We have archived this page on the web
The information on this page is for reference only. It was accurate at the time of publishing but may no longer reflect the current state at the Canada Border Services Agency. It is not subject to the Government of Canada web standards.
Annual Report to Parliament on the Privacy Act
Canada Border Services Agency 2018-2019
Table of contents
- Chapter One: Privacy Act Report
- Chapter Two: Statistical report
- Annex A - Delegation Order
- Annex B – Statistical Report
Chapter One: Privacy Act Report
Introduction
The Canada Border Services Agency (CBSA) is pleased to present to Parliament, in accordance with section 72 of the Privacy Act, its annual report on the management of this Act. The report describes the activities that support compliance with the Privacy Act for the fiscal year commencing April 1, 2018, and ending March 31, 2019. During this period, the CBSA continued to build on successful practices implemented in previous years.
The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.Footnote 1
As stated in subsections 72(1) and 72(2) of the Privacy Act, “The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year.… Every report prepared under subsection (1) shall be laid before each House of Parliament within three months after the financial year in respect of which it is made or, if that House is not then sitting, on any of the first fifteen days next thereafter that it is sitting.”Footnote 2
Organization
I. About the Canada Border Services Agency
Since 2003, the CBSA has been an integral part of the Public Safety Canada (PS) portfolio, which was created to ensure coordination across all federal departments and agencies responsible for national security and the safety of Canadians.Footnote 3 The CBSA itself is responsible for providing integrated border services that support national security and public safety priorities and facilitate the free flow of persons and goods, including animals and plants, that meet all requirements under the program legislation.
The CBSA carries out its responsibilities with a workforce of approximately 14,000 employees, including over 6,500 uniformed CBSA officers who provide services at approximately 1,200 points across Canada and at 39 international locations.Footnote 4
II. Access to Information and Privacy Division
The Access to Information and Privacy (ATIP) Division is comprised of six units: an Administration section, three Case Management units, and two Policy units. The Administration section’s function is to receive all incoming requests and consultations, to ensure quality control of all outgoing correspondence, and to support the Case Management units in their day-to-day business. The Case Management units assign branches and regions with retrieval requests, process requests under the Privacy Act, and provide daily operational guidance and support to CBSA employees. The ATIP Policy and Governance Unit develops policies, tools, and procedures to support ATIP requirements within the CBSA and provides training to employees. The Information Sharing and Collaborative Arrangement Policy Unit maintains the policy framework for the CBSA’s information sharing and domestic written collaborative arrangements. On average, 71 full time equivalents, and five part time and casual employees were employed in the ATIP Division during fiscal year 2018–2019.
The ATIP coordinator for the CBSA is the Executive Director of the ATIP Division. The ATIP Division is part of the Chief Data Office, which reports to the Vice-President (VP) of the Strategic Policy Branch. Consistent with best practices identified by the Treasury Board of Canada Secretariat (TBS),Footnote 5 the CBSA's ATIP coordinator is positioned within three levels of the President and has full delegated authority, reporting directly to the Chief Data Officer, who in turn reports to the VP of the Strategic Policy Branch.
Key to maintaining compliance with the statutory time requirements of the Privacy Act is the ATIP Division’s ability to obtain personal information from branches and regions in a timely and reliable manner. Supported by a network of 17 ATIP liaison officers across the CBSA, the ATIP Division is well positioned to receive, coordinate, and process requests for personal information under the Privacy Act.
The ATIP Division works closely with other members of the PS portfolio, including the Canadian Security Intelligence Service, the Correctional Service of Canada, the Parole Board of Canada, and the Royal Canadian Mounted Police, to share best practices and develop streamlined processes for the retrieval of jointly held records within the 30-day legislated time frame required to respond to privacy requests.
Activities and Accomplishments
I. Performance
Fiscal year 2018–2019 saw record high volumes of privacy requests made to the CBSA. The record volumes are largely attributable to individuals seeking copies of their history of arrival dates into Canada. In fiscal year 2018–2019, 85% of all the privacy requests received by the CBSA came from individuals seeking their Traveller History Report, which contains information used to support residency requirements for programs administered by Immigration, Refugees and Citizenship Canada (IRCC) and Employment and Social Development Canada (ESDC).
In September 2012, IRCC, in consultation with the CBSA, introduced a new consent-based application form which sees applicants for citizenship provide consent on their applications for IRCC to view their travel history directly. The CBSA has allocated 100 accounts to the IRCC to verify (view only) clients’ Travel History Report (THR) to Canada. IRCC has since viewed approximately 1.2 million THR, of which 380,860 were in fiscal year 2018-2019, that might otherwise have been requested formally through the CBSA by way of formal Privacy Act, or Access to Information Act requests.
The CBSA continued to see high volumes of privacy requests submitted through the Access to Information and Privacy Online Request tool. Through this tool, the Agency received 11,180 requests, which amounted to 83.1% of all privacy requests received by the CBSA.
The CBSA continued to offer the electronic format for responses to privacy requests. Although electronic format made up only 9.3% of all formal privacy requests that were either all disclosed or disclosed in part in fiscal year 2018–2019, these requests accounted for 87.4% of all the pages the CBSA disclosed in their entirety or disclosed in part this fiscal year.
The ATIP Division also provided case-by-case policy guidance to CBSA program areas related to the disclosure of information under section 8 of the Privacy Act and section 107 of the Customs Act. In total, the ATIP Division received 1,778 requests for guidance in fiscal year 2018–2019, representing an increase of 11.7% over the previous year.
The CBSA ATIP Division is one of the largest and busiest in all of government. Our large workload and fast-paced environment can easily generate conflicting forces that can have a negative impact on our employees unless these forces are well-managed; consequently, staff morale and well-being are extremely important aspects for the CBSA ATIP Division.
Being an agency with information stored across the country as well as internationally, the use of electronic filing systems has become increasingly important. With this in mind, the division has transitioned to an entirely paperless office. Adding remote access capability to the new paperless environment enabled us to implement a telework schedule that allows our employees the option to work from home. The results have been remarkable with the best on-time performance within the legislated timeframe in the history of the CBSA despite record high volumes of requests received.
II. Education and Training
In fiscal year 2018–2019, the ATIP Division continued to conduct bilingual training sessions that supported the implementation of streamlined processing procedures and built an awareness of ATIP obligations. These sessions are designed to ensure that the participants fully understand their responsibilities under the Privacy Act, with a focus on requests made pursuant to the Act and the duty to assist principles. Ten sessions were offered, with 276 National Capital Region (NCR) and regional employees taking part.
CBSA employees also took advantage of the free online course entitled “Managing Information at the Canada Border Services Agency and the Access to Information Act and the Privacy Act.” This one-hour online course was designed to provide employees with the basic principles for effectively managing information in their daily work. After completing this course, employees will have acquired the knowledge to better identify various types of information, learned how requests under the Access to Information Act and the Privacy Act are handled, and learned about their responsibilities throughout the process. A total of 624 participants completed the online training in fiscal year 2018–2019.
Moreover, the ATIP Division delivered 15 in-class training sessions on section 107 of the Customs Act, as well as basic information sharing, disclosure of intelligence-related information, and business line specific training sessions to 121 employees in the NCR and across the regions. In addition, before attending the in-class training, employees are advised to complete the interactive online training course, regarding information sharing that was developed by the ATIP Division.
Further, the ATIP Division developed a communications plan to raise employees’ awareness of their obligations under the Privacy Act. The plan leverages key dates, such as Data Privacy Day, and other activities at the CBSA to promote ATIP tools, resources, and awareness.
Finally, the ATIP Division continues to actively participate in the TBS-led ATIP coordinators’ and ATIP practitioners’ meetings. These meetings provide opportunities for ATIP employees from the CBSA to liaise with employees from other institutions to discuss various issues and challenges that have been identified by the ATIP community.
III. New and Revised Privacy-related Policies and Procedures
During fiscal year 2018–2019, the CBSA continued to revise existing policies and to develop new ones.
The ATIP Division has continued to take a number of measures to enhance and promote ATIP tools that are readily accessible to CBSA employees by utilizing Apollo (GCDocs). To this end, we are able to ensure that the ATIP intranet site is up to date and available to all CBSA employees. This allows the ATIP Division to quickly share information and best practices and to facilitate collaboration across the Agency.
During the reporting period, the ATIP Policy and Governance Unit developed an ATIP Handbook for analysts. The first section focuses on the Administrative section of the ATIP Division. The second section focus on the day to day work of the Case Management units. The handbook includes reference material and provides clear guidance on CBSA policies and procedures which can be easily referenced. The Handbook will remain an evergreen document subject to updates and revisions.
Additionally, the policies and procedures surrounding the processing of privacy breaches were reviewed and updated. This includes a revised Privacy Breach Protocol as well as reporting procedures and reference material.
As of October 1, 2018, institutions have been required to provide a written explanation to requesters when a personal information request takes more than 30 days to fulfill, under Section 4.2.7 of the Directive on Personal Information Requests and Correction of Personal Information. The CBSA has amended its response letters to requesters to comply with TBS’s Directive.
Given the rise in ATIP related audio/video redacting requests, the ATIP division has taken measurements to respond to these requests in a timely manner by installing redaction stations within the division.
This year, the CBSA continued to be an active participant in the renewal process through the ADM ATIP Committee and the Privacy Act Modernization working group. The focus of this working group is now to continue to develop policy options and working on transition advice alongside Innovation, Science and Economic Development Canada (ISED) for the Personal Information Protection Electronic Document Act (PIPEDA).
The first annual report to the Minister of Public Safety on the application of the Ministerial Direction to the CBSA: Avoiding Complicity in Mistreatment by Foreign Entities, was issued to the CBSA President in September 2018. The President presented the report to the Minister during the same time.
The ATIP Division assisted the CBSA’s Origin, Valuation and Negotiations Unit to successfully negotiate the Customs Administration and Trade Facilitation Chapter of the United States-Mexico-Canada Agreement (formerly the North American Free Trade Agreement) by providing policy advice and guidance on the information sharing components of the Chapter. The Agreement was signed by all countries in November 2018.
The ATIP Division continued to provide the service of informally reviewing CBSA records for internal programs as if they had been requested under the Privacy Act. The ATIP Division received 113 internal requests of this nature in fiscal year 2018–2019.
The ATIP Division closely monitors the time it takes to process privacy requests. Monthly reports, which show trends and performance, are submitted to the managers of the Case Management units, the Executive Director of the ATIP Division, the Chief Data Officer, and the Vice-President of the Strategic Policy Branch. Monthly reports consisting of statistics on the performance of the offices of primary interest are also distributed to all ATIP liaison officers. Finally, quarterly trend reports portraying the overall performance of the Agency are reviewed and discussed during meetings of the Agency’s Executive CommitteeFootnote 6 and are included in the Agency Performance Summary.
IV. Reading Room
The CBSA, in accordance with the Privacy Act, maintains a reading room for applicants who wish to review material in person at the CBSA. Applicants may access the reading room by contacting the CBSA's ATIP Division by telephone at 343-291-7021 or by sending an email to ATIP-AIPRP@cbsa-asfc.gc.ca. The reading room is located at
Place Vanier Complex, 14th Floor, Tower A
333 North River Road
Ottawa, Ontario K1A 0L8
V. Audits of, and Investigations into the Privacy Practices of the Canada Border Services Agency
In 2018-2019, there were no key issues raised as a result of privacy investigations, and no audits were conducted that related to privacy practices of the CBSA.
VI. Privacy Impact Assessments
In fiscal year 2018–2019, the CBSA completed eight Privacy Impact Assessments (PIA). They were all sent to the OPC and TBS for review and comments.
The eight PIAs completed by the CBSA are:
- Data analytics
- Entry/Exit Initiative – Final Implementation
- Advance Passenger Information / Passenger Name Record Program (API/PNR) – Data Acquisition
- Advance Passenger Information / Passenger Name Record Program (API/PNR) – Air Passenger Targeting
- Advance Passenger Information / Passenger Name Record Program (API/PNR) – Intelligence
- Biometric Expansion Program
- Alternatives to Detention Program
- Framework Memorandum of Understanding (MOU) between the Canada Border Services Agency (CBSA) and the Federal Bureau of Investigations (FBI)
The full executive summaries of these PIAs can be found on the CBSA's website.
Data Analytics
The CBSA is in the process of a major transformation, driven by the need to modernize how front-line services are delivered and operations are managed. The intent is to transition the management of Canada’s borders to a risk-based model. To achieve this, the Agency is investing in digital solutions to strengthen its capacity for evidence-based decision making and improve performance management. This is reflected in the CBSA’s Data Analytics Strategy, which will result in data that is of a high quality, accessible, and well managed and that supports effective business intelligence and risk management.
The Data Analytics Strategy provides for the expansion of data analytics through the improved integration of data that the Agency creates, data acquired from other government departments, and data procured from third parties. Therefore the PIA is structured to accommodate new content as new datasets, data uses, and data users grows over time. Specifically, any incremental new privacy issues will be assessed via annexes that describe any new data sets or data systems, the uses of associated data, and the users of the data analytics outputs.
Entry/Exit Initiative – Final Implementation
In 2011, Canada and the United States (U.S.) issued Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness, which established a new, long-term partnership built upon a perimeter approach to security and economic competitiveness. The Perimeter Security and Economic Competitiveness Action Plan (Action Plan), issued later that year, sets out the joint Canada – U.S. priorities for achieving this vision. In February 2017, Canada and the U.S. reaffirmed the previous commitment to fully implement coordinated entry and exit systems to exchange biographic information at the land border and to build upon processes implemented under previous phases of the initiative, notably:
- September 2012 – January 2013: A proof of concept involving the exchange of Biographic Entry DataFootnote 7 on third country nationalsFootnote 8, permanent residents of Canada, and lawful permanent residents of the U.S. at four automated ports of entry along the shared land border.
- June 30, 2013: The implementation of the Entry/Exit Initiative involving the exchange of Biographic Entry Data on third country nationals, permanent residents of Canada, and lawful permanent residents of the U.S. at all automated ports of entry along the common land border.
- August 23, 2016: Canada began the one-way sharing of Biographic Entry Data on all U.S. citizens and nationals who enter Canada at land ports of entry as an interim measure until such time as the requisite legislative and regulatory authorities are in place in Canada to collect on all travellers who cross the border in the land mode.
The Entry/Exit Initiative is consistent with the CBSA’s mission to ensure Canada's security and prosperity by facilitating and overseeing international travel and trade across Canada's border.
API/PNR Program – Data Acquisition
Since 2002, commercial air carriers have been required to provide the Canada Border Services Agency (CBSA) with Advance Passenger Information (API) and, beginning in 2003, with Passenger Name Record (PNR) data relating to all passengers on board Canada-bound commercial aircraft.
Once provided, this information helps to enhance the security of Canada through three distinct program activities conducted under the CBSA’s API/PNR program, including: Air Passenger Targeting, Intelligence, and Interactive Advance Passenger Information (IAPI).
This PIA acts as a core PIA for the API/PNR program, focusing specifically on the acquisition of API/PNR data while providing a broad overview of the authorized processing parameters for any program activities that use API/PNR information. These parameters include collection, use, access, retention, disclosure and disposal of the data. This PIA is not a stand-alone document and must be read in conjunction with one of the following addenda PIAs: Air Passenger Targeting, IAPI and Intelligence.
API/PNR Program – Air Passenger Targeting
In 2010, following an extensive effectiveness review, the CBSA implemented a long-term solution using a scenario-based targeting methodology within CBSA’s Passenger Information System (PAXIS). Scenario-Based Targeting (SBT) is aligned with the Government of Canada’s commitments under the Beyond the Border Action Plan to address threats earlier to enhance our security and facilitate the flow of legitimate goods and people.
SBT assesses each traveller against scenarios representing a specific combination of risk. The criteria and data elements for each scenario are derived from analyzing historical enforcement, tactical and operational information. SBT is a more flexible tool to respond to the evolving world of global threats, and offers more governance and performance measurement opportunities than risk scoring under the High-Risk Traveller Identification. Scenarios do not generate a cumulative score like the risk scoring methodology; rather, when a traveller’s information matches all the criteria of a scenario, they are considered to be a potential risk requiring review by a targeting officer.
Scenarios fall under three categories: national security, illicit migration and contraband. SBT directs CBSA’s focus towards a smaller segment of the travelling population who represent a potential high risk via API and PNR, enforcement trends and intelligence information. SBT enables a greater flexibility than the risk scoring approach. It is possible to create, modify or delete a scenario from PAXIS in near real time to support new, evolving or expired risk threats.
API/PNR Program – Intelligence
Historically, the API/PNR program was created for the purposes of improving traveler risk assessment procedures in the air mode; retrieving information pertaining to individuals seeking entry to Canada, thereby allowing the Agency to conduct risk assessments, scenario-based risk analyses, and queries for enforcement and intelligence purposes on individuals prior to their arrival to Canada. CBSA intelligence activities interpret the border environment to identify threats or risks to its integrity by creating intelligence products to influence decision-makers in mitigating the identified threat.
The API/PNR Program supports the CBSA Intelligence Program, whereby actionable intelligence is collected, analyzed and distributed “regarding people, goods, shipments or conveyances bound for or leaving Canada” to help the CBSA and other law enforcement partners identify people, goods, shipments or conveyances that may be inadmissible or pose a threat to the security of Canada. CBSA officers located within Canada, at ports of embarkation or at posts abroad assess information collected from a wide range of sources. In addition, the CBSA provides timely, accurate, strategic, operational and tactical intelligence advice to government authorities, like-minded counterpart nations and stakeholders related to threats to national security, including information on terrorism, weapons proliferation, war crimes, organized crime, smuggling, immigration fraud and irregular migration, fraudulent documentation and border enforcement. Intelligence products such as lookouts, alerts, scientific reports and threat and risk assessments inform, support and enhance the Agency’s screening and targeting capabilities and other CBSA programs (such as Admissibility Determination, Criminal Investigations and Immigration Enforcement)”Footnote 9.
Biometric Expansion Program
Immigration, Refugees and Citizenship Canada (IRCC) and the Canada Border Services Agency (CBSA) are jointly responsible for the delivery of Canada’s immigration program by managing the movement of foreign nationals across Canada’s borders in order to maintain a balance between the desire to welcome newcomers to Canada and the obligation to protect the health, safety, and security of Canadian society. Among the responsibilities of these departments are the prevention of irregular migration, the prevention of entry into Canada of inadmissible persons as defined by the Immigration and Refugee Protection Act (IRPA), and the detention and removal of inadmissible persons from Canada.
Accurately establishing identity is crucial to immigration decisions. For more than 20 years, biometrics (fingerprints and a photograph) have played a role in supporting immigration screening and decision-making in Canada.
Expanding biometrics will strengthen Canada’s immigration programs through effective screening (biometric collection, verification, and information-sharing with partner countries). It will also enable Canada to facilitate application processing and travel – while maintaining public confidence in our immigration system.
Biometrics Expansion does not include collecting biometrics from Canadian citizens, citizenship applicants (including passport applicants), or existing permanent residents.
Alternatives to Detention Program
As a key pillar to the National Immigration Detention Framework, the Alternatives to Detention (ATD) Program provides officers with an expanded set of tools and programs that will enable them to more effectively manage their client-base while achieving balanced enforcement outcomes. The wider availability of ATDs supports recommendations from the United Nations High Commission for Refugees (UNHCR) for a robust ATD program within Canada.
This PIA outlines the expansion of two current ATDs to a national level – Voice Reporting (VR) and Community Case Management and Supervision (CCMS), and the introduction of Electronic Monitoring (EM) as a pilot program in the Greater Toronto Area Region.
For those who agree to VR programming, the individual provides voice samples which are stored in a new information system (the Voice Reporting System – VRS) and compared/matched against future voice reporting events. Once enrolled in VR, the individual is required to call a telephone line at regular intervals, at which time their voice is compared to the recordings obtained at the time of VR enrollment.
CCMS is a risk-based community release program, whereby subsequent to a risk assessment, a CBSA officer or the Immigration Refugee Board (IRB) determines that an individual’s risk can be managed in community, resulting in a release from detention. CCMS is intended to promote detention avoidance or detention release for persons that remain compliant with the CBSA but who may lack a bondsperson, or who require social service support in addition to a bondsperson to mitigate risk upon release into the community. Services and programming are provided by three contracted Service Providers (SPs) that are established and experienced in the delivery of community case management to individuals that pose some level of security risk to the public or risk to the integrity of CBSA’s immigration enforcement program.
The EM system is built upon real-time location data collected and analysed in a central facility and reported to regional staff to investigate for enforcement purposes as appropriate. The CBSA is utilizing the services of Correctional Service of Canada (CSC), who currently maintains a successful, national EM program. A Memorandum of Understanding with CSC has been signed to address the details related to policies, procedures, privacy, information sharing and financial arrangements.
Framework Memorandum of Understanding (MOU) between the Canada Border Services Agency (CBSA) and the Federal Bureau of Investigations (FBO)
In addition to sharing information with partners from the United States (US) Department of Homeland Security (USDHS), under existing instruments, the CBSA has a compelling need to share information with the FBI, regarding matters relevant to the shared mandates of these two organizations. As Canada and the US share the longest non-militarized border in the world, the sharing of information between intelligence and criminal investigations programs on both sides of the border becomes imperative for the protection of its citizens. Business and traveler volumes traversing the Canada-US border justify the necessity to have well established, real-time intelligence and investigative links.
To this end, the CBSA established a process for information sharing with the FBI, pursuant to the MOU, allowing for timely information sharing, or the proactive disclosure, under exigent circumstances (i.e. imminent threat), of information about individuals and organizations for which reasonable grounds exist to suspect that they may pose a border-related threat to the safety or security of individuals in either Canada or the US.
Disclosures Made Pursuant to Paragraph 8(2)(e) of the Privacy Act
During the 2018–2019 fiscal year, 695 disclosures pursuant to paragraph 8(2)(e) of the Privacy Act were made by the CBSA.
Disclosures Made Pursuant to Paragraph 8(2)(m) of the Privacy Act
During the 2018–2019 fiscal year, the CBSA made one disclosure related to immigration removals pursuant to paragraph 8(2)(m) of the Privacy Act.
It is in the public interest to demonstrate that the CBSA is carrying out its mandate. This disclosure served to demonstrate that the objectives and integrity of the immigration system and the protection of the health and safety of Canadians were being maintained. The balance between the public’s need to know and protection of an individual’s privacy is of utmost concern to the CBSA. In this case, it was determined that public interest in the disclosure of this individual’s removal status outweighed any injury to the individual.
The OPC was notified before the disclosure was made.
Delegation Order
See Annex A for a signed copy of the delegation order.
Chapter Two: Statistical Report
Statistical report on the Privacy Act
See Annex B for the CBSA's statistical report on the Privacy Act.
Interpretation of the Statistical Report
I. Requests Processed Under the Privacy Act
The CBSA received 13,447 privacy requests in fiscal year 2018–2019, which was an increase of 13% over the previous year. Moreover, the CBSA responded to 13,873 Privacy Act requests, representing 92.5% of the total number of requests received and outstanding from the previous reporting period.
For the past five years, the CBSA has consistently been among the top government departments in terms of workload. While receiving a substantial number of requests each year, the CBSA has been able to maintain and improve upon its performance in a year which has seen its greatest number of requests ever received.
Image description
| Fiscal Year | Requests Received | Completed Requests |
|---|---|---|
| 2014-2015 | 12,769 | 12,024 |
| 2015-2016 | 11,247 | 11,400 |
| 2016-2017 | 11,590 | 11,791 |
| 2017-2018 | 13,429 | 13,575 |
| 2018-2019 | 13,447 | 13,873 |
II. Outstanding Requests from Previous Years
During this reporting period, the CBSA built on the positive steps taken last year and was able to close more files than it received. Of the 1,129 requests carried over to fiscal year 2019–2020, 715 were on time and 414 were late.
III. Completion Time
Of all the requests completed, the CBSA was successful in responding to 97.9% within the legislated timelines, an increase from the 90.8% achieved last fiscal year.
In total, 1,195 extensions were applied for in fiscal year 2018–2019. This represents a decrease of 20.5% in extensions in comparison to the previous fiscal year, and this despite an increase in the volume of requests received.
IV. Complaints and Investigations
Subsection 29(1) of the Privacy Act describes how the OPC receives and investigates complaints from individuals regarding their personal information held by a government institution. Examples of complaints the OPC may choose to investigate include a refusal of access to personal information; an allegation that personal information about an individual that is held by a government institution has been misused or wrongfully disclosed; or failure to provide access to personal information in the official language requested by the individual.
Throughout fiscal year 2018–2019, 64 Privacy Act complaints were filed against the CBSA, which represents an increase of 82.9% compared to fiscal year 2017–2018. The reason most cited for complaints was a delay in responding to requests. The complaints received during the fiscal year were related to the following issues: time delay (24); refusal to disclose (16); application of exemptions (13); use and disclosure (8); collection (1); extension (1); and miscellaneous (1). For context, the number of complaints filed relate to only 0.5% of the 13,873 privacy requests completed during this period.
Of the 29 complaints resolved in fiscal year 2018–2019, 19 were deemed well-founded, and 10 were deemed not well-founded. Additionally, four complaints were resolved; two were discontinued; and one was settled. Where complaints are substantiated, the matter is reviewed by the delegated managers and processes are adjusted if required.
V. Privacy Breaches
Two material privacy breaches were reported during the 2018–2019 fiscal year.
The first involved a breach of information in which a USB key containing the personal information of an individual, was lost in transit when sent from Halifax Stanfield International Airport to the CBSA’s Halifax Inland Enforcement office. To date the USB key has not been found, however the affected individual was informed and expressed no concern regarding the loss of information.
The second incident occurred when electronic file folders (containing personal information) on CBSA’s Apollo record management system were left open for a period of time (view access only) to all CBSA employees. During this time some folders were accessed without authorization. The breach was contained on the same day that it was reported, and the containment completed by correcting the folder permissions in Apollo. A full audit in Apollo was completed to determine how many employees viewed these folders and what information was potentially compromised as a result of the open access. The Agency has also developed a draft action plan to remind employees of their obligations, review Apollo access permissions, expedite a review of what may have transpired, and address obvious shortcomings that may have given rise to the breach.
When a Privacy Breach occur, the CBSA’s Privacy Breach Protocol as well as the Privacy Code of Principles provides information and guidelines for CBSA employees on the procedures that protect the personal information managed in our offices. We hold our employees to a high standard and expect them to abide by these guidelines, in order to preserve public trust and confidence in the integrity of the organization.
VI. Conclusion
The aachievements portrayed in this report reflect the CBSA’s commitment to ensuring that every reasonable effort is made to meet its obligations under the Privacy Act. The CBSA strives to provide Canadians with their personal information to which they have a right in a timely and helpful manner while protecting the privacy rights of all Canadians.
Annex A – Delegation Order
Ministerial Order
Access to Information Act & Privacy Act (ATIP)
Pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, I hereby designate the persons holding the positions set out in the schedule hereto, or a person authorized to exercise the powers or perform the duties and functions of that position, to exercise or perform the powers, duties and functions of the Minister of Public Safety and Emergency Preparedness as the head of the Canada Border Services Agency under the provisions of the Act and related regulations set out in the schedule opposite each position.
This order replaces previous designation orders and comes into force on the date on which it is signed.
Dated at Ottawa, Province of Ontario, this 1st day of October, 2018.
The Honourable Ralph Goodale, P.C., M.P.
Minister of Public Safety and Emergency Preparedness
| Position | Access to Information Act and Regulations | Privacy Act and Regulations |
|---|---|---|
| President | Full authority | Full authority |
| Executive Vice-President | Full authority | Full authority |
| Vice-President, Corporate Affairs Branch | Full authority | Full authority |
| Chief Data Officer | Full authority | Full authority |
| Executive Director, Information Sharing, Access to Information and Chief Privacy Office | Full authority | Full authority |
| Assistant Director, Access to Information and Privacy Operations and Manager, Access to Information and Privacy Policy and Governance | Full authority | Full authority (except 8(2)(m)) |
| Access to Information and Privacy Team Leader, Operations | Full authority | Full authority (except 8(2)(m)) |
Annex B – Statistical Report on the Privacy Act
Name of instituation: Canada Border Services Agency
Reporting period: 2018-04-01 to 2019-03-31
Part 1 — Requests Under the Privacy Act
| Number of Requests | |
|---|---|
| Received during reporting period | 13,447 |
| Outstanding from previous reporting period | 1,555 |
| Total | 15,002 |
| Closed during reporting period | 13,873 |
| Carried over to next reporting period | 1,129 |
Part 2 — Requests Closed During the Reporting Period
| Disposition of requests | 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total |
|---|---|---|---|---|---|---|---|---|
| All disclosed | 1,632 | 6,645 | 1,106 | 63 | 9 | 4 | 0 | 9,086 |
| Disclosed in part | 233 | 1,193 | 741 | 409 | 23 | 42 | 61 | 2,702 |
| All exempted | 0 | 4 | 2 | 5 | 0 | 0 | 0 | 11 |
| All excluded | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 1 |
| No records exist | 72 | 219 | 62 | 13 | 1 | 0 | 3 | 370 |
| Request abandoned | 660 | 396 | 51 | 1 | 0 | 4 | 0 | 1,112 |
| Neither confirmed nor denied | 3 | 1 | 0 | 0 | 0 | 0 | 0 | 4 |
| Total | 2,600 | 8,459 | 2,194 | 479 | 27 | 46 | 68 | 13,873 |
| Section | Number of Requests |
|---|---|
| 18(2) | 0 |
| 19(1)(a) | 645 |
| 19(1)(b) | 37 |
| 19(1)(c) | 28 |
| 19(1)(d) | 84 |
| 19(1)(e) | 0 |
| 19(1)(f) | 0 |
| 20 | 3 |
| 21 | 716 |
| 22(1)(a)(i) | 22 |
| 22(1)(a)(ii) | 3 |
| 22(1)(a)(iii) | 1 |
| 22(1)(b) | 1,451 |
| 22(1)(c) | 25 |
| 22(2) | 0 |
| 22.1 | 0 |
| 22.2 | 0 |
| 22.3 | 1 |
| 23(a) | 0 |
| 23(b) | 0 |
| 24(a) | 0 |
| 24(b) | 0 |
| 25 | 1 |
| 26 | 2,380 |
| 27 | 80 |
| 28 | 1 |
| Section | Number of Requests |
|---|---|
| 69(1)(a) | 0 |
| 69(1)(b) | 0 |
| 69.1 | 0 |
| 70(1) | 0 |
| 70(1)(a) | 0 |
| 70(1)(b) | 0 |
| 70(1)(c) | 0 |
| 70(1)(d) | 0 |
| 70(1)(e) | 0 |
| 70(1)(f) | 0 |
| 70.1 | 0 |
| Disposition | Paper | Electronic | Other formats |
|---|---|---|---|
| All disclosed | 5,599 | 74 | 0 |
| Disclosed in part | 1,524 | 1,178 | 0 |
| Total | 11,123 | 1,252 | 0 |
2.5 Complexity
| Disposition of Requests | Number of Pages Processed | Number of Pages Disclosed | Number of Requests |
|---|---|---|---|
| All disclosed | 42,058 | 42,058 | 9,673 |
| Disclosed in part | 631,333 | 428,561 | 2,702 |
| All exempted | 2,763 | 0 | 11 |
| All excluded | 0 | 0 | 1 |
| Request abandoned | 2,183 | 2,070 | 1,112 |
| Neither confirmed nor denied | 0 | 0 | 4 |
| Total | 678,337 | 472,689 | 13,503 |
| Disposition | Less than 100 pages processed | 101-500 pages processed | 501-1000 pages processed | 1001-5000 pages processed | More than 5000 pages processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| All disclosed | 9,662 | 36,719 | 10 | 3,787 | 1 | 1,552 | 0 | 0 | 0 | 0 |
| Disclosed in part | 1,824 | 31,628 | 662 | 155,624 | 157 | 107,090 | 56 | 99,365 | 3 | 34,854 |
| All exempted | 11 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 1,106 | 331 | 5 | 1,163 | 1 | 576 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 4 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 12,608 | 68,678 | 677 | 160,574 | 159 | 109,218 | 56 | 99,365 | 3 | 34,854 |
| Disposition | Consultation Required | Legal Advice Sought | Interwoven Information | Other | Total |
|---|---|---|---|---|---|
| All disclosed | 3 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 2,380 | 0 | 2,380 |
| All exempted | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 |
| Request abandoned | 0 | 0 | 0 | 0 | 0 |
| Neither confirmed nor denied | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 2,380 | 0 | 2,380 |
2.6 Deemed refusals
| Number of requests closed past the statutory deadline | Workload | External consultation | Internal consultation | Other |
|---|---|---|---|---|
| 296 | 156 | 17 | 8 | 115 |
| Number of Days Past Deadline | Number of Requests Past Deadline Where No Extension Was Taken | Number of Requests Past Deadline Where An Extension Was Taken | Total |
|---|---|---|---|
| 1 to 15 days | 58 | 36 | 94 |
| 16 to 30 days | 8 | 19 | 27 |
| 31 to 60 days | 11 | 23 | 34 |
| 61 to 120 days | 2 | 25 | 27 |
| 121 to 180 days | 0 | 11 | 11 |
| 181 to 365 days | 1 | 51 | 52 |
| More than 365 days | 16 | 35 | 51 |
| Total | 96 | 200 | 296 |
| Translation Requests | Accepted | Refused | Total |
|---|---|---|---|
| English to French | 0 | 0 | 0 |
| French to English | 0 | 0 | 0 |
| Total | 0 | 0 | 0 |
Part 3 — Disclosures Under Subsection 8(2) and 8(5)
| Paragraph 8(2)(e) | Paragraph 8(2)(m) | Paragraph 8(5) | Total |
|---|---|---|---|
| 695 | 1 | 1 | 697 |
Part 4 — Requests for Correction of Personal Information and Notations
| Disposition for Correction Requests Received | Number |
|---|---|
| Notations attached | 21 |
| Requests for correction accepted | 0 |
| Total | 21 |
Part 5 — Extensions
| Disposition of Requests Where an Extension Was Taken | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation or conversion | |
|---|---|---|---|---|
| Section 70 | Other | |||
| All disclosed | 194 | 0 | 2 | 0 |
| Disclosed in part | 901 | 0 | 28 | 0 |
| All exempted | 5 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 |
| No records exist | 32 | 0 | 1 | 0 |
| Request abandoned | 32 | 0 | 0 | 0 |
| Total | 1,164 | 0 | 31 | 0 |
| Length of Extensions | 15(a)(i) Interference with operations | 15(a)(ii) Consultation | 15(b) Translation purposes | |
|---|---|---|---|---|
| Section 70 | Other | |||
| 1 to 15 days | 0 | 0 | 0 | 0 |
| 16 to 30 days | 1,164 | 0 | 31 | 0 |
| Total | 1,164 | 0 | 31 | 0 |
Part 6 — Consultations Received From Other Institutions and Organizations
| Consultations | Other Government of Canada Institutions | Number of Pages to Review | Other Organizations | Number of Pages to Review |
|---|---|---|---|---|
| Received during the reporting period | 103 | 5,535 | 1 | 39 |
| Outstanding from the previous reporting period | 5 | 31,159 | 0 | 0 |
| Total | 108 | 36,694 | 1 | 39 |
| Closed during the reporting period | 102 | 3,781 | 0 | 0 |
| Pending at the end of the reporting period | 6 | 32,913 | 1 | 39 |
| Recommendation | 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total |
|---|---|---|---|---|---|---|---|---|
| All disclosed | 14 | 16 | 4 | 2 | 0 | 0 | 0 | 36 |
| Disclosed in part | 23 | 26 | 9 | 1 | 0 | 0 | 0 | 59 |
| All exempted | 5 | 2 | 0 | 0 | 0 | 0 | 0 | 7 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 2 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 42 | 44 | 13 | 3 | 0 | 0 | 0 | 102 |
| Recommendation | 1 to 15 | 16 to 30 | 31 to 60 | 61 to 120 | 121 to 180 | 181 to 365 | More than 365 | Total |
|---|---|---|---|---|---|---|---|---|
| All disclosed | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Disclosed in part | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All exempted | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| All excluded | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Consult other institution | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Other | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 7 — Completion time of consultations on Cabinet confidences
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Number of Days | Fewer Than 100 Pages Processed | 101-500 Pages Processed | 501-1000 Pages Processed | 1001-5000 Pages Processed | More than 5000 Pages Processed | |||||
|---|---|---|---|---|---|---|---|---|---|---|
| Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | Number of Requests | Pages Disclosed | |
| 1 to 15 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 16 to 30 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 31 to 60 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 61 to 120 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 121 to 180 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| 181 to 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| More than 365 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Total | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Part 8 - Complaints and Investigations Notices Received
| Section 31 | Section 33 | Section 35 | Court action | Total |
|---|---|---|---|---|
| 64 | 35 | 29 | 0 | 128 |
Part 9 - Privacy Impact Assessments (PIAs)
| Number of PIA(s) completed | 8 |
|---|
Part 10 — Resources related to the Privacy Act
| Expenditures | Amount |
|---|---|
| Salaries | $4,075,962 |
| Overtime | $65,990 |
| Goods and Services: Professional services contracts | $0 |
| Goods and Services: Other | $179,478 |
| Total | $4,321,430 |
| Resources | Person Years Dedicated to Privacy Activities |
|---|---|
| Full-time employees | 47.642 |
| Part-time and casual employees | 3.44 |
| Regional staff | 0.00 |
| Consultants and agency personnel | 0.00 |
| Students | 0.00 |
| Total | 51.08 |
| Section | Number of requests |
|---|---|
| 22.4 National Security and Intelligence Committee | 0 |
| 27.1 Patent or Trademark privilege | 0 |
- Date modified: