2010-2011 Annual Report of Privacy Commissioner of Canada
In the report, Stoddart is very critical of how personal information is being handled by Canada’s airport security authority, the Royal Canadian Mounted Police (RCMP) and other federal departments and agencies:
"While there is much to applaud, the record is not unblemished."
"In an audit of airport security measures, for instance, we looked inside the private rooms where officers review images generated by full-body scanners and found a closed-circuit television camera and a cellphone. We did not find many such devices with recording capabilities — but nor did we find none, as the rules require."
"We also found highly sensitive documents related to security incidents stored on open shelves and in boxes where passengers may be present."
"But of even greater concern to us was that security authorities were collecting more personal information than permitted under their mandate — on incidents that were not threats to air safety and that, in some cases, were not even illegal."
"A separate audit of the RCMP’s control over its operational databases also raised concerns over the stewardship of personal information."
"For example, when a person receives a pardon for a past crime, or is found to have been wrongfully convicted of an offence, the RCMP is supposed to block access to any information about the incident in its database. This hasn’t been happening, so even though people have a right to get on with their lives, information about their past can continue to be shared."
"Without question, the state needs personal information to govern. No government could avert a terrorist attack, fight crime, issue a passport or administer the tax system without data about individuals."
"Modern information technology facilitates the process. Data can be collected more rapidly and in greater quantity than ever before. It can also be processed, manipulated, transformed, stored and disclosed more readily than ever before."
"The stated objective of all this data management is better program delivery, strengthened public safety, and more effective governance and accountability."
"But, as this report describes, so much personal information in the hands of government can also pose risks to the privacy of individuals."
- Biometric identifiers: Citizenship and Immigration Canada submitted Privacy Impact Assessments for two initiatives involving the use of fingerprints and other biometric identifiers for immigration control. The OPC [Office of the Privacy Commissioner] recommended ways to strengthen privacy safeguards for vulnerable populations such as refugee claimants.
- Passenger behaviour observation: A Privacy Impact Assessment for a new pilot project to observe airport travellers for suspicious activity raised several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.
- Personal data breaches: The OPC received a record number of reports of breaches of personal information in 2010-2011. One involved a malfunction of the new My Service Canada Account website, a day after its launch, which allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.
- Follow-up to past audits: During follow-ups on three audits originally conducted in 2008 and 2009, the entities that we audited indicated that 32 of 34 of the OPC’s recommendations had been fully or substantially implemented. For example, the RCMP reported that it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the Privacy Commissioner’s recommendations.