Privacy Impact Assessment (PIA) Executive Summary
Archived - Interactive Advance Passenger Information Initiative

The Interactive Advance Passenger Information (IAPI) initiative supports the perimeter security initiatives under the Canada–United States declaration entitled Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness (Action Plan). The Action Plan aims to, amongst other things, address threats earlier in the travel continuum, to enhance Canada's security and to facilitate the flow of legitimate goods and people into Canada. The IAPI initiative allows the Canada Border Services Agency (CBSA) to obtain passenger information prior to a commercial flight's departure to Canada, and provide a board/no-board message to the carrier. This information helps air carriers to determine whether or not Canada-bound travellers hold the appropriate documentation to enter Canada, and will contribute to addressing potential cases of inadmissibility before a traveller reaches the Canadian border.

The IAPI initiative builds on the existing regulatory framework underpinning the CBSA's Advance Passenger Information/Passenger Name Record (API/PNR) program. The IAPI initiative serves to both expand and modernize the legal obligations imposed on commercial transporters. IAPI will introduce new data elements in the air mode and will ensure the earlier provision of data that carriers already submit under the current API/PNR Program. The IAPI statutory framework provides the CBSA with the authority to apply a systematic mechanism to identify travellers who are inadmissible to Canada, either as result of the passengers being the subject of a declaration by the Minister of Immigration, Refugees and Citizenship (the Minister) under the Negative Discretion authority [Immigration and Refugee Protection Act (IRPA) subsection 22.1(1)], if there exists an enforced removal order without the required Authorization to Return to Canada (ARC) documentation or Temporary Resident Permit (TRP), or because they lack the prescribed documentation for entry into Canada such as an electronic Travel Authorization (eTA) or visa.

The regulatory framework underpinning the CBSA's current API/PNR program comprises four sets of regulations made under the authority of the Customs Act (CA) and theIRPA. The IAPI initiative is subject to subsections 8.1(8), 107.1(1) and 109.1(3), and paragraphs 164(i) and (j) of the CA, and to subsection 5(1) and sections 150 and 150.1 of IRPA.

Regulations made under the CA:

• 1.   Passenger Information (Customs) Regulations
• 2.   Designated Provisions (Customs) Regulations

Regulations made under IRPA:

• 3.   Immigration and Refugee Protection Regulations
• 4.   Protection of Passenger Information Regulations

IAPI will introduce new functions to existing CBSA activities:

• The API/PNR Program Data Acquisition process will enable the CBSA to receive new API data elements earlier in the travel continuum, and flight update information; and
• The CBSA will gain the ability to issue board/no-board messages to commercial air carriers.

The scope of the initiative includes the collection of API data at check-in (which normally begins 24 hours prior to the flight's scheduled time of departure), the collection of multiple pushes of PNR data beginning at 72 hours prior to departure, checks to ensure that travellers have the prescribed documentation to travel to Canada or if a traveller is a prescribed person under IRPA, and the issuance of a board/no-board message to air carriers for all passengers expected to be on board all international commercial flights coming to Canada. The operationalization of pre-departure PNR pushes will come into effect at a later date, based on considerations such as ratification of the Canada-EU PNR Agreement or, if deemed necessary, Canada's national security interests.

API Transmission

When each passenger checks in with the commercial air carrier, the passenger's API will be electronically transmitted to the CBSA by the commercial air carrier or a service provider employed on their behalf. The passenger's API data will first be queried against the CBSA's Interdiction and Border Alerting System (IBAS) in order to determine if the required travel document is on file or if the passenger is exempt from obtaining a prescribed IRPA document (eTA, Visa, etc.).

If a board message is issued, the foreign national's information will then be manually reviewed to determine whether he/she is the subject of a declaration by the Minister under the Negative Discretion authority or if there exists an enforced removal order without the required ARC documentation or TRP.

Crew members will not be included in the interactive portion of the board/no-board process for immigration documents – but they will be checked for a declaration by the Minister under the Negative Discretion authority or if there is an enforced removal order without the required ARC documentation or TRP.

PNR Transmission

The CBSA currently collects PNR information at wheels-up under the existing API/PNR program for targeting purposes in an effort to fulfill its mandate. The regulatory amendments related to pre-departure PNR will come into force at a later date, based on considerations such as ratification of the Can-EU PNR Agreement or, if deemed necessary, Canada's national security interests. The amendments modify the PPIR to give the CBSA the flexibility to modernize the use of PNR for targeting purposes while not conflicting with the commitments made to the EU in the previous API/PNR Agreement, nor the signed, but not yet ratified Canada-EU PNR Agreement.

Risks & Mitigation

The commercial IAPI PIA identified five potential privacy risks related to the collection, use, retention and access of personal information collected under the IAPI initiative which will be mitigated using safeguards such as policy updates, manual review by CBSA Targeting Officers of the IAPI worklist, updating the API/PNR Program Personal Information Bank (PIB) to accurately reflect IAPI's updates to the API/PNR program, and providing updates regarding the status of API information to ensure that API information is limited in its use, retention and disclosure.

Risks & Recommendations:        

• 1. The Privacy Act does not afford the Right of Access to foreign nationals who are not in Canada.
  • The CBSA should continue the existing informal policy of granting the Right of Access to all foreign nationals located outside of Canada to ensure that those passengers affected by an IAPI board/no-board message are able to access the information about them provided to the CBSA and request corrections if it appears that incorrect information about them was collected.
• 2. An automated system could potentially issue erroneous "no-board" messages regarding passengers based on incorrect matches between an individual's API data and another individual who is listed under the Minister's Negative Discretion authority or who has a previously enforced removal order. 
  • The CBSA should continue with the implementation of a manual no-board process (i.e. manual IAPI work list review) process using Targeting Officers at the National Targeting Centre (NTC). 
• 3. The CBSA currently receives an undetermined amount of API/PNR information about passengers who are no longer planning to come to Canada and is unable to identify this information.
  • The various Flight Update Notification messages that will be implemented as part of the IAPI initiative will address this issue by allowing the Agency to determine when a passenger cancels their plans to come to Canada and annotate the passenger's travel history. This will allow the CBSA to label any previously received API/PNR data as "not coming to Canada" for the affected traveller.
• 4. CBSA Info Source PIB Records relating to the API/PNR Program Data Acquisition process and Air Passenger Targeting program activity do not accurately reflect all elements of the IAPI initiative.
  • In the short term (i.e. within six months of the implementation of IAPI) the CBSA should update the API/PNR Program PIB to reflect IAPI initiative updates.
• 5. The regulation of API under the IRPR represents a potential privacy concern with respect to how API will be collected, retained and used by the CBSA.
  • Within six months of implementation, the CBSA will issue an Operational Bulletin to all staff which provides additional clarity regarding the status of API information and the wording of the IRPRs which are being amended for IAPI implementation. The CBSA will also modify Memorandum D1-16-3, Administrative Guidelines for the Provision to others, Allowing access to others and Use of Advance Passenger Information (API) and Passenger Name Record (PNR) Data, to ensure that API information is limited in its use, retention, and disclosure.

Right of Access

Individuals may formally request access to their personal information, or access to corporate records related to or created by the API/PNR Program by contacting the CBSA's Access to Information and Privacy Division.

Individuals may also request their API/PNR data or request a correction to erroneous data by completing the Traveller's API/PNR Information Request Form, which is available on the CBSA's website, and mailing it to the CBSA. The CBSA will forward a written response to the traveller generally within 30 days of receipt of the request.

Accountability

If an individual has concerns about the collection, use, disclosure or retention of their personal information, they may issue a complaint to CBSA Access to Information and Privacy Division. Complaints should be made in writing, and include the individual's name, contact information, and a brief description of their concerns. Contact information for the Access to Information and Privacy Division at the CBSA.

The CBSA's website provides information to the public about the API/PNR program, the reason for the collection of API/PNR data and the safeguards taken to protect the information.

Date modified:

2016-07-01