Neutral citation: 2003 FCT 133
DZEVAD CEMERLIC, M.D.
- and -
SOLICITOR GENERAL OF CANADA
REASONS FOR ORDER
 This is an application pursuant to section 41 of the Privacy Act, R.S.C. 1985, c. P-21 as amended (the "Act") for a review of the decision of the Solicitor General of Canada, acting on behalf of the Canadian Security Intelligence Service ("CSIS"), wherein he refused the applicant access to certain personal information about the applicant, and refused to confirm or deny whether other personal information about the applicant existed.
 At issue in this case is a request from the applicant for access to personal information concerning himself held by CSIS. While the applicant has raised a large number of issues, the Court has distilled the case down to three main issues.
1. Did CSIS err by refusing to disclose personal information pursuant to the exemptions in sections 19 (foreign government confidences), 21 (international affairs and defence confidences), 26 (third party confidences) and 28 (medical information confidences) of the Act?
2. Did CSIS err by refusing to confirm or deny the existence of information in two personal information banks pursuant to subsection 16(2) (national security and counterintelligence confidences)?
3. Did CSIS undertake a proper search of four personal information banks which it claims contain no information on the applicant?
The Applicant's Request
The applicant believes that at one time he was the target of a CSIS investigation and that this investigation has left the impression in his community that he is a person to be regarded with suspicion. On August 7, 1997, as part of an attempt to clear his name, the applicant requested pursuant to subsection 12(1) of the Act that CSIS produce all information related to him in its personal information banks. Section 12 states:
12. (1) Subject to this Act every individual who is a Canadian Citizen or a permanent resident within the meaning of subsection 2(1) of the Immigration and Refugee Protection Act has a right to and shall, on request, be given access to
(a) any personal information about the individual contained in a personal information bank; and
(b) any other personal information about the individual under the control of a government institution with respect to which the individual is able to provide sufficiently specific information on the location of the information as to render it reasonably retrievable by the government institution.
12. (1) Sous réserve des autres dispositions de la présente loi, tout citoyen canadien et tout résident permanent, au sens de la Loi sur l'immigration, a le droit de se faire communiquer sur demande :
a) les renseignements personnels le concernant et versés dans un fichier de renseignements personnels;
b) les autres renseignements personnels le concernant et relevant d'une institution fédérale, dans la mesure où il peut fournir sur leur localisation des indications suffisamment précises pour que l'institution fédérale puisse les retrouver sans problèmes sérieux.
 CSIS responded to the applicant's request in a letter dated October 3, 1997. The letter informed the applicant that:
- (vi) there was no information concerning the applicant in Bank Number: SIS PPU 015 (CSIS Records), Bank Number: SIS PPU 020 (Access Request Records), Bank Number: SIS PPU 025 (CSIS Candidates) and Bank Number: SIS PPU 040 (Unlawful Conduct Investigations);
- (vii) the respondent was disclosing 32 pages of information found in Bank Number: SIS PPU 005 (Security Assessments / Advice), but was applying exemptions to some of the information pursuant to sections 19 and 21 of the Act;
- (viii) the respondent was disclosing 49 pages of information found in Bank Number: SIS PPU 035 (Complaints Against CSIS or Its Employees), but was applying exemptions to some of the information pursuant to section 21;
- (ix) the respondent was disclosing 5 pages of information found in Bank Number: SIS PPU 055 (Security and Integrity of Government Property, Personnel and Assets), but was applying exemptions to some of the information pursuant to sections 21, 26 and 28;
- (x) Bank Number: SIS PPU 045 (CSIS Investigational Records) has been designated an exempt bank and the respondent refused to confirm or deny whether personal information about the applicant existed in the bank; and that
- (xi) in accordance with subsection 16(2) of the Act, the respondent refused to indicate whether personal information about the applicant existed in Bank Number: SIS PPU 050 (Self Protection Activity).
The Privacy Commissioner's Investigation
The applicant filed a complaint with the Privacy Commissioner alleging CSIS had denied him access to his personal information in banks 005, 035, 040 and 055. The Commissioner's findings are set out in a letter to the applicant, dated February 23, 2001. In his letter, the Commissioner stated at p. 3:
As you know, during our investigation, we questioned some of the exemptions applied by CSIS to portions of the information denied to you. I am now satisfied, after reviewing its representations, that CSIS has the authority to refuse to grant you access to some of the requested information held in banks PPU 005, 035 and 055. We were also able to confirm that CSIS searched bank PPU 040 in order to locate personal information about you and that none was found.
 Although the applicant did not complain about CSIS's response to his request for information in banks 015, 020, 025, 045 and 050, the Commissioner examined the way CSIS processed the applicant's request with respect to these banks as well. The Commissioner confirmed that CSIS had undertaken a search for information in banks 015, 020 and 025, but did not find any information related to the applicant in these banks. The Commissioner was also satisfied that the response received by the applicant from CSIS with respect to banks 045 and 050 was in accordance with the requirements of the Act.
Application to the Court
On April 2, 2001, an application for judicial review under section 41 of the Act was filed with the Court. Applications under section 41 are for a review of the institution's decision not to disclose personal information. While seeking an opinion from the Privacy Commissioner is a prerequisite to filing an application under section 41, the Commissioner's determination is not the subject of the review. Section 41 states:
41. Any individual who has been refused access to personal information requested under subsection 12(1) may, if a complaint has been made to the Privacy Commissioner in respect of the refusal, apply to the Court for a review of the matter within forty-five days after the time the results of an investigation of the complaint by the Privacy Commissioner are reported to the complainant under subsection 35(2) or within such further time as the Court may, either before or after the expiration of those forty-five days, fix or allow.
41. L'individu qui s'est vu refuser communication de renseignements personnels demandés en vertu du paragraphe 12(1) et qui a déposé ou fait déposer une plainte à ce sujet devant le Commissaire à la protection de la vie privée peut, dans un délai de quarante-cinq jours suivant le compte rendu du Commissaire prévu au paragraphe 35(2), exercer un recours en révision de la décision de refus devant la Cour. La Cour peut, avant ou après l'expiration du délai, le proroger ou en autoriser la prorogation.
 In support of his application, the applicant has sworn an affidavit and attached a number of exhibits, including newspaper articles and copies of several letters he wrote to public officials.
The respondent has filed with the Court an affidavit from Mr. Daryl Zelmer, the Director General of Internal Security for CSIS. Included as exhibits to his affidavit are copies of the documents sent to the applicant in response to his requests. On May 31, 2001, Madam Prothonotary Aronovitch issued an Order allowing the respondent to file a confidential supplementary affidavit in sealed form. The supplementary affidavit from Mr. Zelmer discloses the details of why the applicant was denied access to information in banks 005, 035 and 055. All of the withheld information has been provided to the Court as exhibits to the supplementary affidavit. The supplementary affidavit also indicates whether any information concerning the applicant is in banks 045 and 055, and if so, provides that information to the Court and explains why it was not disclosed. Mr. Zelmer's supplementary affidavit did not form part of the public court file and will be returned to counsel for the respondent after the disposition of this application.
CONDUCT OF THE HEARING
Section 51 of the Act sets out the procedure to be followed at the hearing of a section 41 application:
51. (1) Any application under section 41 or 42 relating to personal information that the head of a government institution has refused to disclose by reason of paragraph 19(1)(a) or (b) or section 21, and any application under section 43 in respect of a file contained in a personal information bank designated as an exempt bank under section 18 to contain files all of which consist predominantly of personal information described in section 21, shall be heard and determined by the Associate Chief Justice of the Federal Court or by such other judge of the Court as the Associate Chief Justice may designate to hear the applications.
(2) An application referred to in subsection (1) or an appeal brought in respect of such application shall
(a) be heard in camera; and
(b) on the request of the head of the government institution concerned be heard and determined in the National Capital Region described in the schedule to the National Capital Act.
(3) During the hearing of an application referred to in subsection (1) or an appeal brought in respect of such application, the head of the government institution concerned shall, on the request of the head of the institution, be given the opportunity to make representations ex parte.
51. (1) Les recours visés aux articles 41 ou 42 et portant sur les cas où le refus de donner communication de renseignements personnels est lié aux alinéas 19(1)a) ou b) ou à l'article 21 et sur les cas concernant la présence des dossiers dans chacun desquels dominent des renseignements visés à l'article 21 dans des fichiers inconsultables classés comme tels en vertu de l'article 18 sont exercés devant le juge en chef adjoint de la Cour fédérale ou tout autre juge de cette Cour qu'il charge de leur audition.
(2) Les recours visés au paragraphe (1) font, en premier ressort ou en appel, l'objet d'une audition à huis clos; celle-ci a lieu dans la région de la capitale nationale définie à l'annexe de la Loi sur la capitale nationale si le responsable de l'institution fédérale concernée le demande.
(3) Le responsable de l'institution fédérale concernée a, au cours des auditions en première instance ou en appel et sur demande, le droit de présenter des arguments en l'absence d'une autre partie.
On November 21, 2002, the Supreme Court of Canada released its decision in Ruby v. Canada (Solicitor General), 2002 SCC 75, reversing in part  3 F.C. 589 (C.A.). The Court stated that paragraph 51(2)(a) of the Act, which provides for mandatory in camera proceedings, was an infringement of section 2(b) of the Canadian Charter of Rights and Freedoms that could not be justified under section 1. The provision failed the minimal impairment branch of the section 1 test because it mandated an in camera hearing not just for the merits of the exemptions claimed under paragraphs 19(1)(a) or (b) or section 21, but also prevented "collateral" issues from being heard in open court. Accordingly, this hearing was conducted in open court, but the details of the exemptions claimed by the government under paragraph 19(1)(a) and section 21 were heard in camera and ex parte as required by section 51. At the in camera and ex parte hearing, CSIS authorized the Court to disclose in public that CSIS had provided the applicant with almost all (approximately 99%) of the information in its files about the applicant.
BURDEN OF PROOF
In proceedings under the Privacy Act, accessibility is the rule, confidentiality the exception, see Ruby (F.C.A.), supra at para. 31. See also Rubin v. Canada (Canada Housing and Mortgage Corp.),  1 F.C. 265 at p. 276 (C.A.), which dealt with the Access to Information Act, R.S.C. 1985, c. A-1. Under section 47 of the Act, the burden is on the head of the relevant government institution to establish its authorization for refusing to disclose the personal information requested by the applicant. Section 47 states:
47. In any proceedings before the Court arising from an application under section 41, 42 or 43, the burden of establishing that the head of a government institution is authorized to refuse to disclose personal information requested under subsection 12(1) or that a file should be included in a personal information bank designated as an exempt bank under section 18 shall be on the government institution concerned.
47. Dans les procédures découlant des recours prévus aux articles 41, 42 ou 43, la charge d'établir le bien-fondé du refus de communication de renseignements personnels ou le bien-fondé du versement de certains dossiers dans un fichier inconsultable classé comme tel en vertu de l'article 18 incombe à l'institution fédérale concernée.
The respondent has invoked both mandatory and discretionary exemptions in the case at bar. When reviewing the exemptions claimed by CSIS, the Court will adopt the approach of Mr. Justice Strayer in Kelly v. Canada (Solicitor General) (1992), 53 F.T.R. 147, cited with approval by Mr. Justice La Forest, writing in dissent but with the support of the entire Court on this point, in Dagg v. Canada (Minister of Finance),  2 S.C.R. 403 at para. 110. With respect to mandatory exemptions in the Act, Mr. Justice Strayer stated at p. 148:
[...] The nature of this burden is adequately clear when the institution head simply invokes a mandatory exemption: in such a case the Court may look at the Act and the material exempted and determine whether as a matter of law that material comes within the description of material which the Act requires exempted.
And with respect to discretionary exemptions in the Act, he stated at p. 149:
It will be seen that these exemptions require two decisions by the head of an institution: first, a factual determination as to whether the material comes within the description of material potentially subject to being withheld from disclosure; and second, a discretionary decision as to whether that material should nevertheless be disclosed.
The first type of factual decision is one which, I believe, the Court can review and in respect of which it can substitute its own conclusion. This is subject to the need, I believe, for a measure of deference to the decisions of those whose institutional responsibilities put them in a better position to judge the matter. [...]
The second type of decision is purely discretionary. In my view in reviewing such a decision the Court should not itself attempt to exercise the discretion de novo but should look at the document in question and the surrounding circumstances and simply consider whether the discretion appears to have been exercised in good faith and for some reason which is rationally connected to the purpose for which the discretion was granted.
 In accordance with Kelly, the Court will assess mandatory exemptions and factual determinations on a correctness standard. With respect to discretionary decisions, the Court will assess whether CSIS exercised its discretion "within proper limits and on proper principles" per Ruby (F.C.A.) at para. 39 and Rubin at p. 276, and "in good faith and for some reason which is rationally connected to the purpose for which the discretion was granted" per Kelly at p. 149.
Issue No. 1 - Exemptions claimed with respect to information in banks 005, 035 and 055
(a) Exemption pursuant to section 19 - Information received in confidence from a foreign government or institution (foreign government confidences)
CSIS applied the exemption in paragraph 19(1)(a) to some information found in bank 005 because it was received in confidence from a foreign government or institution. Paragraph 19(1)(a) states:
19. (1) Subject to subsection (2), the head of a government institution shall refuse to disclose any personal information requested under subsection 12(1) that was obtained in confidence from
(a) the government of a foreign state or an institution thereof;
19. (1) Sous réserve du paragraphe (2), le responsable d'une institution fédérale est tenu de refuser la communication des renseignements personnels demandés en vertu du paragraphe 12(1) qui ont été obtenus à titre confidentiel :
a) des gouvernements des États étrangers ou de leurs organismes;
 In Ruby (F.C.A.), supra at para. 100, the Federal Court of Appeal described the exemption in section 19 in the following terms:
Section 19 is a qualified mandatory exemption: the head of a government institution must refuse to disclose personal information obtained in confidence from another government or an international organization of states unless that government or institution consents to disclosure or makes the information public. This is generally referred to as the third party exemption. [emphasis added]
The purpose of the exemption in paragraph 19(1)(a) is to prevent an inadvertent disclosure of information obtained in confidence from foreign governments or institutions. This is vital to preserving the present supply of intelligence information received from foreign sources, see Ruby (S.C.C.) at paras. 43-44.
 Pursuant to subsection 19(2), information withheld under subsection 19(1) may be disclosed if the foreign government or institution from which the information was obtained consents to the disclosure or makes the information public. Subsection 19(2) states:
19. (2) The head of a government institution may disclose any personal information requested under subsection 12(1) that was obtained from any government, organization or institution described in subsection (1) if the government, organization or institution from which the information was obtained
(a) consents to the disclosure; or
(b) makes the information public.
19. (2) Le responsable d'une institution fédérale peut donner communication des renseignements personnels visés au paragraphe (1) si le gouvernement, l'organisation, l'administration ou l'organisme qui les a fournis :
a) consent à la communication;
b) rend les renseignements publics.
 While the language of the provision is permissive in nature, the Court of Appeal in Ruby (F.C.A.) at paras. 101-111 stated that subsection 19(2)(a) creates a "consent requirement." At para. 104, the Court stated that as a result of subsection 19(2)(a), "the authority who claims the benefit of the exemption is the person who has to ensure that the third party is not consenting to disclosure." At para. 110, the "consent requirement" was described as follows:
In our view, a request by an applicant to the head of a government institution to have access to personal information about him includes a request to the head of that government institution to make reasonable efforts to seek the consent of the third party who provided the information. In so concluding, we want to make it clear that we are only addressing the question of onus and that we are in no way determining the methods or means by which consent of the third party can be sought. Political and practical considerations pertaining, among others, to the nature and volume of the information may make it impractical to seek consent on a case-by-case basis and lead to the establishment of protocols which respect the spirit and the letter of the Act and the exemption. [emphasis added]
 The information withheld from the applicant pursuant to paragraph 19(1)(a) undoubtedly falls within the scope of the provision. Be that as it may, the evidence does not show that CSIS made any efforts to obtain consent to release the information from the third party who provided it. It is submitted by the respondent that this does not need to be done on a case-by-case basis and that it is within the discretion of the government institution in question to determine what is appropriate in each case.
The Court does not agree with the respondent's submission. I interpret the statements of the Court of Appeal in Ruby (F.C.A.) at para. 110 as waiving the requirement for a government institution to seek consent if it is acting pursuant to an established protocol that respects the spirit and the letter of the Act and the exemption. Other than a general statement that this information was received "in confidence", the respondent has not provided the Court with evidence of an established protocol regarding the release of personal information. The respondent must do more than simply assert that information was received "in confidence" to meet its obligation under paragraph 19(2)(a).
 Moreover, the respondent's assertion that it is within the discretion of the government institution to determine what is appropriate does not respect the spirit of the Act, which requires a government institution to justify the withholding of personal information. To allow a government institution to decide what is appropriate in every case would undermine the very purpose of the "consent requirement" in paragraph 19(2)(a). As applicants generally do not know the nature of the withheld information or from whom it was obtained, in the majority of cases it will be virtually impossible for an applicant to obtain the consent of the third party. As such, allowing a government institution to determine when consent will be sought renders paragraph 19(2)(a) meaningless.
 The Court is of the opinion that CSIS did not properly apply the exemption in section 19 to information in bank 005.
(b) Exemption pursuant to section 21 - Information injurious to international affairs and defence (international affairs and defence confidences)
 CSIS exempted some of the information found in banks 005, 035 and 055 pursuant to section 21, which states:
21. The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) the disclosure of which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada or any state allied or associated with Canada, as defined in subsection 15(2) of the Access to Information Act, or the efforts of Canada toward detecting, preventing or suppressing subversive or hostile activities, as defined in subsection 15(2) of the Access to Information Act, including, without restricting the generality of the foregoing, any such information listed in paragraphs 15(1)(a) to (i) of the Access to Information Act.
21. Le responsable d'une institution fédérale peut refuser la communication des renseignements personnels demandés en vertu du paragraphe 12(1) dont la divulgation risquerait vraisemblablement de porter préjudice à la conduite des affaires internationales, à la défense du Canada ou d'États alliés ou associés avec le Canada, au sens du paragraphe 15(2) de la Loi sur l'accès à l'information, ou à ses efforts de détection, de prévention ou de répression d'activités hostiles ou subversives, au sens du paragraphe 15(2) de la même loi, notamment les renseignements visés à ses alinéas 15(1)a) à i).
 The exemption in section 21 is a discretionary one that applies to information which could reasonably be expected to be injurious to the conduct of international affairs, the defence of Canada, or national security. In order to claim the exemption under section 21, the head of a government institution must demonstrate there is a reasonable expectation of injury.
 In his affidavit, Mr. Zelmer states that the disclosure of the exempted information could reasonably be expected to be injurious to the efforts of Canada in detecting, preventing or suppressing subversive or hostile activities. The exempted information concerns internal procedures used by CSIS to categorize and assess information, such as file numbers and cross-referencing methods and results. It also contains information on CSIS's cryptographic and computer systems. If the information was disclosed, it would provide insight into CSIS's functions and hamper its ability to carry out its mandate.
Mr. Zelmer's supplementary affidavit provided detailed evidence on the nature of the exempted information and on the potential for injury if that information is disclosed. The respondent has demonstrated that the information falls within the exemption found in section 21. The Court has kept in mind Mr. Justice MacKay's statement in Ternette v. Canada (Solicitor General) (1991),  2 F.C. 75 at para. 35 (T.D.), that there is a potential for "wider injury than might be perceived by considering a piece or pieces of information without awareness of how that could be fitted with other information to provide a mosaic of significance to those seeking intelligence related to CSIS operations". While the release of the exempted information in this case alone might be insignificant, if such information was disclosed on a regular basis, it would undoubtedly threaten the integrity of CSIS operations.
 Further, the Court has reviewed the exempted information and finds that it only concerns CSIS's methods of cross-referencing, filing and categorizing information and is not relevant to the applicant's personal situation.
(c) Exemption pursuant to section 26 - Third party information (third party confidences)
 Some of the information located by CSIS in bank 055 was not disclosed pursuant to the exemption in section 26. Section 8 is relevant to the application of the exemption in section 26. Relevant portions of both sections are reproduced here:
8. (1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.
(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
(m) for any purpose where, in the opinion of the head of the institution,
(i) the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure, or
(ii) disclosure would clearly benefit the individual to whom the information relates.
26. The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) about an individual other than the individual who made the request, and shall refuse to disclose such information where the disclosure is prohibited under section 8.
8. (1) Les renseignements personnels qui relèvent d'une institution fédérale ne peuvent être communiqués, à défaut du consentement de l'individu qu'ils concernent, que conformément au présent article.
(2) Sous réserve d'autres lois fédérales, la communication des renseignements personnels qui relèvent d'une institution fédérale est autorisée dans les cas suivants :
m) communication à toute autre fin dans les cas où, de l'avis du responsable de l'institution :
(i) des raisons d'intérêt public justifieraient nettement une éventuelle violation de la vie privée,
(ii) l'individu concerné en tirerait un avantage certain.
26. Le responsable d'une institution fédérale peut refuser la communication des renseignements personnels demandés en vertu du paragraphe 12(1) qui portent sur un autre individu que celui qui fait la demande et il est tenu de refuser cette communication dans les cas où elle est interdite en vertu de l'article 8.
 The latter portion of section 26 contains a mandatory exemption that prevents a government institution from disclosing personal information concerning a third party without the consent of the third party unless one of the circumstances enumerated in subsection 8(2) applies. Paragraphs 8(2)(a) through (l) identify specific circumstances under which personal information concerning a third party may be released, none of which apply to the case at bar. Paragraph 8(2)(m) permits the disclosure of information concerning third parties if it is in the public interest to do so or if disclosure would clearly benefit the individual to whom it relates.
 Paragraph 8(2)(m) requires a government institution to conduct a discretionary balancing of the public interest in disclosure and/or the benefit to the applicant of releasing the information, against the right to privacy of third parties. Due to this requirement, section 28, like section 19, is best described as a qualified mandatory exemption. In Ruby (F.C.A.), the Court stated at para. 121:
[...] Section 26 clearly was meant to protect third parties from having confidential information revealed about them. In that provision, discretion is conferred upon the head of a government institution in order that he or she use judgment in balancing third party privacy interests with the requesting party's access rights. Subparagraph 8(2)(m)(i) was enacted in order that a similar discretionary balance be maintained between the public interest in disclosure and the right to privacy.
The Court went on to emphasize that consideration must be given to subparagraph 8(2)(m)(i) when applying the exemption under section 26 at para. 124:
[...] it is unclear whether CSIS took any consideration of subparagraph 8(2)(m)(i) when it refused to disclose information relating to third parties and whether, therefore, it properly applied the exemption it claimed pursuant to section 26 of the Act.
 Mr. Justice Létourneau, who co-wrote the decision in Ruby (F.C.A.), also reached a similar conclusion in Canada (Information Commissioner) v. Canada (Commissioner of the Royal Canadian Mounted Police),  3 F.C. 70 at paras. 10-11 (C.A.), appeal heard and reserved by S.C.C. October 29, 2002,  S.C.C.A. No. 251 (QL), which dealt with subparagraph 8(2)(m)(i) in the context of the Access to Information Act, supra.
 The respondent submits that he has demonstrated that the personal information exempted pursuant to section 26 is information that falls within that exemption and that CSIS properly exercised its discretion in accordance with paragraph 8(2)(m).
 The Court is not satisfied that CSIS conducted a discretionary balancing of the competing interests involved in applying the exemption found in section 26. The only evidence on this issue is a blanket statement by Mr. Zelmer that some personal information was exempted pursuant to section 26 because it concerned identifiable individuals. While the Court accepts that the withheld information concerns third parties and falls within the scope of section 26, there is simply no evidence on which this Court can base a finding that CSIS conducted a discretionary balancing as required by paragraph 8(2)(m).
 The Court finds CSIS failed to balance the privacy interests of the third parties involved with the fact that the withheld information simply contains names of third persons identified by the applicant in his discussions with CSIS.
(d) Exemption pursuant to section 28 - Medical information (medical confidences)
 The remainder of the withheld information from bank 055 was exempted pursuant to section 28 on the basis that the information relates to medical information about the physical or mental health of the applicant and disclosure would be contrary to his best interests. Section 28 states:
28. The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that relates to the physical or mental health of the individual who requested it where the examination of the information by the individual would be contrary to the best interests of the individual.
28. Le responsable d'une institution fédérale peut refuser la communication des renseignements personnels demandés en vertu du paragraphe 12(1) qui portent sur l'état physique ou mental de l'individu qui en demande communication, dans les cas où la prise de connaissance par l'individu concerné des renseignements qui y figurent desservirait celui-ci.
 As indicated by the use of the term "may", section 28 is a discretionary exemption. Mr. Zelmer's supplementary affidavit contains the exempted information and an explanation of why the exemption in section 28 was applied. The respondent submits the evidence shows CSIS properly exercised its discretion in refusing to disclose the information.
 There are two requirements that must first be met before a government institution can apply the exemption in section 28. The first requirement is that the information in question must relate to the physical or mental health of the individual who requested it. In the case at bar, there is no question that the information in question relates to the physical or mental health of the applicant.
 The second requirement for the application of section 28 is an assessment by the head of a government institution on whether the release of the requested information is in the best interests of the individual. In making this assessment, the head of the government institution is authorized by subsection 13(1) of the Privacy Regulations, SOR/83-508 (the "Regulations"), to seek an opinion from a duly qualified medical practitioner or psychologist as to whether disclosure of the information would be contrary to the best interests of the individual. Pursuant to section 14 of the Regulations, the head of the government institution may also require that an individual examine this information in person and in the presence of a duly qualified medical practitioner or psychologist so that the practitioner or psychologist may explain or clarify the information to the individual.
 It is the Court's view that a government institution bears a heavy onus in justifying an exemption under section 28. Unlike the other exemptions in the Act, which balance an individual's right to personal information with the interests of others, section 28 involves a balancing of an individual's right to personal information with his or her own best interests as determined by the head of a government institution. It hardly needs to be said that in our society individuals are generally entitled to decide what is in their own best interests. This entitlement should not be taken away lightly.
 The respondent has failed to justify to the Court the use of the exemption in section 28. CSIS applied section 28 as a blanket exemption to the information relating to the applicant's physical or mental health without regard for the second requirement. There is no indication that CSIS engaged in any form of analysis as to what was in the best interests of the applicant. Furthermore, there was no consultation with a duly qualified medical practitioner or psychologist, nor any consideration given to the possibility of allowing the applicant access in the presence of a duly qualified medical practitioner or psychologist. While the failure to consider these two options is not in itself a reason for this Court to override CSIS's decision, it contributes to the Court's finding that CSIS failed to properly analyse what was in the best interests of the applicant as required by section 28.
Issue No. 2 - Refusal to confirm or deny the existence of personal information in banks 045 and 050
(a) Bank 045 - CSIS investigations (national security confidences)
 The respondent refused to confirm or deny whether any personal information relating to the applicant existed in bank 045, which contains information on CSIS investigations, and informed the applicant that if the bank contained any information it would be exempt pursuant to sections 21 or 22. As this bank consists predominantly of sensitive national security information, it is CSIS's policy to refuse to confirm or deny the existence of any information in the bank.
 Pursuant to section 18, bank 045 has been designated as an exempt bank by the Governor in Council, see Exempt Personal Bank Order, No. 14 (CSIS), SOR/92-688. Section 18 states:
Governor in Council may designate exempt banks
18. (1) The Governor in Council may, by order, designate as exempt banks certain personal information banks that contain files all of which consist predominantly of personal information described in section 21 or 22.
Disclosure may be refused
(2) The head of a government institution may refuse to disclose any personal information requested under subsection 12(1) that is contained in a personal information bank designated as an exempt bank under subsection (1).
Contents of order
(3) An order made under subsection (1) shall specify
(a) the section on the basis of which the order is made; and
(b) where a personal information bank is designated that contains files that consist predominantly of personal information described in subparagraph 22(1)(a)(ii), the law concerned.
18. (1) Le gouverneur en conseil peut, par décret, classer parmi les fichiers de renseignements personnels inconsultables, dénommés fichiers inconsultables dans la présente loi, ceux qui sont formés de dossiers dans chacun desquels dominent les renseignements visés aux articles 21 ou 22.
Autorisation de refuser
(2) Le responsable d'une institution fédérale peut refuser la communication des renseignements personnels demandés en vertu du paragraphe 12(1) qui sont versés dans des fichiers inconsultables.
Éléments que doit contenir le décret
(3) Tout décret pris en vertu du paragraphe (1) doit porter :
a) une mention de l'article sur lequel il se fonde;
b) de plus, dans le cas d'un fichier de renseignements personnels formé de dossiers dans chacun desquels dominent des renseignements visés au sous-alinéa 22(1)a)(ii), la mention de la loi dont il s'agit.
 Under subsection 18(2), a government institution may withhold information that is contained in an exempt bank. However, section 18 does not give a government institution the power to adopt a policy of refusing to confirm or deny the existence of information in an exempt bank. In order to invoke such a policy, a government institution must rely upon subsection 16(2). Section 16 states:
16. (1) Where the head of a government institution refuses to give access to any personal information requested under subsection 12(1), the head of the institution shall state in the notice given under paragraph 14(a)
(a) that the personal information does not exist, or
(b) the specific provision of this Act on which the refusal was based or the provision on which a refusal could reasonably be expected to be based if the information existed,
and shall state in the notice that the individual who made the request has a right to make a complaint to the Privacy Commissioner about the refusal.
(2) The head of a government institution may but is not required to indicate under subsection (1) whether personal information exists.
16. (1) En cas de refus de communication de renseignements personnels demandés en vertu du paragraphe 12(1), l'avis prévu à l'alinéa 14a) doit mentionner, d'une part, le droit de la personne qui a fait la demande de déposer une plainte auprès du Commissaire à la protection de la vie privée et, d'autre part :
a) soit le fait que le dossier n'existe pas;
b) soit la disposition précise de la présente loi sur laquelle se fonde le refus ou sur laquelle il pourrait vraisemblablement se fonder si les renseignements existaient.
(2) Le paragraphe (1) n'oblige pas le responsable de l'institution fédérale à faire état de l'existence des renseignements personnels demandés.
 The Federal Court of Appeal held in Ruby (F.C.A.) that subsection 16(2) permits a government institution to adopt a policy of neither confirming nor denying the existence of information in a personal information bank. The implementation of a policy of this nature under subsection 16(2) involves an exercise of discretion by the government institution. That discretion must be exercised reasonably in the context of the factual circumstances involved, see Ruby (F.C.A.) at paras. 65-66. In Ruby (F.C.A.) at para. 65, the Court found that the Department of External Affairs had acted reasonably in adopting a policy of this nature because "[g]iven the nature of the bank in question, the mere revealing of the existence or non-existence of information is in itself an act of disclosure; a disclosure that the requesting party is or is not the subject of an investigation."
 Bank 045 contains information on individuals who are or were under investigation by CSIS on the suspicion that they have been involved in activities that constitute a threat to the security of Canada. Like the situation in Ruby (F.C.A.), if CSIS revealed the existence or non-existence of information in bank 045 to a requesting party, it would in effect be disclosing to that individual whether they were a target of a CSIS investigation. In the context of these factual circumstances, the Court finds CSIS acted reasonably in adopting a uniform policy of neither confirming nor denying the existence of information in bank 045. Even a judge of this Court could not obtain confirmation from CSIS that he or she is or is not under investigation with respect to these matters.
(b) Bank 050 - CSIS's counter intelligence operations (counter intelligence confidences)
 CSIS also refused to indicate whether personal information concerning the applicant existed in bank 050, which contains information that supports CSIS's counter intelligence program. It is CSIS's policy never to disclose whether personal information exists in this bank pursuant to subsection 16(2) and to inform applicants that if personal information existed in this bank, it would be exempt from disclosure under sections 19(1), 22(1)(b), 25 or 26.
 The adoption of this policy by CSIS must be reasonable when viewed in the context of the factual circumstances, see Ruby (F.C.A.) at paras. 65-66. As mentioned above, the adoption of this type of policy is justified when revealing the existence or non-existence of information would in itself be an act of disclosure. Another circumstance which would justify the adoption of this type of policy is detailed in the reasons of Mr. Justice Muldoon in Zanganeh v. Canada (Canadian Security Intelligence Service),  1 F.C. 244 (T.D.). At para. 13, Mr. Justice Muldoon allowed CSIS to neither confirm nor deny the existence of information in a bank where: "the very acknowledgment of the existence of any information in the bank, whether or not such information exists, can -- and certainly would -- compromise the security of Canada by providing a referential insight, a chink in the armour of secrecy which the Canadian service must maintain".
 The information in bank 050 is intended to support CSIS's counter intelligence program and allows CSIS to protect itself from infiltration by hostile foreign services and others whose interests are inimical to the interests of Canada. Acknowledging the existence of information in bank 050 would reveal to an individual whether he or she is the subject of a counter intelligence operation and would compromise the security of Canada by detrimentally affecting CSIS's ability to carry out counter intelligence operations. The Court finds that the respondent properly exercised its discretion under subsection 16(2) by refusing to confirm or deny the existence of personal information concerning the applicant in bank 050.
Issue No. 3 - Did CSIS conduct a proper search of information? Banks 015, 020, 025, and 040
 CSIS informed the applicant that it found no records relating to him in its search of banks 015, 020, 025 and 040. The Privacy Commissioner confirmed that CSIS had undertaken a proper search for information in banks 015, 020, 025 and 040, but did not find any information related to the applicant in these banks. The applicant believes that CSIS has misrepresented that there are no records relating to him in these banks.
 Based on the evidence before it, the Court is satisfied that there are no records relating to the applicant in these information banks. At the hearing of the application on January 8, 2003, the applicant reported that he had filed 930 "detailed complaints" with CSIS since 1999. Since the subject of this hearing is an application for access dated August 7, 1997, it only pertains to personal records in existence on or before that date. Accordingly, these "detailed complaints" are antecedent, and not in the information banks for the purpose of this matter.
 CSIS erred in its application of the exemptions in sections 19, 26 and 28 to personal information concerning the applicant contained in banks 005 and 055. The matter will be returned to CSIS for a new review of the application of these exemptions. However, CSIS complied with the Act by searching its records for information about the applicant, providing almost all of this information to the applicant, and informing the applicant that no information about the applicant existed in its other CSIS information banks.
 The Court, after scrutinizing the CSIS information about the applicant, concludes that the applicant is fearful of CSIS without justification or reasonable basis. The applicant, a refugee from Bosnia, has come to Canada with a fear of "secret police", which is understandable in light of his unfortunate background in Bosnia. This Court has reviewed all of the information withheld by CSIS and finds that the applicant does not have any reason to fear, or be concerned about CSIS.
"Michael A. Kelen"
February 7, 2003
FEDERAL COURT OF CANADA
NAMES OF COUNSEL AND SOLICITORS OF RECORD
STYLE OF CAUSE: DR. DZEVAD CEMERLIC, M.D.
SOLICITOR GENERAL OF CANADA
PLACE OF HEARING: TORONTO, ONTARIO
DATE OF HEARING: JANUARY 8, 2003
REASONS FOR ORDER: THE HONOURABLE MR. JUSTICE KELEN
MS. GINA M. SCARCELLA
SOLICITORS OF RECORD:
DR. DZEVAD CEMERLIC, M.D.
STN.A G D
25 THE ESPLANADE
MR. MORRIS ROSENBERG
DEPUTY ATTORNEY GENERAL OF CANADA