The federal government broke its own privacy rules this spring when it expanded the Five Eyes intelligence network to automatically share 1.2 million confidential Canadian files per year with its international spy partners.
Immigration, Refugees and Citizenship Canada (IRCC) and the Privacy Commissioner both confirmed to National Observer that the IRCC did not file a privacy impact assessment before launching the program, which automatically shares personal data with the United States, the United Kingdom, Australia and New Zealand.
The advance assessment, used to identify and mitigate potential risks to privacy, is required by a Treasury Board directive designed to ensure anti-terrorism measures don’t violate personal privacy rights.
“It is quite shocking that they didn’t do a privacy impact assessment,” said Brenda McPhail, director of the privacy, technology and surveillance project of the Canadian Civil Liberties Association.
“For this kind of massive information-sharing agreement, that absolutely should have been done. This is a big problem.”
The Treasury Board, which is responsible for handling this breach of protocol, did not respond to requests for comment in time for publication of this story.
Immigration, Refugees and Citizenship Canada confirmed earlier this week that it had not filed the privacy impact assessment, but it has not responded to follow-up questions from National Observer about why. In an emailed statement, it said that it has plans to file one in the future, but did not offer a timeline.
The program is already underway.
Canadian citizen files exempt
The expanded Five Eyes agreement allows immigration officials in the five countries to automatically share documents, decisions, notes and material submitted by anyone who visited one of the five countries or applied for a work permit, study permit, refugee status or permanent resident status.
Documents that can be shared include personal photos and correspondence, medical files, financial statements and court records that are included in immigration files. The agreement allows the countries to share information collected long before the agreement went into effect.
Files of Canadian citizens are exempt from the agreement. Files will be shared automatically using fingerprints or other biometric markers. Canadian officials have said they will use the system to screen refugee claimants and “high-risk” applicants.
The Office of the Privacy Commissioner confirmed that it has had “some discussions” with IRCC about the program, but said it did not have enough information to comment on the plan because it has not received a privacy impact assessment, though it expects to receive one eventually.
McPhail warned that Canada risks a repeat of a case similar to that of Maher Arar, a Syrian-Canadian who was kidnapped in New York, taken to Syria and tortured for a year on the basis of bad information provided by Canadian authorities.
“That information was not correct, not vetted and had a horrific effect on Arar,” said McPhail. “Canada has a duty of care and a special obligation to make sure this doesn’t happen again.”
McPhail said that privacy impact assessments aren’t designed to stop new programs; they are supposed to help improve them.
Regulations already in effect
In the case of the expanded Five Eyes system, it is unclear how people will be able to review their files, ensure that the information from other countries is accurate or correct it if it’s wrong.
“Once this information is shared with another country, you lose the ability to control how it is used,” McPhail said. “This is profoundly intimate and personal information, affecting a very vulnerable population and it involves a complex technical system.”
In a written statement, IRCC officials have said that they do plan to complete a privacy impact assessment. However, the Treasury Board directive demands that “privacy implications... be appropriately identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.”
Regulations for the new spy system went into effect in May. According to a written statement from IRCC, automated file-sharing with Australia began this spring.
"It's too late"
McPhail said privacy impact assessments must be done before programs begin so that experts can offer recommendations and so that problems are fixed before harm is done.
“If the information has already flowed and then you detect a problem, it’s too late. Decisions will have been made on the basis of that information. Lives will have been altered.”
The 2010 Treasury Board directive was put in place to ensure that “privacy protection is a core consideration in the initial framing and subsequent administration of programs and activities involving personal information.
“In recent years, Canadians and parliamentarians have been concerned with the complex and sensitive privacy issues that stem from proactive anti-terrorism measures, use of surveillance and privacy-intrusive technology, sharing of personal information across borders and threats to privacy posed by security breaches. Canadians want to be informed of how their personal information is handled and assured of its protection.”
The Treasury Board is responsible for enforcing the directive.