OTTAWA — Canada’s privacy czar says the national air security agency is collecting too much information about travellers, and sometimes breaches the law when it tells police about the cash they take on trips.
In a newly released audit, Jennifer Stoddart says the agency is not always safeguarding the sensitive information properly either.
A second report issued by the privacy commissioner Thursday reveals a key RCMP database continues to hold information about people who have received a criminal pardon or who were wrongfully convicted.
Both special audits were released as Stoddart tabled her annual report on federal privacy practices in Parliament.
The review of the Canadian Air Transport Security Authority concluded the agency was reaching beyond its mandate by filing reports on incidents unrelated to air security.
Stoddart’s office looked at a random sample of 150 of the agency’s 10,400 incident reports on file.
“Over half of the reports — approximately 57 per cent — concerned matters unrelated to aviation security, including the discovery of narcotics, tobacco and large sums of money,” says the audit.
In a response, the air security agency agreed with Stoddart’s recommendation to limit collection of personal information to aviation security incidents.
The air security agency violated the Privacy Act by sometimes informing police when a large sum of money was discovered in the baggage of passengers about to board a domestic flight, the audit says.
“It is not an offence to travel domestically with a large sum of money.”
However, Stoddart’s office concluded it is acceptable for the air agency to notify authorities when it happens to discover narcotics or other contraband in a passenger’s luggage on any flight.
The agency also has the green light to tell the Canada Border Services Agency when it comes across an international traveller carrying more than $10,000 in currency, given the rules about crossing borders with large sums.
Still, Stoddart stresses the air agency cannot keep such information in its files since it has nothing to do with air security.
The audit also raises concerns about the agency’s airport scanners that can see through clothes.
The system, in place at 23 Canadian airports, allows a screening officer to see whether someone is carrying plastic explosives or other dangerous items by viewing a ghost-like but fairly detailed outline of their body.
When auditors visited the rooms where officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera — even though these types of devices are strictly prohibited because of their recording capabilities.
The TV camera was disabled after the privacy commissioner’s office alerted the air security agency.
During site visits to airports, Stoddart’s reviewers found security incident reports containing travellers’ personal information stored on open shelving units, on the floor and in cabinets that did not meet required security specifications.
“At one airport, we found security incident reports stored in boxes in a room used to conduct private searches,” the audit says.
The air security agency has outsourced passenger screening to private-sector companies, but this does not mean it can ignore the Privacy Act, Stoddart notes.
She suggests an ongoing monitoring strategy, including internal audits, to provide assurance that good privacy practices are being followed.
Federal agencies can hire outside firms without running afoul of the law, said Chantal Bernier, the assistant privacy commissioner.
“But it means that you need to have a very tight governance framework to make sure you monitor your contractors, and ensure that they live up to the obligations that the Privacy Act provides for,” she said in an interview.