Canada's border agency breached a refugee claimant's privacy when personal information that was encrypted on a USB key disappeared — with the password written on a Post-it note left wrapped around the device.

The USB key and the note have never been found and the Canada Border Services Agency (CBSA) failed to report the incident, as required, for more than 18 months. The incident highlights longstanding criticisms of the border service's commitment to safeguarding personal information.

The USB privacy breach occurred on Oct. 7, 2016, after an unidentified man came forward to ask for refugee status in Canada.

"The affected individual had [deleted] and made a refugee claim," says a censored internal report, obtained by CBC News under the Access to Information Act.

"He was carrying a USB [key] of information to support this claim and had asked that the CBSA make a copy of the USB so that he can keep his original.

"The USB key (the copy made by CBSA) was then lost during transport on its way to [deleted]. The USB key was encrypted but the password was on a post-it wrapped around the key …

"The Border Services Officer who mailed the USB key along with the password itself understands the obvious mistake made, and will be completing the Security Awareness Training as a refresher."

A spokesperson for the border agency, Jayden Robertson, said the missing USB key has not been recovered. Robertson acknowledged that a "lack of understanding by implicated staff of its Privacy Breach Protocol, as well as human error, resulted in delays" in reporting the incident.

Reporting mandatory

Cases of serious breaches – called "material breaches" – must be reported soon after they occur to Canada's privacy commissioner and to the Treasury Board of Canada Secretariat. In the case of the missing USB key, those offices were not notified until May 25, 2018 — 595 days after the event.

The claimant's National Identity Card — with his signature and information about his citizenship and nationality, date and place of birth, gender and one more category of information (which is censored in the released report) — was on the portable memory device.

Robertson said there have been no other breach incidents at the CBSA related to anyone seeking asylum or refugee protection. Robertson would not state whether the individual was successful in his refugee claim, saying the Privacy Act prevents disclosure, and would not say whether the officer was reprimanded.

The internal report says the individual was contacted by telephone to alert him to the breach; it quotes him as saying "that's ok" and as expressing "no concern."

... the employee's network access was revoked. - CBSA report on action taken against a worker who divulged personal information to two people outside the country.

The CBSA's annual privacy report to Parliament for 2017-2018 cites another major privacy breach in which an employee, without authorization, disclosed confidential personal information to two individuals outside the agency.

"In this case, the matter was investigated and the employee's network access was revoked," says the report, which provided no further details.

The border agency has been criticized previously by Privacy Commissioner Daniel Therrien for its sometimes cavalier attitude toward privacy.

Commercial airlines bringing people to Canada must submit to CBSA advance information about their passengers' ages, genders and nationalities, the time they spent abroad, their travel patterns and other data for detailed security screening.

Computer algorithms do the first cut, currently flagging between 450 and 550 people each day for further review by CBSA officers, who then winnow down the number of suspicious travellers for special examination, further research and interviews. The algorithm-based screening process is known as 'Scenario-Based Targeting'.

Red-flagged group

In 2018, 12,436 air travellers earmarked for this additional scrutiny were red-flagged for potential contraband, immigration and national-security issues, Robertson said.

A privacy review of the process by Therrien's office in 2017 found that CBSA officers too often added unverified social-media information to an individual's security file — such as Facebook postings — along with apparently non-relevant tax information from the Canada Revenue Agency.

Sometimes, CBSA officers also added to the files medical information with little obvious bearing on security screening — such as medications being taken by the traveller and by relatives.

"… CBSA collects and retains personal information that is not directly related to or demonstrably necessary for the objectives of the program," said the 2017 report.

Therrien also warned that potentially erroneous personal data was being shared routinely with U.S. Customs and Border Protection — and with Canadian public safety partners, such as the RCMP — for possible retention in those agencies' databases.

Privacy Commissioner Daniel Therrien has criticized CBSA privacy safeguards at airports. (Adrian Wyld/Canadian Press)

"CBSA should revise its MOUs (Memoranda of Understanding) with domestic and international partners to ensure they contain specific provisions to limit retention and use of data that is obtained from CBSA for purposes of database checks," Therrien recommended.

"The potential for abuse is enormous," said Tim McSorley of the Ottawa-based International Civil Liberties Monitoring Group, criticizing the Scenario-Based Targeting system. "CBSA should immediately limit what it shares with U.S. officers."

Robertson said the agency is still talking about privacy concerns with its international partners.

"Discussions with international partners related to the safeguarding and use of personal information are ongoing, including with the U.S. CPB (Customs and Border Protection); as such it would be inappropriate to provide further detail," Robertson said in an email.

Follow @DeanBeeby on Twitter