Canada Border Services Agency (Re), 2025 OIC 16
Date: 2025-03-10
OIC file number: 5822-05416
Access request number: ZA-2023-11566 (A-2022-15630)
Summary
The complainant alleged that the Canada Border Services Agency (CBSA) had improperly withheld information under subsection 16(2) (facilitating the commission of an offence) and paragraph 20(1)(d) (negotiations by a third party) of the Access to Information Act in response to an access request. The request was for assessments of cybersecurity and data breach risks associated with the ArriveCAN application. The allegation falls under paragraph 30(1)(a) of the Act.
During the investigation, CBSA disclosed portions of the assessments it had withheld under subsection 16(2) and paragraph 20(1)(d). CBSA continued to withhold other information under subsection 16(2) and also decided to exempt information under subsection 19(1) (personal information).
The Information Commissioner concluded that some of the information CBSA continued to withhold did not meet the requirements of subsection 16(2). She also concluded that CBSA did not determine, as is required when information meets the requirements of subsection 19(1), whether circumstances existed that would mean it would have to exercise its discretion to decide whether to disclose this information.
The complaint is well founded.
The Commissioner issued an initial report with her intended orders. In response, CBSA provided additional representations in support of its application of subsection 16(2) and disclosed more records. The complainant indicated they were satisfied with the information. Therefore, no order was necessary.
The Commissioner reminded CBSA that receiving an initial report is not an opportunity to present new information or new representations on the outcome of the complaint. Institutions are required to give their best and full representations during the investigation. When the initial report is issued, the investigation is complete and the Commissioner has made her decision on the outcome of the complaint.
Complaint
[1] The complainant alleged that the Canada Border Services Agency (CBSA) had improperly withheld information under subsection 16(2) (facilitating the commission of an offence) and paragraph 20(1)(d) (negotiations by a third party) of the Access to Information Act. This was in response to an access request for assessments of cybersecurity and data breach risks associated with the ArriveCAN application. The allegation falls under paragraph 30(1)(a) of the Act.
Investigation
[2] When an institution withholds information related to a third party, the third party and/or the institution bear the burden of showing that refusing to grant access is justified.
[3] The Office of the Information Commissioner (OIC) gave the third party, KPMG, the opportunity under paragraph 35(2)(c) to provide representations showing why the information should not be disclosed. KPMG noted that they are contractually and professionally prohibited from consenting to the disclosure of the information; however, they did not provide any representations in support of the application of paragraph 20(1)(d) to the withheld information.
[4] On September 13, 2024, CBSA disclosed portions of the security assessments, which it had withheld under subsection 16(2) and paragraph 20(1)(d) when it responded to the access request. CBSA continued to withhold the remaining information under subsection 16(2). CBSA also decided to rely on subsection 19(1) to withhold information.
[5] The following analysis relates to the remaining information at issue.
Subsection 16(2): facilitating the commission of an offence
[6] Subsection 16(2) allows institutions to refuse to disclose information that, if disclosed, could reasonably be expected to facilitate the commission of an offence.
[7] To claim this exemption, institutions must show the following:
- Disclosing the information (for example, information on criminal methods or techniques, or technical details of weapons, as set out in paragraphs 16(2)(a) to (c)) could facilitate the commission of an offence.
- There is a reasonable expectation that this harm could occur—that is, the expectation is well beyond a mere possibility.
[8] When these requirements are met, institutions must then reasonably exercise their discretion to decide whether to disclose the information.
Does the information meet the requirements of the exemption?
[9] CBSA withheld portions of cybersecurity reviews of various elements of the ArriveCAN application, including intranet and internal network addresses. CBSA also withheld the security risk levels in various versions of the security authorization for COVID-19 contact tracking.
[10] During the investigation, CBSA explained that it withheld intranet and internal network addresses as they reveal the layout and structure of its internal network. Should a malicious actor gain access to the network, the addresses at issue could provide a roadmap that would reduce the time taken to obtain sensitive information. While CBSA’s systems are designed to detect and cut off external intrusions, an equally important line of defence is to ensure that someone who accesses the system even momentarily is unable to navigate the network rapidly based on preexisting knowledge of the internal structure. As a result, CBSA states that the release of this information could reasonably be expected to facilitate the commission of the offence of hacking.
[11] Based on the above, I accept that the release of this information could reasonably be expected to facilitate the commission of an offence.
[12] Regarding the information withheld within the cybersecurity reviews and security authorizations, during the investigation, CBSA noted that large portions of the records in question pertain to its information technology (IT) security assessments of the ArriveCAN application and operating environment. CBSA claims that the exempted information discloses the specific vulnerabilities identified during these assessments. If released, this information could be used by malicious actors as a roadmap outlining the system’s vulnerabilities to penetrate the application. As a result, CBSA believes that if it were to release this information, it is reasonable to believe that it could be used to facilitate the offence of hacking and, should this occur, the personal information of millions of individuals would be vulnerable.
[13] I accept that disclosure of the portions of the records that identify specific security vulnerabilities could reasonably be expected to facilitate the commission of an offence.
[14] That said, other information was withheld within the records that does not appear to meet either of the above-noted categories of information. Such information includes but is not limited to statements related to asset identification and valuation, lists of components involved in the risk assessments and summaries of changes made, names of reference documents and portions of the executive overviews. CBSA did not provide any representations during the course of the investigation to demonstrate that subsection 16(2) applies to this specific information.
[15] As a result, I am not convinced that disclosure of all of the withheld information could reasonably be expected to facilitate the commission of an offence, nor that the expectation of harm is well beyond mere possibility. Consequently, I conclude that portions of the information do not meet the requirements of the exemption.
Did the institution reasonably exercise its discretion to decide whether to disclose the information?
[16] Since portions of the information meet the requirements of subsection 16(2), CBSA was required to reasonably exercise its discretion to decide whether to disclose the information. In doing so, CBSA had to consider all the relevant factors for and against disclosure.
[17] CBSA does not have to provide a detailed analysis of each factor it considered and explain how it weighed one against the other. However, a blanket declaration that it had exercised its discretion and considered all relevant factors is not sufficient.
[18] CBSA’s representations demonstrate that it considered all relevant factors, including the purpose of the Act, the public interest in disclosure, the public interest in preserving the integrity of the government’s computer systems and the public availability of the information.
[19] In light of the above, I conclude that CBSA reasonably exercised its discretion when it decided not to disclose the information that meets the requirements of subsection 16(2).
Subsection 19(1): personal information
[20] Subsection 19(1) requires institutions to refuse to disclose personal information.
[21] To claim this exemption, institutions must show the following:
- The information is about an individual—that is, a human being, not a corporation.
- There is a serious possibility that disclosing the information would identify that individual.
- The information does not fall under one of the exceptions to the definition of “personal information” set out in paragraphs 3(j) to 3(m) of the Privacy Act (for example, business contact information for public servants).
[22] When these requirements are met, institutions must then consider whether the following circumstances (listed in subsection 19(2)) exist:
- The person to whom the information relates consents to its disclosure.
- The information is publicly available.
- Disclosure of the information would be consistent with section 8 of the Privacy Act.
[23] When one or more of these circumstances exist, subsection 19(2) of the Access to Information Act requires institutions to reasonably exercise their discretion to decide whether to disclose the information.
Does the information meet the requirements of the exemption?
[24] CBSA applied subsection 19(1) to withhold the pictures and contact information of two KPMG employees on page 50 of the records.
[25] I am satisfied that the information is about individuals, that disclosing it could result in these individuals being identified, and that it does not fall under any of the exceptions set out in the Privacy Act.
[26] In light of the above, I conclude that the information meets the requirements of subsection 19(1).
Did the institution reasonably exercise its discretion to decide whether to release the information?
[27] Since the information meets the requirements of subsection 19(1), CBSA was required to reasonably exercise its discretion under subsection 19(2) to decide whether to disclose the information when one or more of the circumstances described in subsection 19(2) existed when it responded to the access request.
[28] Under paragraph 19(2)(a), CBSA was required to determine whether the individuals whose information appears in the records provided consent to disclosure (Fontaine v. Royal Canadian Mounted Police, 2009 FCA 150 at paragraph 26). The court in Fontaine recognized that while there may be practical difficulties when seeking consent from individuals, the institution is obliged to “make reasonable efforts” to seek such consent.
[29] CBSA did not provide any representations during the course of the investigation as to whether it made reasonable efforts to seek consent from the individuals. In light of this, I must conclude that CBSA did not show that it has determined whether the circumstances set out in paragraph 19(2)(a) existed, which prevented CBSA from exercising its discretion when appropriate.
[30] Under paragraph 19(2)(b), CBSA’s discretion would have been triggered if any of the personal information was publicly available.
[31] CBSA did not provide any representations during the course of the investigation to demonstrate that it considered whether portions of the personal information within the records were publicly available. Consequently, I must conclude that CBSA did not show that it had reasonably exercised its discretion under paragraph 19(2)(b).
[32] Finally, discretion is also triggered under paragraph 19(2)(c) when the disclosure would be in accordance with section 8 of the Privacy Act. In this case, I conclude that the circumstances set out in paragraph 19(2)(c) did not exist when CBSA responded to the access request. Consequently, there is no need to examine the issue of discretion under paragraph 19(2)(c).
Outcome
[33] The complaint is well founded.
Initial report and notice from institution
On January 17, 2025, I issued my initial report to the Minister of Public Safety and Emergency Preparedness setting out my orders:
- Disclose all redacted information that does not meet the requirements of subsection 16(2) as described in my report. The information that must be disclosed can be found on pages 59, 70, 73, 92, 104, 105, 113, 176, 187, 195, 265, 282, 302, 451, 454, 456, 465, 466, 470, 471, 472, 479, 480, 566, 664, 679, 760, 764, 771, 779, 818 and 831-832.
- Determine whether the circumstances in paragraphs 19(2)(a) and (b) exist and, if they do, reasonably exercise discretion to decide whether to release the information.
On February 13, 2025, CBSA disclosed to the complainant additional information it had previously withheld.
On February 20, 2025, the CBSA’s Director General and Chief Privacy Officer provided me with notice that an additional disclosure of information had been made to the complainant. CBSA also provided additional representations explaining how the remaining information met the requirements of subsection 16(2), despite my clear indication that my initial report was not to solicit further representations and that no new representations would be considered as my investigation was complete and I had made my finding on the complaint.
On March 1, 2025, the complainant, who had been informed of the content of my order on October 29, 2024, indicated that they were now satisfied with the information that had been disclosed.
Accordingly, an order is no longer necessary.
Nonetheless, I wish to reiterate that the issuance of my initial report, under subsection 37(1), is not a further opportunity for institutions to provide new or additional representations. All my initial reports clearly state that this is not an opportunity for additional representations. These reports further explain that at that point the investigation is complete, and I have made my decision on the outcome of the complaint.
Institutions are required to give their best and full representations during the investigation, not after the issuance of my initial report. Paragraph 35(2)(b) specifies that the reasonable opportunity to provide representations is to be given to institutions during the course of the OIC’s investigation of a complaint. The Act does not envision that following the issuance of my initial report, institutions are further authorized or entitled to provide additional representations and/or raise additional bases for refusing access.
Paragraph 37(1)(c) expressly states that, on receipt of my initial report, institutions shall notify me of the action taken or proposed to be taken to implement my order or recommendation or the reasons why no such action has been taken or is proposed to be taken. The notice is also not an opportunity to submit new or additional arguments for withholding the information at issue. The purpose of this notice is solely to inform complainants of the institutions’ intentions in relation to my orders, as I am required by paragraph 37(3)(a) to include in my final report a summary of any notice given to me.
In any event, section 34 gives me the authority to determine the procedure to be followed in the performance of any duty or function in carrying out my investigations within the parameters set out in the Act. This procedure cannot reasonably involve a relaunching of my investigation as a result of representations made by an institution following the issuance of my initial report.
As emphasized by the Federal Court in Information Commissioner of Canada v. Toronto Port Authority and Canadian Press Enterprises Inc., 2016 FC 683 (paragraph 72), to impose an obligation on me to relaunch the investigation when the investigation is complete would:
(1) frustrate the investigation process; (2) be contrary to the duties imposed upon government institutions under subsection 4(2.1) and paragraph 10(1)(b) of the ATIA to make every reasonable effort to assist requesters and to identify the specific provision of the ATIA for a refusal, respectively; (3) undermine the Commissioner's role as the master of her own process; and (4) potentially undermine the quasi-constitutional right of timely access.
I trust that the CBSA and other institutions subject to the Act will abide by the above when providing representations during the course of the OIC’s investigations. Doing so ensures that the investigation process remains as efficient as possible and that the rules of procedural fairness are followed.
Review by Federal Court
When an allegation in a complaint falls under paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant has the right to apply to the Federal Court for a review. When the Information Commissioner makes an order(s), the institution also has the right to apply for a review. The complainant and/or institution must apply for a review within 35 business days after the date of this report. When they do not, third parties may apply for a review within the next 10 business days. Whoever applies for a review must serve a copy of the application for review to the relevant parties, as per section 43. If no one applies for a review by these deadlines, the order(s) takes effect on the 46th business day after the date of this report.
Other recipient of final report
As required by subsection 37(2), this report was provided to KPMG.