Friday, July 14, 2006

Privacy Commissioner's Audit of Canada Border Services Agency find privacy protections lacking

The Office of the Privacy Commissioner of Canada has just recently released the result of its audit of the Canada Border Services Agency, focusing particularly on the sharing of information between the CBSA and other countries. The Commissioner's office found that the CBSA hasn't been following the required procedures when it comes to information sharing with the United States, as much information is provided verbally without any record being made of the information provided and to whom. Here is the executive summary from the Audit:

Audit of the Personal Information Management Practices of the Canada Border Services Agency (June 2006) Privacy Commissioner of Canada

Section I - Main Messages

1.1 We found that the Canada Border Services Agency (CBSA) has systems and procedures in place for managing and sharing personal information with other countries. However, significant opportunities exist to better manage privacy risks and achieve greater accountability, transparency and control over the trans-border flow of data. Trans-border data flows refer to personal information that is collected or disclosed across international borders.

1.2 Written requests for assistance from foreign governments are processed in accordance with requirements. However, many of the information exchanges between the CBSA and the United States at the regional level are verbal, and are not based on written requests. These exchanges are not recorded consistently and do not follow the approval process as established under CBSA policy. Furthermore, they are not compliant with the terms of the Canada-United States Customs Mutual Assistance Agreement of June 1984.

1.3 The CBSA needs a coordinated method of identifying and tracking all flows of its trans-border data. The Agency cannot, with a reasonable degree of certainty, report either on the extent to which it shares personal information with the United States, or how much and how often it shares this information. By extension, it cannot be certain that all information sharing activities are appropriately managed and comply with section 107 of the Customs Act and section 8 of the Privacy Act.

1.4 Generally, the controls surrounding the Passenger Information System (PAXIS) and the Integrated Customs Enforcement System (ICES) are sound. These two key systems contain sensitive personal information about millions of travellers. Notably, foreign jurisdictions do not have direct access to these systems, and electronic disclosures to the United States under the Shared Lookout and High-Risk Traveller Identification initiatives are transmitted over secure channels. However, there are opportunities to strengthen controls to further reduce the risk that personal information could be improperly used or disclosed. These opportunities include:

  • completing the introduction of a new security management framework as initiated by the CBSA;
  • updating and clarifying roles and responsibilities for IT functions;
  • ensuring system access rights are kept up-to-date;
  • implementing audit control capability for lookout data printouts; and
  • introducing a mechanism for Canada and the United States to assure each other that the system controls and protection of shared personal information are adequate.

1.5 The CBSA needs to explore ways to improve the quality and control of data it acquires under the Advance Passenger Information/Personal Name Record (API/PNR) initiative to ensure that personal information is as accurate and complete as possible.

1.6 The CBSA has not yet evaluated the effectiveness of the High-Risk Traveller Identification (HRTI) Initiative with the United States because the project has yet to be fully implemented. In particular, it should assess the extent to which inaccurate or incomplete data may affect enforcement objectives and individual travellers. Until the CBSA has evaluated the initiative, the Agency will not be able to demonstrate that it has achieved its objective and, accordingly, that the collection and use of vast amounts of personal information about millions of travellers is justified.

1.7 The CBSA is a new entity. Therefore, the time is opportune for the Agency to articulate and implement a comprehensive privacy management framework. In particular, the CBSA should work toward updating and strengthening its agreements with the United States covering the sharing of personal information. The Agency should also consolidate its reporting of privacy incidents and look for ways of improving the monitoring of personal information disclosures.

1.8 Finally, the activities associated with sharing data across borders should be made more transparent. A clear and complete picture of these activities is not readily available to show what information is shared with whom, and for what purpose. As is true for other departments, the CBSA’s trans-border data flows are not accounted for in meaningful detail. More transparency is needed to better inform Parliament and the Canadian public about activities in this area.

1.9 Addressing such matters is in the public interest. We believe that strong privacy management and accountability are essential for dealing with the public’s concerns about the flow of personal information from Canada to other countries.

No comments: