CBSA should only retain travellers’ digital device passcodes when necessary

Complaint under the Privacy Act (the “Act”)

March 31, 2020

Description

A Canadian returning to Canada complained that the Canada Border Services Agency (CBSA) contravened the Act when it required him to provide the passcode to unlock his cell phone for inspection purposes. We found that the CBSA had the authority to do so under the Customs Act.

Case Summary

Our office received a complaint that the CBSA inappropriately collected an individual’s cell phone passcode when he returned to Canada.

The complainant asserted this collection was unauthorized because the border services officer who inspected his cell phone could not point to any specific legislation, policy, or procedure that requires it. He also argued the collection was unnecessary because he offered to unlock the cell phone himself, but the officer refused.

A separate investigation by our office summarized in our previous annual report to Parliament concluded the CBSA has the authority under the Customs Act to examine material stored directly on digital devices under certain conditions. In that investigation we nonetheless made a number of recommendations in light of the fact that a search of an electronic device at the border is an extremely privacy intrusive procedure. Digital device passcodes, examined in this investigation, are similarly sensitive.

Our office considers passcodes to be sensitive personal information when paired with other identifiers or if it is matched with the device it unlocks. A device protected by a passcode may contain information that an individual considers most sensitive. Additionally, the sensitivity of a passcode may be increased if it is reused across multiple accounts or activities.

CBSA asserted that it collects passcodes, rather than allowing an individual to unlock their digital device themselves, in order to: (i) prevent travellers from intentionally or inadvertently erasing or altering data before providing the unlocked device to the border service officer for inspection, and (ii) ensure the continuity of evidence should the interaction be implicated in judicial proceedings. In this context, our office accepted that the CBSA does have the authority to require individuals to provide a passcode to unlock a digital device under the Customs Act.

However, when handling such sensitive personal information, government institutions should take care to be aware of and follow their own policies. They should also only retain personal information when it is necessary to do so.

In this case, the CBSA acknowledged the officer failed to follow policy when she did not take handwritten notes about the interaction. Further, the officer could not recall whether she had informed the complainant, as required by the policy, that his passcode would be retained, and that he may change his passcode.

In response to these errors, the CBSA committed to providing more training to officers with respect to collecting personal information from travellers. It also committed to rewriting the policy to provide clearer direction to officers.

Further, in retaining passcodes even when the search of the device led to no further action, the CBSA was retaining personal information unnecessarily and keeping it alongside other personal identifiers. We questioned whether it was necessary to retain the passcodes beyond the examination process if the CBSA had not seized the device.

The CBSA has since revised its policy that covers the examination of digital devices at the border. Border services officers now take a more privacy sensitive approach of writing passcodes on a separate piece of paper and returning that paper to the traveller unless the traveller is detained further, or their device is seized.