CBSA Annual Report
This report provides an overview of the activities of the Canada Border Services Agency (CBSA) relating to the management of the Privacy Act between April 1, 2009 and March 31, 2010.
In 2009-2010, the CBSA introduced procedures and practices that will ensure the continued provision of timely service to Canadians who seek to exercise their right to access records under the Privacy Act, and which demonstrate leadership in the management of increasingly numerous and complex privacy requests.
As part of the Public Safety portfolio, the CBSA is responsible for providing integrated border services that support national security priorities and facilitate the free flow of people and goods, including food, plants and animals, across the border.
On April 1, 2004, the CBSA established the Access to Information and Privacy (ATIP) Section. This section was initially staffed with six employees based on an estimated annual workload of between 250 and 350 requests. During the 2007–2008 fiscal year, due to growing demand on the Agency, the ATIP Section was expanded and replaced by the CBSA's ATIP and Disclosure Policy Division, which now staffs 38 full time employees. In 2009–2010, the CBSA received 1,385 requests under the Privacy Act, an increase of 245 files, or 21.5% from the previous reporting year. The Agency completed 95.6% of all privacy requests within the 30 day legislated time frame while managing this challenging workload.
The Privacy Act came into effect on July 1st, 1983. The purpose of the Act is to provide individuals with the right to seek access to their personal information held by the federal government, as well as to govern the collection, use, disclosure, retention and disposal of that personal information.
As stated in Section 72(1) of the Act "The head of every government institution shall prepare for submission to Parliament an annual report on the administration of this Act within the institution during each financial year".
The ATIP Coordinator for the CBSA is the Director of the Access to Information and Privacy Division. The ATIP Division is part of the Corporate Secretariat, which reports directly to the President of the CBSA. Consistent with the best practices identified by the Treasury Board of Canada Secretariat (TBS), the ATIP Coordinator is positioned within two levels of the President, and enjoys full delegated authority reporting directly to the Corporate Secretary, who, in turn, reports to the President.
The ATIP Division is comprised of three units: two Case Management units and a Policy and Training unit. The Case Management units task all branches and regions with records retrieval requests and provide daily operational guidance and support to Agency employees.
The Policy and Training unit develops policies, tools and procedures to facilitate the retrieval of records, provides ATIP and privacy training to all CBSA employees, registers Personal Information Banks in Info Source, and maintains the CBSA Privacy Management Framework, an 'evergreen' needs analysis of access and privacy requirements within the CBSA. At the end of the 2009-2010 reporting period 38 full time equivalents (FTE) were employed in the ATIP Division :
|CBSA Access to Information and Privacy Division FTEs|
|Policy & Training (inc. Administration)||11|
|Case Management A||12|
|Case Management B||13|
In 2009-2010, the CBSA created the Information Sharing Unit (ISU), which is part of the Legislation and Program Integration Division, in the Planning and Performance Management Directorate.
The ISU supports and coordinates strategic and/or horizontal information sharing initiatives for the CBSA in an effort to address information sharing challenges, such as seeking regulatory or legislative changes, developing disclosure policy and relevant memoranda of understanding, or coordinating information sharing activities on behalf of internal or external stakeholders, including international partners. Within this mandate, the ISU provides policy guidance to CBSA programs related to the collection and disclosure of information, under sub-section 8(2) of the Privacy Act and section 107 of the Customs Act.
The ISU has the responsibility to ensure that information sharing legislation, policy and procedures are clearly and consistently understood throughout the Agency. This includes the coordination and vetting of training materials in coordination with the Human Resources Branch's Training and Learning Division.
|Information Sharing Unit FTEs|
There were no Privacy Impact Assessments completed during the 2009-2010 fiscal year.
Two CBSA PIA's are currently being evaluated by the Office of the Privacy Commissioner (OPC). "Cross Border Currency Reporting Program" was submitted to the OPC in December 2009, and "Four Country Conference (FCC)" was submitted on April 12, 2009. In addition, several Preliminary Privacy Impact Assessments (PPIA) were initiated during the reporting period, an example of which is described below:
The CBSA submitted a PPIA to the OPC on November 30, 2009 related to the Anti-Doping Information-Sharing Memorandum of Understanding between the CBSA and the International Olympic Committee and the International Paralympic Committee.
The PPIA was completed by the CBSA Olympic and Paralympics Task Force of the Operations Branch, with oversight fromthe Corporate Secretariat, Corporate Security and Intelligence Programs, and the Office of the Privacy Commissioner. The purpose was to establish the conditions to allow information collected during port of entry enforcement actions to be shared with the International Olympic Committee and the International Paralympic Committee, relating to controlled, prohibited or regulated substances found on accredited Olympic and Paralympic participants.
Impacted by this initiative were athletes, coaches, trainers, officials, team officials, support personnel and other members of the national Olympic Committee or Paralympic Committee delegations.
Legislative authority for the collection and use of personal information outlined in this PPIA include sections 11, 12, 13, 95, 98, 99, 101, and 110 of the Customs Act, and section 5 of the Canada Border Services Agency Act.
The use of personal information outlined in this PPIA was initiated on January 25, 2010 and concluded on March 25, 2010.
For further information, please visit: http://cbsa-asfc.gc.ca/agency-agence/reports-rapports/pia-efvp/atip-aiprp/adis-erca_20100222-eng.html
In 2009-2010, available resources were focused towards educational initiatives that supported the implementation of streamlined request processing procedures throughout the Agency. To this end, 572 employees in high-demand areas participated in ATIP Awareness Sessions, which are designed to ensure that the CBSA employees fully understand the procedures and their responsibilities under the Privacy Act. With the success of this program, the Division is taking steps to deliver more sessions in 2010 – 2011.
Within the ATIP Division, employees received on-site case management and redaction software training and were encouraged to attend courses provided by the TBS and the Canada School of Public Service (CSPS) relating to the interpretation of the Act. Employees were also provided with ongoing mentoring by senior analysts, team leaders and managers.
In 2009-2010, the ISU reviewed all information sharing training delivered within the CBSA to ensure consistency and completeness of the material. In collaboration with the ATIP Division's Policy and Training Unit, a review of the Port of Entry Recruit Training Privacy Training was done. In addition, the ISU began development of training for the CBSA's investigative bodies on proper use of the designation pursuant to paragraph 8(2)(e) of the Privacy Act as well as a course entitled "Introduction to Information Sharing for the CBSA." Both these courses will be finalized and implemented in 2010-2011.
On April 1st, 2010, as part of its ongoing Change Agenda, the CBSA implemented a new organizational structure designed to establish clearer lines of accountability within the Agency. This new model will also create clear distinctions between program management, to be carried out at headquarters, and program delivery, to be carried out in the regions.
The ISU was created within the Programs Branch to develop frameworks, policies, strategies and plans related to information sharing as described under section 8(2) of the Privacy Act and section 107 of the Customs Act. The ISU will also assume responsibility for supporting PIA's. The ATIP Division will focus on the administration and interpretation of the Access to Information Act and the Privacy Act.
In response to concerns raised by the Treasury Board of Canada Secretariat (TBS) in the 2009-2010 Management Accountability Framework (MAF) exercise, the CBSA revised its Info Source update procedures to ensure that Personal Information Banks (PIB) fully reflect the collection and use of personal information by CBSA programs and activities.
To address the situation, the ATIP Division now works directly with the responsible program managers to ensure that their Class of Records and PIB's are accurate, thus facilitating the public's access to information contained in CBSA systems or held by CBSA programs. This new approach allows the ATIP Division to answer any questions programs managers may have and facilitates the identification required PIA updates.
A dditionally, in 2010, the CBSA began drafting a new PIA Approval Process that will be in place by September 2010, as required by the new TBS Directive on Privacy Impact Assessment.
The new PIA Approval Process will be published in conjunction with revised CBSA Delegation and Designation Orders.
In a 2006 audit of transborder data flows the OPC made 19 recommendations to improve aspects of information management within the CBSA.
In her Annual Report to Parliament 2008-2009 – Report on the Privacy Act, the Commissioner noted that CBSA had fully implemented or made progress on all 19 recommendations.
Notably, in 2010, the CBSA will complete a Privacy Management Framework (PMF). An Agency-wide gap analysis exercise with recommendations for the development of specific tools, training modules and measurement and governance instruments which will allow it to better record and track the collection and disclosures of personal information and improve public reporting of cross-border data flows. The PMF will be maintained on an 'evergreen basis', in order to identify and respond to new demands on a timely basis.
The ISU is finalizing an electronic form to track 8(2)(e) disclosures and is completing a review of information-sharing agreements with the U.S, including the development of information safeguards and standards.
In response to the Status Report published by the Auditor General of Canada (OAG) in March 2009, the CBSA implemented several procedural changes related to information sharing.
The OAG addressed the absence of an "agency-wide data quality procedure" and focused on the methods used by the CBSA to ensure the accuracy of lookouts. In response, the Agency updated its systems to ensure consistency in the review and maintenance of lookouts, and issued guidelines to ensure that lookouts are requested in a consistent manner. Furthermore, the PMF proposes the development of new directives designed to ensure the accuracy of personal information collected by the CBSA. Further updates to policy are therefore anticipated.
Lastly, the OAG identified 16 instances where departments and agencies reported potential legal barriers to information sharing. In response the ISU conducted extensive consultations with other government departments, with whom the CBSA regularly shares information, such as the Royal Canadian Mounted Police and Citizenship and Immigration. As a result, new mechanisms and safeguards were identified which greatly improve the capacity of the CBSA to lawfully share information.
During the 2009–2010 fiscal year, no disclosures pursuant to paragraph 8(2)(m) of the Privacy Act were made by the CBSA.
See Annex A (PDF, 167 KB) for a signed copy of the Delegation Order.
See Annex B (PDF, 68 KB) for the CBSA's statistical report on the Privacy Act.
In 2009-2010, the CBSA updated its procedures in order to ensure that it continues to provide a high level of service to requesters while addressing increased workload related issues. These practices have had success, as indicated by the following table:
|Fiscal Year||Received||Completed||% On time|
Overall, the CBSA received 1,385 privacy requests in 2009-2010, a 21.5% increase from the previous year. In total, 178 requests were carried forward from 2008-2009. Similarly, 220 requests were carried forward from 2009-2010 to the current 2010-2011 period.
The CBSA completed 1,343 privacy requests during 2009-2010, just slightly less than 97% of the total number of request that it received. Of these, 95.6% were completed within the statutory time frames.
|Requests completed in 2009-2010|
|30 days or under||865|
|31 days to 60 days||371|
|61 days to 120 days||86|
|121 days or over||21|
|Disposition of requests completed|
|Disclosed in part||954|
|Nothing disclosed (excluded)||1|
|Nothing disclosed (exempt)||3|
|Unable to process||191|
|Abandoned by applicant||77|
Finally, approximately 25% of privacy requests received in 2009-2010 required consultation with other government departments.
Under certain conditions the Privacy Act allows departments to extend the 30 day period by which requests must be completed. Section 15 of the Act permits extensions of up to an additional 30 days if there is a need for consultations, translations, or if the search for the requested documents would unreasonably interfere with the operations of the institution. The CBSA applied 386 extensions to requests during 2009-2010 as indicated in the table below:
|Reason for extension||Extensions taken|
Section 29(1) of the Privacy Act describes how the OPC receives and investigates complaints from individuals in respect to their private information held by a government institution. Examples of complaints the OPC may choose to investigate include: refusal of access to personal information, when an individual alleges that personal information about themselves held by a government institution has been used or disclosed beyond the scope of the Act, or if an individual has not been given access to personal information in the official language requested by the individual.
In 2009–2010, 16 privacy complaints were filed against the CBSA by the OPC. This number represents a significant decrease from 2008-2009, when the Agency received 31 complaints. The 16 complaints were related to: time delay (2), general reasons (7), applied exemptions (6) and use and disclosure (1). In addition, there were 33 active complaints in the OPC inventory carried over from previous years.
During the 2009–2010 fiscal year, the OPC resolved 30 privacy complaints against the CBSA. Of the complaints resolved, 9 were well founded, 5 were abandoned or discontinued and 16 were not substantiated. A total of 19 complaints are being carried forward into the 2010–2011 fiscal year. Where complaints are found to be substantiated by the OPC, the matter is reviewed by the delegated managers and processes are adjusted if required. For example, complaints relating to extensions may be reviewed to determine whether the length of time taken was appropriate, given the complexity of the request.
|Complaints processed in 2009-2010|
|Carried forward from 2008-2009||33|
|New Complaints in 2009-2010||16|
|Complaints closed in 2009-2010|
|Resolved – well founded||9|
|Carried forward to 2010-2011||19|
|Reasons for complaints||Complaints received|
|Refusal - Exemption||6|
|Refusal - General||7|
|Use and Disclosure||1|
There were no Privacy appeals to the courts during the 2009–2010 fiscal year.
Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for this reporting period.
Indicate the number of:
To access the Portable Document Format (PDF) version you must have a PDF reader installed. If you do not already have such a reader, there are numerous PDF readers available for free download or for purchase such as: