Canada Border Services Agency

ARCHIVED - Privacy Impact Assessment

This page has been archived.

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Privacy Impact Assessment for the Implementation of Customs Controlled Area (CCA) Regulations at Designated Locations

Executive Summary

"The Canada Border Services Agency (CBSA) ensures the security and prosperity of Canada by managing the access of people and goods to and from Canada." (Source: CBSA Web site)

The Canada Border Services Agency (CBSA) is responsible for providing integrated border services that support national security and public safety priorities and facilitate the free flow of persons and goods including animals and plants that meet all requirements under program legislation. The President of the CBSA reports directly to the Minister of Public Safety and controls and manages all matters relating to the Agency.

In 2001, through Bill S-23, sections 11.2 to 11.5 and 99.2 to 99.4 were introduced to the Customs Act to allow for the creation of Customs Controlled Areas (CCA).

The implementation of designated areas as CCAs is expected to take place in the spring of 2013. These designated areas are intended to address potential problems resulting from internal conspiracies where domestic employees may misuse their positions at certain border-related facilities to engage in criminal activities when in contact with uncleared international travellers and/or goods. The areas to be designated may include locations such as:

  • International baggage areas
  • Tarmacs at airports
  • Transfer departure facilities (TDF)
  • Other areas of airports deemed sensitive (i.e. hallways, warehouses, corridors)
  • Marine docks and warehouses in marine ports of entry (POE)
  • Some areas of postal plants and courier warehouses
  • Duty-free shops
  • Cruise ship terminals
  • Rail terminals
  • Rail yards.

While the legislative authority to designate CCAs has existed since 2001, recent legislative amendments to the Customs Act (Bill S-2) were required to improve the operational functionality of the CCA initiative. On June 11, 2009, Bill S-2 – An Act to Amend the Customs Act received Royal Assent. For clarity, the wording of the Act, which previously authorized the questioning and searching of individuals exiting a CCA only, now authorizes border services officers to question, examine and search persons within the CCA as well as those exiting the CCA.

A further refinement made to the CCA legislation by Bill S-2 requires persons within a CCA to present themselves, report goods acquired within the areas, and answer questions truthfully only upon request of an officer. This differs from the 2001 legislation that stated that everyone presents themselves and reports acquired goods to an officer upon exiting a CCA.

While current collections of personal information will not be expanded by the implementation of CCAs, the changes to the Act allow for more operational flexibility by the CBSA.

It is important to note that the CBSA submitted a Preliminary Privacy Impact Assessment (PPIA) to the Office of the Privacy Commissioner (OPC) on February 16th, 2010 in anticipation of the implementation of CCAs. On December 23rd, 2010, the OPC provided its recommendations relating to the PPIA and the CCA Initiative in general. Therefore, this Privacy Impact Assessment (PIA) not only addresses the recommendations by the OPC, but also assesses, in detail, any potential privacy risks to the Personal Information (PI) of individuals (i.e. domestic travellers and employees) as a result of the implementation of the proposed CCA regulations.

This report has found the CBSA to be a highly compliant organization with respect to the requirements of the Privacy Act and in ensuring that those requirements are met. However, as with any organization, there are risks that have been revealed as a result of this assessment. Ten (10) privacy risks have been identified, all of which can be reasonably mitigated. The PIA summarizes the privacy risks identified and categorizes the level of risk as low, moderate or high. Risk is defined as a factor of both impact and likelihood of occurrence. The goal of risk management is to maintain privacy risks within acceptable bounds. The higher ratings provide an indication of priority areas for implementing suggested risk mitigation mechanisms.