CIMM - Data Breaches and Privacy Breaches - June 2, 2021
- The Government of Canada holds itself to the highest standards when protecting the personal information of our clients.
- Immigration, Refugees and Citizenship Canada (IRCC) is committed to safeguarding clients’ personal information and properly managing and protecting clients’ data by having strong privacy and security policies in place.
- IRCC discovered a privacy breach involving fingerprints and photographs that were inadvertently retained beyond the defined retention period.
- IRCC has engaged the Office of the Privacy Commissioner, and we are notifying affected clients to assure them that their records are well protected, and that their fingerprints and photo are being deleted.
- IRCC continually reviews its information management practices to ensure compliance with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
- IRCC is not aware of any cyber-attack, nefarious access or use or disclosure of personal information resulting from a breach of the Department's security safeguards.
- IRCC takes all privacy breaches very seriously. The Department has well-established training and awareness activities. It has implemented policies and guidelines so that breaches are contained, tracked and resolved as quickly as possible.
IRCC’s process and handling of privacy breaches
- The vast majority of privacy breaches at IRCC are considered "non-material", which are low risk/low impact (e.g., misdirected mail or email) and are dealt with internally. IRCC evaluates the level of risk based on Treasury Board of Canada Secretariat Guidelines for Privacy Breaches, in determining whether or not a breach is deemed "material".
- A material privacy breach involves sensitive personal information, and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals. The Office of the Privacy Commissioner of Canada (OPC) is only notified when “material” privacy breaches occur.
- While IRCC handles a significant amount of personal information and, as a result, is subject to the occurrence of privacy breaches, the number of reported privacy breaches is minimal compared to the overall processing volumes.
Fingerprint and photo privacy breach
- IRCC collects personal information from clients, including fingerprints and photographs, in support of their immigration application or refugee claim.
- Once a person becomes a Canadian citizen, fingerprints collected are deleted from immigration holdings by the Royal Canadian Mounted Police (RCMP) on IRCC’s behalf.
- Due to a system issue, the Government of Canada (IRCC, Royal Canadian Mounted Police, and Canada Border Services Agency) inadvertently retained personal information (biometric fingerprints and photos) of some immigration clients beyond the defined retention period.
- IRCC notified affected clients that their fingerprints were retained beyond the normal retention period.
- The information was always well protected. The biometric fingerprints and photographs of some clients were not immediately purged once Canadian citizenship was attained, as intended by departmental policy.
- IRCC continues to actively investigate the full scope of the situation and be transparent about this privacy breach:
- The OPC was notified on February 26, 2021.
- IRCC began notifying clients on March 19, 2021 that their biometrics were kept beyond the stated retention period.
- There is a public notice regarding the retention of biometric information available to clients on the IRCC website.
- The Department continues to actively engage with relevant partners, and continues consultation with the OPC.
- IRCC has established a dedicated point of contact for individuals to reach out to, if they have any questions or concerns.
- IRCC is taking this situation very seriously and has established a task force with senior level leadership to examine exactly what caused this breach, precisely how many individuals are affected, and how a breach of this nature can be prevented in the future.
- IRCC is working diligently to delete the biometric photographs of those who have become citizens from IRCC’s and CBSA’s holdings.
[If pressed on what the consequences are on the individuals as a result of the privacy breach?]
- The retention of this information beyond the defined retention period has resulted in some clients’ information being disclosed to law enforcement agencies, when fingerprints are verified by the law enforcement agency for a criminal inquiry or to place criminal charges.
- IRCC has notified the affected individuals of this disclosure.
- There is no reason to believe identity fraud or theft has occurred, as the information was always well protected, and was not publicly accessible. IRCC is committed to safeguarding clients’ personal information and ensuring that this information is properly managed and protected.
Notable IRCC breaches:
|Name of breach
|# of individuals affected
|Description of incident breach and mitigation measures taken
|Type of breach
Client Survey Privacy Breach
IRCC contracted Advanis to conduct its annual Client Service Evaluation Survey.
Program officials implemented measures to ensure this type of breach does not occur in the future. Of note, the 2021 Survey has been conducted: approximately 230,000 survey invitations were sent, and there were no known privacy breaches related to this year’s survey.
CPC-Sydney Privacy Breach
On April 29, 2020, CPC-Sydney sent out a message to 721 staff regarding a training initiative. In error, the personal email addresses of all those in receipt of the email were released to the other staff members.
- On August 13, 2020, Shared Services Canada notified IRCC of potentially compromised GCKeys with access to IRCC portals.
- GCKey is a Government of Canada credential service that is used by some federal departments to allow access to their services.
- In the case of this incident, usernames and passwords were acquired fraudulently (by bad actors), who then tried to gain access to government services.
- As soon as IRCC became aware of this security incident, we reviewed the activity on our 'My Account' portal and revoked access to 2,687 accounts that may have been affected.
- IRCC’s security control, a two-step authentication process, prevented the 'bad actors' from connecting to the IRCC client accounts, thus preventing a privacy breach.
- Clients were nonetheless notified about this incident and IRCC advised clients:
- of steps they should take to restore access to their online account;
- to update their accounts with a unique password and avoid reusing the same passwords for different systems and applications; and
- who to contact should they have additional questions.
Elections Canada Privacy Breach
- 34,293 individuals were affected by this material breach.
- In March 2019, IRCC and Elections Canada (EC) signed a Memorandum of Understanding (MOU) that allows IRCC to share non-citizen data with EC for the purpose of updating and maintaining the National Register of Electors.
- At EC’s request, on April 1, 2019, IRCC shared a data extract of permanent residents and long-term foreign nationals taken from the Global Case Management System that should not have included Canadian citizens, but it did.
- IRCC notified the OPC on January 28, 2020.
- Notification letters were sent out September 23, 2020.
- Program officials implemented measures to ensure this type of breach does not occur in the future.
- In the event of a privacy breach, IRCC responds quickly by containing the breaches, notifying affected individuals, and implementing measures to prevent the breaches from happening again.
- IRCC has developed and implemented comprehensive internal privacy breach guidelines.
- IRCC continually reviews its processes in order to ensure the highest standard in respecting and complying with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
- IRCC reports material privacy breaches to the Office of the Privacy Commissioner and Treasury Board Secretariat.
Fingerprint and photo privacy breach
- To protect the integrity of its immigration system, IRCC collects personal information from clients, including fingerprints and biometric photographs in support of their immigration application or refugee claim. These photographs should have been deleted from IRCC, Royal Canadian Mounted Police, and Canada Border Services Agency immigration holdings or databases once clients became Canadian citizens.
- It is an IRCC policy that once a person becomes a Canadian citizen, fingerprints that were collected during the application process are deleted from immigration holdings by the Royal Canadian Mounted Police on IRCC’s behalf.
- IRCC continues to enhance its systems and business rules to ensure better system functionality. Strengthened verification and control measures are also being put in place.