Investigation into a privacy breach at a Canada Border Services Agency contractor
This investigation examined a privacy breach experienced by a contractor for the Canada Border Services Agency (CBSA), which was targeted by a ransomware attack. Personal information, specifically licence plate images captured at Canadian border crossings, was accessed and some was posted online. The OPC found that the CBSA had contravened the Privacy Act due to inadequate security safeguards in its contract with the contractor and its inconsistent handling of licence plate data as personal information. The investigation concluded the complaint was well-founded but resolved, as the CBSA agreed to implement recommendations to improve its contracting and data protection practices.
- Whether licence plate image files, including metadata, constitute personal information under the Privacy Act.
- Whether the CBSA contravened the disclosure provisions of the Privacy Act.
- Whether the CBSA had adequate security safeguards in its contract with a third-party contractor.
- Whether the CBSA adequately managed the retention of personal information.
Complaint well-founded and resolved
The OPC determined that the licence plate image files, along with their metadata, constituted personal information in this context. The investigation also found that the CBSA's contract with its contractor lacked sufficient security safeguards and clear data retention clauses, leading to an improper disclosure of personal information.
AI-generated summary for reference only. Always verify against the official decision ↗
The CBSA agreed to implement recommendations including updating its contract to include clear language on licence plate images as personal information with appropriate protection clauses, seeking confirmation of data destruction, and demonstrating oversight of the contractor's compliance.
- s. 3 Privacy Act
- s. 8 Privacy Act
- s. 8(1) Privacy Act
- s. 8(2) Privacy Act
This summary is informational only and not legal advice.