Canada Border Services Agency
Symbol of the Government of Canada

ARCHIVED - Privacy Act

CBSA Annual Report

Warning This page has been archived.

Archived Content

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Table of Contents

Return to Top of Page

Privacy Act Report

Return to Top of Page


This report provides an overview of the activities of the Canada Border Services Agency (CBSA) relating to the management of the Privacy Act between April 1, 2009 and March 31, 2010.

In 2009-2010, the CBSA introduced procedures and practices that will ensure the continued provision of timely service to Canadians who seek to exercise their right to access records under the Privacy Act, and which demonstrate leadership in the management of increasingly numerous and complex privacy requests.

Return to Top of Page

The Canada Border Services Agency

As part of the Public Safety portfolio, the CBSA is responsible for providing integrated border services that support national security priorities and facilitate the free flow of people and goods, including food, plants and animals, across the border.

On April 1, 2004, the CBSA established the Access to Information and Privacy (ATIP) Section. This section was initially staffed with six employees based on an estimated annual workload of between 250 and 350 requests. During the 2007–2008 fiscal year, due to growing demand on the Agency, the ATIP Section was expanded and replaced by the CBSA's ATIP and Disclosure Policy Division, which now staffs 38 full time employees. In 2009–2010, the CBSA received 1,385 requests under the Privacy Act, an increase of 245 files, or 21.5% from the previous reporting year. The Agency completed 95.6% of all privacy requests within the 30 day legislated time frame while managing this challenging workload.

Return to Top of Page

The Privacy Act

The Privacy Act came into effect on July 1st, 1983. The purpose of the Act is to provide individuals with the right to seek access to their personal information held by the federal government, as well as to govern the collection, use, disclosure, retention and disposal of that personal information.

As stated in Section 72(1) of the Act "The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year".

Return to Top of Page

CBSA Structures

The ATIP Coordinator for the CBSA is the Director of the Access to Information and Privacy Division. The ATIP Division is part of the Corporate Secretariat, which reports directly to the President of the CBSA. Consistent with the best practices identified by the Treasury Board of Canada Secretariat (TBS), the ATIP Coordinator is positioned within two levels of the President, and enjoys full delegated authority reporting directly to the Corporate Secretary, who, in turn, reports to the President.

The ATIP Division is comprised of three units: two Case Management units and a Policy and Training unit. The Case Management units task all branches and regions with records retrieval requests and provide daily operational guidance and support to Agency employees.

The Policy and Training unit develops policies, tools and procedures to facilitate the retrieval of records, provides ATIP and privacy training to all CBSA employees, registers Personal Information Banks in Info Source, and maintains the CBSA Privacy Management Framework, an 'evergreen' needs analysis of access and privacy requirements within the CBSA. At the end of the 2009-2010 reporting period 38 full time equivalents (FTE) were employed in the ATIP Division :

CBSA Access to Information and Privacy Division FTEs
Director's Office 2
Policy & Training (inc. Administration) 11
Case Management A 12
Case Management B 13

In 2009-2010, the CBSA created the Information Sharing Unit (ISU), which is part of the Legislation and Program Integration Division, in the Planning and Performance Management Directorate.

The ISU supports and coordinates strategic and/or horizontal information sharing initiatives for the CBSA in an effort to address information sharing challenges, such as seeking regulatory or legislative changes, developing disclosure policy and relevant memoranda of understanding, or coordinating information sharing activities on behalf of internal or external stakeholders, including international partners. Within this mandate, the ISU provides policy guidance to CBSA programs related to the collection and disclosure of information, under sub-section 8(2) of the Privacy Act and section 107 of the Customs Act.

The ISU has the responsibility to ensure that information sharing legislation, policy and procedures are clearly and consistently understood throughout the Agency. This includes the coordination and vetting of training materials in coordination with the Human Resources Branch's Training and Learning Division.

Information Sharing Unit FTEs
Manager 1
Analysts 7
Return to Top of Page

Privacy Impact Assessment (PIA) Executive Summaries

There were no Privacy Impact Assessments completed during the 2009-2010 fiscal year.

Two CBSA PIA's are currently being evaluated by the Office of the Privacy Commissioner (OPC). "Cross Border Currency Reporting Program" was submitted to the OPC in December 2009, and "Four Country Conference (FCC)" was submitted on April 12, 2009. In addition, several Preliminary Privacy Impact Assessments (PPIA) were initiated during the reporting period, an example of which is described below:

Anti-Doping Information-Sharing Memorandum of Understanding with the International Olympic Committee and the International Paralympic Committee

The CBSA submitted a PPIA to the OPC on November 30, 2009 related to the Anti-Doping Information-Sharing Memorandum of Understanding between the CBSA and the International Olympic Committee and the International Paralympic Committee.

The PPIA was completed by the CBSA Olympic and Paralympics Task Force of the Operations Branch, with oversight fromthe Corporate Secretariat, Corporate Security and Intelligence Programs, and the Office of the Privacy Commissioner. The purpose was to establish the conditions to allow information collected during port of entry enforcement actions to be shared with the International Olympic Committee and the International Paralympic Committee, relating to controlled, prohibited or regulated substances found on accredited Olympic and Paralympic participants.

Impacted by this initiative were athletes, coaches, trainers, officials, team officials, support personnel and other members of the national Olympic Committee or Paralympic Committee delegations.

Legislative authority for the collection and use of personal information outlined in this PPIA include sections 11, 12, 13, 95, 98, 99, 101, and 110 of the Customs Act, and section 5 of the Canada Border Services Agency Act.

The use of personal information outlined in this PPIA was initiated on January 25, 2010 and concluded on March 25, 2010.

For further information, please visit:

Return to Top of Page

Education and Training

In 2009-2010, available resources were focused towards educational initiatives that supported the implementation of streamlined request processing procedures throughout the Agency. To this end, 572 employees in high-demand areas participated in ATIP Awareness Sessions, which are designed to ensure that the CBSA employees fully understand the procedures and their responsibilities under the Privacy Act. With the success of this program, the Division is taking steps to deliver more sessions in 2010 – 2011.

Within the ATIP Division, employees received on-site case management and redaction software training and were encouraged to attend courses provided by the TBS and the Canada School of Public Service (CSPS) relating to the interpretation of the Act. Employees were also provided with ongoing mentoring by senior analysts, team leaders and managers.

In 2009-2010, the ISU reviewed all information sharing training delivered within the CBSA to ensure consistency and completeness of the material. In collaboration with the ATIP Division's Policy and Training Unit, a review of the Port of Entry Recruit Training Privacy Training was done. In addition, the ISU began development of training for the CBSA's investigative bodies on proper use of the designation pursuant to paragraph 8(2)(e) of the Privacy Act as well as a course entitled "Introduction to Information Sharing for the CBSA." Both these courses will be finalized and implemented in 2010-2011.

Return to Top of Page

Changes to the CBSA's Organization, Programs and Operations

On April 1st, 2010, as part of its ongoing Change Agenda, the CBSA implemented a new organizational structure designed to establish clearer lines of accountability within the Agency. This new model will also create clear distinctions between program management, to be carried out at headquarters, and program delivery, to be carried out in the regions.

The ISU was created within the Programs Branch to develop frameworks, policies, strategies and plans related to information sharing as described under section 8(2) of the Privacy Act and section 107 of the Customs Act. The ISU will also assume responsibility for supporting PIA's. The ATIP Division will focus on the administration and interpretation of the Access to Information Act and the Privacy Act.

Return to Top of Page

New and/or Revised Institutional Privacy- related Policies and Procedures

In response to concerns raised by the Treasury Board of Canada Secretariat (TBS) in the 2009-2010 Management Accountability Framework (MAF) exercise, the CBSA revised its Info Source update procedures to ensure that Personal Information Banks (PIB) fully reflect the collection and use of personal information by CBSA programs and activities.

To address the situation, the ATIP Division now works directly with the responsible program managers to ensure that their Class of Records and PIB's are accurate, thus facilitating the public's access to information contained in CBSA systems or held by CBSA programs. This new approach allows the ATIP Division to answer any questions programs managers may have and facilitates the identification required PIA updates.

A dditionally, in 2010, the CBSA began drafting a new PIA Approval Process that will be in place by September 2010, as required by the new TBS Directive on Privacy Impact Assessment.

The new PIA Approval Process will be published in conjunction with revised CBSA Delegation and Designation Orders.

Return to Top of Page

Changes Implemented Based on Recommendations from the Office of the Privacy Commissioner

In a 2006 audit of transborder data flows the OPC made 19 recommendations to improve aspects of information management within the CBSA.

In her Annual Report to Parliament 2008-2009 – Report on the Privacy Act, the Commissioner noted that CBSA had fully implemented or made progress on all 19 recommendations.

Notably, in 2010, the CBSA will complete a Privacy Management Framework (PMF). An Agency-wide gap analysis exercise with recommendations for the development of specific tools, training modules and measurement and governance instruments which will allow it to better record and track the collection and disclosures of personal information and improve public reporting of cross-border data flows. The PMF will be maintained on an 'evergreen basis', in order to identify and respond to new demands on a timely basis.

The ISU is finalizing an electronic form to track 8(2)(e) disclosures and is completing a review of information-sharing agreements with the U.S, including the development of information safeguards and standards.

Return to Top of Page

Other Changes

In response to the Status Report published by the Auditor General of Canada (OAG) in March 2009, the CBSA implemented several procedural changes related to information sharing.

The OAG addressed the absence of an "agency-wide data quality procedure" and focused on the methods used by the CBSA to ensure the accuracy of lookouts. In response, the Agency updated its systems to ensure consistency in the review and maintenance of lookouts, and issued guidelines to ensure that lookouts are requested in a consistent manner. Furthermore, the PMF proposes the development of new directives designed to ensure the accuracy of personal information collected by the CBSA. Further updates to policy are therefore anticipated.

Lastly, the OAG identified 16 instances where departments and agencies reported potential legal barriers to information sharing. In response the ISU conducted extensive consultations with other government departments, with whom the CBSA regularly shares information, such as the Royal Canadian Mounted Police and Citizenship and Immigration. As a result, new mechanisms and safeguards were identified which greatly improve the capacity of the CBSA to lawfully share information.

Return to Top of Page

Disclosures Made Pursuant to Paragraph 8(2)(m) of the Privacy Act

During the 2009–2010 fiscal year, no disclosures pursuant to paragraph 8(2)(m) of the Privacy Act were made by the CBSA.

Return to Top of Page

Delegation Order

See Annex A (PDF, 167 KB) for a signed copy of the Delegation Order.

Return to Top of Page

Statistical Report

See Annex B (PDF, 68 KB) for the CBSA's statistical report on the Privacy Act.

Return to Top of Page

Chapter 2: Interpretation of Statistical Report

Return to Top of Page


In 2009-2010, the CBSA updated its procedures in order to ensure that it continues to provide a high level of service to requesters while addressing increased workload related issues. These practices have had success, as indicated by the following table:

Fiscal Year Received Completed % On time
2008-2009 1,140 1,089 89.6%
2009-2010 1,385 1,343 95. 6%

Overall, the CBSA received 1,385 privacy requests in 2009-2010, a 21.5% increase from the previous year. In total, 178 requests were carried forward from 2008-2009. Similarly, 220 requests were carried forward from 2009-2010 to the current 2010-2011 period.

The CBSA completed 1,343 privacy requests during 2009-2010, just slightly less than 97% of the total number of request that it received. Of these, 95.6% were completed within the statutory time frames.

Requests completed in 2009-2010
30 days or under 865
31 days to 60 days 371
61 days to 120 days 86
121 days or over 21

Disposition of requests completed
All disclosed 117
Disclosed in part 954
Nothing disclosed (excluded) 1
Nothing disclosed (exempt) 3
Unable to process 191
Abandoned by applicant 77
Transferred 0
Total 1343

Finally, approximately 25% of privacy requests received in 2009-2010 required consultation with other government departments.

Return to Top of Page


Under certain conditions the Privacy Act allows departments to extend the 30 day period by which requests must be completed. Section 15 of the Act permits extensions of up to an additional 30 days if there is a need for consultations, translations, or if the search for the requested documents would unreasonably interfere with the operations of the institution. The CBSA applied 386 extensions to requests during 2009-2010 as indicated in the table below:

Reason for extension Extensions taken
Searching 64
Consultation 322
Translation 0
Total 386
Return to Top of Page

Complaints and Investigations

Section 29(1) of the Privacy Act describes how the OPC receives and investigates complaints from individuals in respect to their private information held by a government institution. Examples of complaints the OPC may choose to investigate include: refusal of access to personal information, when an individual alleges that personal information about themselves held by a government institution has been used or disclosed beyond the scope of the Act, or if an individual has not been given access to personal information in the official language requested by the individual.

In 2009–2010, 16 privacy complaints were filed against the CBSA by the OPC. This number represents a significant decrease from 2008-2009, when the Agency received 31 complaints. The 16 complaints were related to: time delay (2), general reasons (7), applied exemptions (6) and use and disclosure (1). In addition, there were 33 active complaints in the OPC inventory carried over from previous years.

During the 2009–2010 fiscal year, the OPC resolved 30 privacy complaints against the CBSA. Of the complaints resolved, 9 were well founded, 5 were abandoned or discontinued and 16 were not substantiated. A total of 19 complaints are being carried forward into the 2010–2011 fiscal year. Where complaints are found to be substantiated by the OPC, the matter is reviewed by the delegated managers and processes are adjusted if required. For example, complaints relating to extensions may be reviewed to determine whether the length of time taken was appropriate, given the complexity of the request.

Complaints processed in 2009-2010
Carried forward from 2008-2009 33
New Complaints in 2009-2010 16
Total inventory 49

Complaints closed in 2009-2010
Resolved – well founded 9
Abandoned/discontinued 5
Not substantiated 16
Total 30
Carried forward to 2010-2011 19

Reasons for complaints Complaints received
Time Delay 2
Refusal - Exemption 6
Refusal - General 7
Use and Disclosure 1
Total 16
Return to Top of Page


There were no Privacy appeals to the courts during the 2009–2010 fiscal year.

Return to Top of Page

Annex A - Delegation Orders

Delegation Orders (PDF, 167 KB)

Return to Top of Page

Annex B - Statistical Reports

Statistical Reports (PDF, 68 KB)

Return to Top of Page

Annex C - Supplemental Reporting Requirements

Supplemental Reporting Requirements
Privacy Act

Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for this reporting period.
Indicate the number of:

  • Preliminary Privacy Impact Assessments initiated: 11
  • Preliminary Privacy Impact Assessments completed: 9
  • Privacy Impact Assessments initiated: 10
  • Privacy Impact Assessments completed: 0
  • Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): 2

To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase such as: