The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Friday, July 14, 2006

Privacy Commissioner's Audit of Canada Border Services Agency finds privacy protections lacking

The Office of the Privacy Commissioner of Canada has just recently released the result of its audit of the Canada Border Services Agency, focusing particularly on the sharing of information between the CBSA and other countries. The Commissioner's office found that the CBSA hasn't been following the required procedures when it comes to information sharing with the United States, as much information is provided verbally without any record being made of the information provided and to whom. Here is the executive summary from the Audit:

Audit of the Personal Information Management Practices of the Canada Border Services Agency (June 2006) Privacy Commissioner of Canada

Section I - Main Messages

1.1 We found that the Canada Border Services Agency (CBSA) has systems and procedures in place for managing and sharing personal information with other countries. However, significant opportunities exist to better manage privacy risks and achieve greater accountability, transparency and control over the trans-border flow of data. Trans-border data flows refer to personal information that is collected or disclosed across international borders.

1.2 Written requests for assistance from foreign governments are processed in accordance with requirements. However, many of the information exchanges between the CBSA and the United States at the regional level are verbal, and are not based on written requests. These exchanges are not recorded consistently and do not follow the approval process as established under CBSA policy. Furthermore, they are not compliant with the terms of the Canada-United States Customs Mutual Assistance Agreement of June 1984.

1.3 The CBSA needs a coordinated method of identifying and tracking all flows of its trans-border data. The Agency cannot, with a reasonable degree of certainty, report either on the extent to which it shares personal information with the United States, or how much and how often it shares this information. By extension, it cannot be certain that all information sharing activities are appropriately managed and comply with section 107 of the Customs Act and section 8 of the Privacy Act.

1.4 Generally, the controls surrounding the Passenger Information System (PAXIS) and the Integrated Customs Enforcement System (ICES) are sound. These two key systems contain sensitive personal information about millions of travellers. Notably, foreign jurisdictions do not have direct access to these systems, and electronic disclosures to the United States under the Shared Lookout and High-Risk Traveller Identification initiatives are transmitted over secure channels. However, there are opportunities to strengthen controls to further reduce the risk that personal information could be improperly used or disclosed. These opportunities include:

  • completing the introduction of a new security management framework as initiated by the CBSA;
  • updating and clarifying roles and responsibilities for IT functions;
  • ensuring system access rights are kept up-to-date;
  • implementing audit control capability for lookout data printouts; and
  • introducing a mechanism for Canada and the United States to assure each other that the system controls and protection of shared personal information are adequate.

1.5 The CBSA needs to explore ways to improve the quality and control of data it acquires under the Advance Passenger Information/Personal Name Record (API/PNR) initiative to ensure that personal information is as accurate and complete as possible.

1.6 The CBSA has not yet evaluated the effectiveness of the High-Risk Traveller Identification (HRTI) Initiative with the United States because the project has yet to be fully implemented. In particular, it should assess the extent to which inaccurate or incomplete data may affect enforcement objectives and individual travellers. Until the CBSA has evaluated the initiative, the Agency will not be able to demonstrate that it has achieved its objective and, accordingly, that the collection and use of vast amounts of personal information about millions of travellers is justified.

1.7 The CBSA is a new entity. Therefore, the time is opportune for the Agency to articulate and implement a comprehensive privacy management framework. In particular, the CBSA should work toward updating and strengthening its agreements with the United States covering the sharing of personal information. The Agency should also consolidate its reporting of privacy incidents and look for ways of improving the monitoring of personal information disclosures.

1.8 Finally, the activities associated with sharing data across borders should be made more transparent. A clear and complete picture of these activities is not readily available to show what information is shared with whom, and for what purpose. As is true for other departments, the CBSA’s trans-border data flows are not accounted for in meaningful detail. More transparency is needed to better inform Parliament and the Canadian public about activities in this area.

1.9 Addressing such matters is in the public interest. We believe that strong privacy management and accountability are essential for dealing with the public’s concerns about the flow of personal information from Canada to other countries.

The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.