Privacy office finds air passenger breaches

The federal government is collecting too much information on airline passengers and is not doing enough to safeguard it, the privacy commissioner said in her annual report to Parliament on Thursday.

Privacy Commmissioner Jennifer Stoddart focuses on the privacy policies of the Canadian Air Transport Security Authority (CATSA) in one of two audits included in her annual report. That audit concludes CATSA acts beyond its authority by producing security reports on incidents not related to aviation security, and even contacting police about the legal activities of some passengers.

In a news release Thursday, the privacy commissioner's office noted that CATSA agreed with the audit's findings and said it would stop collecting personal information related to legal activities.

The audit also raised concerns about privacy procedures surrounding new full-body airport scanners, although the breaches were "uncommon."

Stoddart's office found in two cases there were forbidden devices in the room used for screening the full-body scans: a cellphone and a closed-circuit TV camera.

In other cases, CATSA staff had left incident reports and other documents with personal information on open shelves or in plain view of passengers.

Another audit included in Stoddart's report looked at the RCMP's handling of databases that are shared with other police forces in Canada, and noted "disturbing gaps" in procedures to protect the privacy and security of information in the databases.

The commissioner's annual report summarizes her office's key investigations into privacy complaints and breaches involving the collection, use and disclosure of information about Canadians.

Stoddart's report also:

Recommended Citizenship and Immigration Canada strengthen privacy safeguards for biometric identifiers of vulnerable populations like refugee claimants.

Assessed the privacy impact of passenger behaviour observation at airports, raising concerns including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.

Details a record number of reports of personal information breaches last year. One involved a malfunction of the new My Service Canada Account website, a day after its launch, that allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.

Found 32 of 34 of the office's recommendations in 2008 and 2009 audits had been fully or substantially implemented. For example, the RCMP reported it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the privacy commissioner’s recommendations.