Thursday, November 17, 2011

Privacy Commissioner of Canada releases annual report on public sector privacy law

Jennifer Stoddart has just tabled her annual report to Parliament on the Privacy Act, Canada's federal public sector privacy law: Annual Report to Parliament 2010-2011 - Report on the Privacy Act.

From her media release on the topic:

Audit of airport security measures flags concerns about over-collection and safeguarding of travellers’ personal information

2010-2011 Annual Report to Parliament on the Privacy Act examines the stewardship of personal information by Canada’s airport security authority, the RCMP and other federal departments and agencies

OTTAWA, November 17, 2011 – The Government of Canada is collecting too much information about some air travellers and is not always safeguarding it properly, Privacy Commissioner Jennifer Stoddart found in an audit published with her annual report today.

The audit of the privacy policies and practices of the Canadian Air Transport Security Authority (CATSA) concluded that the agency was reaching beyond its mandate by completing security reports on incidents which were not related to aviation security.

This was the case even with incidents involving an activity that was legal. For example, CATSA collected information about air passengers who were found to be carrying large sums of cash on domestic flights. CATSA also contacted police in such cases. Since it should not be collecting personal information about legal activities not related to aviation security, the Office of the Privacy Commissioner of Canada recommended that CATSA immediately cease that practice. CATSA agreed.

Moreover, the audit found that such incident reports, and other types of personal information collected by the agency, were not always properly secured.

“Documents containing sensitive personal information were left on open shelves and in plain view in a room where passengers may be taken for security checks,” Commissioner Stoddart reported.

The audit also identified other concerns about procedures not being followed during the screening process. When auditors visited the rooms where CATSA officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera even though these types of devices are strictly prohibited according to CATSA’s operating procedures.

“Fortunately, these irregularities were uncommon and we were pleased that CATSA moved quickly to correct them by issuing a reminder to staff and conducting inspections to ensure proper procedures were followed,” said Commissioner Stoddart.

Even so, she added, “the Government of Canada is entrusted with highly sensitive personal information, and is obliged to handle it with an uncompromising level of care—not some of the time, or even most of the time, but all of the time.”

The audit was summarized in the 2010-2011 annual report on the Privacy Act, which was tabled in Parliament today.

The annual report also contains a summary of another audit conducted by the Office of the Privacy Commissioner of Canada (OPC). It examined the Royal Canadian Mounted Police’s (RCMP) management of operational databases that are widely shared with other police forces, government institutions and other organizations.

The audit determined that, while the RCMP has policies and procedures to safeguard the sensitive information contained in the databases, there were also some disturbing gaps.

For instance, the Privacy Act, which governs the information-handling practices of federal government departments and agencies, requires that organizations retain personal information no longer than absolutely necessary. And yet, information about offences for which a pardon had been granted, or that resulted in a wrongful conviction, continues to be accessible in a database called the Police Reporting and Occurrence System.

“People who were convicted of an offence they did not commit, or who have been granted a pardon, have a right to go about their lives without information—and especially misinformation—about their past coming to light,” Commissioner Stoddart noted. “Such information must be more tightly controlled.”

The annual report highlights the work of the OPC in 2010-2011 in strengthening the privacy rights of Canadians. It summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act. The report also describes several Privacy Impact Assessments that federal institutions submitted to the Office for review during the past fiscal year.

Aimed at assessing the government’s stewardship of personal information, the report has separate chapters devoted to the collection, use and disclosure of data. Given the sensitive nature of the personal information that the state needs to govern, the report warns of grave consequences for its over-collection, misuse or inappropriate disclosure.

Aside from the two audit summaries, here are other highlights of today’s reports:

  • Biometric identifiers: Citizenship and Immigration Canada submitted Privacy Impact Assessments for two initiatives involving the use of fingerprints and other biometric identifiers for immigration control. The OPC recommended ways to strengthen privacy safeguards for vulnerable populations such as refugee claimants.
  • Passenger behaviour observation: A Privacy Impact Assessment for a new pilot project to observe airport travellers for suspicious activity raised several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.
  • Personal data breaches: The OPC received a record number of reports of breaches of personal information in 2010-2011. One involved a malfunction of the new My Service Canada Account website, a day after its launch, which allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.
  • Follow-up to past audits: During follow-ups on three audits originally conducted in 2008 and 2009, the entities that we audited indicated that 32 of 34 of the OPC’s recommendations had been fully or substantially implemented. For example, the RCMP reported that it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the Privacy Commissioner’s recommendations.

The full annual report and audit reports on CATSA’s aviation security measures and the RCMP operational databanks are available at

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.

No comments: