The Government of Canada holds itself to the highest standards when protecting the personal information of its clients.
Immigration, Refugees and Citizenship Canada (IRCC) is committed to safeguarding clients’ personal information and properly managing and protecting clients’ information by having strong privacy and security policies in place.
IRCC takes all privacy breaches very seriously.
In the event of a breach, IRCC responds quickly to contain the breach and reviews its processes with a view to adjusting or implementing measures to help prevent a breach from happening again.
IRCC continually reviews its information management practices to ensure compliance with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
Supplementary messages
Privacy breaches
The Department has well-established training and awareness activities to respond to privacy breaches. It has implemented policies and guidelines so that breaches are contained, tracked and resolved as quickly as possible.
IRCC’s process and handling of privacy breaches
The vast majority of privacy breaches at IRCC are considered “non-material”, which are low risk/low impact and are dealt with internally. IRCC evaluates the level of risk based on Treasury Board of Canada Secretariat (TBS) Guidelines for Privacy Breaches, in determining whether or not a breach is deemed “material”.
A material privacy breach involves sensitive personal information, and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals. The Office of the Privacy Commissioner of Canada (OPC) and TBS are only notified when “material” privacy breaches occur.
While IRCC handles a significant amount of personal information and, as a result, is subject to the occurrence of privacy breaches, the number of reported privacy breaches is minimal compared to the overall processing volumes.
IRCC Afghanistan-related privacy breaches: Client Support Centre breach
On October 18, 2021, personal information of 636 individuals was inadvertently released in four emails sent by the Client Support Centre. This error was discovered on the same day the breach occurred.
These individuals were addressed in the “To” line instead of the “BCC” (blind copy) line, exposing their email addresses to all recipients. The subject/topic of the message, which was related to Afghanistan, was also released. The breach was limited to the people within each of the four emails.
The Department has assessed that no client’s name or photo was included in the text of the IRCC-issued emails. However, a client’s preferences, as defined in their user profile with their personal email provider (e.g. Gmail or Hotmail), may have caused their profile picture or name to be displayed.
On October 22, 2021, a letter of apology was sent to all affected individuals and they were also asked to delete all copies of the email received.
On October 26, 2021, the CBC published an article on the privacy breach, claiming that the names and photos of individuals were released and that families further feared for their safety as a result of this privacy breach.
On October 28, 2021, as this privacy breach is considered a “material” privacy breach, IRCC informed the OPC and TBS, as per the TBS Guidelines for Privacy Breaches.
IRCC put in place measures to prevent recurrence of a privacy breach at the Client Support Centre (CSC), including:
The creation of a written procedure, which included a step-by-step visual job aid. There will be lower limits to how many people will be included in an email. These measures will minimize the impact of a privacy breach due to human error in the future.
On October 18, 2021, a new Webform was implemented to help streamline intake and better triage client enquiries upon receipt.
IRCC continues to explore ways in which we can protect client information through the development and implementation of possible mitigation measures.
IRCC Moscow privacy breach
On September 7, 2021, personal information about an application was misdirected when an email address was entered into Outlook, and it auto-populated an address for a third party.
The email contained proof of employment certificates from the Embassy of Canada in Afghanistan, along with other personal information. Of note, the recipient of the misdirected email was not an individual unknown to the Department, but rather someone who had contacted IRCC inquiring about their own family’s application.
IRCC immediately attempted to recall the message and sent a follow-up message requesting deletion.
The third party who received the misdirected information has confirmed deletion.
Apology letters were sent to the identified individuals.
On September 23, 2021, as this privacy breach is considered a “material” privacy breach, IRCC informed the OPC and TBS, as per the TBS Guidelines for Privacy Breaches.
A reminder was sent to all staff regarding the importance of double checking correspondence addresses.
Background
Privacy breaches
In the event of a privacy breach, IRCC responds quickly by containing the breaches, notifying affected individuals, and implementing measures to prevent the breaches from happening again.
IRCC has developed and implemented comprehensive internal privacy breach guidelines.
IRCC continually reviews its processes in order to ensure the highest standard in respecting and complying with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
IRCC reports material privacy breaches to the OPC and TBS.