The Government of Canada holds itself to the highest standards when protecting the personal information of its clients.
Immigration, Refugees and Citizenship Canada (IRCC) is committed to safeguarding clients’ personal information and properly managing and protecting clients’ information by having strong privacy and security policies in place.
IRCC takes all privacy breaches very seriously.
In the event of a breach, IRCC responds quickly to contain the breach and reviews its processes with a view to adjusting or implementing measures to help prevent a breach from happening again.
IRCC continually reviews its information management practices to ensure compliance with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
Supplementary Messages
Privacy breaches
The Department has well-established training and awareness activities to respond to privacy breaches. It has implemented policies and guidelines so that breaches are contained, tracked and resolved as quickly as possible.
IRCC’s process and handling of privacy breaches
The vast majority of privacy breaches at IRCC are considered “non-material”, which are low risk/low impact (e.g. misdirected mail or email) and are dealt with internally. IRCC evaluates the level of risk based on Treasury Board of Canada Secretariat (TBS) Guidelines for Privacy Breaches, in determining whether or not a breach is deemed “material”.
A material privacy breach involves sensitive personal information, and could reasonably be expected to cause serious injury or harm to the individual and/or involves a large number of affected individuals. The Office of the Privacy Commissioner of Canada (OPC) and TBS are only notified when “material” privacy breaches occur.
While IRCC handles a significant amount of personal information and, as a result, is subject to the occurrence of privacy breaches, the number of reported privacy breaches is minimal compared to the overall processing volumes.
Recent IRCC privacy breaches: Client Support Centre privacy breach related to Afghanistan
On October 18, 2021, personal information of 636 individuals was inadvertently released in four emails sent by the Client Support Centre.
These individuals were addressed in the “To” line instead of the “BCC” (blind copy) line, exposing their email addresses to all recipients. The subject/topic of the message, which was related to Afghanistan, was also released. The breach was limited to the people within each of the four emails; no one person received the information of the 636 other people.
The Department has assessed that no client’s name or photo was included in IRCC-issued emails. However, a client's preference, as defined in their user profile with their personal email provider (e.g. Gmail or Hotmail), may have displayed their profile picture or name.
This error was discovered on the same day the breach occurred.
On October 22, 2021, a letter of apology was sent to all affected individuals and they were also asked to delete all copies of the email received.
On October 28, 2021, as this privacy breach is considered a “material” privacy breach, IRCC informed the OPC and TBS, as per the TBS Guidelines for Privacy Breaches.
IRCC took immediate action to prevent recurrence of this privacy breach. The numerous measures include:
The creation of a written procedure, which will include a step-by-step visual job aid. There will be lower limits to how many people will be included in an email. These measures will minimize the risk of a privacy breach due to human error in the future.
There is a new special measures webform for people to ask the Department questions. This webform streamlines the intake, triage and processing of client enquiries related to Afghanistan.
IRCC continues to explore ways in which we can protect client information through the development and implementation of possible mitigation measures.
Fingerprint and photo privacy breach
IRCC collects personal information from clients, including fingerprints and photographs, in support of their immigration application or refugee claim.
Once a person becomes a Canadian citizen, fingerprints collected are deleted from immigration holdings by the Royal Canadian Mounted Police (RCMP) on IRCC’s behalf.
Due to a system issue, the Government of Canada (IRCC, RCMP, and Canada Border Services Agency [CBSA]) inadvertently retained personal information (biometric fingerprints and photos) of some immigration clients beyond the defined retention period. The biometric fingerprints and photographs of some clients were not immediately purged once Canadian citizenship was attained, as intended by departmental policy.
IRCC notified affected clients that their fingerprints were retained beyond the normal retention period.
The information was always well protected.
IRCC continues to actively investigate the full scope of the situation and to be transparent about this privacy breach:
The OPC was notified on February 26, 2021.
IRCC began notifying clients on March 19, 2021 that their biometrics were kept beyond the stated retention period.
There is a public notice regarding the retention of biometric information available to clients on the IRCC website.
The Department continues to actively engage with relevant partners, and consultation with the OPC is ongoing.
IRCC has established a dedicated point of contact for individuals to reach out to, if they have any questions or concerns.
IRCC is taking this situation very seriously and has established a task force with senior level leadership to examine exactly what caused this breach, precisely how many individuals are affected, and how a breach of this nature can be prevented in the future.
IRCC is working diligently to delete the biometric photographs of those who have become citizens from IRCC’s and CBSA’s holdings and notify those clients of the retention error. The fingerprints of all notified clients have been purged.
IRCC is reviewing client records to ensure that biometrics are deleted from any citizen case file. If additional cases are discovered, IRCC will delete the information stored past the retention date and notify the client of our error.
If pressed on what the consequences are for individuals as a result of the privacy breach:
The retention of this information beyond the defined retention period resulted in some clients’ information being disclosed to law enforcement agencies, when fingerprints are verified by the law enforcement agency for a criminal inquiry or to lay criminal charges.
IRCC has notified the affected individuals of this disclosure.
There is no reason to believe identity fraud or theft has occurred, as the information was always well protected, and was not publicly accessible. IRCC is committed to safeguarding clients’ personal information and ensuring that this information is properly managed and protected.
OPC’s Examination of the Passport Program’s Personal Information Management Practices
IRCC is accountable for the Passport Program, which issues Canadian passports and travel documents. IRCC executes the program in collaboration with its partner organizations, Global Affairs Canada (GAC), Canada Post Corporation (CPC) and Employment and Social Development Canada (ESDC).
On June 19, 2019, the OPC informed IRCC of its intention to carry out a review of passport management practices, which was undertaken as a result of the significant number of breach reports and complaints received by the OPC related to the loss or unauthorized disclosure of passport information.
According to the OPC’s final report, they found no indications of inadequacies with the measures in place to prevent unauthorized disclosures of passports. Overall, the volume of passports lost or stolen while under the control of the institutions is not high compared to the number of passports issued.
The OPC has recommended a few areas of potential improvement. IRCC and our partner organizations agree with the recommendations and are currently working to address them.
A summary of the OPC’s review, and its conclusions, were included in the OPC’s Annual Report to Parliament, which was tabled on December 9, 2021.
Background
Privacy breaches
In the event of a privacy breach, IRCC responds quickly by containing the breaches, notifying affected individuals, and implementing measures to prevent the breaches from happening again.
IRCC has developed and implemented comprehensive internal privacy breach guidelines.
IRCC continually reviews its processes in order to ensure the highest standard in respecting and complying with the Privacy Act. Employees are informed and trained on policies and procedures relating to privacy protections.
IRCC reports material privacy breaches to the OPC and TBS.