement and criminal justice matters” as stipulated in the MOC.
114. Despite the RCMP’s disagreement, we continue to hold the view that the disclosure of information relating to attempted suicides to CBP under the circumstances discussed in this report is not authorized under section 8 of the Act.
115. In response to our recommendation with respect to CPIC policies, the RCMP stated:
     

     … [W]e agree that CPIC policies and procedures must always provide clear direction and guidance. The RCMP, in consultation with the NPIS AB, continues to review and update these on a regular basis to ensure consistency and clarity. These policies provide clear guidance on the criteria to create a record under the OB category, which aligns with the spirit of the Mental Health Disclosure Test, highlighted in your report.

116. We are pleased that the RCMP and NPIS AB have reviewed and updated the relevant CPIC policies and procedures. However, we are of the view that, as presently worded, CPIC policies still do not align with the spirit of the Mental Health Disclosure Test. We provided the RCMP with several examples to support our position. Current CPIC policies appear to give contributing agencies the discretion to disclose information relating to attempted suicides to CBP even where a clear law enforcement or public safety purpose has not been established. In our view, such disclosures would not be authorized under section 8 of the Act.
117. The RCMP also provided us with the following clarification of current policies regarding the retention of SIP-OB entries:
     

     Your report suggests that the retention period for SIP-OB entries be reviewed by each contributing agency for relevancy after two years, rather than five years. However, your report does not explain that contributing agencies are actually provided with a monthly validation report for all records that have been on the CPIC system for more than 12 months. These reports serve as reminders to agencies to undertake periodic reviews to validate the relevancy and accuracy of these records. OB-type entries may then be updated or removed at the contributing agency’s discretion.

118. We reviewed the RCMP’s current policies on SIP entries (Section 1.10 of the User Manual) and confirmed that contributing agencies are indeed instructed to review each entry for relevancy after 12 months, which we find to be an acceptable practice:
     

     A SIP record is validated every 12 months after initial entry at which time the record should be reviewed to determine if the information is still valid, accurate and relevant. When the record appears on the Purge Report, the agency shall review the record and ensure it is still pertinent before extending the expiry date.

119. Despite our disagreement on the default setting for the SHARE USA function in CPIC and the clarity and consistency of the policies regarding the use of the SIP-OB entry, we are encouraged by the number of entries relating to mental health and/or attempted suicides that have been removed from the CPIC system. As noted at paragraph 105 of this report, the TPS removed 9,766 out of a total of 15,180 entries relating to threatened or attempted suicide.
120. According to the RCMP, when it introduced the SIP-OB type and changed its policies in May 2015:
     

     Agencies were also required to remove any references to mental health or suicide from the CPIC system. Since that time, there has been a notable decrease in the number of records containing the MH or S record types and caution flags, from approximately 100,000 records in November 2014, to 3,500 records in December 2016. The RCMP continues to work with contributing agencies to eliminate the remaining MH and S records. It is worth noting that, with the replacement of the MH and S types by the OB type, only approximately 16,000 OB records have been added (recognizing that OB records also include a number of different types of public safety information).

121. This is certainly a step in the right direction. However, in order to better understand how contributing CPIC agencies interpret the current CPIC policies regarding the use and disclosure of information relating to attempted or threatened suicides, we invite the RCMP to report back to us within one year with updated numbers regarding the use of SIP-OB entries.

Conclusions

122. Throughout the course of our investigation, the RCMP continued to hold the position that the IPCO’s Mental Health Disclosure Test is too narrow in scope in that it requires a threat of violence and does not allow for the disclosure of information where the individual is believed to pose an ongoing risk to self. We are of the view that very limited information about an individual’s mental health and/or suicide risk can be shared with US border officials and only under the circumstances where the individual can reasonably be considered to present a risk to officer or public safety.
123. We find support for our conclusion that the complainant’s suicide attempt did not raise any public safety concerns in the fact that the TPS has since removed the CPIC entry connected to the complainant’s suicide attempt after reconsidering its approach to suicide-related information.
124. We are of the view that the CPIC policies relating to attempted suicides were unclear at the time the complainant was denied entry to the US and that they remain unclear. More concrete guidance is required in order to prevent indiscriminate and inconsistent practices with respect to sharing of suicide-related information with US border officials. As Canada’s national police force and signatory to the MOC, in our view, the RCMP is best placed to provide clear and specific guidance to CPIC agencies in this regard.
125. With the introduction of the SHARE USA function, it is possible for the RCMP to tailor guidance specifically to circumstances under which US authorities and border officials should be given access to such information. However, we do not agree that the SHARE USA should be set by default to share SIP-OB entries relating to suicide attempts with US border officials. We believe that the most appropriate option is for the RCMP to supress these entries by default and to develop clear policies detailing when a CPIC agency can opt to share this information with US border officials. We believe that sharing by default introduces a significant risk that sensitive personal information relating to mental health could be inadvertently shared across the border in a manner that is not consistent with the Act.

Other

126. During our investigation, we met with representatives of the Canadian Psychiatric Association (“CPA”) to discuss the CPA’s concerns with respect to the sharing of attempted suicide information via CPIC with US border officials. Subsequent to this meeting, we invited the RCMP to participate in a discussion with the CPA on this issue. The RCMP declined our invitation; however, the Director General of the CPI Centre advised that the RCMP would welcome opportunities to meet with the CPA or other mental health advocates outside of the scope of our investigation.
127. We therefore strongly encourage the RCMP to consult with mental health professionals and associations as it revises CPIC policies relating to SIP-OB entries.