Three government agencies collaborating on a $68 million initiative to upgrade Canada’s asylum system did not conduct required privacy safeguard assessments during the project’s implementation phase, as per CBC News findings. The absence of privacy protections has raised concerns among legal professionals, potentially jeopardizing the security of refugee claimants’ information and submissions.
The joint effort involving Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA), and the Immigration and Refugee Board (IRB) aimed to modernize the asylum process through the “asylum interoperability project.” This initiative sought to streamline the asylum system digitally and address the mounting backlog of over 290,000 pending asylum applications.
Earlier reports revealed that the project, launched in 2019, abruptly ceased operations in 2024, surprising many stakeholders. Recent access-to-information documents disclosed that essential privacy impact assessments (PIAs) were pending completion for the project, which was terminated when only 64% finished.
According to the government’s digital privacy guidelines, a PIA is a critical process to anticipate, evaluate, and mitigate potential privacy risks before their occurrence. Despite the project’s discontinuation, the incorporation of digital data collection and usage changes underscores the necessity of completing PIAs to identify potential risks, emphasized by Andrew Koltun, an immigration and privacy lawyer.
While the departments informed CBC via email that the privacy assessments remain unfinished, IRCC mentioned ongoing drafting of its PIA section, anticipating completion by the end of 2025. This delay in the assessment process raises significant concerns, as highlighted by Koltun, who warned about heightened data leakage risks without a comprehensive PIA in place.
The asylum interoperability project introduced digital advancements such as an online refugee application system, enhancing automation and real-time data exchange among departments. Notably, the project included functionalities allowing automatic cancellation of valid permits upon issuance of removal orders, among other enhancements.
The Office of the Privacy Commissioner of Canada views privacy assessments as vital for ensuring legal compliance and safeguarding privacy, acting as an early warning mechanism. Internal documentation indicated confusion among the involved agencies regarding PIA responsibilities, transitioning from a unified assessment approach to individual partner assessments.
Critics have pointed out the imperative nature of privacy protections, especially within the refugee space, emphasizing the need for meticulous risk assessment before deploying digital modernization initiatives. Privacy breaches in such contexts can have severe repercussions, as illustrated by real-life instances shared by refugee lawyers, underscoring the gravity of safeguarding sensitive information.
IRCC affirmed adherence to Treasury Board Secretariat directives, emphasizing information security during data exchange. However, concerns persist over incomplete PIAs, with CBSA discontinuing PIA pursuits and IRB claiming existing systems adequately address privacy concerns. Critics like Koltun have labeled the responses from IRCC and IRB as inadequate, stressing the importance of upholding legal obligations when implementing IT-related projects.
