We have archived this page on the web

The information was accurate at the time of publishing but may no longer reflect the current state at the Canada Border Services Agency. It is not subject to the Government of Canada web standards.

Annual Report to Parliament on the Privacy Act
Canada Border Services Agency 2018-2019

Table of contents

Chapter One: Privacy Act Report

Introduction

The Canada Border Services Agency (CBSA) is pleased to present to Parliament, in accordance with section 72 of the Privacy Act, its annual report on the management of this Act. The report describes the activities that support compliance with the Privacy Act for the fiscal year commencing April 1, 2018, and ending March 31, 2019. During this period, the CBSA continued to build on successful practices implemented in previous years.

The purpose of this Act is to extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by a government institution and that provide individuals with a right of access to that information.Footnote 1

As stated in subsections 72(1) and 72(2) of the Privacy Act, “The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year.… Every report prepared under subsection (1) shall be laid before each House of Parliament within three months after the financial year in respect of which it is made or, if that House is not then sitting, on any of the first fifteen days next thereafter that it is sitting.”Footnote 2

Organization

I. About the Canada Border Services Agency

Since 2003, the CBSA has been an integral part of the Public Safety Canada (PS) portfolio, which was created to ensure coordination across all federal departments and agencies responsible for national security and the safety of Canadians.Footnote 3 The CBSA itself is responsible for providing integrated border services that support national security and public safety priorities and facilitate the free flow of persons and goods, including animals and plants, that meet all requirements under the program legislation.

The CBSA carries out its responsibilities with a workforce of approximately 14,000 employees, including over 6,500 uniformed CBSA officers who provide services at approximately 1,200 points across Canada and at 39 international locations.Footnote 4

II. Access to Information and Privacy Division

The Access to Information and Privacy (ATIP) Division is comprised of six units: an Administration section, three Case Management units, and two Policy units. The Administration section’s function is to receive all incoming requests and consultations, to ensure quality control of all outgoing correspondence, and to support the Case Management units in their day-to-day business. The Case Management units assign branches and regions with retrieval requests, process requests under the Privacy Act, and provide daily operational guidance and support to CBSA employees. The ATIP Policy and Governance Unit develops policies, tools, and procedures to support ATIP requirements within the CBSA and provides training to employees. The Information Sharing and Collaborative Arrangement Policy Unit maintains the policy framework for the CBSA’s information sharing and domestic written collaborative arrangements. On average, 71 full time equivalents, and five part time and casual employees were employed in the ATIP Division during fiscal year 2018–2019.

The ATIP coordinator for the CBSA is the Executive Director of the ATIP Division. The ATIP Division is part of the Chief Data Office, which reports to the Vice-President (VP) of the Strategic Policy Branch. Consistent with best practices identified by the Treasury Board of Canada Secretariat (TBS),Footnote 5 the CBSA's ATIP coordinator is positioned within three levels of the President and has full delegated authority, reporting directly to the Chief Data Officer, who in turn reports to the VP of the Strategic Policy Branch.

Key to maintaining compliance with the statutory time requirements of the Privacy Act is the ATIP Division’s ability to obtain personal information from branches and regions in a timely and reliable manner. Supported by a network of 17 ATIP liaison officers across the CBSA, the ATIP Division is well positioned to receive, coordinate, and process requests for personal information under the Privacy Act.

The ATIP Division works closely with other members of the PS portfolio, including the Canadian Security Intelligence Service, the Correctional Service of Canada, the Parole Board of Canada, and the Royal Canadian Mounted Police, to share best practices and develop streamlined processes for the retrieval of jointly held records within the 30-day legislated time frame required to respond to privacy requests.

Activities and Accomplishments

I. Performance

Fiscal year 2018–2019 saw record high volumes of privacy requests made to the CBSA. The record volumes are largely attributable to individuals seeking copies of their history of arrival dates into Canada. In fiscal year 2018–2019, 85% of all the privacy requests received by the CBSA came from individuals seeking their Traveller History Report, which contains information used to support residency requirements for programs administered by Immigration, Refugees and Citizenship Canada (IRCC) and Employment and Social Development Canada (ESDC).

In September 2012, IRCC, in consultation with the CBSA, introduced a new consent-based application form which sees applicants for citizenship provide consent on their applications for IRCC to view their travel history directly. The CBSA has allocated 100 accounts to the IRCC to verify (view only) clients’ Travel History Report (THR) to Canada. IRCC has since viewed approximately 1.2 million THR, of which 380,860 were in fiscal year 2018-2019, that might otherwise have been requested formally through the CBSA by way of formal Privacy Act, or Access to Information Act requests.

The CBSA continued to see high volumes of privacy requests submitted through the Access to Information and Privacy Online Request tool. Through this tool, the Agency received 11,180 requests, which amounted to 83.1% of all privacy requests received by the CBSA.

The CBSA continued to offer the electronic format for responses to privacy requests. Although electronic format made up only 9.3% of all formal privacy requests that were either all disclosed or disclosed in part in fiscal year 2018–2019, these requests accounted for 87.4% of all the pages the CBSA disclosed in their entirety or disclosed in part this fiscal year.

The ATIP Division also provided case-by-case policy guidance to CBSA program areas related to the disclosure of information under section 8 of the Privacy Act and section 107 of the Customs Act. In total, the ATIP Division received 1,778 requests for guidance in fiscal year 2018–2019, representing an increase of 11.7% over the previous year.

The CBSA ATIP Division is one of the largest and busiest in all of government. Our large workload and fast-paced environment can easily generate conflicting forces that can have a negative impact on our employees unless these forces are well-managed; consequently, staff morale and well-being are extremely important aspects for the CBSA ATIP Division.

Being an agency with information stored across the country as well as internationally, the use of electronic filing systems has become increasingly important. With this in mind, the division has transitioned to an entirely paperless office. Adding remote access capability to the new paperless environment enabled us to implement a telework schedule that allows our employees the option to work from home. The results have been remarkable with the best on-time performance within the legislated timeframe in the history of the CBSA despite record high volumes of requests received.

II. Education and Training

In fiscal year 2018–2019, the ATIP Division continued to conduct bilingual training sessions that supported the implementation of streamlined processing procedures and built an awareness of ATIP obligations. These sessions are designed to ensure that the participants fully understand their responsibilities under the Privacy Act, with a focus on requests made pursuant to the Act and the duty to assist principles. Ten sessions were offered, with 276 National Capital Region (NCR) and regional employees taking part.

CBSA employees also took advantage of the free online course entitled “Managing Information at the Canada Border Services Agency and the Access to Information Act and the Privacy Act.” This one-hour online course was designed to provide employees with the basic principles for effectively managing information in their daily work. After completing this course, employees will have acquired the knowledge to better identify various types of information, learned how requests under the Access to Information Act and the Privacy Act are handled, and learned about their responsibilities throughout the process. A total of 624 participants completed the online training in fiscal year 2018–2019.

Moreover, the ATIP Division delivered 15 in-class training sessions on section 107 of the Customs Act, as well as basic information sharing, disclosure of intelligence-related information, and business line specific training sessions to 121 employees in the NCR and across the regions. In addition, before attending the in-class training, employees are advised to complete the interactive online training course, regarding information sharing that was developed by the ATIP Division.

Further, the ATIP Division developed a communications plan to raise employees’ awareness of their obligations under the Privacy Act. The plan leverages key dates, such as Data Privacy Day, and other activities at the CBSA to promote ATIP tools, resources, and awareness.

Finally, the ATIP Division continues to actively participate in the TBS-led ATIP coordinators’ and ATIP practitioners’ meetings. These meetings provide opportunities for ATIP employees from the CBSA to liaise with employees from other institutions to discuss various issues and challenges that have been identified by the ATIP community.

III. New and Revised Privacy-related Policies and Procedures

During fiscal year 2018–2019, the CBSA continued to revise existing policies and to develop new ones.

The ATIP Division has continued to take a number of measures to enhance and promote ATIP tools that are readily accessible to CBSA employees by utilizing Apollo (GCDocs). To this end, we are able to ensure that the ATIP intranet site is up to date and available to all CBSA employees. This allows the ATIP Division to quickly share information and best practices and to facilitate collaboration across the Agency.

During the reporting period, the ATIP Policy and Governance Unit developed an ATIP Handbook for analysts. The first section focuses on the Administrative section of the ATIP Division. The second section focus on the day to day work of the Case Management units. The handbook includes reference material and provides clear guidance on CBSA policies and procedures which can be easily referenced. The Handbook will remain an evergreen document subject to updates and revisions.

Additionally, the policies and procedures surrounding the processing of privacy breaches were reviewed and updated. This includes a revised Privacy Breach Protocol as well as reporting procedures and reference material.

As of October 1, 2018, institutions have been required to provide a written explanation to requesters when a personal information request takes more than 30 days to fulfill, under Section 4.2.7 of the Directive on Personal Information Requests and Correction of Personal Information. The CBSA has amended its response letters to requesters to comply with TBS’s Directive.

Given the rise in ATIP related audio/video redacting requests, the ATIP division has taken measurements to respond to these requests in a timely manner by installing redaction stations within the division.

This year, the CBSA continued to be an active participant in the renewal process through the ADM ATIP Committee and the Privacy Act Modernization working group. The focus of this working group is now to continue to develop policy options and working on transition advice alongside Innovation, Science and Economic Development Canada (ISED) for the Personal Information Protection Electronic Document Act (PIPEDA).

The first annual report to the Minister of Public Safety on the application of the Ministerial Direction to the CBSA: Avoiding Complicity in Mistreatment by Foreign Entities, was issued to the CBSA President in September 2018. The President presented the report to the Minister during the same time.

The ATIP Division assisted the CBSA’s Origin, Valuation and Negotiations Unit to successfully negotiate the Customs Administration and Trade Facilitation Chapter of the United States-Mexico-Canada Agreement (formerly the North American Free Trade Agreement) by providing policy advice and guidance on the information sharing components of the Chapter. The Agreement was signed by all countries in November 2018.

The ATIP Division continued to provide the service of informally reviewing CBSA records for internal programs as if they had been requested under the Privacy Act. The ATIP Division received 113 internal requests of this nature in fiscal year 2018–2019.

The ATIP Division closely monitors the time it takes to process privacy requests. Monthly reports, which show trends and performance, are submitted to the managers of the Case Management units, the Executive Director of the ATIP Division, the Chief Data Officer, and the Vice-President of the Strategic Policy Branch. Monthly reports consisting of statistics on the performance of the offices of primary interest are also distributed to all ATIP liaison officers. Finally, quarterly trend reports portraying the overall performance of the Agency are reviewed and discussed during meetings of the Agency’s Executive CommitteeFootnote 6 and are included in the Agency Performance Summary.

IV. Reading Room

The CBSA, in accordance with the Privacy Act, maintains a reading room for applicants who wish to review material in person at the CBSA. Applicants may access the reading room by contacting the CBSA's ATIP Division by telephone at 343-291-7021 or by sending an email to ATIP-AIPRP@cbsa-asfc.gc.ca. The reading room is located at

Place Vanier Complex, 14th Floor, Tower A
333 North River Road
Ottawa, Ontario K1A 0L8

V. Audits of, and Investigations into the Privacy Practices of the Canada Border Services Agency

In 2018-2019, there were no key issues raised as a result of privacy investigations, and no audits were conducted that related to privacy practices of the CBSA.

VI. Privacy Impact Assessments

In fiscal year 2018–2019, the CBSA completed eight Privacy Impact Assessments (PIA). They were all sent to the OPC and TBS for review and comments.

The eight PIAs completed by the CBSA are:

The full executive summaries of these PIAs can be found on the CBSA's website.

Data Analytics

The CBSA is in the process of a major transformation, driven by the need to modernize how front-line services are delivered and operations are managed. The intent is to transition the management of Canada’s borders to a risk-based model. To achieve this, the Agency is investing in digital solutions to strengthen its capacity for evidence-based decision making and improve performance management. This is reflected in the CBSA’s Data Analytics Strategy, which will result in data that is of a high quality, accessible, and well managed and that supports effective business intelligence and risk management.

The Data Analytics Strategy provides for the expansion of data analytics through the improved integration of data that the Agency creates, data acquired from other government departments, and data procured from third parties. Therefore the PIA is structured to accommodate new content as new datasets, data uses, and data users grows over time. Specifically, any incremental new privacy issues will be assessed via annexes that describe any new data sets or data systems, the uses of associated data, and the users of the data analytics outputs.

Entry/Exit Initiative – Final Implementation

In 2011, Canada and the United States (U.S.) issued Beyond the Border: A Shared Vision for Perimeter Security and Economic Competitiveness, which established a new, long-term partnership built upon a perimeter approach to security and economic competitiveness. The Perimeter Security and Economic Competitiveness Action Plan (Action Plan), issued later that year, sets out the joint Canada – U.S. priorities for achieving this vision. In February 2017, Canada and the U.S. reaffirmed the previous commitment to fully implement coordinated entry and exit systems to exchange biographic information at the land border and to build upon processes implemented under previous phases of the initiative, notably:

The Entry/Exit Initiative is consistent with the CBSA’s mission to ensure Canada's security and prosperity by facilitating and overseeing international travel and trade across Canada's border.

API/PNR Program – Data Acquisition

Since 2002, commercial air carriers have been required to provide the Canada Border Services Agency (CBSA) with Advance Passenger Information (API) and, beginning in 2003, with Passenger Name Record (PNR) data relating to all passengers on board Canada-bound commercial aircraft.

Once provided, this information helps to enhance the security of Canada through three distinct program activities conducted under the CBSA’s API/PNR program, including: Air Passenger Targeting, Intelligence, and Interactive Advance Passenger Information (IAPI).

This PIA acts as a core PIA for the API/PNR program, focusing specifically on the acquisition of API/PNR data while providing a broad overview of the authorized processing parameters for any program activities that use API/PNR information. These parameters include collection, use, access, retention, disclosure and disposal of the data. This PIA is not a stand-alone document and must be read in conjunction with one of the following addenda PIAs: Air Passenger Targeting, IAPI and Intelligence.

API/PNR Program – Air Passenger Targeting

In 2010, following an extensive effectiveness review, the CBSA implemented a long-term solution using a scenario-based targeting methodology within CBSA’s Passenger Information System (PAXIS). Scenario-Based Targeting (SBT) is aligned with the Government of Canada’s commitments under the Beyond the Border Action Plan to address threats earlier to enhance our security and facilitate the flow of legitimate goods and people.

SBT assesses each traveller against scenarios representing a specific combination of risk. The criteria and data elements for each scenario are derived from analyzing historical enforcement, tactical and operational information. SBT is a more flexible tool to respond to the evolving world of global threats, and offers more governance and performance measurement opportunities than risk scoring under the High-Risk Traveller Identification. Scenarios do not generate a cumulative score like the risk scoring methodology; rather, when a traveller’s information matches all the criteria of a scenario, they are considered to be a potential risk requiring review by a targeting officer.

Scenarios fall under three categories: national security, illicit migration and contraband. SBT directs CBSA’s focus towards a smaller segment of the travelling population who represent a potential high risk via API and PNR, enforcement trends and intelligence information. SBT enables a greater flexibility than the risk scoring approach. It is possible to create, modify or delete a scenario from PAXIS in near real time to support new, evolving or expired risk threats.

API/PNR Program – Intelligence

Historically, the API/PNR program was created for the purposes of improving traveler risk assessment procedures in the air mode; retrieving information pertaining to individuals seeking entry to Canada, thereby allowing the Agency to conduct risk assessments, scenario-based risk analyses, and queries for enforcement and intelligence purposes on individuals prior to their arrival to Canada. CBSA intelligence activities interpret the border environment to identify threats or risks to its integrity by creating intelligence products to influence decision-makers in mitigating the identified threat.

The API/PNR Program supports the CBSA Intelligence Program, whereby actionable intelligence is collected, analyzed and distributed “regarding people, goods, shipments or conveyances bound for or leaving Canada” to help the CBSA and other law enforcement partners identify people, goods, shipments or conveyances that may be inadmissible or pose a threat to the security of Canada. CBSA officers located within Canada, at ports of embarkation or at posts abroad assess information collected from a wide range of sources. In addition, the CBSA provides timely, accurate, strategic, operational and tactical intelligence advice to government authorities, like-minded counterpart nations and stakeholders related to threats to national security, including information on terrorism, weapons proliferation, war crimes, organized crime, smuggling, immigration fraud and irregular migration, fraudulent documentation and border enforcement. Intelligence products such as lookouts, alerts, scientific reports and threat and risk assessments inform, support and enhance the Agency’s screening and targeting capabilities and other CBSA programs (such as Admissibility Determination, Criminal Investigations and Immigration Enforcement)”Footnote 9.

Biometric Expansion Program

Immigration, Refugees and Citizenship Canada (IRCC) and the Canada Border Services Agency (CBSA) are jointly responsible for the delivery of Canada’s immigration program by managing the movement of foreign nationals across Canada’s borders in order to maintain a balance between the desire to welcome newcomers to Canada and the obligation to protect the health, safety, and security of Canadian society. Among the responsibilities of these departments are the prevention of irregular migration, the prevention of entry into Canada of inadmissible persons as defined by the Immigration and Refugee Protection Act (IRPA), and the detention and removal of inadmissible persons from Canada.

Accurately establishing identity is crucial to immigration decisions. For more than 20 years, biometrics (fingerprints and a photograph) have played a role in supporting immigration screening and decision-making in Canada.

Expanding biometrics will strengthen Canada’s immigration programs through effective screening (biometric collection, verification, and information-sharing with partner countries). It will also enable Canada to facilitate application processing and travel – while maintaining public confidence in our immigration system.

Biometrics Expansion does not include collecting biometrics from Canadian citizens, citizenship applicants (including passport applicants), or existing permanent residents.

Alternatives to Detention Program

As a key pillar to the National Immigration Detention Framework, the Alternatives to Detention (ATD) Program provides officers with an expanded set of tools and programs that will enable them to more effectively manage their client-base while achieving balanced enforcement outcomes. The wider availability of ATDs supports recommendations from the United Nations High Commission for Refugees (UNHCR) for a robust ATD program within Canada.

This PIA outlines the expansion of two current ATDs to a national level – Voice Reporting (VR) and Community Case Management and Supervision (CCMS), and the introduction of Electronic Monitoring (EM) as a pilot program in the Greater Toronto Area Region.

For those who agree to VR programming, the individual provides voice samples which are stored in a new information system (the Voice Reporting System – VRS) and compared/matched against future voice reporting events. Once enrolled in VR, the individual is required to call a telephone line at regular intervals, at which time their voice is compared to the recordings obtained at the time of VR enrollment.

CCMS is a risk-based community release program, whereby subsequent to a risk assessment, a CBSA officer or the Immigration Refugee Board (IRB) determines that an individual’s risk can be managed in community, resulting in a release from detention. CCMS is intended to promote detention avoidance or detention release for persons that remain compliant with the CBSA but who may lack a bondsperson, or who require social service support in addition to a bondsperson to mitigate risk upon release into the community. Services and programming are provided by three contracted Service Providers (SPs) that are established and experienced in the delivery of community case management to individuals that pose some level of security risk to the public or risk to the integrity of CBSA’s immigration enforcement program.

The EM system is built upon real-time location data collected and analysed in a central facility and reported to regional staff to investigate for enforcement purposes as appropriate. The CBSA is utilizing the services of Correctional Service of Canada (CSC), who currently maintains a successful, national EM program. A Memorandum of Understanding with CSC has been signed to address the details related to policies, procedures, privacy, information sharing and financial arrangements.

Framework Memorandum of Understanding (MOU) between the Canada Border Services Agency (CBSA) and the Federal Bureau of Investigations (FBO)

In addition to sharing information with partners from the United States (US) Department of Homeland Security (USDHS), under existing instruments, the CBSA has a compelling need to share information with the FBI, regarding matters relevant to the shared mandates of these two organizations. As Canada and the US share the longest non-militarized border in the world, the sharing of information between intelligence and criminal investigations programs on both sides of the border becomes imperative for the protection of its citizens. Business and traveler volumes traversing the Canada-US border justify the necessity to have well established, real-time intelligence and investigative links.

To this end, the CBSA established a process for information sharing with the FBI, pursuant to the MOU, allowing for timely information sharing, or the proactive disclosure, under exigent circumstances (i.e. imminent threat), of information about individuals and organizations for which reasonable grounds exist to suspect that they may pose a border-related threat to the safety or security of individuals in either Canada or the US.

Disclosures Made Pursuant to Paragraph 8(2)(e) of the Privacy Act

During the 2018–2019 fiscal year, 695 disclosures pursuant to paragraph 8(2)(e) of the Privacy Act were made by the CBSA.

Disclosures Made Pursuant to Paragraph 8(2)(m) of the Privacy Act

During the 2018–2019 fiscal year, the CBSA made one disclosure related to immigration removals pursuant to paragraph 8(2)(m) of the Privacy Act.

It is in the public interest to demonstrate that the CBSA is carrying out its mandate. This disclosure served to demonstrate that the objectives and integrity of the immigration system and the protection of the health and safety of Canadians were being maintained. The balance between the public’s need to know and protection of an individual’s privacy is of utmost concern to the CBSA. In this case, it was determined that public interest in the disclosure of this individual’s removal status outweighed any injury to the individual.

The OPC was notified before the disclosure was made.

Delegation Order

See Annex A for a signed copy of the delegation order.

Chapter Two: Statistical Report

Statistical report on the Privacy Act

See Annex B for the CBSA's statistical report on the Privacy Act.

Interpretation of the Statistical Report

I. Requests Processed Under the Privacy Act

The CBSA received 13,447 privacy requests in fiscal year 2018–2019, which was an increase of 13% over the previous year. Moreover, the CBSA responded to 13,873 Privacy Act requests, representing 92.5% of the total number of requests received and outstanding from the previous reporting period.

For the past five years, the CBSA has consistently been among the top government departments in terms of workload. While receiving a substantial number of requests each year, the CBSA has been able to maintain and improve upon its performance in a year which has seen its greatest number of requests ever received.

Demandes de renseignements personnels reçues/traitées

Image description
Privacy Requests Received/Completed
Fiscal Year Requests Received Completed Requests
2014-2015 12,769 12,024
2015-2016 11,247 11,400
2016-2017 11,590 11,791
2017-2018 13,429 13,575
2018-2019 13,447 13,873

II. Outstanding Requests from Previous Years

During this reporting period, the CBSA built on the positive steps taken last year and was able to close more files than it received. Of the 1,129 requests carried over to fiscal year 2019–2020, 715 were on time and 414 were late.

III. Completion Time

Of all the requests completed, the CBSA was successful in responding to 97.9% within the legislated timelines, an increase from the 90.8% achieved last fiscal year.

In total, 1,195 extensions were applied for in fiscal year 2018–2019. This represents a decrease of 20.5% in extensions in comparison to the previous fiscal year, and this despite an increase in the volume of requests received.

IV. Complaints and Investigations

Subsection 29(1) of the Privacy Act describes how the OPC receives and investigates complaints from individuals regarding their personal information held by a government institution. Examples of complaints the OPC may choose to investigate include a refusal of access to personal information; an allegation that personal information about an individual that is held by a government institution has been misused or wrongfully disclosed; or failure to provide access to personal information in the official language requested by the individual.

Throughout fiscal year 2018–2019, 64 Privacy Act complaints were filed against the CBSA, which represents an increase of 82.9% compared to fiscal year 2017–2018. The reason most cited for complaints was a delay in responding to requests. The complaints received during the fiscal year were related to the following issues: time delay (24); refusal to disclose (16); application of exemptions (13); use and disclosure (8); collection (1); extension (1); and miscellaneous (1). For context, the number of complaints filed relate to only 0.5% of the 13,873 privacy requests completed during this period.

Of the 29 complaints resolved in fiscal year 2018–2019, 19 were deemed well-founded, and 10 were deemed not well-founded. Additionally, four complaints were resolved; two were discontinued; and one was settled. Where complaints are substantiated, the matter is reviewed by the delegated managers and processes are adjusted if required.

V. Privacy Breaches

Two material privacy breaches were reported during the 2018–2019 fiscal year.

The first involved a breach of information in which a USB key containing the personal information of an individual, was lost in transit when sent from Halifax Stanfield International Airport to the CBSA’s Halifax Inland Enforcement office. To date the USB key has not been found, however the affected individual was informed and expressed no concern regarding the loss of information.

The second incident occurred when electronic file folders (containing personal information) on CBSA’s Apollo record management system were left open for a period of time (view access only) to all CBSA employees. During this time some folders were accessed without authorization. The breach was contained on the same day that it was reported, and the containment completed by correcting the folder permissions in Apollo. A full audit in Apollo was completed to determine how many employees viewed these folders and what information was potentially compromised as a result of the open access. The Agency has also developed a draft action plan to remind employees of their obligations, review Apollo access permissions, expedite a review of what may have transpired, and address obvious shortcomings that may have given rise to the breach.

When a Privacy Breach occur, the CBSA’s Privacy Breach Protocol as well as the Privacy Code of Principles provides information and guidelines for CBSA employees on the procedures that protect the personal information managed in our offices. We hold our employees to a high standard and expect them to abide by these guidelines, in order to preserve public trust and confidence in the integrity of the organization.

VI. Conclusion

The aachievements portrayed in this report reflect the CBSA’s commitment to ensuring that every reasonable effort is made to meet its obligations under the Privacy Act. The CBSA strives to provide Canadians with their personal information to which they have a right in a timely and helpful manner while protecting the privacy rights of all Canadians.

Annex A – Delegation Order

Ministerial Order
Access to Information Act & Privacy Act (ATIP)

Pursuant to section 73 of the Access to Information Act and section 73 of the Privacy Act, I hereby designate the persons holding the positions set out in the schedule hereto, or a person authorized to exercise the powers or perform the duties and functions of that position, to exercise or perform the powers, duties and functions of the Minister of Public Safety and Emergency Preparedness as the head of the Canada Border Services Agency under the provisions of the Act and related regulations set out in the schedule opposite each position.

This order replaces previous designation orders and comes into force on the date on which it is signed.

Dated at Ottawa, Province of Ontario, this 1st day of October, 2018.

The Honourable Ralph Goodale, P.C., M.P.
Minister of Public Safety and Emergency Preparedness

Schedule
Ministerial Order under the Access to Information Act & the Privacy Act

Position Access to Information Act and Regulations Privacy Act and Regulations
President Full authority Full authority
Executive Vice-President Full authority Full authority
Vice-President, Corporate Affairs Branch Full authority Full authority
Chief Data Officer Full authority Full authority
Executive Director, Information Sharing, Access to Information and Chief Privacy Office Full authority Full authority
Assistant Director, Access to Information and Privacy Operations and Manager, Access to Information and Privacy Policy and Governance Full authority Full authority 
(except 8(2)(m))
Access to Information and Privacy Team Leader, Operations Full authority Full authority 
(except 8(2)(m))

Annex B – Statistical Report on the Privacy Act

Name of instituation: Canada Border Services Agency

Reporting period: 2018-04-01 to 2019-03-31

Part 1 — Requests Under the Privacy Act

  Number of Requests
Received during reporting period 13,447
Outstanding from previous reporting period 1,555
Total 15,002
Closed during reporting period 13,873
Carried over to next reporting period 1,129

Part 2 — Requests Closed During the Reporting Period

2.1 Disposition and completion time (days)
Disposition of requests 1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365 Total
All disclosed 1,632 6,645 1,106 63 9 4 0 9,086
Disclosed in part 233 1,193 741 409 23 42 61 2,702
All exempted 0 4 2 5 0 0 0 11
All excluded 0 1 0 0 0 0 0 1
No records exist 72 219 62 13 1 0 3 370
Request abandoned 660 396 51 1 0 4 0 1,112
Neither confirmed nor denied 3 1 0 0 0 0 0 4
Total 2,600 8,459 2,194 479 27 46 68 13,873
2.2 Exemptions
Section Number of Requests
18(2) 0
19(1)(a) 645
19(1)(b) 37
19(1)(c) 28
19(1)(d) 84
19(1)(e) 0
19(1)(f) 0
20 3
21 716
22(1)(a)(i) 22
22(1)(a)(ii) 3
22(1)(a)(iii) 1
22(1)(b) 1,451
22(1)(c) 25
22(2) 0
22.1 0
22.2 0
22.3 1
23(a) 0
23(b) 0
24(a) 0
24(b) 0
25 1
26 2,380
27 80
28 1
2.3 Exclusions
Section Number of Requests
69(1)(a) 0
69(1)(b) 0
69.1 0
70(1) 0
70(1)(a) 0
70(1)(b) 0
70(1)(c) 0
70(1)(d) 0
70(1)(e) 0
70(1)(f) 0
70.1 0
2.4 Format of information released
Disposition Paper Electronic Other formats
All disclosed 5,599 74 0
Disclosed in part 1,524 1,178 0
Total 11,123 1,252 0

2.5 Complexity

2.5.1 Relevant pages processed and disclosed
Disposition of Requests Number of Pages Processed Number of Pages Disclosed Number of Requests
All disclosed 42,058 42,058 9,673
Disclosed in part 631,333 428,561 2,702
All exempted 2,763 0 11
All excluded 0 0 1
Request abandoned 2,183 2,070 1,112
Neither confirmed nor denied 0 0 4
Total 678,337 472,689 13,503
2.5.2 Relevant pages processed and disclosed by size of requests
Disposition Less than 100 pages processed 101-500 pages processed 501-1000 pages processed 1001-5000 pages processed More than 5000 pages processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
All disclosed 9,662 36,719 10 3,787 1 1,552 0 0 0 0
Disclosed in part 1,824 31,628 662 155,624 157 107,090 56 99,365 3 34,854
All exempted 11 0 0 0 0 0 0 0 0 0
All excluded 1 0 0 0 0 0 0 0 0 0
Request abandoned  1,106 331 5 1,163 1 576 0 0 0 0
Neither confirmed nor denied 4 0 0 0 0 0 0 0 0 0
Total 12,608 68,678 677 160,574 159 109,218 56 99,365 3 34,854
2.5.3 Other complexities
Disposition Consultation Required Legal Advice Sought Interwoven Information Other Total
All disclosed 3 0 0 0 0
Disclosed in part 0 0 2,380 0 2,380
All exempted 0 0 0 0 0
All excluded 0 0 0 0 0
Request abandoned 0 0 0 0 0
Neither confirmed nor denied 0 0 0 0 0
Total 0 0 2,380 0 2,380

2.6 Deemed refusals

2.6.1 Reasons for not meeting statutory deadline
Number of requests closed past the statutory deadline Workload External consultation Internal consultation Other
296 156 17 8 115
2.6.2 Number of days past deadline
Number of Days Past Deadline Number of Requests Past Deadline Where No Extension Was Taken Number of Requests Past Deadline Where An Extension Was Taken Total
1 to 15 days 58 36 94
16 to 30 days 8 19 27
31 to 60 days 11 23 34
61 to 120 days 2 25 27
121 to 180 days 0 11 11
181 to 365 days 1 51 52
More than 365 days 16 35 51
Total 96 200 296
2.7 Requests for translation
Translation Requests Accepted Refused Total
English to French  0 0 0
French to English  0 0 0
Total 0 0 0

Part 3 — Disclosures Under Subsection 8(2) and 8(5)

Paragraph 8(2)(e) Paragraph 8(2)(m) Paragraph 8(5) Total
695 1 1 697

Part 4 — Requests for Correction of Personal Information and Notations

Disposition for Correction Requests Received Number
Notations attached 21
Requests for correction accepted 0
Total 21

Part 5 — Extensions

5.1 Reasons for extensions and disposition of requests
Disposition of Requests Where an Extension Was Taken 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation or conversion
Section 70 Other
All disclosed 194 0 2 0
Disclosed in part 901 0 28 0
All exempted 5 0 0 0
All excluded 0 0 0 0
No records exist 32 0 1 0
Request abandoned 32 0 0 0
Total 1,164 0 31 0
5.2 Length of extensions
Length of Extensions 15(a)(i) Interference with operations 15(a)(ii) Consultation 15(b) Translation purposes
Section 70 Other
1 to 15 days 0 0 0 0
16 to 30 days 1,164 0 31 0
Total 1,164 0 31 0

Part 6 — Consultations Received From Other Institutions and Organizations

6.1 Consultations received from other government institutions and organizations
Consultations Other Government of Canada Institutions Number of Pages to Review Other Organizations Number of Pages to Review
Received during the reporting period 103 5,535 1 39
Outstanding from the previous reporting period 5 31,159 0 0
Total 108 36,694 1 39
Closed during the reporting period 102 3,781 0 0
Pending at the end of the reporting period 6 32,913 1 39
6.2 Recommendations and completion time for consultations received from other Government of Canada institutions (days)
Recommendation 1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365 Total
All disclosed 14 16 4 2 0 0 0 36
Disclosed in part 23 26 9 1 0 0 0 59
All exempted 5 2 0 0 0 0 0 7
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 2 0 0 0 0 0 0 0
Total 42 44 13 3 0 0 0 102
6.3 Recommendations and completion time for consultations received from other organizations (days)
Recommendation 1 to 15 16 to 30 31 to 60 61 to 120 121 to 180 181 to 365 More than 365 Total
All disclosed 0 0 0 0 0 0 0 0
Disclosed in part 0 0 0 0 0 0 0 0
All exempted 0 0 0 0 0 0 0 0
All excluded 0 0 0 0 0 0 0 0
Consult other institution 0 0 0 0 0 0 0 0
Other 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0

Part 7 — Completion time of consultations on Cabinet confidences

7.1 Requests with Legal Services
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0
7.2 Requests with Privy Council Office
Number of Days Fewer Than 100 Pages Processed 101-500 Pages Processed 501-1000 Pages Processed 1001-5000 Pages Processed More than 5000 Pages Processed
Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed Number of Requests Pages Disclosed
1 to 15 0 0 0 0 0 0 0 0 0 0
16 to 30 0 0 0 0 0 0 0 0 0 0
31 to 60 0 0 0 0 0 0 0 0 0 0
61 to 120 0 0 0 0 0 0 0 0 0 0
121 to 180 0 0 0 0 0 0 0 0 0 0
181 to 365 0 0 0 0 0 0 0 0 0 0
More than 365 0 0 0 0 0 0 0 0 0 0
Total 0 0 0 0 0 0 0 0 0 0

Part 8 - Complaints and Investigations Notices Received

Section 31 Section 33 Section 35 Court action Total
64 35 29 0 128

Part 9 - Privacy Impact Assessments (PIAs)

Number of PIA(s) completed 8

Part 10 — Resources related to the Privacy Act

10.1 Costs
Expenditures Amount
Salaries $4,075,962
Overtime $65,990
Goods and Services: Professional services contracts $0
Goods and Services: Other $179,478
Total $4,321,430
10.2 Human Resources
Resources Person Years Dedicated to Privacy Activities
Full-time employees 47.642
Part-time and casual employees 3.44
Regional staff 0.00
Consultants and agency personnel 0.00
Students 0.00
Total 51.08
Exemptions Tables for the Privacy Act
Section Number of requests
22.4 National Security and Intelligence Committee 0
27.1 Patent or Trademark privilege 0
Date modified: