Investigation into COVID-19 vaccination attestation requirements established by Department of National Defence for members of the Canadian Armed Forces

Complaints under the Privacy Act

May 29, 2023

---

Description

We examined whether the vaccination attestation requirements established by Department of National Defence (DND) for members of the Canadian Armed Forces (CAF) in response to the COVID-19 pandemic complied with the collection, use, and disclosure provisions of the Privacy Act (the Act); including whether access controls in DND’s Monitor MASS (Military Administration Support System) system were sufficient. Additionally, we examined the necessity and proportionality of the measures considering the circumstances under which they were established.

Takeaways

• DND had the authority to collect information on CAF members’ COVID-19 vaccination status under the National Defence Act and Part II of the Canada Labour Code; and uses and disclosures of such information were generally consistent with the purposes for which it was collected.
• For systems, such as DND’s Monitor MASS, which are used to house sensitive personnel information (including in this case COVID-19 vaccination status) centralized oversight of access permissions is important to avoid inappropriate access, without a valid purpose, to sensitive personal information.
• Though the principle of necessity and proportionality is not currently a requirement of the Privacy Act, limiting the collection of personal information to what is demonstrably necessary is a requirement of the TBS Directive on Privacy Practices. In this case we found that the collection of personal information under the measures implemented by DND for members of the CAF was necessary, effective, and proportional, under the circumstances.

---

Report of Findings

Overview

Following the Government of Canada's announcement in October of 2021 that federal public servants would be required to be fully vaccinated against COVID-19 and the Department of National Defence’s (“DND”) issuance of the CDS Directive on CAF COVID-19 Vaccination (“the CDS Directive”) which required members of the Canadian Armed Forces (“CAF”) to be fully vaccinated and attest to their vaccination status, our office received 16 complaints against DND/CAF.

Our office also received complaints against the Treasury Board of Canada Secretariat (“TBS”) and institutions of the core public administration (including one against DND by a civilian employee) as well as complaints against other public organizations that are not subject to TBS’s Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (“TBS’s Policy”) and instead have their own management authorities established under their institution’s legislation. Those complaints are addressed in separate reports.

Several complainants alleged that the collection of CAF members’ vaccination status, and in some cases religious or medical information in support of an accommodation request to be exempted from the requirements of the CDS Directive, was unreasonable. After investigation and analysis we found that DND/CAF’s collection of personal information under the CDS Directive complied with the requirement of section 4 of the Privacy Act (the “Act”) as it relates directly to DND operating programs or activities, namely, DND’s workplace health and safety responsibilities during a national emergency situation as a result of the COVID-19 pandemic.

Certain complainants alleged that DND/CAF’s use of personal information relating to their vaccination status was improper. We determined that the use of this information by DND/CAF was consistent with the purposes for which it had been collected and, as such, complied with section 7 of the Act.

Many complainants also raised concerns in relation to DND/CAF’s use of Monitor MASS to record members’ vaccination status. They alleged that access controls and permissions were insufficient to prevent unauthorized access to their personal information. We did not find any instances of inappropriate access to CAF members information; however, we recommended that DND/CAF implement measures to periodically validate that units properly review and revoke permissions that provide access to CAF members’ sensitive information in Monitor MASS. DND has declined to implement this recommendation.

Certain complainants also alleged that they had declined to provide DND/CAF with information relating to their vaccination status which resulted in them being identified as “Unvaccinated” in Monitor MASS. They alleged that this information was not an accurate reflection of their vaccination status, and that DND/CAF did not take all reasonable steps to ensure that the complainants’ vaccination status was accurate, up-to-date and complete. We determined that DND/CAF had, in fact, provided members with the opportunity, instructions, and tools necessary to ensure that information relating to their vaccination status was as accurate, up-to-date and complete as possible. CAF members who were unwilling to attest to their vaccination status could select as a reason “[u]nwilling to share vaccination status" to reflect their decision or status more accurately. This did not materially affect DND/CAF’s decision-making process with respect to imposing administrative consequences on CAF members who were unwilling to attest.

Based on the above, we concluded that the CDS directives were implemented in conformity with the legal requirements of the Act.

Additionally, although not a requirement under the Act, we also examined the principles of necessity and proportionality as they pertain to the collections established under the CDS directive. We determined that, in the context of the global COVID-19 pandemic, the CDS Directive was, overall, necessary and proportional given the emergency situation that existed; the real potential that CAF members would need to deploy within Canada and internationally; and, the role of the CAF in supporting the federal government’s response to the pandemic. Similar to other federal employers, DND/CAF has clear obligations under the Canada Labour Code to protect health and safety of its employees (i.e. CAF members) in the workplace and we are satisfied that based on the conditions and public health guidance at the time, that vaccination was the most effective method to prevent infection and serious disease from COVID-19 in order to ensure the health and safety of the Defence Team and the operational readiness posture of the CAF.

As such, we are satisfied that the CDS Directive addressed the necessity and proportionality principles in the context of the global COVID-19 pandemic.

Background

1. On 6 October 2021, the Government of Canada announced that all public servants in the core public administration would need to attest to being fully vaccinated against COVID-19 or be put on leave without pay unless accommodated for medical reasons or on the basis of a prohibited grounds of discrimination. These requirements were formalized for employees of the core public administration under TBS’s Policy.
2. The Canadian Armed Forces (CAF), which is supported by Department of National Defence (DND), and other separate federal public service employers were asked to implement substantially similar policies for their employees.
3. Subsequently, on 6 October 2021, the Chief of the Defence Staff (CDS) of the CAF issued the CDS Directive. This was supplemented on 15 November 2021 by the CDS Directive 002 on CAF COVID-19 Vaccination – Implementation of Accommodations and Administrative Action (“CDS Directive 002”). CDS Directive 002 was later amended on 2022 December 2021. These amendments provided details on additional flexibility for members in remote locations and those currently on operational deployments; and described additional requirements for the processing of requests for accommodation.
4. Under the Directive, all CAF members,^{Footnote 1} including those working from home, were required to attest to their COVID-19 vaccination status. Those who could not be vaccinated due to grounds protected under the Canadian Human Rights Act could request an accommodation. Failure by a member to disclose their vaccination status would result in “administrative consequences” which could include a recorded warning, counselling and probation, and an administrative review which could lead to release from the CAF. The same consequences would be imposed on CAF members who were not vaccinated after a grace period or those whose request for accommodation was denied if they remained unwilling to be vaccinated.
5. The Directive referred significantly to TBS’s Policy, including in matters relating to requesting an accommodation, in order to ensure alignment. In this regard, the CDS Directive and TBS’s policy, established similar requirements with similar objectives. It should be noted however that TBS’s Policy did not contemplate unvaccinated employees (or those who were unwilling to attest to their vaccination status) losing their jobs in the same manner in which CAF members could potentially be released from the CAF following an administrative review.
6. The Directive identified that the measures were being implemented, “in order to protect members of CAF and the Defence Team, and to demonstrate responsible leadership to Canada and Canadians through the Defence Team’s response to the pandemic”.^{Footnote 2}
7. In order to collect vaccination attestation information, CAF members were required to input their vaccination status into Monitor MASS, an operational human resource management application developed and operated by DND/CAF. For members who did not have access to Monitor MASS, paper forms could be submitted to the member’s supervisor who would then enter the information for the individual in Monitor MASS.
8. On 11 October 2022, the CDS issued CDS Directive 003 on CAF COVID-19 Vaccination for Operations and Readiness (“CDS Directive 003”), which superseded the previous CDS Directives on CAF COVID-19 Vaccination. While this directive provided certain conditions under which CAF members would not need to be fully vaccinated against COVID-19 (i.e. where vaccination is not required for operational readiness reasons), it retained the requirement that all CAF members would need to attest to their COVID-19 vaccination status.

Jurisdiction

9. Several complainants alleged that requiring vaccination and attestation of vaccination status constituted a contravention of their rights guaranteed by the Canadian Charter of Rights and Freedoms (“the Charter”), and that therefore the requirements were unlawful.  However, making findings on Charter compliance is outside of the scope of our Office’s jurisdiction and thus outside the scope of this report’s analysis.

Methodology

10. Given that DND/CAF was asked to align with the requirements of TBS’s Policy and that, as such, the policy largely informed the broad requirements of the related CDS directives, we have relied additionally upon TBS’s representations in relation to TBS’s Policy. We refer readers to the Report of Findings for our Investigation into COVID-19 vaccination attestation requirements established by the Treasury Board of Canada for employees of the core public administration for additional background and context.

Analysis

Issue 1: Was the information collected by DND/CAF related directly to an operating program or activity of the institution as required by the Act?

11. Several of the complainants allege that DND, pursuant to the Directive, required them to provide, on a mandatory basis, personal information relating to their COVID-19 vaccination status and, in certain cases in order to obtain an accommodation from these requirements, information about their religious beliefs or medical history. These complainants allege that this collection represents an unreasonable infringement of their privacy rights.
12. Section 4 of the Act requires that institutions only collect personal information about individuals if that information relates directly to an operating program or activity of the institution. These programs or activities are normally established through legislation which authorizes the program or activity in question. Section 4 does not require that a collection be “necessary”, just that there be “a direct, immediate relationship with no intermediary between the information collected and the operating programs or activities of the government.”^{Footnote 3}
13. While certain complainants alleged that their vaccination status was being collected without their consent, it should be noted that the Act does not include a general requirement that institutions obtain individuals’ consent for the collection of their personal information. We also note that vaccination status information was collected directly from CAF members; and, that members were informed, in the CDS Directive as well as in the Monitor MASS privacy notice, of the purpose of the collection, in accordance with section 5 of the Act.
14. DND responded that it collected members’ COVID-19 vaccination status in fulfillment of its responsibilities under the Canada Labour Code and that the collection related directly to ensuring the health and safety of CAF members in the workplace.
15. DND further indicated that the information was collected pursuant to sections 4 and 18 of the National Defence Act (NDA) in relation to the control and administration of the CAF; and, more specifically, in order to ensure the health and safety of the Defence Team and the operational readiness posture of the CAF.
16. We accept that the CAF has a unique role within the Government of Canada in responding to events within Canada and around the world; and that DND therefore has a need to understand whether individual CAF members are deployable and under which circumstances and limitations. Additionally, it is not always possible to foresee when or where individual CAF members, or their units, will need to be deployed.
17. In support of the Directive, DND submitted evidence from the Public Health Agency of Canada, dated 3 September 2021, demonstrating that among other things:
    1. The Delta variant of COVID-19, which was becoming dominant at the time, was more transmissible than previous variants and risked leading to more hospitalizations and deaths in the midst of what was then Canada’s fourth wave of the global pandemic; and,
    2. The approved COVID-19 vaccines were very effective at preventing severe illness, hospitalization and death.
18. Based on this evidence, we are satisfied that, at the time the Directive was put in place, the collection of information relating to the vaccination status of CAF members related directly to the responsibilities of DND to ensure the health and safety of CAF members and DND civilian employees in the workplace and to ensure the operational readiness posture of the CAF.
19. The Directive contemplated three potential vaccination status options for CAF members: “fully vaccinated”; “unable to be vaccinated”; and “unwilling to be vaccinated”. The last status would include those members who were either unvaccinated or vaccinated but unwilling to disclose their vaccination status, and were not approved for an accommodation under grounds defined in the Canadian Human Rights Act.
20. The Directive allowed for individuals to request an accommodation if they could not “be fully vaccinated due to a certified medical contraindication, religious ground, or any other prohibited ground of discrimination as defined in the Canadian Human Rights Act (CHRA)”.^{Footnote 4} Details for requesting accommodations were later specified in CDS Directive 002 on CAF COVID-19 Vaccination – Implementation of Accommodations and Administrative Action published in November 2021 and subsequently updated in CDS Directive 02 on CAF COVID-19 Vaccination – Implementation of Accommodations and Administrative Action – Amendment 1 in December 2021.
21. In order to request an accommodation on medical grounds, CAF members were required to provide information about their medical contraindications using forms completed and signed by a healthcare provider.^{Footnote 5} In order to request an accommodation on religious grounds, CAF members were required to “articulate the requirement for the religious request by sworn attestation using the GC affidavit form Religious Belief, explaining the basis of the religious nature of the exemption and why it prevents vaccination”.^{Footnote 6} Finally, in order to request an exemption based on grounds of discrimination under the CHRA, a member was required to “articulate the requirement for accommodation articulating the grounds of discrimination under the CHRA by using an affidavit, explaining the grounds for discrimination basis of the request and why it prevents vaccination”.^{Footnote 7}
22. We are of the view that collecting personal information to evaluate a request for accommodation under the Directive is directly related to a government institution’s responsibilities under the Canadian Human Rights Act to avoid discriminating against employees based on prohibited grounds of discrimination.^{Footnote 8} There is an immediate and direct relationship between this responsibility and collecting information from employees to justify their request for accommodation on the basis of one of these grounds. In this context, it is difficult to see how DND could be expected to make a decision about an accommodation request without obtaining additional information about the nature of the CAF member’s circumstances.
23. On 11 October 2022, the CDS issued CDS Directive 003 on CAF COVID-19 Vaccination for Operations and Readiness, which superseded the previous CDS Directives on CAF COVID-19 Vaccination. While this directive provided certain conditions under which CAF members would not need to be fully vaccinated against COVID-19 (i.e. where vaccination is not required for operational readiness reasons), it retained the requirement that all CAF members would need to attest to their COVID-19 vaccination status.
24. Based on the above, we conclude that the collections required under the Directive related directly to existing programs or activities, that being: (i) ensure the health and safety of the CAF members and civilian employees in the workplace; and, (ii) to ensure the operational readiness posture of the CAF. We found no instances of collections that were not directly related to implementing the Directive. Therefore, we find the allegations with respect to this issue to be not well-founded.

Issue 2: Was the use of the personal information collected under the Directive authorized under section 7 of the Act?

25. Some complainants alleged that DND’s use of information relating to their vaccination status, for the purpose of making a decision on the application of administrative consequences for unvaccinated individuals, was inappropriate.
26. Section 7 of the Act establishes the conditions under which information, collected by institutions, can be used. Specifically, subsection 7 (a) establishes that information can be used “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose.”
27. As identified earlier in this report, we accept that the purpose of collecting the vaccination status of CAF members relates directly to the responsibilities of DND to ensure the health and safety of CAF members and DND civilian employees in the workplace and to ensure the operational readiness posture of the CAF.
28. When connecting to Monitor MASS, users were presented with a screen informing them that:
    • “The purpose for collection and use of this information is to fulfill the responsibility of your supervisor to ensure the health and safety [of] CAF members. This is a requirement under the DM/CDS Directive – CAF COVID-19 Vaccination Policy.”
    • “The personal information collected will be used to confirm your vaccination status and to consider request for accommodation for those unable to be vaccinated. The personal information will be used, in conjunction with additional COVID-19 preventative measures, including rapid testing, to determine if you will be granted on-site access to the workplace and to determine whether you may report to work in person or remotely. Your personal information will also be used by your organization to monitor and report on the overall impact of COVID-19 and compliance with the vaccination policy”; and,
    • “Refusal to provide the requested information will result in administrative consequences such as CAF members being restricted in their employment until they are fully compliant.”
29. We did not encounter any evidence substantiating that DND’s use of the information collected was inconsistent with the purposes listed above; and, as such, we conclude that DND used the information for the purposes for which it was collected or in a manner consistent with those purposes. Accordingly, we find the allegations with respect to this issue not well-founded.

Issue 3: Did the use of Monitor MASS for collection and storage of CAF members’ vaccination status result in unauthorized disclosure of information?

30. Many complainants alleged that the access controls in Monitor MASS are insufficient and that, as a result, their information was at risk of inappropriate disclosure to other members of their units who had no requirement for access to such information.
31. Subsection 8 (1) of the Act requires that personal information under the control of an institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with the conditions identified in subsection 8 (2). Paragraph 8 (2) (a) allows for disclosure “for the purpose for which the information was obtained or compiled by the institution or for a use consistent with that purpose”.
32. The Monitor MASS User Guide^{Footnote 9} states that, “Monitor MASS (Military Administration Support System or MM) is an application used for operational human resource management in real time, which assists the Chain of Command (CoC) in the daily management of their personnel. Monitor Mass gathers information from different systems that affect the daily employment of the soldiers within a unit.” The User Guide also specifies that Monitor MASS is authorized for storage and processing of information up to the Protected B level (i.e. information whose unauthorized disclosure could reasonably be expected to cause serious injury outside the national interest, e.g. to individuals or businesses).
33. Monitor MASS is used by DND to collect and store COVID-19 vaccination status attestations from CAF members. Members are required to log into the system and input their vaccination status.
34. Details of a CAF member’s COVID-19 vaccination status can be viewed by individuals within the member’s chain-of-command (i.e. supervisors/managers) at the unit who have the “View Sensitive Data” privilege enabled for their account in Monitor MASS.
35. In our discussions with members of the Military Command Software Centre (“MCSC”), which is the team responsible for developing, managing and maintaining the Monitor MASS application for DND, we were informed that privilege management (including the ability to access sensitive data about CAF members) is typically delegated to the unit level and such decisions are the responsibility of the unit Commanding Officer (“CO”), or Officer in Charge (OC - for smaller/subordinate CAF units). Privileges at the unit level are implemented by the unit’s Monitor MASS administrator on behalf of the CO/OC. As such, privilege management is significantly decentralized in Monitor MASS.
36. Members of the MCSC indicated to us that this decentralized approach is by intent and that it enables individual units to determine which roles and permissions to assign to their members in a way that best meets the unit’s individual circumstances. We accept that, to a certain extent, individual units will have differing needs depending on that nature of the unit’s role, composition and the environment or command under which they exist (e.g. Canadian Army, Royal Canadian Navy, Royal Canadian Airforce, Special Operations Command); and that such needs may change over time depending on the unit’s deployment status and staffing levels.
37. We believe however that it is prudent in such a decentralized model to ensure that robust central audit and oversight activities are in place to validate that individual units and commands are properly exercising their responsibilities to grant permissions and revoke them when individuals move on or when the permissions are otherwise no longer required.
38. DND advised us in their representations that on 12 January 2022, the Senior Officer responsible for the MCSC emailed a communiqué to command and unit Monitor MASS administrators reminding them of the need to use Monitor MASS’ data access/privacy controls to support their unit’s “functional requirements and to ensure appropriate protection of privacy controlled data”. The communiqué also reminded administrators of the need to “ensure that governance policies are in place with one or more appointed Administrators in Monitor MASS who have a high level of understanding of the roles when providing permissions.” Finally, units were advised to “conduct a review of the ‘View Sensitive Data’ privilege for each member to ensure access to information is an essential requirement in the performance of their duties.”
39. While we view the direction in the communiqué as appropriate under the circumstances, we did not find any evidence that MCSC followed up with Monitor MASS administrators to validate that they had taken action, nor was there any evidence that MCSC had collected any metrics to determine the extent to which this action was implemented and effective. As such, from a management perspective, it is unclear whether the communiqué achieved its intended outcomes.
40. Given the decentralized access control/privilege management model in use for Monitor MASS, and in consideration of the sensitivity of the information stored in Monitor MASS (including members’ COVID-19 vaccination status), we recommended that DND/CAF establish measures to periodically validate that: (i) individual commands and units have implemented and maintain appropriate governance policies for permissions management within the units; and, (ii) units are regularly reviewing ‘View Sensitive Data’ privileges assigned to members within the unit as well as for those transferring out of the unit. This will help to support CAF members’ privacy and maintain the “need-to-know” principle.
41. DND declined to implement our recommendation. DND has responded to our recommendation indicating that in their view the measures that are in place ‘provide sufficient assurance that access controls are managed and monitored and that the management of personal information within Monitor MASS respects the privacy rights of CAF members.’ We do not feel that the measures described by DND provide sufficient assurance that privileges allocated at the unit level in Monitor MASS are implemented in accordance with DND’s direction; and we are not confident that these privileges are being appropriately monitored and controlled by DND. As such, we feel that this remains a risk to the privacy of CAF members. We urge DND to implement the recommendation.
42. We did not find any evidence, nor was there any specific examples raised, of actual inappropriate disclosures of CAF members’ COVID-19 vaccination status through Monitor MASS. Therefore, we find the allegations relating to insufficient access controls in Monitor MASS leading to inappropriate disclosures is not well-founded.

Issue 4: Did DND take reasonable steps to ensure that personal information that was used for determining the COVID-19 vaccination status of CAF members was accurate?

43. Some complainants allege that they declined to submit a vaccination status attestation in the form and manner specified by DND/CAF, or that they declined to submit a vaccination status attestation altogether; and that, as a result, their vaccination status in Monitor MASS was set to indicate that they were “unvaccinated”. They allege that this resulted in the collection, retention and use of inaccurate data about the members. They further allege that, as a result, DND/CAF used inaccurate information in making decisions relating to the application of administrative consequences.
44. Subsection 6 (2) of the Act requires that institutions take all reasonable steps to ensure that any personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
45. It appears that CAF members were reasonably informed of the manner and process to follow to set their own vaccination status in Monitor MASS. DND/CAF communicated to CAF members, via the CDS directives, the process to follow as well as the possible vaccination statuses, and their meanings. Members were also provided the necessary tools to ensure that their status was properly and accurately entered into Monitor MASS. Even if members had no personal access to Monitor MASS on their own, DND/CAF provided an alternative method in the way of a paper form that the complainants in this matter could have used to communicate their correct vaccination status to their supervisor.
46. Individuals who were unwilling to attest to their vaccination status were required to select “unvaccinated” in Monitor MASS, when in fact this may not have been a true representation of their status. However, Monitor MASS also included a “reason” field which would permit those individuals to indicate that they were “[u]nwilling to share vaccination status".
47. Although subsection 6(2) of the Privacy Act has not attracted a large volume of jurisprudence, a comparable provision in Alberta’s Health Information Act (R.S.A. 2000 c. H-5, s. 61) has been interpreted as requiring that sufficiently accurate “for the purpose for which it will be used or disclosed.”^{Footnote 10}
48. In practice, the coding applied (i.e. “Unvaccinated” rather than only indicating that the individual is unwilling to attest) does not appear to have affected the decision-making process in the sense that both those who are unwilling to be vaccinated and those unwilling to attest were subject to the same administrative consequences. Additionally, the “reason” field did provide a further clarification to enable an accurate representation of members’ vaccination status.
49. Notwithstanding the decision-making neutrality of the coding, it would have been optimal, and more clear, to provide employees the ability to select a field indicating “unwilling to attest”, thus avoiding any ensuing confusion.
50. Based on this, we have determined that DND/CAF did take reasonable steps to ensure that the complainants’ vaccination status were accurate, up-to-date and complete. As such we find the allegations relating to this issue not well-founded.

Other

Was the information collected necessary and proportional?

51. Our office also considered the necessity and proportionality of the vaccine mandates and the vaccination attestation measures put in place by federal institutions during the COVID-19 pandemic. Given that DND/CAF and other federal separate employers were asked to align with TBS’s Policy, our analysis here focuses largely on any significant differences between the necessity and proportionality for the CAF and the core public administration.
52. To guide institutions in considering necessity and proportionality, our Office advocates a four-part test^{Footnote 11} that calls for institutions to ask themselves the following questions when establishing particularly privacy-invasive programs and services:
    • Is the measure demonstrably necessary to meet a specific need?
    • Is it likely to be effective in meeting that need?
    • Is there a less privacy-intrusive way of achieving the same end?
    • Is the loss of privacy proportional to the need?
53. With respect to the first point of the four-part test, necessity, we have considered that the requirements were instituted during the global COVID-19 pandemic which represented an exceptional set of circumstances to which the Government of Canada and the CAF, more specifically, had to respond. We are satisfied that the measures mandated under the CDS Directive were connected to the pressing and substantial goals of ensuring the health and safety of CAF members in the workplace and maintaining the operational capability and deployability of the Canadian Armed Forces. DND further explained in their representations to our office that vaccination was also intended to help mitigate the risk of transmission of the virus to vulnerable groups that the CAF was called upon to serve in the context of the pandemic.
54. With respect to the second part of the test, DND provided evidence that the CDS Directive was based on public health advice from the Public Health Agency of Canada and scientific studies; and aligned with the requirements established in TBS’s Policy for the core public administration. Based on the information provided by DND as well as our analysis in the context of our investigation of the requirements established for employees of the core public administration, we are satisfied that a vaccination mandate was effective in meeting the objectives; and, that the collection of information relating to members’ vaccination status to implement this mandate was therefore effective in meeting the objectives that were established under the CDS Directive.
55. With respect to the third element of the test, the necessity and proportionality principle requires a consideration of whether less privacy-intrusive measures could achieve the same end. This element requires DND to demonstrate that less privacy-intrusive measures would not have been able to achieve their important objectives of protecting the health and safety of its employees. We were not provided with any significant information that DND had considered any potential less intrusive alternatives (such as rapid testing). However, we are satisfied, as with our investigation relating to the core public administration, that other alternatives, including rapid tests, would not have been as effective in the circumstances to ensure that individuals who attended onsite workplaces were protected from COVID-19.
56. As detailed in our report of findings in relation to vaccination attestation requirements for the core public administration, we received analysis from the Public Health Agency of Canada, supported by references to external evidence, demonstrating that at the time DND/CAF put the CDS Directive in place there was a substantial body of evidence on the efficacy of vaccines for protecting individuals coming into contact with others, such as in a shared workspace, from severe illness. As in our report of findings in relation to vaccination attestation requirements for the core public administration, we accept that vaccination was demonstrated, at that time, to be the most effective means to ensure that individuals who attended onsite workplaces were protected from COVID-19.
57. However, we also noted that Court and tribunal decisions that have considered vaccine requirements to date have emphasized the importance of assessing the relevant operating context, including whether employees work onsite or from home.^{Footnote 12}
58. In fact, we acknowledge that CAF members could, at any time, be required to be present on-site on an ad hoc basis for operational needs; and that the CAF, in particular, may be called upon to rapidly deploy domestically and internationally in response to threats, emergencies and disasters into jurisdictions that may have differing requirements for COVID-19 vaccination. We accept that it is not possible to know with certainty in advance when the CAF may be called upon to deploy, although there are individuals and units that are on heightened states of readiness.^{Footnote 13} We also acknowledge that bringing unvaccinated individuals up to full vaccination status is not something that can be done quickly on an ‘as-needed’ basis. As such, given the pandemic conditions at the time, we find that it was reasonable for DND/CAF to require that all members either become fully vaccinated or request an accommodation from the requirements of the CDS Directive. Additionally, we accept that in order to know which personnel are deployable that collecting the vaccination status for all members was, and remains, a reasonable and effective approach for DND/CAF.
59. With respect to the fourth part of the four-part test: is the loss of privacy proportional to the need, we would expect DND to be able to demonstrate that the potential privacy impacts to CAF members, resulting from the collection of information relating to their COVID vaccination status, were proportional to the benefits that would result from the collection.
60. The CDS Directive required the disclosure of limited information about CAF members’ vaccination status, information that at the time the CDS Directive was first instituted, was also required to be disclosed to access many services in a number of provinces, including restaurants. In fact, the CAF did collect this information prior to the COVID-19 pandemic in relation to members’ vaccination status against other illnesses. Nevertheless, it remains medical information (sensitive by nature) and in certain cases could entail the disclosure of additional sensitive personal information for employees making accommodations requests. This loss of privacy must be measured against the benefits of the CDS Directive.
61. For the reasons set out in the assessment of the first and third elements, we are satisfied that the benefits of the CDS Directive included: to ensure that the CAF remained prepared and resourced to meet operational imperatives; to protect the health and safety of the Defence Team; and to mitigate the risk of transmission of the virus to vulnerable groups that the CAF could be, and were, called upon to serve in the context of the global pandemic.
62. When measured against these objectives, we find that the loss of privacy was proportional to the benefits in the context of this emergency situation.
63. Based on the evidence and representations before us, we are satisfied that the CDS Directive addressed the necessity and proportionality requirements.

Conclusion

64. We conclude that the CDS directives were implemented in conformity with the legal requirements of the Act. The complaints examined in this report are therefore not well-founded.
65. We did however recommend that DND/CAF implement measures to periodically validate that units properly review and revoke permissions that provide access to CAF members’ sensitive information in Monitor MASS. DND declined to implement this recommendation. We urge DND to do so.

Appendix 1 – Listing of vaccination attestation information collected by respondents

DND has indicated that the following vaccination attestation-related information is collected in Monitor MASS:

• CAF member’s name
• CAF member’s service number
• Attestation:
  • Fully vaccinated (date – second dose)
  • Partially vaccinated (date – first dose)
  • Unvaccinated requesting accommodation due to:
    • A certified medical contraindication or disability;
    • A religious belief that prohibits full vaccination; or
    • An inability to be vaccinated based on a ground of discrimination under the Canadian Human Rights Act.
  • Unvaccinated:
    • Unwilling to share vaccination status;
    • Unwilling to be vaccinated;
    • Unwilling to comply with the CDS Vaccination Directive (policy); or
    • Accommodation request denied.
  • Attestation not completed
    • Reason – LWOP (leave without pay)/MATA/PATA (maternity/parental leave)/Release/Unreachable.