Special report to Parliament: Investigation into the contracting practices of the Canada Border Services Agency related to the development of the ArriveCAN application
The Office of the Privacy Commissioner of Canada (OPC) investigated the Canada Border Services Agency's (CBSA) contracting practices related to the ArriveCAN application following a complaint and a request from a parliamentary committee. The investigation examined whether contractors had inappropriate access to travellers' personal information. While the OPC found no contravention of the Privacy Act, it identified shortcomings in the CBSA's contracting processes, such as issues with the timeliness and accuracy of security assessments and broad task descriptions in contracts. The OPC made recommendations to improve the CBSA's practices, which the agency accepted.
- Whether CBSA authorized contractors to access personal information without required security clearances.
- Accuracy and timeliness of security requirement assessments for contracts.
- Clarity and specificity of task descriptions in contracts and task authorizations.
- CBSA's compliance with security requirements for personnel and organizations involved in ArriveCAN contracts.
Complaint not well-founded.
The OPC found no evidence that personal information collected through ArriveCAN was used or disclosed in contravention of the Privacy Act, despite some identified shortcomings in the CBSA's contracting and security clearance processes.
AI-generated summary for reference only. Always verify against the official decision ↗
The OPC recommended that the CBSA ensure rigorous and accurate security requirement assessments, clear task descriptions, proactive management of security clearances, and restriction of access to only what is strictly necessary.
- s. 7 Privacy Act
- s. 8 Privacy Act
This summary is informational only and not legal advice.