WxT Language switcher

Correctional Service Canada (Re), 2025 OIC 43

Date: 2025-08-18
OIC file number: 5822-01936
Access request number: A-2021-00045

Summary

The complainant alleged that the Correctional Service of Canada (CSC) had improperly withheld information under subsection 19(1) (personal information) of the Access to Information Act. This was in response to an access request for emails sent to and from the Warden at Millhaven Institution containing the words “outbreak”, “covid”, “mask”, isolate”, “lockdown” or “Structured Intervention Units (SIU)” between April 19 and 25, 2021. The allegation falls within paragraph 30(1)(a) of the Act. The investigation confirmed that portions of the withheld information such as names and contact information of staff and offenders for the purpose of COVID-19 contract tracing, performance appraisals, information related to intra-regional transfers and the names and birthdates of offenders, as well as details regarding an offender’s criminal history met the requirements of subsection 19(1). The Information Commissioner ordered CSC to disclose the information that does not meet the requirements of subsection 19(1), such as the type of incidents in the situation reports. CSC gave notice to the Commissioner that it would implement the order. The complaint is well founded.

Complaint

[1]        The complainant alleged that the Correctional Service of Canada (CSC) had improperly withheld information under the following sections of the Access to Information Act:

  • paragraph 16(1)(d) (security of penal institutions),
  • subsection 16(2) (facilitating the commission of an offence),
  • subsection 19(1) (personal information),
  • paragraph 21(1)(a) (advice or recommendations),
  • paragraph 21(1)(d) (plans related to personnel management or administration); and
  • section 23 (solicitor-client privilege).

[2]        This was in response to an access request for emails sent to and from the Warden at Millhaven Institution containing the words “outbreak”, “covid”, “mask”, isolate”, “lockdown” or “Structured Intervention Units (SIU)” between April 19 and 25, 2021. 

[3]        The allegation falls within paragraph 30(1)(a) of the Act.

[4]        As requested by the complainant, the scope of the investigation is limited to the application of subsection 19(1) to withhold information.

Investigation

[5]        When an institution withholds information under an exemption, it bears the burden of showing that refusing to grant access is justified.

Subsection 19(1): personal information

[6]        Subsection 19(1) requires institutions to refuse to disclose personal information.

[7]        To claim this exemption, institutions must show the following:

  • The information is about an individual—that is, a human being, not a corporation.
  • There is a serious possibility that disclosing the information would identify that individual.
  • The information does not fall under one of the exceptions to the definition of “personal information” set out in paragraphs 3(j) to 3(m) of the Privacy Act (for example, business contact information for public servants).

[8]        When these requirements are met, institutions must then consider whether the following circumstances (listed in subsection 19(2)) exist:

  • The person to whom the information relates consents to its disclosure.
  • The information is publicly available.
  • Disclosure of the information would be consistent with section 8 of the Privacy Act.

[9]        When one or more of these circumstances exist, subsection 19(2) of the Access to Information Act requires them to reasonably exercise their discretion to decide whether to disclose the information.

Does the information meet the requirements of the exemption?

[10]      CSC withheld the names and contact information of staff and offenders who were listed as having possible contact with an individual who tested positive for COVID-19, information related to intra-regional transfers, birthdates and fingerprint serial (FPS) numbers of offenders, as well as performance appraisals and information related to the criminal and medical history of offenders pursuant to subsection 19(1).

[11]      During the course of the investigation, CSC conceded that the requirements of subsection 19(1) were not met for the information withheld on page 7, the date of isolation on page 49 and portions of the withheld information on page 77. For page 77, CSC did not specify which portions of the information, in its opinion, did not meet the requirements of subsection 19(1).

[12]      I accept that the requested records contain some personal information about identifiable individuals, specifically the names and contact information of staff and offenders for the purpose of COVID-19 contact tracing, performance appraisals, information related to intra-regional transfers and the names, birthdates and FPS numbers of offenders, as well as details regarding an offender’s criminal and history. Such information meets the requirements of subsection 19(1).

[13]      With respect to the remaining withheld information, CSC argued that this information is about identifiable individuals, and that even seemingly non-personal information could be linked to an identifiable individual.

[14]      The Federal Court in Gordon v Canada (Health), 2008 FC 258 (Gordon), at paragraph 34 held that information will be about an identifiable individual where there is a serious possibility that an individual could be identified through the use of that information, alone or in combination with other available information.

[15]      In John Howard Society of Canada v. Canada (Public Safety), 2022 FC 1459 (John Howard), the Federal Court highlighted the importance of evidence in demonstrating the serious possibility of identification. Relying on Gordon, the court in John Howard found that evidence which is speculative and lacking concreteness was insufficient to meet the requirements of subsection 19(1).

[16]      In Gordon, the Federal Court used the words “other available information” in describing the nature of the information that may be used in combination with the information at issue to identify an individual. In Canada (Information Commissioner) v. Canada (Public Safety and Emergency Preparedness), 2019 FC 1279, the Federal Court further explained that “other available information” does not include information held confidentially by government, or information in the mind of the individual to whom the information relates, when only that individual can identify themselves. The court indicated that it does include information that is available to the general public and may include information available only to a segment of the public, depending on the context.

Pages 9, 30-31

[17]      The information on these pages consists of charts containing the names, position, date of last shift, date of next shift and contact information for CSC employees that may have been in contact with an individual who tested positive for COVID-19. CSC withheld the names, contact information, dates of last shift and dates of next shift.

[18]      CSC explained that

“…it is personal information whether an in [sic] individual was in close contact with COVID-19 and being told to self isolate.  In the case of these records, there is uncertainty as to whether these individuals could be identified due not being able to readily contact them.  Based on these records, that uncertainly is unresolved.” 

[19]      I accept that the fact that an individual was in close contact with COVID-19 is personal in nature and therefore the names and contact information consist of information about identifiable individuals.

[20]      However, I am not satisfied that CSC has provided sufficient representations to demonstrate that the dates of last shift and next shift, on their own, are about an identifiable individual.

[21]      In accordance with section 36.2 of the Act, the Office of the Information Commissioner (OIC) consulted the Office of the Privacy Commissioner (OPC) in respect of the information at issue.

[22]      The OPC agreed that this information, on its own, does not constitute personal information as it speaks to the functions of the individual as an employee of CSC and is therefore subject to the exception of paragraph 3(j) of the Privacy Act.

[23]      OPC further noted, however, that there could be circumstances in which, in combination with other information contained in the records, or available through other sources, the information could lead to the identification of the concerned individuals or to the disclosure of medical information (i.e. that they tested positive for COVID, that they needed to isolate or that they were in contact with an infected individual). OPC stated that the name of the institution is included in the records and, in combination with the name of the position occupied, could allow for the identification of the concerned individual.

[24]      In this case, as noted by the OPC, the names of the positions occupied have been released. The positions at issue are CX, MAI, unit CM and healthcare. While CSC was specifically asked how many individuals work in these positions at the institution, they did not provide any representations on this issue.

[25]      According to the Commissioner's directive 005-1: Institutional management structure, roles and responsibilities - Canada.ca, the MAI is the Manager of Assessment and Intervention and each sector should be assigned one MAI at all times. The unit CM is in charge of unit operations and deployment within the unit or sector.

[26]      Given the role played by both the MAI and unit CM, it is reasonable to assume that there are a limited number of individuals fulfilling these roles at any given time within the units / sectors. As a result, I accept that the disclosure of the date of last shift and date of next shift for individuals in these categories (i.e. MAI and unit CM) would result in the release of identifiable personal information.

[27]      I did not find any information that would lead me to believe that there are a limited number of CX or healthcare staff in the unit / sector and CSC did not address this in their representations.

[28]      Based on the above, I conclude that disclosing the date of last shift and date of next shift for individuals within the CX or healthcare category would not result in the release of any identifiable personal information.

Page 58

[29]      Page 58 consists of an email discussing proposed rating changes related to the performance of senior excluded staff. CSC withheld the names of 3 individuals pursuant to subsection 19(1). Two of the names were withheld in a sentence stating that speaking bullets have been received for the two individuals. I note that speaking bullets were requested for all individuals.

[30]      The third name was withheld in the context of a question, asking if the recipient wishes to provide updated notes for the individual whose name was withheld based on a rating change.

[31]      CSC stated that the summary bullets were requested for all employees, but these redactions mention results for specific employees and their performance. Therefore, the information is considered personal. While CSC acknowledged that the change in rating does not indicate whether it is a positive or negative change, CSC further explained that disclosing the fact that the rating change is taking place for these individuals could potentially lead to significant speculation and undue exposure which would unreasonably increase the risk of injury. 

[32]      Upon being consulted, the OPC stated that the correspondence speaks to the general process and contains no indication on what changes have occurred.  As such, the OPC agreed that the information at issue, by itself, does not constitute personal information. The OPC notes however that the email lists an attachment which it did not receive and therefore cannot determine if, combined with the information in the attachment, it would allow the identification of the individuals named in the email or would disclose other personal information about them.

[33]      Having reviewed the responsive records in their entirety, the OIC did not locate the referenced attachment or any other information within the records that could lead to the identification of the individuals mentioned.

[34]      In my view, although the names appear in an email relating to employee ratings and performance, no specific performance information is included. While I acknowledge that disclosure would reveal that there is a change of ratings for the individuals, the change in rating does not, on its own, indicate if the change is positive or negative and does not appear to reveal any information about the individuals’ performance.

[35]      As a result, I conclude that the names of the three individuals on page 58 do not meet the requirements of subsection 19(1).

Page 77

[36]      The information withheld on page 77 consists of a footnote.

[37]      While CSC acknowledged that certain information on this page did not meet the requirements of subsection 19(1), it did not indicate what information, in particular, did not meet the requirements in its view. In support of its application of subsection 19(1), CSC had originally stated that releasing any information would lead to the identity of the individual noted in the footnote. 

[38]      I am not convinced that CSC has demonstrated how any of the information withheld on this page meets the requirements of 19(1).

[39]      The OPC agreed that there is no identifiable information on page 77 but indicated that without access to the remaining records at issue, it could not take a definitive position.

[40]      Having reviewed the other records within the response package, the OIC did not identify any other information that would lead to the identification of the individual. As a result, I conclude that the information withheld on page 77 does not meet the requirements of subsection 19(1).

SITREPS (pages 83-110, 128-156, 165-182, 184-204)

[41]      The SITREPS contain information about institution and community incidents. The information that is withheld includes the type of incident, name and FPS number of offender, details about the incident and any injuries sustained and approximate time of the incidents. In some cases, the previous history of the offender is included, including release date, institution, sentence details, previous charges and date sentence commenced.

[42]      CSC maintained that these reports typically involve specific details of the event such as the institution in which the event took place, the details of the event, and the type of event and that this could all be used to determine who was involved in the event.

[43]      CSC further added that descriptions of injuries are personal information. In addition, the measures taken to mitigate the injury can be considered personal information, as they speak to severity of the personal actions of the subjects.

[44]      I accept that the name and FPS number of offender, details about the incident and any injuries sustained, approximate time of the incidents and the previous history of the offender, including release date, institution, sentence details, previous charges and date sentence commenced consists of identifiable personal information and therefore meets the requirements of subsection 19(1).

[45]      I am not convinced that the type of incident, on its own, would allow for the identification of the concerned individual given the common nature of the incidents at issue and the large number of inmates housed at each institution.  This is consistent with the OPC’s position.

[46]      I conclude that the type of incident listed within the SITREPS does not meet the requirements of subsection 19(1).

Did the institution reasonably exercise its discretion to decide whether to disclose the information?

[47]      Since portions of the information meet the requirements of subsection 19(1), CSC was required to reasonably exercise its discretion under subsection 19(2) to decide whether to disclose the information when one or more of the circumstances described in subsection 19(2) existed when it responded to the access request.

[48]      Under paragraph 19(2)(a), CSC was required to determine whether consent was provided by making reasonable efforts to seek consent from the individuals whose personal information appears in the records. I accept that it was not reasonable for CSC to seek consent in this case, given the sensitive nature of the information at issue and the number of individuals involved.

[49]      Under paragraph 19(2)(b), CSC’s discretion would have been triggered if any of the personal information was publicly available. I accept that the information at issue is not publicly available.

[50]      Finally, discretion is also triggered under paragraph 19(2)(c) when the disclosure would be in accordance with section 8 of the Privacy Act. Subsection 8(2) of the Privacy Act provides a number of circumstances where personal information under the control of a government institution may be disclosed, including where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure. CSC’s representations demonstrate that a delegated authority considered the public interest when deciding whether to disclose the personal information. Ultimately, CSC decided against disclosing the information at issue. I conclude that CSC’s exercise of discretion under paragraph 19(2)(c) was reasonable.

[51]      I conclude that the circumstances set out in subsection 19(2) did not exist when CSC responded to the access request. Consequently, there is no need to examine the issue of discretion.

Outcome

[52]      The complaint is well founded.

Order

I order the Minister of Public Safety and Emergency Preparedness to disclose the following:

  1. Date of last shift and date of next shift for individuals in the healthcare and CX categories on pages 9, 30-31;
  2. Date of isolation on page 49;
  3. Names of 3 individuals on page 58;
  4. All information withheld under 19(1) on page 77; and
  5. Type of incidents contained in the situation reports on pages 83-110, 128-156, 165-182, 184-204.

Initial report and notice from institution

On July 7, 2025, I issued my initial report to the Minister of Public Safety and Emergency Preparedness setting out my order.

On August 6, 2025, the Assistant Commissioner, Policy gave me notice that they would be implementing the order and releasing the information on or before August 15, 2025.

Review by Federal Court

When an allegation in a complaint falls under paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant has the right to apply to the Federal Court for a review. When the Information Commissioner makes an order(s), the institution also has the right to apply for a review. The complainant and/or institution must apply for a review within 35 business days after the date of this report. When they do not, the Privacy Commissioner may apply for a review within the next 10 business days. Whoever applies for a review must serve a copy of the application for review to the relevant parties, as per section 43. If no one applies for a review by these deadlines, the order(s) takes effect on the 46th business day after the date of this report.

Other recipients of final report

As required by subsection 37(2), this report was provided to the Privacy Commissioner of Canada.

Date modified:
Submit a complaint