[2017] 3 F.C.R. 540

T-699-15

2016 FC 1289

Union of Canadian Correctional Officers – Syndicat des agents correctionnels du Canada – CSN (UCCO-SACC-CSN) (Applicant)

v.

Attorney General of Canada (Respondent)

and

Privacy Commissioner of Canada (Intervener)

Indexed as: Union of Canadian Correctional Officers - Syndicat des Agents Correctionnels du Canada - CSN (UCCO-SACC-CSN) v. Canada (Attorney General)

Federal Court, St-Louis J.—Montréal, June 22 and November 23, 2016.

Constitutional law — Charter of Rights — Unreasonable Search or Seizure — Judicial review of Treasury Board decision to adopt part concerning financial inquiries in Appendix B of Standard on Security Screening (the Standard), Correctional Service of Canada (CSC) decision to adopt Commissioner’s Directive 564-1 “Individual Security Screening” (the Directive), s. 3(d) — Standard requiring financial inquiry (Inquiry) for all levels of security screening for federal public service employees — Directive extending security screening for renewing reliability status of CSC correctional officers at CX-1, CX-2 levels — Applicant asking court to declare part of Standard, Appendix B, Directive, s. 3(d) contrary to Charter, s. 8 — Applicant alleging, among other things, that verification of credit report of correctional officers constitutes unreasonable search — Whether part of Standard, Appendix B, Directive, s. 3(d) breaching Charter, s. 8 — Provisions of Standard, Directive not breaching Charter, s. 8, Treasury Board decision to adopt Standard, CSC decision to adopt Directive reasonable — Collecting credit report constituting search within meaning of s. 8, correctional officers having certain expectation to privacy — Objectives of Standard, Inquiry tied to national security — In particular objective of inquiry to assess whether individual poses security risk on basis of financial pressure or history of poor financial responsibility — Correctional officers could have access to sums of money resulting from corruption — Correctional officers ensuring protection of public, inmates, having access to sensitive information — Information provided serving objective of Standard, Directive — Contested provisions administrative, therefore less intrusive — Other aspects including seizure mechanism via Form signed by individual involved, fact decision to deny reliability status could be reviewed by Court or other tribunal arguing in favour of reasonableness of provisions in Standard and Directive — Application dismissed.

Privacy — Judicial review of Treasury Board decision to adopt part concerning financial inquiries in Appendix B of Standard on Security Screening (the Standard), Correctional Service of Canada (CSC) decision to adopt Commissioner’s Directive 564-1 “Individual Security Screening” (the Directive), s. 3(d) — Standard requiring financial inquiry (Inquiry) for all levels of security screening for federal public service employees — Directive extending security screening for renewing reliability status of CSC correctional officers at CX-1, CX-2 levels — Applicant asking Court to declare that Directive, s. 3(d) breaching Privacy Act, s. 4 — Applicant alleging, among other things, no direct relationship between its members’ credit reports, CSC activities — Whether Directive, s. 3(d) breaching Act, s. 4 — Directive, s. 3(d) not breaching Act, s. 4 — No personal information collected by government institution unless directly related to its programs or activities — Ordinary meaning of “relates directly” clearly not signifying “necessary” — Direct immediate relationship with no intermediary between information collected, government activities or programs required — Direct relationship herein — Credit record assessing reliability and vulnerability of correctional officers — Application dismissed.

This was an application for judicial review of a Treasury Board decision to adopt the part concerning financial inquiries in Appendix B of the Standard on Security Screening (the Standard), and of the Correctional Service of Canada (CSC) decision to adopt paragraph 3(d) of Commissioner’s Directive No. 564-1 “Individual Security Screening” (the Directive).

Pursuant to the Standard, all levels of security screening of federal public service employees now require a financial inquiry (the Inquiry) of the individual for whom the reliability status or security clearance is sought. For the Inquiry, the individual must consent to having their credit report sent to their employer. Before this Standard was adopted, the Inquiry was only conducted for “top secret” clearances. The Directive came into force in order to extend the scope of the Inquiry to the security screening for renewing the reliability status of CSC employees. Thus, correctional officers at the CX-1 and CX-2 levels must consent to having the CSC obtain their credit report. The applicant qualified this new requirement as a “search and seizure” and asked the Court to declare that part of Appendix B of the Standard on Security Screening and paragraph 3(d) of the Directive are contrary to section 8 of the Canadian Charter of Rights and Freedoms; and that paragraph 3(d) of the Directive breaches section 4 of the Privacy Act. This section limits the information a government institution can collect on an individual to information that relates directly to an operating program or activity of the institution. As for the Charter challenge, the applicant alleged, among other things, that requiring correctional officers to consent to a verification of their credit record constituted a search that must be presumed to be unreasonable, which thus imposes on the state the burden of establishing that it is reasonable, which was not done in this case. 
As for the allegation that paragraph 3(d) breaches section 4 of the Act, the applicant submitted that the credit record of its members does not relate directly to the CSC activities; that this measure does not meet the effectiveness criterion with respect to the objective; that the deleterious effects of this measure are disproportionate to the loss of privacy; and that there are alternative measures to assess the reliability of its members without having to investigate their credit record.

The main issues were whether the part of Appendix B of the Standard and paragraph 3(d) of the Directive breach section 8 of the Charter, and whether paragraph 3(d) of the Directive breaches section 4 of the Act.

Held, the application should be dismissed.

The provisions of the Standard and the Directive that include the Inquiry as a screening activity for the reliability status of correctional officers do not violate section 8 of the Charter and the Treasury Board decision to adopt the Standard and the CSC decision to adopt the Directive are reasonable. The collection of the credit record is a search within the meaning of section 8 and correctional officers have a certain expectation of privacy concerning the information in their credit report. That said, the objective of the Standard is to carry out security screening and enable its transferability within the government. The objective of the Inquiry is to assess whether an individual poses a security risk on the basis of financial pressure or history of poor financial responsibility. The Standard contributes to national security, which constitutes a valid and important pressing and substantial objective. It is likely that the information obtained will further the objective of national security. Correctional officers may have access to sums of money resulting from corruption. Correctional officers hold [translation] “the keys to the prison”, protect the public and inmates, have access to sensitive information in the Offender Management System and are the main point of contact for inmates. The likelihood that the information provided furthers the objective of the Standard and the Directive favours its reasonableness. The criminal or regulatory characterization of a search is relevant in assessing its reasonableness. In this case, the contested provisions are administrative in nature and are thus regarded as less intrusive, which supports the reasonableness of the Standard and the Directive. 
The seizure mechanism via the Form signed by the individual, the less invasive degree of intrusiveness considering the information concerned, and the possibility that the individual can verify the reliability of the information disclosed favour the reasonableness of the Standard and the Directive. The possibility that the ultimate decision to deny reliability status could be reviewed by the Court or another tribunal according to the circumstances favours the reasonableness of the Standard and the Directive.

The CSC decision to adopt paragraph 3(d) of the Directive, which includes the Inquiry as a security screening activity for the reliability status of correctional officers is reasonable, and this provision does not breach section 4 of the Act. Under section 4, no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution. The ordinary meaning of the words “relates directly” is clearly not “necessary”. Because words must be given their ordinary meaning and because it would have been easy for Parliament to use the word “necessary” and create a necessity test, the conclusion must be that this was not Parliament’s intent. Section 4 does not include a necessity test but a less onerous test of establishing a direct, immediate relationship with no intermediary between the information collected and the operating programs or activities of the government. There is a direct relationship between the information collected and the government’s activities in the present case. Correctional officers are in direct daily contact with individuals located inside penitentiaries and out in the community. These two groups are likely to put pressure on correctional officers. The information in correctional officers’ credit reports thus contributes to assessing their trustworthiness and vulnerability.

STATUTES AND REGULATIONS CITED

An Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, s. 5.

Canadian Charter of Rights and Freedoms, being Part I of the Constitution Act, 1982, Schedule B, Canada Act, 1982, 1982, c. 11 (U.K.) [R.S.C. 1985, Appendix II, No. 44], ss. 1, 8.

Financial Administration Act, R.S.C., 1985, c. F-11, ss. 2, 7, 83, Schedules IV, V.

Privacy Act, R.S.C., 1985, c. P-21, ss. 2, 4, 5, 29(1)(h), 41.

CASES CITED

APPLIED:

Goodwin v. British Columbia (Superintendent of Motor Vehicles), 2015 SCC 46, [2015] 3 S.C.R. 250; Reference Re Maritime Transportation Security Regulations, 2009 FCA 234; Rizzo & Rizzo Shoes Ltd. (Re), [1998] 1 S.C.R. 27.

CONSIDERED:

Eastmond v. Canadian Pacific Railway, 2004 FC 852; R. v. Rodgers, 2006 SCC 15, [2006] 1 S.C.R. 554; Hunter et al. v. Southam Inc., [1984] 2 S.C.R. 145; Doré v. Barreau du Québec, 2012 SCC 12, [2012] 1 S.C.R. 395; Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403; Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773; Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733; Corp of Goulbourn v. Regional Municipality of Ottawa-Carleton, [1980] 1 S.C.R. 496.

REFERRED TO:

R. v. Oakes, [1986] 1 S.C.R. 103; Strickland v. Canada (Attorney General), 2015 SCC 37, [2015] 2 S.C.R. 713; Canada (Auditor General) v. Canada (Minister of Energy, Mines and Resources), [1989] 2 R.C.S. 49; R. v. Edwards, [1996] 1 S.C.R. 128; Buenaventura Jr. v. Telecommunications Workers Union (TWU), 2012 CAF 69; H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, [2006] 1 S.C.R. 441; Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (T.D.); Dunsmuir v. New Brunswick, 2008 SCC 9, [2008] 1 S.C.R. 190; Thomson v. Canada (Attorney General), 2015 FC 985, affd 2016 FCA 253; Jackson v. Joyceville Penitentiary, [1990] 3 F.C. 55 (T.D.); Fila Canada Inc. v. Untel, [1996] 3 F.C. 493 (T.D.); Myers v. Canada (Attorney General), 2007 FC 947; Thomson Newspapers Ltd. v. Canada (Director of Investigation and Research, Restrictive Trade Practices Commission), [1990] 1 S.C.R. 425; R. v. McKinlay Transport Ltd., [1990] 1 S.C.R. 627; R. v. Simmons, [1988] 2 S.C.R. 495.

AUTHORS CITED

Canada. Correctional Service of Canada. Commissioner’s Directive No. 564-1, “Individual Security Screening”, February 9, 2015.

Canada. Financial Consumer Agency of Canada. “Understanding your Credit Report and Credit Score”, 2016.

Canada. House of Commons. Standing Committee on Access to Information, Privacy and Ethics. The Privacy Act: First Steps Towards Renewal, June 2009 (Chair: Paul Szabo).

Canada. Treasury Board. Policy on Government Security.

Canada. Treasury Board. Standard on Security Screening.

Canadian Oxford Dictionary, 2nd ed. Toronto: Oxford University Press, 2004, “direct”, “directly”.

Côté, Pierre-André. The Interpretation of Legislation in Canada, 4th ed. Toronto: Carswell, 2011.

Dictionnaire Larousse en ligne, “direct”, “nécessaire”.

Driedger, Elmer A. Construction of Statutes, 2nd ed. Toronto: Butterworths, 1983.

APPLICATION for judicial review of the Treasury Board decision to adopt the part concerning financial inquiries in Appendix B of the Standard on Security Screening and of the Correctional Service of Canada decision to adopt paragraph 3(d) of Commissioner’s Directive No. 564-1 “Individual Security Screening”. Application dismissed.

APPEARANCES

Catherine Quintal and Ioanna Egarhos for the applicant.

Claude Joyal and Paul Deschênes for the respondent.

Sylvain Lussier, Regan Morris and Sarah Speevak for the intervener.

SOLICITORS OF RECORD

Laroche Martin, Montréal, for the applicant.

Deputy Attorney General of Canada for the respondent.

Osler, Hoskin & Harcourt LLP, Montréal, and Office of the Privacy Commissioner of Canada, Gatineau, for the intervener.

This is the English version of the reasons for judgment and judgment rendered by

St-Louis J.:

I.          Introduction

[1]        On October 20, 2014, the Standard on Security Screening (the Standard), adopted by the Treasury Board, came into effect and replaced the Personnel Security Standard (PSS), which had been in effect since 1994.

[2]        The Standard sets out, in particular, the three security screening levels for federal public service employees, that is, reliability status, “secret” security clearance and “top secret” security clearance, as well as the activities and practices associated with each of these levels.

[3]        Under the Standard, although security screening activities vary based on the reliability status or the security clearance sought, all of the levels now require a financial inquiry (the Inquiry) of the individual for whom the reliability status or security clearance is sought. For the Inquiry, individuals must first consent to having their credit report sent to their employer, and the employer will then obtain the report from the appropriate private agency and analyze its results. Before the Standard was adopted, Inquiries were only obligatorily conducted for “top secret” clearances.

[4]        On February 9, 2015, Commissioner’s Directive 564-1 “Individual Security Screening” (the Directive) came into effect. It extends the Inquiry to the security screening for renewing the reliability status of Correctional Service of Canada (CSC) employees, because the intent of the screening is to evaluate the honesty and trustworthiness of an individual. Thus, because correctional officers at the CX-1 and CX-2 levels must have reliability status, they become subject to the Inquiry and must consequently consent to having their employer, CSC, obtain their credit report.

[5]        The applicant, Union of Canadian Correctional Officers—Syndicat des agents correctionnels du Canada—CSN (the Union), represents all CSC correctional officers at the CX-1 and CX-2 levels. It characterizes the new requirement as a [translation] “search and seizure” and uses the term [translation] “search” to refer to it, a term that will be repeated in this judgment. The applicant objects to this search being imposed on its members. It is asking the Court to declare that the part concerning financial inquiries in Appendix B of the Standard and paragraph 3(d) of the Directive are contrary to section 8 of the Canadian Charter of Rights and Freedoms, being Part I of the Constitution Act, 1982, Schedule B, Canada Act 1982, 1982, c. 11 (U.K.) [R.S.C., 1985, Appendix II, No. 44] (the Charter). It is also seeking a declaration that paragraph 3(d) of the Directive breaches section 4 of the Privacy Act, R.S.C., 1985, c. P-21 (the Act). Those provisions are attached hereto.

[6]        The respondent, the Attorney General of Canada (AGC), first responds that the contested provisions of the Standard and the Directive, while they constitute a search, do not necessarily infringe on a right to privacy under section 8 of the Charter because they are reasonable. The AGC also contends that the impugned provisions of the Directive do not violate section 4 of the Act because the information collected from the credit reports relates directly to the activity of security screening.

[7]        The intervener, the Privacy Commissioner of Canada (the Commissioner), is not taking a position on the issue of compliance with section 4 of the Act in light of the specific facts of this case. However, he outlines what he considers to be the appropriate analytical framework for the implementation of section 4, and argues in this regard that the words “relates directly” create a necessity test. He also discusses certain relevant considerations in connection with the implementation of section 4 in this case, that is, the nature and the scope of the personal information contained in credit reports and the nature of the relationship between credit reports and assessing an employee’s trustworthiness, and he argues that correctional officers have a reasonable expectation of privacy. Lastly, without taking a position, he also outlines certain considerations that the Court should, in his opinion, consider in its analysis of sections 8 and 1 of the Charter.

[8]        For the following reasons, the Court will dismiss this application for judicial review.

[9]        In short, regarding section 8 of the Charter, the Court is of the opinion that the decisions of the Treasury Board and CSC to adopt the contested provisions of the Standard and the Directive are reasonable and do not violate section 8 given the state’s objective, the nature of the prison environment, the type of possible threats, the responsibilities of correctional officers, the manner in which the information is obtained, the nature of the information disclosed, the possibility of providing explanations prior to a decision and the avenues of recourse available in the event of a denial of reliability status.

[10]      Concerning section 4 of the Act, the Court finds that this section does not contain a necessity test, that it is reasonable to conclude that there is a direct relationship between, first, the Inquiry and obtaining a credit report, and, second, security screening activities, and that CSC’s decision to adopt the contested decision of the Directive is consequently reasonable.

II.         Legislative context

[11]      Section 7 of the Financial Administration Act, R.S.C., 1985, c. F-11 (FAA), sets out that the Treasury Board may act for the Queen’s Privy Council for Canada on certain matters, including those relating to general administrative policy in the federal public administration and human resources management in the federal public administration. These matters involve, namely, the determination of terms and conditions of employment (paragraphs 7(1)(a) and (e) of the FAA, attached hereto).

[12]      Pursuant to section 7 of the FAA, the Treasury Board issues policies, including the Policy on Government Security (the Policy). According to the wording of section 3 of the Policy, attached hereto, the Policy is rooted in the contextual premise that government security is the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence. Thus, there is a need to ensure that those having access to government information, assets and services are trustworthy, reliable and loyal. Furthermore, according to section 5, attached hereto, the objectives of the Policy are to ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management.

[13]      Lastly, section 6 of the Policy, also attached hereto, states, inter alia, that deputy heads of all departments are responsible for appointing a departmental security officer and for ensuring that all individuals who will have access to government information and assets are security screened at the appropriate level and are treated in a fair and unbiased manner.

[14]      Obtaining and maintaining a valid reliability status or security clearance is a condition of employment, contract, appointment or assignment within the Government of Canada, including CSC, and employees must consent to it. It requires the collection of personal information on individuals, which is done after they have provided their informed consent. In the case at bar, correctional officers express that consent by signing the Personnel Screening, Consent and Authorization Form (the Form).

[15]      Over the years, the Treasury Board has adopted various standards enacting security screening activities, including the Standard, which came into effect on October 20, 2014. The Standard applies to all departments defined in section 2 of the FAA and all federal agencies included in Schedules IV and V of the FAA, and they must all implement it by October 20, 2017. CSC is included in that list.

[16]      The objectives of the Standard are to ensure that security screening in the government is effective, efficient, rigorous, consistent and fair and to enable greater transferability of security screening between departments and agencies (section 5 of the Standard). The Standard states that security screening can be standard or enhanced, and describes the associated screening activities.

[17]      According to the Standard, the purpose of the Inquiry is to assess whether an individual poses a security risk on the basis of financial pressure or a history of poor financial responsibility (section 7).

[18]      In 2015, the Directive came into effect. It incorporates the Standard’s requirements for CSC and states, in paragraph 3(d), that one of the responsibilities of the departmental security officer is to ensure that credit checks are conducted at the national level.

[19]      For the purposes of this case, this means that all correctional officer members of the Union must, since April 1, 2015, consent to having CSC obtain their credit report, from which data will be analyzed in the security screening associated with the renewal of their reliability status. It should be immediately noted that pursuant to paragraph 4(h) of the Directive, attached hereto, CSC managers will “provide the individual with an opportunity to explain any adverse information”.

III.        Position of the parties

A.        The Union

[20]      The Union essentially submits (1) that the adoption of the Standard and the Directive is subject to the standard of reasonableness; (2) that the relevant provisions of the Standard and the Directive are unreasonable and violate section 8 of the Charter; (3) that their adoption is not saved by section 1 of the Charter; and (4) that its members’ credit reports do not relate directly to CSC’s programs and activities and that as a result, the relevant provisions of the Directive violate section 4 of the Act.

[21]      The Union indicates that there is an error in part IV of its memorandum, for the order sought, when it refers to paragraph 2(d) of the Directive and not paragraph 3(d) of the Directive. The Court agrees that that is a clerical error and accepts the correction.

[22]      In support of its submissions, the Union submits a total of five affidavits: the affidavit of Kevin Grabowsky, its national president; the affidavit of Laurent Vaillancourt, a correctional officer at level 2 (CX-2) and member of the Union; the affidavit of Manon Leblanc, a correctional officer at level 1 (CX-1); the affidavit of Dwaynes Soles, a correctional officer at level 2 (CX-2); and the affidavit of David Mellor, a correctional officer at level 1 (CX-1).

(1)       The standard of review is reasonableness

[23]      The Union initially contended, in its memorandum, that the correctness standard should apply, but it modified its position at the hearing and agrees with the respondent and the intervener on this point. Thus, the Union accepts that the Standard and the Directive are subject to the reasonableness standard.

(2)       The provisions of the Standard and the Directive for checking the credit reports of all employees violate section 8 of the Charter

[24]      The Union submits that section 8 of the Charter applies in this case because that provision ensures privacy and the protection of personal information, because requiring correctional officers to consent to a credit report check in order to obtain or renew their reliability status constitutes a search, and because the search must be presumed to be unreasonable, which thus imposes on the state the burden of establishing that it is reasonable. However, according to the Union, the state has not satisfied this burden in this case.

[25]      The AGC does not object to the application of section 8 of the Charter, but argues that it is not a search or an unreasonable intrusion. It therefore seems appropriate for the Court to reiterate only the last component of the Union’s argument, effectively the only issue in dispute.

[26]      The Union admits that the Treasury Board may, pursuant to section 7 of the Act, determine the conditions of employment of federal public servants and adopt a standard. It also admits that CSC has the power to adopt a directive. However, it argues that that standard and that directive must comply with the Charter, which is not the case here.

[27]      The Union first notes that warrantless searches are always presumptively unreasonable (Goodwin v. British Columbia (Superintendent of Motor Vehicles), 2015 SCC 46, [2015] 3 S.C.R. 250 (Goodwin), at paragraph 56) and that the state has the onus of establishing that the Search was reasonable, which can only be done by establishing the following three elements: (1) the search was authorized by the law; (2) the law itself is reasonable; and (3) the search was not conducted in an unreasonable manner. In this case, the Union argues that the state has not established the second element, that is, that the Standard and the Directive are not unreasonable.

[28]      To determine the reasonableness of the Standard and the Directive, the Union refers the Court to Reference re Marine Transportation Security Regulations, 2009 FCA 234, 202 C.R.R. (2d) 156 (Reference) and to the following contextual criteria: (1) the strength of the individual privacy interests at stake; (2) the manner in which the search is conducted; (3) the pressing nature of the public interest served by the statutory scheme authorizing the search; and (4) to what extent the information sought is likely to further that interest.

[29]      Regarding the strength of the individual privacy interests at stake, the Union notes that the details of an individual’s financial situation represent precisely the type of information for which individuals should be able to determine when, how and to what extent it is communicated. The reasonable expectation of privacy is thus very important for such interests.

[30]      Regarding the manner in which the search is conducted, which refers to how the information is collected, the Union admits that the checking of credit reports is not the most intrusive measure. However, it is somewhat more intrusive than asking an individual to provide the information him- or herself. The Union also points out that managers in various institutions can be called upon to question correctional officers to obtain explanations for some of the information collected, and that those managers would then have access to their employees’ financial information.

[31]      Regarding the pressing nature of the public interest served by the statutory scheme, the Union notes the objective of the Standard, which is to contribute to national security, is valid and important.

[32]      However, with respect to the last of the four factors identified, the Union doubts that the information sought is likely to further the purpose of contributing to national security. Instead, it contends that CSC did not present any evidence that financial pressure or a history of financial responsibility has already given rise to incidents that compromised national security, or that that factor has represented a particular risk. The Union adds that CSC has not established the benefits of the Inquiry in the overall assessment of the honesty and trustworthiness of officers, that it has failed to explain how this new measure would establish elements that are not covered by other existing measures, and that it has not established a correlation between the information in credit reports and the number of corrupt employees.

[33]      The Union points out that none of the approximately 200 inquiries that have been conducted each month since 2015 has led to the non-renewal of the reliability status of a correctional officer because of information discovered in the officer’s credit report. The Union infers from this that the collection of information seems to have minimal impact on the final result.

[34]      In summary, the Union argues that the systematic checking of the credit reports of members of the Union constitutes an unreasonable search, contrary to section 8 of the Charter.

(3)       The violation of section 8 of the Charter is not saved by section 1 of the Charter

[35]      Finding that the search is unreasonable, the Union turns to section 1 of the Charter, attached hereto, and argues in this regard that the violation of section 8 is not justified. It submits that the AGC must demonstrate, on a balance of probabilities, that a credit check is a pressing and substantial objective and that the means chosen to achieve that objective are proportional.

[36]      The means chosen are proportional if (1) there is a rational connection between the means adopted and the objective; (2) the law impairs the right guaranteed by the Charter as little as possible; and (3) there is proportionality between the deleterious effects and the beneficial effects of the law (R. v. Oakes, [1986] 1 S.C.R. 103).

[37]      Regarding the first point, the Union acknowledges that the objective of the contested measure is to protect national security by ensuring that dishonest or untrustworthy individuals do not have access to restricted assets or facilities or privileged information of the government, in particular as employees. At the same time, it admits that that objective is pressing and substantial and includes the existence of a rational connection between the checking of employees’ credit and the objective (paragraphs 55 and 56 of the applicant’s memorandum).

[38]      However, concerning the second point, the Union argues that the measure does not impair the Charter right as little as possible because the scope of the Standard is excessive and the category of persons concerned is too broad. The government could have achieved its objective by restricting the categories of persons for which [translation] “that type of check is necessary” (paragraph 58 of the applicant’s memorandum).

[39]      Regarding the third point, the Union maintains that the deleterious effects from checking the credit reports outweigh the benefits. In fact, there seem to be minimal benefits with respect to the objective of the search, namely, because a reliability status has never been revoked because of adverse information in a credit report, while the measure has caused increased stress among Union members.

(4)       The provisions providing for credit report checks set out in the Standard and the Directive are contrary to section 4 of the Act

[40]      The Union argues, lastly, that the contested measures violate section 4 of the Act, which limits the information that a government institution may collect on an individual to that which relates directly to an operating program or activity of the institution.

[41]      The Union cites the Dictionnaire Larousse en ligne, French dictionary’s definition of “direct” ([translation] “direct”): “qui est en relation immédiate avec quelque chose d’autre, qui y est étroitement lié” ([translation] “that which immediately relates to something, that which is closely connected”) and refers the Court to section 5 of Quebec’s An Act respecting the Protection of Personal Information in the Private Sector, CQLR, c. P-39.1, which states that the information collected must be necessary.

[42]      The Union submits that there is no direct relationship between its members’ credit reports and CSC’s activities. To support its statement, the Union points out that its members do not manage money or budgets as part of their jobs and that, for that reason, their personal financial practices in no way demonstrate their trustworthiness or ability to act as correctional officers.

[43]      In that respect, at the hearing, the Union tried to minimize the scope of certain passages of its memorandum by stating that they were not admissions that a credit check could be justified in the assessment of the clearance level for certain positions, or even that a credit report could be related to the assessment of an individual’s trustworthiness and honesty. The Court will revisit this aspect in its analysis.

[44]      The Union refers to the four-part test used by this Court to determine whether the use of surveillance cameras was acceptable in Eastmond v. Canadian Pacific Railway, 2004 FC 852, 16 Admin. L.R. (4th) 275 (Eastmond). According to the test, to determine whether the purpose for which the personal information is collected is reasonable, there must be an assessment of (1) whether the measure is demonstrably necessary to meet a specific need; (2) whether it is likely to be effective in meeting that need; (3) whether the loss of privacy is proportional to the benefit gained; and (4) whether there is a less privacy-invasive way of achieving the same end.

[45]      The Union submits that the contested measures do not meet this test. First, the measure is not necessary to meet a specific need at CSC because there is no evidence that employees who experience some difficulty in managing their personal finances are less honest or represent a heightened risk for CSC. Furthermore, there are no cases where economic vulnerability factors have played a role in an incident in which an inmate has bribed a correctional officer, and the scale of any corruption problems has not been demonstrated.

[46]      Second, the Union argues that this measure does not meet the effectiveness criterion with respect to the objective, namely, because since April 2015, no correctional officers have been denied the renewal of their reliability status after information, even adverse, was obtained from their credit report.

[47]      Third, because there are minimal benefits to this measure, the deleterious effects become disproportionate to a loss of privacy.

[48]      Fourth, the Union argues that there are alternate ways to assess the trustworthiness of its members without having to make a credit report inquiry.

B.        The AGC

[49]      The AGC essentially submits that the Standard and the Directive constitute reasonable [translation] “decisions”. Concerning section 8 of the Charter, the AGC contends that they essentially represent a proportionate balancing of the objectives of the legislative scheme and the value of privacy. Regarding section 4 of the Act, he advances that the partial information collected, in the credit report, relates directly to security screening activities carried out by CSC.

[50]      The AGC submits three affidavits: the affidavit of Charles Taillefer, Director, Policy Development and Performance Measurement, Security and Identity Management, at the Treasury Board of Canada Secretariat; the affidavit of Nick Fabiano, Director General, CSC Security; and the affidavit of Dorothy Sicard, Manager, Personnel Security Screening, CSC Departmental Security.

[51]      The AGC is first concerned about rectifying the facts presented by the Union to provide the Court with the appropriate factual background, which is at the heart of the analysis the Court must conduct. The AGC therefore describes the purpose of security investigations, the historical background of security screening, the evolution of threats to security in Canada since 1994, the implementation of a technological working environment, the development of the 2014 Standard, the content of the 2014 Standard, details on CSC and on the work of its employees (including correctional officers), details on the prison population and the content of credit reports.

[52]      According to the AGC, the Court must determine four issues: (1) the applicable standard of review; (2) whether CSC’s decision to adopt the Directive implementing the Standard is reasonable regarding the credit report checks, with respect to section 4 of the Act; (3) whether the Treasury Board’s decision to adopt the Standard and that of CSC to adopt the Directive implementing it are reasonable regarding the credit report checks, with respect to the right to privacy in section 8 of the Charter, that is, whether they are the result of a proportionate balancing of the importance of ensuring the security of government operations through security screening and the right to privacy of correctional officers; and (4) whether section 1 of the Charter is engaged.

[53]      The Court will follow the Union’s order of presentation for ease of reading, that is, (1) the applicable standard of review; (2) section 8 of the Charter; (3) section 1 of the Charter; and (4) section 4 of the Act.

(1)       The standard of review is reasonableness

[54]      The AGC submits, like the Union, that the standard of “reasonableness” should apply in this case because the Standard and the Directive constitute discretionary decisions adopted by the Treasury Board and CSC, and the Treasury Board and CSC have particular expertise in the area of the information that is required to determine the trustworthiness of public servants.

[55]      The AGC emphasizes the consequences of choosing this standard of review and, in particular, the fact that the Court must show deference, that it must recognize the expertise of the Treasury Board and CSC in the area of the information that is required to determine the trustworthiness of public servants and that it cannot substitute its own decision for that of the Treasury Board and CSC.

(2)       The Standard and the Directive are reasonable with respect to the credit checks pursuant to section 8 of the Charter

[56]      The AGC does not contest that it constitutes a search or that section 8 of the Charter applies, but argues that it is not an unreasonable search. In fact, the AGC contends that the Standard and the Directive are not unreasonable because they represent a proportionate balancing of the objectives of the legislative scheme and the value of privacy.

[57]      According to the AGC, the analysis to be conducted when the Charter value that is engaged is privacy is akin to that which is aimed at determining the reasonableness of a statute authorizing a search under section 8 of the Charter. This analysis consists in balancing the state’s legitimate interest in achieving legislative objectives with its effect on individual personal rights.

[58]      Thus, having admitted that it constitutes a search, the AGC argues that the factors to be examined regarding the value of privacy that supports section 8 of the Charter are similar to those examined in support of section 4 of the Act. They are (a) the nature and the purpose of the legislative scheme, including the administrative context, objective and finality of the public interest; (b) the manner in which the credit report was obtained; (c) the degree of intrusiveness; and (d) the review subsequent to a decision (Goodwin, at paragraphs 55 to 57; Reference, at paragraphs 50 to 53). The AGC also examines (e) the balancing of competing interests and states that the decisions involved are the result of a reasonable balancing that takes all of these factors into account.

(a)       The nature and purpose of the statutory scheme, including the administrative context, objective and finality of the public interest

[59]      The AGC notes certain contextual factors such as those related to the adoption of the Standard by the Treasury Board, security screening, the working environment of correctional officers, the risks of fraud, corruption, threats and manipulation that they face and access to databases. Thus, given the controlled and regulated environment, correctional officers should expect to be under increased surveillance.

(b)       The manner in which credit reports are obtained

[60]      The Form used by CSC includes a warning informing its signatories of why they agree to provide their information, what the information will be used for, the location in which the information will be stored and when the information will expire. Thus, correctional officers are informed that CSC will obtain their credit report, and that they may contact the credit reporting agency to obtain their credit report beforehand and ask that any erroneous information be corrected or add explanations, if applicable.

[61]      According to the AGC, this approach is a lot less intrusive than a search or a third party collection without prior consent.

(c)        Degree of intrusiveness

[62]      The AGC submits that credit reports are held by third parties that collect information on the credit history of millions of individuals, and that they contain information for third parties. Thus, correctional officers should expect the information therein to be shared with third parties. Furthermore, according to the AGC, the reports contain less information than is claimed by the Union. They do not contain banking transactions, transaction statements or credit scores. In addition to biographical data, the reports essentially reveal the individual’s available credit, used credit and payment history.

[63]      The AGC argues that credit reports are requested and reviewed only by security division staff at CSC headquarters in Ottawa and states that institution managers never have access to credit reports at the interview level.

(d)       Post-decision review

[64]      Lastly, the AGC argues that correctional officers have recourse to explain any adverse information in their credit report and to contest any decision to revoke their reliability status. The availability of such recourse supports the finding of reasonableness.

(e)       Balancing of interests

[65]      The AGC argues that CSC put in place a regime that strikes a proper balance between the value of privacy protected by section 8 of the Charter and the legitimate objectives of the government’s legislative scheme.

[66]      The Standard’s objective is not only to ensure national security, but also to provide reasonable assurance that individuals can be trusted to safeguard government information, assets and facilities and to reliably fulfil their duties.

[67]      The Inquiry set out in the Standard was added further to the determination that the trustworthiness of public servants, without a credit report, was not adapted to the realities and threats we face today. According to the evidence, greed is one of the main sources of motivation inciting employees to commit a security violation.

[68]      The fact that correctional officers do not have access to sums of money as part of their work is irrelevant. They perform their work in an environment where they could be influenced or forced to disclose sensitive information, move contraband in institutions or engage in other reprehensible conduct for financial gain likely to present a security risk.

[69]      The Inquiry and how CSC uses the resulting information constitute reasonable measures that minimally affect the privacy of correctional officers, because (1) there is no mention in the credit reports that CSC obtained a copy thereof, so credit scores are not affected; (2) credit reports obtained by CSC do not have a risk assessment concerning the credit score; (3) credit reports identify only information concerning debt repayments; (4) credit reports are documents that are readily available to those who request them; (5) credit reports are kept in a secure environment; and (6) correctional officers have the opportunity to explain any adverse information.

(3)       The measure is justified by section 1 of the Charter

[70]      The AGC argues that even if the Court finds that the Standard and the Directive breach section 8 of the Charter, the measure they put in place is saved by section 1 of the Charter. Obtaining credit reports actually pursues an important, rational objective, infringing the Charter right minimally and proportionately.

(4)       CSC’s decision to adopt the Directive implementing the Standard is reasonable with respect to credit report checks under section 4 of the Act

(a)       Preliminary issue

[71]      The AGC submits that this judicial review is premature because there is another appropriate recourse for contesting a breach of section 4 of the Act: not an application for judicial review, but a complaint to the Commissioner pursuant to paragraph 29(1)(h) of the Act (attached hereto). The AGC points out that such complaint is already before the Commissioner. Even though he has not yet rendered a decision, this is another adequate recourse (Strickland v. Canada (Attorney General), 2015 SCC 37, [2015] 2 S.C.R. 713 (Strickland)) for obtaining findings and recommendations.

[72]      At the hearing, the AGC clarified his position. Relying on, in particular, Canada (Auditor General) v. Canada (Minister of Energy, Mines and Resources), [1989] 2 S.C.R. 49 (Auditor General), he contends in essence that Parliament did not intend to render the rights justiciable, that the Commissioner has the desired power and can make a report to Parliament, and that recourse to the Court is limited to the refusal of access set out in section 41 of the Act (attached hereto).

(b)       The relevant provisions of the Standard and the Directive regarding the credit report checks are reasonable and do not breach section 4 of the Act

[73]      In the alternative, if the Court decides to hear the case pursuant to section 4 of the Act, the AGC argues that the information collected clearly relates directly to security screening because that information contributes to assessing an individual’s vulnerability, verifying the elements of his or her conduct, identifying indicators of other problems that impact security and ensuring that correctional officers are trustworthy and honest.

[74]      The AGC submits that the decisions at issue are not unreasonable because of an alleged breach of section 4 of the Act, which, together with section 5 of the Act (attached hereto), provides for two conditions for obtaining personal information, that is (1) the information collected relates directly to an operating program or activity of the institution; and (2) the information is collected directly from the correctional officer or the correctional officer has consented to it being collected.

[75]      Regarding the first condition, the AGC submits that the words relates directly do not give rise to a difficulty of interpretation and do not mean necessary. In this respect, he advances that the information collected by CSC using credit reports “relates directly” to security screening. In fact, there is, in the opinion of the AGC, a direct relationship between obtaining a correctional officer’s credit report and the review of his or her trustworthiness because even if officers do not have access to sums of money, they nevertheless work in a highly secure environment where they are exposed to corruption.

[76]      Thus, credit reports are relevant because they make it possible to assess four aspects of an individual (paragraph 61 of the respondent’s memorandum), and the AGC contends that the evidence demonstrates that there is a direct relationship between reviewing a correctional officer’s credit report and assessing his or her trustworthiness.

[77]      The AGC also argues that correctional officers are informed of what they are consenting to when they sign the Form and that they are thus providing informed consent, which can be set aside only on the basis of error, fear or injury.

[78]      The AGC rejects the parallel with section 5 of An Act respecting the Protection of Personal Information in the Private Sector (attached hereto) raised by the Union because that section uses the word necessary and consequently integrates a necessity test. The AGC also rejects the parallel with Eastmond because that dispute concerned the installation of cameras without the employees’ consent, which is not the issue here, and because the wording of the statute at the centre of that case was different from that of section 4 of the Act.

[79]      At the hearing, the AGC specified that credit reports do not indicate credit scores, that there is no trace of the checks in the reports, that there is no cash flow element and that credit reports are an instrument used for evaluating the factor or the likelihood of vulnerability.

C.        The Commissioner—Intervener

[80]      The Commissioner argues that the Court must determine whether the requirement of a credit report check is consistent with section 4 of the Act and section 8 of the Charter. After a concise statement of facts, the Commissioner first addresses the preliminary issue of the premature recourse raised by the AGC by submitting that the Union may raise a violation of section 4 of the Act in the application for judicial review. The Commissioner then examines the framework of analysis and the relevant considerations for the implementation of section 4 of the Act and ends with the reasonable expectation of privacy of correctional officers and the infringement of section 8 of the Charter, a point that he, however, does not take a position on. The Court will follow the following order in the presentation of the arguments of the intervener: (1) the reasonable expectation of privacy of correctional officers and section 8 of the Charter; and (2) the framework of analysis for section 4 of the Act.

(1)       Correctional officers have a reasonable expectation of privacy with respect to their credit report

[81]      The Commissioner submits that correctional officers have a reasonable expectation of privacy with respect to their credit report and cites the criteria set out in R. v. Edwards, [1996] 1 S.C.R. 128, at paragraph 31. Those criteria support the finding that there is a legitimate expectation of privacy because personal information is protected by federal and provincial privacy legislation in both the private and public sectors. Individuals subject to the Standard and the Directive cannot knowingly choose to not provide their consent to disclose their credit report without running the risk of losing their job. As stated above, the Commissioner does not, however, take a position on the issue of a reasonable expectation of privacy under section 8 of the Charter.

(2)       Section 4 of the Act imposes a framework of analysis

(a)       Preliminary issue

[82]      The Commissioner objects to the AGC’s position with respect to the prematurity of the recourse of the Union. The Commissioner concedes that the Court may refuse to hear the application for judicial review if the Union failed to pursue an adequate alternative remedy (Buenaventura Jr. v. Telecommunications Workers Union, 2012 FCA 69, 348 D.L.R. (4th) 251, at paragraph 24), but argues that there is no such adequate remedy in this case.

[83]      The Commissioner raises five arguments in support of his position, that is, (1) the Commissioner’s authority under the Act is limited to providing non-binding findings and recommendations on complaints (H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), 2006 SCC 13, [2006] 1 S.C.R. 441, at paragraphs 35–37); (2) once the Commissioner has published his findings, the Act does not provide for any subsequent recourse, and the complainant must thus file an application for judicial review before this Court to obtain a binding decision; (3) this Court is the most effective forum providing the most expeditious procedural avenue for processing the issues raised in this application; (4) there is no risk of contradictory decisions in this case because the Commissioner’s findings are not binding; and (5) it is appropriate in the circumstances for the Court to decide this issue.

[84]      The Commissioner rejects the arguments proposed by the AGC and the parallel drawn with Auditor General and Strickland. According to the Commissioner, those decisions were made in an extremely specific context that cannot be imported in this case.

(b)       The appropriate framework of analysis for the implementation of section 4 of the Act

[85]      The notion of relates directly in section 4 of the Act is not defined in the Act and, according to the Commissioner, this notion must be interpreted considering that the objective of section 4 of the Act is to limit the amount of personal information collected by government institutions.

[86]      The Commissioner raises principles of statutory interpretation to support the proposal that relates directly means necessary in this context. According to the Commissioner, this interpretation is more consistent with the ordinary meaning of section 4 of the Act, with the interpretation that the AGC previously provided, and with the overall context and purpose of the Act. In this regard, the Commissioner specifically notes comments made by a legal representative for the Minister of Justice, directives of the Treasury Board Secretariat, the Commissioner’s past findings and an obiter of this Court in Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (T.D.).

[87]      According to the Commissioner, this interpretation also requires that the employer demonstrate that there is no adequate less intrusive measure.

[88]      In the alternative, the Commissioner argues that if the Court does not accept that the aspect of necessity exists in section 4 of the Act, this aspect must nonetheless be interpreted in a restrictive manner so that irrelevant personal information that could lead to the collection of other possibly relevant information is not collected.

(c)        Relevant considerations for the implementation of section 4 of the Act in this matter

(i)         Nature of the personal information in a credit report

[89]      The Commissioner notes basically that credit reports contain highly sensitive personal information, the disclosure of which must be limited. In addition, correctional officers could be forced to explain some of the information and thus disclose additional personal information. Credit reports contain information on an individual’s current debt and financial history.

(ii)        Direct relationship between credit reports and the assessment of an individual’s trustworthiness

[90]      The Commissioner is asking the Court to consider whether the AGC effectively established that credit reports constitute an effective means of assessing the trustworthiness of employees and that no other reasonable, less intrusive means exist.

[91]      Regarding the first point, the Commissioner submits that there is no empirical evidence that a credit report is an effective measure for achieving the objective of assessing an employee’s trustworthiness.

[92]      Regarding the second point, the Commissioner submits that there are less intrusive and more effective ways to allow organizations to assess whether their employees are trustworthy. Those measures include, for example, interviews or even checking references from former employers.

IV.       Issues

[93]      The Court must first determine the appropriate standard of review and then address the following issues:

(1)       Does the part of the Standard’s Appendix B and paragraph 3(d) of the Directive that include the Inquiry as a screening activity for the reliability status of correctional officers breach section 8 of the Charter?

(2)       If the answer is yes, is that breach saved by section 1 of the Charter?

(3)       Does paragraph 3(d) of the Directive, which includes the Inquiry as a screening activity for the reliability status of correctional officers, breach section 4 of the Act?

V.        Analysis

A.        Standard of review

[94]      The Treasury Board’s decision to adopt the Standard and CSC’s decision to adopt the Directive implementing the Standard constitute discretionary administrative decisions. Thus, the standard of review that should be applied in this case is reasonableness, even if section 8 of the Charter is engaged (Dunsmuir v. New Brunswick, 2008 SCC 9, [2008] 1 S.C.R. 190, at paragraph 53; Thomson v. Canada (Attorney General), 2015 FC 985, at paragraph 38, affirmed by 2016 FCA 253, 365 C.R.R. (2d) 180, at paragraph 24).

B.        Does the part of the Standard’s Appendix B and paragraph 3(d) of the Directive that include the Inquiry as a security screening activity for the reliability status of correctional officers violate section 8 of the Charter?

(1)       Elements to determine

[95]      According to the principles set out by the Supreme Court of Canada in 2015 in Goodwin, to address this issue, it must be determined (1) whether section 8 is engaged; (2) whether the search is authorized by law; (3) whether the search set out in the law is unreasonable; and (4) whether the search was carried out in an unreasonable manner.

[96]      It is not in dispute in this case that section 8 is engaged because the collection of credit reports constitutes a search under section 8 and correctional officers have a certain expectation of privacy concerning the information in their credit report.

[97]      It is also undisputed that the search is authorized by law and that, while the provisions in question are not those of a law but of a standard and a directive, the same criterion can be used (See for example Jackson v. Joyceville Penitentiary, [1990] 3 F.C. 55 (T.D.), and Fila Canada Inc. v. Doe, [1996] 3 F.C. 493 (T.D.); see also Myers v. Canada (Attorney General), 2007 FC 947, 319 F.T.R. 35, at paragraphs 30 and 31).

[98]      Lastly, it is also undisputed that the search was not conducted in an unreasonable manner and there is no evidence to the contrary.

[99]      Thus, it is up to the Court to determine whether the search set out in the law is unreasonable.

(2)       The reasonableness of the search

[100]   We find no determinative test for assessing the reasonableness of a search (Goodwin; Thomson Newspapers Ltd. v. Canada (Director of Investigation and Research, Restrictive Trade Practices Commission), [1990] 1 S.C.R. 425 (Thomson Newspapers)), but understand that the assessment of reasonableness must be conducted with flexibility and considering the purpose of the law in question (R. v. McKinlay Transport Ltd., [1990] 1 S.C.R. 627). The conclusion will also depend on “the importance of the state objective and the degree of impact on the individual’s privacy interest” (R. v. Rodgers, 2006 SCC 15, [2006] 1 S.C.R. 554, at paragraph 27). In this regard, as discussed in Hunter et al. v. Southam Inc., [1984] 2 S.C.R. 145 (Hunter) [at pages 159 and 160] and noted by the Union, the Court will assess “whether in a particular situation the public’s interest in being left alone by government must give way to the government’s interest in intruding on the individual’s privacy in order to advance its goals, notably those of law enforcement.”

[101]   Because warrantless searches are presumptively unreasonable (Goodwin and Hunter), the state has the burden of establishing the reasonableness of the search that is at issue in this dispute.

[102]   The Court is guided by the criteria reiterated by the Supreme Court of Canada in Goodwin in 2015 and those to which the Federal Court of Appeal referred in Reference, and will therefore examine (a) the purpose of the Standard and the Directive, including the pressing nature of the public interest and to what extent the information sought is likely to further that interest; (b) the nature of the Standard and the Directive; (c) the seizure mechanism, that is, the manner in which a credit report is obtained, and the degree of intrusiveness; (d) the review subsequent to a decision or the availability of judicial supervision.

(a)       The objective of the Standard and the Directive, including the pressing nature of the public interest and to what extent the information sought is likely to further that interest

[103]   The review of the objective of the law will make it possible to militate for or against its reasonableness. For example, the purpose of preventing death and serious injuries on public highways was recognized as “compelling” and as weighing “heavily in favour of the reasonableness of the breath seizure” (Goodwin, at paragraph 59).

[104]   It seems appropriate to note here that the objectives of the Policy governing the Standard are to ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management.

[105]   The objectives stem from the contextual premise that government security is the assurance that information, assets and services are safeguarded from compromise and individuals are protected against workplace violence. Thus, the government must ensure that all individuals who have access to government information and assets are security screened at the appropriate level and are treated in a fair and unbiased manner.

[106]   The objective of the Standard is to carry out security screening and enable its transferability within the government. Lastly, the objective of the Inquiry is to assess whether an individual poses a security risk on the basis of financial pressure or history of poor financial responsibility.

[107]   According to the Union, the Standard contributes to national security, which, it admits, constitutes a valid and important pressing and substantial objective. The Court accepts this proposal and also considers that national security or government security, that is, safeguarding assets, information and services and protecting individuals against workplace violence, was recognized as a compelling objective that supports the reasonableness of the Standard and the Directive (R. v. Simmons, [1988] 2 S.C.R. 495, at paragraphs 48 and 49 [pages 527 and 528]; Reference, at paragraph 53).

[108]   The Court agrees with the AGC’s position that it is likely that the information obtained will further the objective of national security. It is important, at this stage, to examine the responsibilities of correctional officers at the CX-1 and CX-2 levels. The positions involve the safety and protection of the public, staff members, inmates and the institution as well as the functional supervision of activities for CSC. Correctional officers at the CX-2 level are also responsible for case management services and the safe reintegration of offenders into society. These two groups are in direct contact with inmates, their families and visitors to the prison. They must prepare reports, from which information is used by CSC staff and other organizations to make decisions concerning security and the reintegration of inmates into society.

[109]   The Union admits that employment in the public service, particularly in CSC, is considered a relatively regulated field (paragraph 31 of its memorandum). It also admits that there may be a rational connection between checking employees’ credit reports and the objective of the contested measure of protecting national security by ensuring that dishonest and untrustworthy individuals have access to restricted assets or facilities or privileged information of the government (paragraphs 55 and 56 of its memorandum). In addition, the Union does not dispute that inquiries can be justified [translation] “in the context of security investigations of individuals in certain job categories” (paragraph 2 of its memorandum). However, it stresses that the job of correctional officers does not fall under such category because correctional officers do not manage money or budgets and that, in that context, their personal financial practices do not demonstrate their trustworthiness or their ability to act in their position. Access to sums of money is thus a determinative element for the Union.

[110]   However, while correctional officers do not manage money or budgets, they may nonetheless have access to sums of money resulting from corruption. In fact, the Court in this regard accepts the AGC’s proposal that correctional officers hold [translation] “the keys to the prison”, protect the public and inmates, have access to sensitive information in the Offender Management System and are the main point of contact for inmates. This position is confirmed by the information in the work descriptions for correctional officers at the CX-1 and CX-2 levels, submitted with the affidavit of Nick Fabiano, attesting to officers’ duties of surveillance, verifications and security.

[111]   In the words of the AGC, correctional officers work in an environment where the imperatives of security measures are primordial and constant and where they are likely to be the subject of attempted bribery, threats and manipulation.

[112]   Thus, if, as the Union admits, conducting inquiries and analyzing the credit reports of employees who manage sums of money or budgets is justified, it seems evident that it would also be justified for employees to whom money may be offered as a bribe or who, even absent the monetary factor, could be threatened, manipulated or coerced, as described, for example, by Nick Fabiano in his affidavit (at paragraphs 37–39).

[113]   The likelihood that the information provided furthers the objective of the Standard and the Directive favours its reasonableness.

(b)       The nature of the Standard and the Directive

[114]   The Court recognizes that the criminal or regulatory characterization of a search is relevant in assessing its reasonableness (Goodwin, at paragraph 60). A regulatory law will thus give rise to a lower expectation of privacy than a criminal law (Thomson Newspapers, at paragraphs 95 and 122). However, in this case, the contested provisions are administrative in nature and are thus regarded as less intrusive (Reference, at paragraph 52), which supports the reasonableness of the Standard and the Directive.

(c)        The seizure mechanism, that is, the manner in which a credit report is obtained, and the degree of intrusiveness

[115]   Regarding the choice of the seizure mechanism used, it is interesting to note that demands for personal information, a photograph and fingerprints are among the least intrusive forms of search (Reference, at paragraph 61), versus, for example, breath demands or even blood samples (Goodwin, at paragraph 65).

[116]   In the case at bar, the employer obtains the individual’s credit report following the signing, by that individual, of the Personnel Screening, Consent and Authorization Form, on which the individual checked the box confirming his or her consent. Completing a questionnaire, even when a refusal to sign it may jeopardize the person’s employment, constitutes a lesser intrusion on privacy than other types of searches (Reference, at paragraphs 48 and 51) and thus supports the reasonableness of the impugned provisions.

[117]   Concerning the degree of intrusiveness, the evidence, including a document by the Financial Consumer Agency of Canada entitled “Understanding your credit report and credit score” (2016), at pages 8 et seq., shows that a credit report may disclose the following information:

•     The individual’s biographic information (name, date of birth, current and previous addresses, current and previous telephone numbers, current and previous employers, social insurance number, driver’s licence number, passport number);

•     Credit history information, such as credit accounts and transactions (credit cards, lines of credit or loans) and telecommunications accounts; negative banking information; public records (bankruptcy and registered items); debts sent to collection agencies; information on lenders; and remarks (consumer statements, fraud alerts and identity verification alerts);

•     Mortgage information and history of mortgage payments;

•     The codes attributed to various credit accounts, including a letter (R) and a number (from 1 to 9), indicating the individual’s payment history for each item.

[118]   Adverse information is generally kept for up to seven years.

[119]   Credit reports therefore do not disclose an individual’s credit score, cash flow, or even the balance of the individual’s bank accounts. In short, as its name indicates, a credit report discloses the credit granted to an individual, the level of use of that credit and the associated payment history. Apart from speculation on the level of debt and the existence of a mortgage loan identifying the individual as a property owner, credit reports do not disclose details on an individual’s lifestyle, contrary to what the Union claims.

[120]   The Court is aware that the reliability of the results can undermine the reasonableness of the seizure (Goodwin, at paragraph 66). However, in this case, individuals have the opportunity to check the content of their credit report before its disclosure, to correct inaccurate information if applicable and to ensure the reliability of the information disclosed.

[121]   The seizure mechanism via the Form signed by the individual, the less invasive degree of intrusiveness considering the information concerned, and the possibility that the individual can verify the reliability of the information disclosed favour the reasonableness of the provisions of the Standard and the Directive.

(d)       Review subsequent to a decision or the availability of judicial supervision

[122]   Bear in mind that “[w]hile less exacting review may be sufficient in a regulatory context, the availability and adequacy of review is nonetheless relevant to reasonableness under s. 8” (Goodwin, at paragraph 71). Thus, the existence of judicial supervision allowing for a review of the seizure will support the reasonableness of the law, while contrarily, “[a] provision authorizing such an unreviewable power would clearly be inconsistent with s. 8 of the Charter” (Hunter, at page 166). Note that the possibility of a reconsideration of the negative decision and an application for judicial review proved sufficient in Reference, at paragraph 60.

[123]   The individual will have the opportunity to provide explanations for any adverse information at a meeting, which supports reasonableness. However, although Ms. Sicard testified that such meetings have never been conducted by institutional managers, the Directive itself indicates this possibility because paragraph 4(h) states that managers will provide the individual with an opportunity to explain any adverse information. It is indeed possible and likely that institutional managers will be provided with their employees’ financial information and their employees will consequently be required to disclose additional personal information to them.

[124]   Paragraph 4(g) of the Directive sets out the review procedure and the availability of redress before this Court or the Canadian Human Rights Commission based on the facts, allegations and remedies sought. Appendix E of the Standard also states the procedure for contesting the denial or revocation of a reliability status or security clearance.

[125]   Thus, even though the responsibility given to managers to conduct interviews with officers is debatable, the possibility that the ultimate decision to deny reliability status could be reviewed by this Court and/or another tribunal according to the circumstances favours the reasonableness of the Standard and the Directive.

(3)       Conclusion

[126]   Thus, the Court considers, in particular, the valid and important objective of the Standard and the Directive; the likelihood that the information provided furthers the objective of public interest; the administrative nature of the impugned provisions; the choice of seizure mechanism; the degree of intrusiveness; the possibility of providing explanations for adverse information; as well as the review and reconsideration procedures and the availability of judicial supervision. A review of these criteria makes it possible for the Court to find that the provisions of the Standard and the Directive that include the Inquiry as a security screening activity for the reliability status of correctional officers do not violate section 8 of the Charter and that the Treasury Board’s decision to adopt the Standard and CSC’s decision to adopt the Directive are, in this respect, reasonable.

[127]   The Union and the AGC discussed applying section 1 of the Charter in this application. However, because the Court finds that there was no violation of section 8 of the Charter, it is not necessary to examine whether the violation is justified by section 1 of the Charter or to determine whether “the decision reflects a proportionate balancing of the Charter protections at play” (Doré v. Barreau du Québec, 2012 SCC 12, [2012] 1 S.C.R. 395, at paragraph 57).

C.        Does paragraph 3(d) of the Directive, which includes the Inquiry as a security screening activity for the reliability status of correctional officers, violate section 4 of the Act?

[128]   The Court will first address the AGC’s argument that this redress is premature.

(1)       Premature redress

[129]   The Court accepts the Commissioner’s position that the complaint process set out in paragraph 29(1)(h) of the Act should not be considered an adequate alternative remedy because the Commissioner’s findings and recommendations with respect to complaints are not binding and the Act does not provide for any subsequent recourse, requiring that the applicant file an application for judicial review to obtain a binding decision. Furthermore, because the issues specific to section 4 of the Act are similar to those related to section 8 of the Charter, it seems appropriate for the Court to rule on these two issues simultaneously.

(2)       Section 4 protection

(a)       General principles

[130]   According to section 2, the purpose of the Act is to “extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.” It concerns government institutions, defined as any department or ministry of state of the Government of Canada, or any body or office, listed in the schedule, and any parent Crown corporation, and any wholly-owned subsidiary of such a corporation, within the meaning of section 83 of the FAA. This includes CSC.

[131]   The Supreme Court of Canada addressed the purpose of the Act specifically as “limit[ing] the government’s ability to collect, use and disclose personal information” (Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, at paragraph 47, La Forest J (dissenting on other points)). To achieve this objective, “Parliament has created a detailed scheme for collecting, using and disclosing personal information. First, the Act specifies the circumstances in which personal information may be collected by a government institution, and what use the institution may make of it: only personal information that relates directly to an operating program or activity of the government institution that collects it may be collected (s. 4)” (Lavigne v. Canada (Office of the Commissioner of Official Languages), 2002 SCC 53, [2002] 2 S.C.R. 773 (Lavigne), at paragraph 27).

[132]   Personal information includes information on an individual’s employment history or financial transactions in which he or she participated. Regarding the collection of personal information, which is at issue here, section 4 of the Act states that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.

[133]   The Court is aware of the importance of protecting an individual’s personal information and cites a passage from the decision of the Supreme Court of Canada in Alberta (Information and Privacy Commissioner) v. United Food and Commercial Workers, Local 401, 2013 SCC 62, [2013] 3 S.C.R. 733, at paragraph 19:

The focus is on providing an individual with some measure of control over his or her personal information: Gratton, at pp. 6 ff. The ability of individuals to control their personal information is intimately connected to their individual autonomy, dignity and privacy. These are fundamental values that lie at the heart of a democracy. As this Court has previously recognized, legislation which aims to protect control over personal information should be characterized as “quasi-constitutional” because of the fundamental role privacy plays in the preservation of a free and democratic society: Lavigne v. Canada (Office of the Commissioner of Official Languages), [2002] 2 S.C.R. 773, at para. 24; Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403, at paras. 65-66; H.J. Heinz Co. of Canada Ltd. v. Canada (Attorney General), [2006] 1 S.C.R. 441, at para. 28.

(b)       Direct relationship

[134]   Under section 4 of the Act, a government institution shall collect only information that “relates directly to an operating program or activity of the institution.” It is thus important to define the expression relates directly, identify the personal information collected and the operating program or activity of the government institution, and examine whether they are directly related.

[135]   Because the terms relates directly, or lien direct in French, give rise to a different interpretation by the parties and are not defined in the Act, it is helpful to use methods of interpretation to establish their meaning. In accordance with the modern approach to statutory interpretation, the words of an act are to be read “in their entire context and in their grammatical and ordinary sense harmoniously with the scheme of the Act, the object of the Act, and the intention of Parliament” (Elmer Driedger, Construction of Statutes, 2nd ed., 1983, at page 87; Rizzo & Rizzo Shoes Ltd (Re), [1998] 1 S.C.R. 27, at paragraph 21).

[136]   If we look first at the grammatical and ordinary sense of the words, three rules must guide our interpretation in accordance with the grammatical method: “(1) words must be given their ordinary meaning; (2) words must be given the meaning they had on the day the statute was enacted; (3) adding to the terms of the statute, or depriving them of effect, should be avoided” (Pierre-André Côté in collaboration with Stéphane Beaulac and Mathieu Devinat, The Interpretation of Legislation in Canada, 4th ed., Toronto: Carswell, 2011, at page 277). As previously stated, the Dictionnaire Larousse en ligne, French dictionary, defines the term “direct” [[translation] “direct”] as “qui est en relation immédiate avec quelque chose d’autre, qui y est étroitement lié” [[translation] “that which immediately relates to something, that which is closely connected”]. The Canadian Oxford Dictionary defines the term “directly” as “in a direct manner”; the term “direct” is defined as “without intermediaries or the intervention of other factors”. The Dictionnaire Larousse en ligne, French dictionary, defines the term “nécessaire” [[translation] “necessary”] as “dont on ne peut se passer” [[translation] “that which is required”]; “qui est très utile ou obligatoire, indispensable, qui doit être fait, qui s’impose” [[translation] “that which is very useful or obligatory, indispensable, that which must be done, is imperative”]. Its synonyms include “obligatoire” [[translation] “obligatory”], “obligé” [[translation] “inescapable”], “inévitable” [[translation] “unavoidable”] and “essentiel” [[translation] “essential”].

[137]   To specify the meaning of the terms relates directly, the Union refers to section 5 of An Act respecting the Protection of Personal Information in the Private Sector, which instead uses the term necessary. The wording of subsequent laws should therefore be considered with caution. The Supreme Court of Canada stated that “[a] comparision [sic] of like statutes enacted by the same Legislature is at most of peripheral assistance in determining the proper interpretation of the statute before the Court.” (Corp. of Goulbourn v. Reg. Mun. of Ottawa-Carleton, [1980] 1 S.C.R. 496, at page 515). In addition, the law to which the Union refers was not enacted by Parliament, but by the province of Quebec, and its argument can therefore be rejected.

[138]   To complete the purpose of the Act stated in section 2 of the Act, it is possible to consider the administrative interpretation thereof, although such interpretation is not binding on the Court.

[139]   For example, the Commissioner refers to the parliamentary business for the Act’s reform and to the report by the Standing Committee on Access to Information, Privacy and Ethics dated June 2009 to support his claim that the expression relates directly includes a necessity test (paragraph 25 of his memorandum). In fact, as part of the parliamentary business for the Act’s reform, the Department of Justice took the position that section 4 need not be amended to include a necessity test because the test was already contained therein. The Department of Justice’s legal representative provided the following explanation: “[t]he Treasury Board guidelines have said this expression “unless it relates directly” should mean a necessity test. Arguably, that’s the only legal interpretation that’s possible. If we say you shall not collect information unless it directly relates to a program, then basically it’s saying you can’t collect information you don’t need”.

[140]   The Commissioner also refers to an obiter of this Court in Canada (Privacy Commissioner) v. Canada (Labour Relations Board), [1996] 3 F.C. 609 (T.D.), which states: “[t]he Act limits the collection of private information by government to what is necessary for its operations” (at paragraph 94).

[141]   However, the Court finds that the ordinary meaning of the words relates directly is clearly not necessary. Because the words must be given their ordinary meaning and because it would have been easy for Parliament to use the word necessary and to create a necessity test, the Court finds that that was not Parliament’s intent. Despite the arguments of the Union and the Commissioner, the Court finds that section 4 does not contain a necessity test, but a less onerous test of establishing a direct, immediate relationship with no intermediary between the information collected and the operating programs or activities of the government. This interpretation considers the purpose of the Act, which is to protect the personal information of individuals within defined parameters, specifying the circumstances in which that information can be collected (Lavigne, at paragraph 27). The parameters are defined in section 4, which allows government institutions to collect personal information “that relates directly to an operating program or activity of the institution”, and not “that is necessary” to an operating program or activity of the institution.

[142]   The information collected, that is, the information in an individual’s credit report, has been described in detail above. The activities involved are related to security screening, to ensure government security, that is, the safety and protection of the public, staff, inmates and the institution as well as the functional supervision of activities for CSC.

[143]   With this in mind, the Court finds that there is a direct relationship between the information collected and the activities of the government. Correctional officers are in direct daily contact with individuals located inside penitentiaries and out in the community. These two groups are likely to put pressure on correctional officers. The information in correctional officers’ credit reports thus contributes to assessing their trustworthiness and vulnerability.

[144]   As a result, CSC’s decision to adopt paragraph 3(d) of the Directive, which includes the Inquiry as a security screening activity for the reliability status of correctional officers is reasonable, and the provision does not violate section 4 of the Act.

VI.       Conclusion

[145]   In light of the foregoing, the decisions of the Treasury Board and CSC are reasonable. The part of the Standard’s Appendix B that concerns a financial inquiry and paragraph 3(d) of the Directive are not contrary to section 8 of the Charter, and paragraph 3(d) of the Directive is not contrary to section 4 of the Act.

JUDGMENT

THIS COURT’S JUDGMENT is that:

1.         The application for judicial review is dismissed.

2.         Costs are awarded in favour of the respondent.

ANNEX

Standard on Security Screening

Appendix B – Security Screening Model and Criteria

1. Security Screening Model

Security screening requirements are determined by the duties to be performed and by the sensitivity of information, assets or facilities to be accessed, and in accordance with the Position Analysis tool and guidance issued by the Secretariat.

Standard screening is conducted for all duties or positions in the federal government and for other individuals with whom there is a need to share or provide access to sensitive or classified information, assets or facilities, when responsibilities do not relate to security and intelligence functions.

Enhanced screening is conducted in limited and specific circumstances, and in accordance with the following criteria:

•     When duties or positions involve, or directly support, security and intelligence (S&I) functions, including access to sensitive law enforcement or intelligence-related operational information, (i.e., sources or methodologies);

•     When duties or positions involve direct joint operational activity with S&I departments or agencies;

•     When duties or positions involve the provision of services to S&I departments or agencies which include management of, or access to, an aggregate of S&I information; or

•     When duties or positions, and related access to sensitive information, create a high risk that an individual may be influenced by criminal or ideologically motivated persons or organizations.

There are three levels of security screening: reliability status, Secret security clearance, and Top Secret security clearance. Whenever the terms “status” or “clearance” are used, they encompass both standard and enhanced screening, unless otherwise specified.

The following table describes the standard and enhanced security screening activities.

| Reliability Status | Secret Clearance | Top Secret Clearance |
| --- | --- | --- |
| 5 year background information • Verification of identity and background • Verification of educational and professional credentials • Personal and professional references • Financial inquiry (credit check) • Law enforcement inquiry (criminal record check) | 10 year background information • Reliability status • CSIS security assessment | 10 year background information + foreign travel, foreign assets, character references, education, military service • Reliability status / Secret clearance • CSIS security assessment |
| Enhanced • Law enforcement inquiry (Law enforcement record check (LERC)) • Security questionnaire and/or security interview • Open source inquiry | [BLANK/EN BLANC] | Enhanced • Security questionnaire and/or security interview • Open source inquiry • CSIS security assessment • Polygraph examination |
| Validity Period: 10 years | Validity Period: 10 years | Validity Period: 5 years |

Commissioner’s Directive 564-1 – “Individual Security Screening”

3. The Departmental Security Officer has the following responsibilities:

d. ensure that criminal record checks, credit checks, law enforcement record checks, open source inquiries and Canadian Security Intelligence Service (CSIS) security assessments, as appropriate, are conducted at the national level

4. Managers will:

h. provide the individual with an opportunity to explain any adverse information

Canadian Charter of Rights and Freedoms, being Part I of the Constitution Act, 1982, Schedule B, Canada Act 1982, 1982, c. 11 (U.K.) [R.S.C., 1985, Appendix II, No. 44]

Rights and freedoms in Canada

1. The Canadian Charter of Rights and Freedoms guarantees the rights and freedoms set out in it subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.

Search or seizure

8. Everyone has the right to be secure against unreasonable search or seizure.

Privacy Act, R.S.C., 1985, c. P-21

Collection of personal information

4 No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.

Personal information to be collected directly

5 (1) A government institution shall, wherever possible, collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2).

Individual to be informed of purpose

(2) A government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected.

Exception

(3) Subsections (1) and (2) do not apply where compliance therewith might

(a) result in the collection of inaccurate information; or

(b) defeat the purpose or prejudice the use for which information is collected.

Receipt and investigation of complaints

29 (1) Subject to this Act, the Privacy Commissioner shall receive and investigate complaints

(h) in respect of any other matter relating to

(i) the collection, retention or disposal of personal information by a government institution,

(ii) the use or disclosure of personal information under the control of a government institution, or

(iii) requesting or obtaining access under subsection 12(1) to personal information.

Review by Federal Court where access refused

41 Any individual who has been refused access to personal information requested under subsection 12(1) may, if a complaint has been made to the Privacy Commissioner in respect of the refusal, apply to the Court for a review of the matter within forty-five days after the time the results of an investigation of the complaint by the Privacy Commissioner are reported to the complainant under subsection 35(2) or within such further time as the Court may, either before or after the expiration of those forty-five days, fix or allow.

Financial Administration Act, R.S.C., 1985, c. F-11

Responsibilities of Treasury Board

7 (1) The Treasury Board may act for the Queen’s Privy Council for Canada on all matters relating to

(a) general administrative policy in the federal public administration;

(e) human resources management in the federal public administration, including the determination of the terms and conditions of employment of persons employed in it

Policy on Government Security

3. Context

3.1 Government security is the assurance that information, assets and services are protected against compromise and individuals are protected against workplace violence. The extent to which government can ensure its own security directly affects its ability to ensure the continued delivery of services that contribute to the health, safety, economic well-being and security of Canadians.

3.2 Security begins by establishing trust in interactions between government and Canadians and within government. In its interactions with the public when required, the government has a need to determine the identity of the individuals or institutions. Within government, there is a need to ensure that those having access to government information, assets and services are trustworthy, reliable and loyal. Consequently, a broad scope of government activities, ranging from safeguarding information and assets to delivering services, benefits and entitlements to responding to incidents and emergencies, rely upon this trust.

3.3 In a department, the management of security requires the continuous assessment of risks and the implementation, monitoring and maintenance of appropriate internal management controls involving prevention (mitigation), detection, response and recovery. The management of security intersects with other management functions including access to information, privacy, risk management, emergency and business continuity management, human resources, occupational health and safety, real property, materiel management, information management, information technology (IT) and finance. Security is achieved when it is supported by senior management—an integral component of strategic and operational planning—and embedded into departmental frameworks, culture, day-to-day operations and employee behaviours.

3.4 At a government-wide level, security threats, risks and incidents must be proactively managed to help protect the government’s critical assets, information and services, as well as national security. Advice, guidance and services provided by lead security agencies support departments and government in maintaining acceptable levels of security while achieving strategic goals and service delivery imperatives.

3.5 The management of security is most effective when it is systematically woven into the business, programs and culture of a department and the public service as a whole.

3.6 Deputy heads are accountable for the effective implementation and governance of security and identity management within their departments and share responsibility for the security of government as a whole. This comprises the security of departmental personnel, including those working in or for offices of Ministers or Ministers of State, and departmental information, facilities and other assets.

3.7 Ministers of the Crown, ministers, and Ministers of State are responsible for the security of their staff and offices as well as the security of sensitive information and assets in their custody, as directed by the prime minister.

3.8 This policy is issued under section 7 of the FAA.

3.9 Treasury Board has delegated to the President of the Treasury Board the authority to amend directives that support the policy in the following subject areas:

• Departmental security management

• Identity management

and to issue and amend standards that support the policy in the following subject areas:

• Information and identity assurance

• Individual security screening

• Physical security

• IT Security

• Emergency and business continuity management

• Security in contracting

3.10 This policy is to be read in conjunction with the Foundation Framework for Treasury Board Policies, the Directive on Departmental Security Management and the Directive on Identity Management.

5. Policy statement

5.1 The objectives of this policy are to ensure that deputy heads effectively manage security activities within departments and contribute to effective government-wide security management.

5.2 The expected results of this policy are:

• Information, assets and services are safeguarded from compromise and employees are protected against workplace violence;

• Governance structures, mechanisms and resources are in place to ensure effective and efficient management of security at both a departmental and government-wide level;

• Management of security incidents is effectively coordinated within departments and government-wide;

• Interoperability and information exchange are enabled through effective and consistent security and identity management practices; and

• Continuity of government operations and services is maintained in the presence of security incidents, disruptions or emergencies.

6. Requirements

6.1 Deputy heads of all departments are responsible for:

6.1.1 Establishing a security program for the coordination and management of departmental security activities that:

a. Has a governance structure with clear accountabilities;

b. Has defined objectives that are aligned with departmental and government-wide policies, priorities and plans; and

c. Is monitored, assessed and reported on to measure management efforts, resources and success toward achieving its expected results;

6.1.2 Appointing a departmental security officer (DSO) functionally responsible to the deputy head or to the departmental executive committee to manage the departmental security program (Note: The deputy head of a small department or agency (SDA) can assume the role of DSO);

6.1.3 Establishing a formal arrangement with the service provider when the role of the DSO is fulfilled by a third party (e.g., shared or clustered service provider or a portfolio department);

6.1.4 Approving the departmental security plan that details decisions for managing security risks and outlines strategies, goals, objectives, priorities and timelines for improving departmental security and supporting its implementation;

6.1.5 Ensuring that managers at all levels integrate security and identity management requirements into plans, programs, activities and services;

6.1.6 Ensuring that all individuals who will have access to government information and assets, including those who work in or for offices of Ministers and Ministers of State, are security screened at the appropriate level before the commencement of their duties and are treated in a fair and unbiased manner;

6.1.7 Ensuring that their authority to deny, revoke or suspend security clearances is not delegated;

6.1.8 Ensuring that when significant issues arise regarding policy compliance, allegations of misconduct, suspected criminal activity, security incidents, or workplace violence they are investigated, acted on and reported to the appropriate law enforcement authority, national security agency or lead security agency.

6.2 Deputy heads of lead security agencies are responsible for:

6.2.1 Providing departments with advice, guidance and services related to government security, consistent with their mandated responsibilities;

6.2.2 Appointing an executive or executives to coordinate and oversee the provision of support services to departments and to represent the deputy head to TBS in this regard; and

6.2.3 Ensuring that the security support services provided help government departments achieve and maintain an acceptable state of security and readiness and that those services remain aligned with government-wide policies, priorities and plans related to government security.

•  A list of lead security agencies and details on the nature and scope of their responsibilities under this policy are found in Appendix B—Responsibilities of Lead Security Agencies.

6.3 Monitoring and reporting requirements

Within departments

   Deputy heads are responsible for ensuring that periodic reviews are conducted to assess whether the departmental security program is effective, whether the goals, strategic objectives and control objectives detailed in their departmental security plan were achieved and whether their departmental security plan remains appropriate to the needs of the department and the government as a whole.

By departments

   Deputy heads are responsible for reporting periodically to TBS on the status and progress of implementation of this policy and on the results of ongoing performance measurement.

Lead security agencies

   In addition to monitoring and reporting on their departmental security program, deputy heads of lead security agencies are also responsible for:

   Ensuring that periodic reviews are conducted to assess the effectiveness of their security support services to ensure they continue to meet the needs of departments and the government as a whole; and

   Reporting on their activities under this policy through current government reporting mechanisms, e.g., Management, Resources and Results Structure (MRRS), departmental performance reports (DPR) and reports on plans and priorities (RPP).

Government-wide

•  TBS is responsible for:

º  Monitoring compliance with this policy and the achievement of expected results in a variety of ways, including but not limited to MAF assessments, Treasury Board submissions, DPRs, RPPs, results of audits, evaluations and studies, and ongoing dialogue and committee work; and

º  Reviewing and reporting to Treasury Board on the effectiveness and implementation of this policy and its directives and standards at the five-year mark from the effective date of the policy. Where substantiated by risk analysis, TBS will also ensure an evaluation is conducted.

An Act respecting the Protection of Personal Information in the Private Sector, CQLR, ch. P-39.1

5. Any person collecting personal information to establish a file on another person or to record personal information in such a file may collect only the information necessary for the object of the file.

Such information must be collected by lawful means.
