Canada Border Services Agency over-discloses personal information to the Information Commissioner in relation to an ATIA request

Complaint under the Privacy Act

December 2, 2022

---

Description

An individual complained that Canada Border Services Agency (“CBSA”) submitted too much information to the Information Commissioner (“IC”) in support of its ultimately unsuccessful request for the IC to allow CBSA to decline to respond to the complainant’s access to information requests under provisions added to the Access to Information Act (“ATIA”) in 2019. Specifically, CBSA disclosed not just information about the access requests in question and the complainant’s previous access requests, but also sensitive labour relations material about the complainant that was originally collected or generated by CBSA for an entirely different purpose.

Takeaways

• To disclose personal information as a “consistent use” under paragraph 8(2)(a) of the Privacy Act (the Act), the disclosure must be for a consistent use with the original purpose for which it was collected by the federal institution.
• Personal Information that an Access to Information and Privacy (ATIP) Unit gathers to respond to an access or personal information request will generally have been collected or created by the institution for purposes unrelated to access to information. Therefore, it should not be disclosed under paragraph 8(2)(a) in support of a request to the IC to decline to respond to an access request (even if, in the opinion of the institution, it could be relevant).
• Personal information originally collected by the institution for the purpose of responding to an individual’s access requests, such as the nature and frequency of their requests and their interactions with the ATIP Unit, is a different matter. This type of personal information can generally be disclosed to the IC under paragraph 8(2)(a) for the purpose of determining how/if to respond to those requests, as this would generally constitute a consistent use with the original purpose of collection by the institution.

---

Report of Findings

Overview

1. The complainant, a previous CBSA employee, alleged that the CBSA contravened the disclosure provisions of the Act when it included their personal information in a request to the IC for approval of CBSA to decline to act on two ATIA requests. Specifically, the CBSA appended seven items in support of its five-page letter, including information pertaining to (i) the two requests at issue, (ii) other ATIP requests that the complainant had submitted, and (iii) the report from a review of workplace events (the “Review Report”) involving the complainant.
2. CBSA argued that disclosure was permitted in accordance with paragraph 8(2)(a) of the Act because much of the personal information had been initially collected by the CBSA in the context of workplace conflict. It went on to say that the disclosure was “made in the context of the CBSA seeking the IC’s approval to exercise an ATIA power, following the ATIP requests made by [the complainant] to obtain [their] personal information in relation to the conflict.
3. Based on the above facts, we believe that there is a direct connection between the purpose of collection and the use of the personal information in the context of 6.1 of the ATIA, so that [the complainant] should have reasonably expected that [their] personal information could be used in the proposed manner.”
4. At issue therefore is whether the CBSA respected Section 8 of the Act, in this case, paragraph 8(2)(a) which permits the disclosure of information without the consent of the individual where the disclosure is “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.” As per jurisprudence, and the Treasury Board Secretariat (TBS) guidance, “consistent uses” must have a sufficiently direct connection to the original purpose for which the information was obtained such that an individual would reasonably expect it to be used in this manner^{Footnote 1}.
5. After consideration of the facts, we found that the disclosure to the IC of information that the CBSA collected in the course of administering the ATIA to be a consistent use. However, we determined that the disclosure of the Review Report was not a consistent use and therefore contravened the Act. Accordingly, we recommended that the CBSA develop guidance to assess the merits of a ‘consistent use disclosure’ to other government institutions.
6. Upon its review of a Preliminary Report of Finding on the matter, the CBSA disagreed with our finding and was unwilling to commit to implementing our recommendation. We therefore consider the matter to be well-founded and not resolved. We are concerned that in light of this position, future similar disclosures in contravention of the Privacy Act could recur and call on CBSA to reconsider and implement the recommendation.

Background

7. The complainant has been involved in internally and externally led CBSA investigations/reviews pertaining to harassment and workplace violence. CBSA subsequently conducted a review.
8. Two years later, the complainant, still a CBSA employee at the time, submitted two ATIA requests to CBSA. The CBSA ATIP Coordinator sent a request to the IC to seek the complainant’s approval to decline to act on these two requests, pursuant to subsection 6.1(1) of the ATIA. In support of the five-page letter, CBSA appended seven items, including: (i) the details of the two requests at issue, (ii) other ATIP requests that the complainant had submitted, and (iii) the Review Report. In its letter to the IC, the CBSA explained that they needed to “protect CBSA employees from what [they] believe to be continued vexatious requests,” and that it “believes that there are motives behind the requests other than obtaining access to information.”
9. Subsection 6.1(1) of the ATIA states that, “With the Information Commissioner’s written approval, the head of a government institution may, before giving a person access to a record or refusing to do so, decline to act on the person’s request if, in the opinion of the head of the institution, the request is vexatious, is made in bad faith or is otherwise an abuse of the right to make a request for access to records.”
10. The Office of the Information Commissioner’s (OIC) web site sets out the process for seeking the IC’s approval to decline to act on an access request^{Footnote 2}, as well as the OIC’s interpretation of section 6.1 of the ATIA^{Footnote 3}.
11. The IC’s decision explained that the “application is denied and the CBSA is required to act on the access request.”

Analysis

12. As noted above, paragraph 8(2)(a) of the Act permits an institution to disclose personal information, without consent, for “the purpose for which the information was obtained or for a use consistent with that purpose.” For a disclosure to be for a “consistent use” it must have a sufficiently direct connection to the original purpose for which the information was obtained such that an individual would reasonably expect it to be used in this manner^{Footnote 4}.
13. The complainant contends that the supporting documentation disclosed by CBSA in its letter to the IC was confidential.
14. During the course of our investigation, both parties provided a copy of the May 4th letter sent to the IC with the appendices.
15. In the letter to the IC, the CBSA explained, among other things, that there were concerns about the complainant’s requests being submitted under both the ATIA and the Privacy Act, thereby increasing the burden on CBSA in responding to her voluminous and duplicative requests. It also opined that the complainant’s ATIP requests demonstrated “a clear pattern of abuse of the ATIA.”
16. With respect to the disclosure, the CBSA initially explained that it believed the disclosures were for a ‘consistent use’ for the original purpose of collection and therefore permissible under paragraph 8(2)(a) of the Act. Specifically, it argued that the information was initially collected in the context of the workplace conflict, and that the subsequent disclosure to the IC was connected to that original purpose because it was made to determine how to handle the complainant’s request for the complainant’s personal information pertaining to that conflict. As described below, we disagree that the purpose of the disclosure was for a consistent use with the original purpose of collection because the purpose of addressing workplace violence is substantially distinct from the purpose of requesting a decision from the IC to decline to act on an ATIA request under section 6.1 of the ATIA.
17. The CBSA later altered its argument, claiming that while the personal information in the workplace violence report disclosed to IC was originally compiled by CBSA for the purpose of addressing a workplace violence, the CBSA’s ATIP Office obtained it for the purpose of responding to the complainant’s access request. It argued that the disclosure to IC was therefore consistent as it was for the purpose of administering the ATIA.
18. With respect to this argument, paragraph 8(2)(a) of the Act is clear that any ‘consistent uses’ must be “for the purpose for which the information was obtained or compiled by the institution…” [emphasis added]. I.e., it is the original purpose for which the information was obtained by the institution that matters for determining whether a disclosure is for a “consistent use” - not the purpose for which any individual unit within the institution subsequently collected the information. We therefore did not further consider this second argument by the CBSA.
19. The CBSA contended that “only as much personal information as was necessary to set out the case for the IC was provided … per the OIC’s process on requesting the IC’s approval to decline to act on a request, there is only one opportunity to provide representations. Therefore, the CBSA had to balance the disclosure of personal information against providing sufficient information for the IC to make an informed decision.”
20. It is good practice to minimize the amount of personal information disclosed in any particular situation. However, under the Privacy Act, as noted above, the test for whether a disclosure without consent is permissible under paragraph 8(2)(a) is not whether an institution believes the disclosure was necessary for a given purpose, but whether the disclosure for that purpose is sufficiently directly related to the original purpose of collection such that an individual would reasonably expect it.
21. Upon review of the appendices included in support of the request to decline to act, we confirmed that Annexes A and B, and D through G is the information that CBSA collected in the course of administering the complainant’s access requests. More specifically, the content contained in these annexes includes: (i) the ATIA requests in question as well as (ii) previous ATIP requests, (iii) correspondence with the requester related to the processing of their requests, (iv) correspondence from someone named in an ATIP request related to the retrieval/processing of requests, and (v) the requester’s contact information. In our view, the disclosure to the IC of this information, that was originally collected by the CBSA for the purpose of responding to the complainant’s access requests, can reasonably be considered to be for a “consistent use” in this case. This is because the disclosure was done to seek IC approval (under section 6.1. of the ATIA) with respect to how to respond to the complainant’s access request.
22. However, the disclosure to IC also included, in Appendix C, a Review Report, which was completed externally of previous investigations/reviews pertaining to harassment and workplace violence and “related management and Human Resources actions.”
23. We do not agree that disclosure to the IC of the personal information in the above report is for a consistent use with the purpose for which the institution obtained or complied the information, as CBSA’s original purpose for collection – addressing workplace conflict – is distinct from the purpose of responding to access requests under the ATIA.
24. We therefore find that the CBSA contravened section 8 of the Act when it disclosed the Review Report to the IC.
25. Consequently, we recommended to the CBSA that within nine months of the issuance of this report, it develop guidance that includes a clear process by which CBSA officials assess the merit of proposed consistent use disclosures of personal information to other government institutions.
26. The CBSA did not accept the findings of this report and did not agree to implement our recommendation. We are concerned by the CBSA’s unwillingness to date to implement corrective action to address the contravention our investigation identified. We call on the CBSA to reconsider, and to demonstrate the implementation of the recommendation to the OPC, by providing a copy of the above-noted guidance within 9 months.