Three government agencies that partnered on a $68 million project to renew the Canadian asylum system could not complete the mandatory privacy safeguard tests for years while the project was implemented, according to CBC News.
The lack of privacy protections raises “red flags,” lawyers say, and may have put the data and requests of refugee claimants at risk.
Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA) and the Immigration and Refugee Board (IRB) worked together on the “Asylum Interoperability Project,” which was meant to transform the asylum system into a more efficient digital system and address its ever-growing delays.
Earlier this year, CBC reported that the project, which was launched in 2019, had been shut down prematurely in 2024 in what CBSA called an “unexpected” move.
Now, documents obtained through access to information show that there were privacy impact assessments (PIAs) “outstanding” for the project, which was quietly scrapped when it was only 64 percent complete.
According to a government digital privacy playbook, a PIA is a “policy process to identify, evaluate and mitigate potential privacy risks before they occur.”
“All these steps must be completed before the launch of the initiative,” the guide says.
Although the interoperability project has now been scrapped, it implemented changes in the way data is digitally collected and used, which means that completing the PIAs remains an essential part of this risk identification process, said Andrew Koltun, an immigration and refugee lawyer who also practises privacy law.
The departments told CBC by email, however, that the privacy assessments are still incomplete. IRCC said it is currently writing its part of the PIA and hopes that it will be done at the end of 2025.
The fact that they are not yet finished, said Koltun, raises “many red flags.”
“Unfortunately, if it does not have an impact assessment of established privacy, the risk is extended as to how these data could be filtered and obtained by adverse actors,” he said.
The Treasury Board of Canada Secretariat directive requires that this privacy health check be carried out “before” launching or updating projects, in cases where institutions “substantially modify” the way in which information is collected and used for administrative reasons.
The asylum interoperability project created an online refugee application process, a significant change from paper applications.
The project helped incorporate some automation and allow a greater exchange of real-time information between the departments, according to the documents. It also gave the government the ability to automatically cancel valid work or study permits when a removal order is issued, among other improvements.
‘Hot potato’ with responsibilities
The Office of the Privacy Commissioner of Canada calls privacy assessments an “early warning system” that can help build public trust by ensuring that government agencies comply with the law and protect people’s privacy.
The privacy watchdog declined an interview, saying that it conducts privacy consultations in confidence, but reiterated in an email that the commissioner had recommended that PIA obligations be written into law.
According to a CBSA information note that CBC obtained, there appeared to be internal confusion over who was responsible for the PIA.
The documents reveal that there was an initial expectation of one large privacy assessment led by IRCC.
But three years later, at the end of 2022, IRCC notified CBSA and IRB that it was no longer doing a PIA “for the entire project and that each partner would be responsible for theirs.”
Then, CBSA said, IRCC changed the approach “and extended the scope to an evaluation at the program level,” according to the documents.
When the project was unexpectedly closed last year, CBSA said that the PIAs were “an exceptional issue” and that IRCC still expected the other partners to complete their privacy plans.
“However, given the lack of funds, the lack of resources … more discussions are required,” says CBSA’s note.
Koltun, who reviewed the internal documents, describes the departments as playing “hot potato” with privacy controls, when it should have been a “basic construction block.”
“[This] is emblematic of IRCC’s relentless impulse to follow digital modernization at a vertiginous speed without necessarily guaranteeing that all appropriate risk mitigation is carried out in advance,” he said.
“The refugee space is a poor area to adopt a beta test approach of ‘work fast and break things and then solve it later.’”
Privacy affects clients, lawyer says
Greg Willoughby, a refugee lawyer in London, Ontario, says that IRCC sends emails “more frequently than [he] can tell” that disseminate private documents and highly sensitive information for applicants who are not his clients.
“It seems to be a systemic lack of concern for privacy and confidentiality problems,” said Willoughby.
He recalled that one of the worst examples was when IRCC sent an email to one of his client’s family members in Iran, family the client was fleeing, thus alerting them to the refugee protection claim.
“I thought, ‘What is this? These are the agents of the persecution,’” Willoughby said. “It was really traumatic and harmful to her. It was horrible.”

It is not clear if there is a link between digital updates in the asylum interoperability project and Willoughby’s experiences with privacy violations in recent years.
But Willoughby warns that the government’s approach to efficiency and technological integration without adequate privacy safeguards is “very, very dangerous,” especially if the data is at risk of being improperly accessed by bad actors.
“Governments and immigration departments should be very paranoid. This should be the most important.”
Last year, a major project to secure and renew Canada’s asylum system was shut down, an “unexpected” move for some in the government, CBC News reported. Now, some critics fear that the results that were achieved may be more harmful than beneficial for people seeking protection in Canada.
Department, tribunal responses ‘inadequate’
In a statement, IRCC said that the type of information that is collected and shared among the partners did not change, but “the [project] created interfaces to guarantee the safe transmission of this information.”
IRCC still maintains that it is following the Treasury Board Secretariat directive, although the directive states that PIAs must be completed before implementing initiatives, especially when there is “use of any new or modified information technology.”
“All agreements between government partners include strong safeguards,” IRCC wrote.
Meanwhile, CBSA said that it “is no longer looking for” a privacy impact assessment, and pointed to IRCC as the lead on this project.
“CBSA recognizes the importance of the PIA process,” wrote a spokesman.
IRB said that “it carefully observed the implications of privacy” when the project was launched, and that the privacy concerns “were still adequately addressed” in an existing PIA for its own systems.
Koltun said that the IRCC and IRB responses are “inadequate” because they “ignore legal tasks” under the federal directive.
“When an information technology or a new or modified IT process is used, the minimum requirement is that an updated PIA is created,” he said.