Unauthorized Disclosure of Employee Personal Information in CBSA’s Information Management System
An employee of the Canada Border Services Agency (CBSA) complained that their personal information was inadvertently disclosed to colleagues due to improperly set folder permissions in the CBSA's information management system, Apollo. The CBSA confirmed the contravention of section 8 of the Privacy Act. While the CBSA took steps to correct the issue and improve practices, it did not commit to mandatory, trackable training for managing permissions, leading the OPC to find the complaint well-founded but unresolved.
- Whether CBSA contravened section 8 of the Privacy Act by improperly disclosing employee personal information.
- Adequacy of CBSA's response and corrective measures.
- Whether CBSA's training and awareness initiatives for managing information system permissions are sufficient.
- Whether the matter is resolved given CBSA's non-commitment to mandatory, trackable training.
Complaint well-founded but unresolved.
The CBSA contravened section 8 of the Privacy Act by improperly disclosing personal information. The complaint is considered unresolved because the CBSA did not commit to implementing mandatory and trackable training for managing system permissions, which the OPC deemed necessary to prevent recurrence.
AI-generated summary for reference only. Always verify against the official decision ↗
The CBSA was recommended to make existing Apollo training mandatory and trackable for employees responsible for managing documents and permissions, and to ensure sufficient safeguards against unauthorized disclosure.
- s. 8 Privacy Act
This summary is informational only and not legal advice.