CBSA’s use of commercial genetic genealogy in a deportation case contravenes the Privacy Act
Complaint under the Privacy Act
April 24, 2023
Description
A former refugee complained that the Canadian Border Services Agency (CBSA) contravened his privacy rights in collecting his DNA and using genetic genealogy analysis to try to identify potential relatives in order to determine his nationality to deport him. He argued that the CBSA lacked legal authority for the exercise, collected unnecessary information, obtained his consent under duress, did not provide him adequate information and acted deceptively in its collection via the commercial genetic genealogy company, FamilyTreeDNA (FTDNA). He also alleged the CBSA did not limit disclosure of his personal information and did not adequately describe the collection at issue in any published Personal Information Bank (“PIB”) description. We found contraventions of the collection, disclosure and transparency provisions of the Act.
Takeaways
- Biometrics, including DNA, are used by law enforcement either to authenticate credentials or, as in this case, to compare one individual’s biometrics to biometrics from another source to learn something. These sources, like FTDNA in this case, can include many individuals who are innocent of any crime. Privacy impacts on both the subject and these other individuals must be assessed and addressed to be compliant with the Privacy Act.
- Government institutions are responsible for the collection, use, disclosure and retention of personal information in accounts they control on third-party platforms. Institutions should ensure procedures are in place for careful management of accounts with third-party platforms from cradle to grave. This is critical to avoid issues, such as those that arose in this case, with: (i) failure to obtain valid authorization from the complainant for indirect collection from FTDNA, (ii) secondary disclosures that contravened the Act, and (iii) accounts left active and unattended (continuing to hold, collect and disclose personal information).
- To comply with the transparency requirements of the Privacy Act, including the requirement that institutions establish Personal Information Banks, publicly available descriptions of personal information collected under a program should allow a member of the public to: (i) meaningfully determine whether their personal information is held by an institution, and (ii) meaningfully determine the nature of that information. The publicly available description of the personal information collected under CBSA’s Removals Program did not do so as FTDNA users whose information was collected by CBSA would be unaware that their genetic profile information had been collected by CBSA.
- The DNA Identification Act of 1997 that limits law enforcement use of the National DNA Data Bank does not regulate law enforcement use of commercial genetic genealogy companies. We encourage the government to have a public discussion regarding the risk and benefits of novel types of DNA use, including genetic genealogy, in a law enforcement context.
Report of Findings
Overview
- The complainant, a former convention refugee and then a permanent resident of Canada, was held in long-term detention by the CBSA while it attempted to determine his nationality in order to deport him after he became subject to a removal order. He alleged that a speech analysis and genetic genealogy analysis the CBSA undertook, beginning in 2017, to try, unsuccessfully, to determine his nationality contravened the Privacy Act (the “Act”). The complaint related to the speech analysis, which we determined was not well-founded, is addressed separately in another report.
- The complainant, represented by counsel during this investigation, argued that with respect to genetic genealogy collection: (i) the CBSA lacked the legal authority for the exercise, (ii) not all information the CBSA collected was necessary for its stated purpose, (iii) due to the circumstances of his detention his consent was invalid, (iv) the CBSA did not provide him adequate information about the details of the collection from FamilyTreeDNA (“FTDNA”) and (v) the CBSA acted deceptively in its collection via the commercial genetic genealogy company, FTDNA. He also alleged the CBSA (vi) did not take adequate steps to limit disclosure of his personal information and (vii) did not adequately describe the collection at issue in any published Personal Information Bank (“PIB”) description. We therefore examined compliance with the collection provisions of sections 4 and 5 as well as the disclosure provisions of section 8 and the transparency provisions of section 11.
- Based on the representations received, we determined that the collections in this case were directly related to an authorized operating program or activity and therefore compliant with section 4. We additionally found that while the CBSA indicated that it relied on consent for the collection of this DNA, this was not expressly required by section 4 of the Act.
- However, we did find that the CBSA was required, under section 5, to obtain valid authorization from the complainant for the indirect collection of his personal information from FTDNA. Although we found that the CBSA’s practices with FTDNA were not deceptive and that the circumstances of the complainant’s detention did not invalidate the complainant’s authorization, we did find that the CBSA’s failure to provide the complainant with key information about FTDNA’s terms meant that he was not fully aware of his rights as a DNA donor. As a result, we found that the complainant’s authorization for the CBSA’s collections from FTDNA was invalid and the collections contravened section 5 of the Act.
- We also found that the CBSA contravened section 8 of the Act when it disclosed certain personal information about the complainant to other FTDNA users. Finally, we found that while the related content in the personal information index does mention that biometric information of individuals subject to removal orders could be collected, it does not explain that genetic profile information about relatives of individuals subject to removal orders could also be collected. Therefore, the personal information index content did not comply with the transparency obligations under section 11 of the Act.[Footnote 1]
- With respect to corrective action, the CBSA indicated that it placed a moratorium on its use of genetic genealogy in 2018, pending the development of a national policy to govern the collection and use of DNA related information in the context of its removals program. However, the CBSA did not close the FTDNA user accounts that it held for the complainant and others until recently, and only in response to our recommendation.
- We made several recommendations for further action by CBSA to mitigate the impact of the contraventions and reduce the risk of recurrence. As described in detail in the Recommendations Section of this report, CBSA has committed to implement all but one of our recommendations. The complaint is therefore well-founded in part and conditionally resolved in part.
Background
- When the complainant first arrived in Canada as a refugee, he claimed to hold Liberian citizenship. Although he was subsequently given permanent residence status, he later became inadmissible to remain in Canada due to criminal activity and was therefore subject to a removal order.[Footnote 2] CBSA attempted to deport him to Liberia, but Liberia rejected his claim of nationality. In response, in 2017, the CBSA set out to confirm his country of origin by asking him to undergo a speech analysis with the third party company SPRAKAB. SPRAKAB is a language analysis company that offers assistance with identifying an individual’s geographic or national origin by analyzing their vocabulary and speech patterns.[Footnote 3]
- The resulting analysis that the CBSA collected from SPRAKAB suggested the complainant to be Nigerian. In an effort to collect further evidence, also in 2017, the CBSA obtained the complainant’s consent to collect a biological sample, disclose that sample to the genetic genealogy company FTDNA, and collect information about his potential genetic relationships to other users of FTDNA.
- FTDNA is one of a number of companies that offer direct to consumer DNA analysis and genetic genealogy matching services. It allows its users to learn about their genetic relationships with other FTDNA users (and thereby common ancestors), build family trees, and obtain information on general ancestry based on their DNA profile. FTDNA maintains a database that contains the DNA profiles of over two million individuals.[Footnote 4]
- Both in 2017, when the CBSA opened the account in question, and currently, FTDNA offers its “family finder” (genetic matching) services to third party account holders for someone else’s DNA, provided that the actual DNA donor provides consent on a related FTDNA release form (“the FTDNA form”). The matching services FTDNA provides are reciprocal. In order to receive certain information about potential genetic matches (including the account holder’s username and contact email), users must agree to share their own information with other users. Under FTDNA policy, the DNA donor also retains certain rights – such as the right to take over the account at any time.
- Prior to collecting the complainant’s DNA, the CBSA drafted a consent form (“the CBSA form”). The CBSA form permitted the CBSA to collect a cheek swab from the complainant, submit it to FTDNA for analysis, collect information from FTDNA, and contact any genetic matches to seek information from them about his nationality. The complainant signed the form, as well as the FTDNA release form, when he provided his DNA sample to the CBSA.
- The CBSA utilized FTDNA’s database because it provides the opportunity to identify potential relatives who could speak to the complainant’s nationality – a task that it lacked the ability to carry out itself. The CBSA collected information about hundreds of individuals who were genetically matched with the complainant since the opening of the account, and contacted a small number of these other users to question them about the complainant. We understand that the information received did not prove to be sufficiently conclusive regarding the complainant’s nationality and that the CBSA subsequently released the complainant from detention.
- Historically, law enforcement bodies have utilized one to one DNA matching for identification purposes - for example, matching DNA at a crime scene against the National DNA Data Bank, established pursuant to the DNA Identification Act, to look for an identical match. The purpose of the DNA Identification Act is to help law enforcement agencies identify individuals alleged to have committed a list of designated offences, to find missing persons and to identify human remains. The DNA profiles stored in this bank are derived from biological samples from specific sources, such as those found at crime scenes, from relatives of missing persons, from individuals who are legally required to submit a sample, and from other voluntary donors (whose DNA profile may be relevant to an investigation). The DNA Identification Act imposes specific limits on how DNA profiles can be added to or matched with the National DNA Data Bank.
- It is our understanding that this Canadian data bank did not suit the needs of the CBSA in this case, as it was seeking potential relatives of the complainant living in Africa, and because the DNA Identification Act does not specify the determination of the nationality of an individual subject to a removal order as an acceptable use of the National DNA Data Bank. No specific legislation currently controls the use of genetic genealogy matching services by law enforcement in Canada.
- The CBSA told our Office that genetic genealogy was used as an investigative technique on a case-by-case basis by CBSA regional investigators in consultation with the CBSA National Headquarters prior to 2017, but that in 2018, after concerns about the practice were highlighted in the media, the practice was placed on hold until current policies could be reviewed.
Analysis
Issue 1: CBSA’s collection of genetic genealogy information was directly related to one of its operating programs or activities, as required by Section 4 of the Act
IRPA provides broad legislative authority to the CBSA to collect personal information for its removals program.
- Section 4 of the Privacy Act requires federal institutions to restrict their collection of personal information to information “directly related to an operating program or activity”. In order to determine if a collection satisfies this requirement, as a first step, the scope or nature of the “operating program or activity” must be clearly defined.
- The complainant questioned whether the CBSA had the legal authority to collect his DNA, via a collection of a biological sample, and asked us to specifically focus on this question. Noting that the CBSA lacks a national policy or protocol for the collection of DNA by enforcement and intelligence officials, he suggested that there is no underlying authority to incorporate DNA analysis into its programming. He also questioned why, if the CBSA had the legal authority to collect his DNA sample, the CBSA obtained consent at all. On these points, he argued:
Generally speaking, legal authority for government programs or activities can be obtained by way of an Act of Parliament or following the issuance of supporting regulations. The type of legal authority that is required to support the specific collection of personal information depends, in part, on the nature of the conduct in question. The more the conduct in question interferes with the rights or freedoms of an individual, the higher the test or threshold is for the identification of a specific and positive legal authority.
In this case, the CBSA engaged in the surreptitious collection and disclosure of highly rich and sensitive personal information for the purposes of removing [the complainant] from Canada. There can be no more intrusive collection and use of personal information by the state. As such, the CBSA cannot justify its actions without clear and express authority for the collection and use of [the complainant’s] biological sample and DNA information. Any attempt by the CBSA to reference its general broad powers under the Immigration and Refugee Protection Act (IRPA) are therefore, in the circumstances, inappropriate.
- The CBSA submitted that section 6 and subsection 48(2) of the Immigration and Refugee Protection Act (“the IRPA”) and section 12 of the Canada Border Services Agency Act (“CBSA Act”) grant it the authority to collect the information pursuant to section 4 of the Act. It explained that the collection of personal information related to the mandate of the CBSA and its programs under the IRPA. Section 6 of IRPA and section 12 of the CBSA Act set out the delegation from the minister to enforce those acts. The CBSA submitted that the specific program in question is its “removals program” that is set out in subsection 48(2) of the IRPA, which states that “If a removal order is enforceable, the foreign national against whom it is made must leave Canada immediately and the order must be enforced as soon as possible.”
- In keeping with applicable jurisprudence concerning the purpose of, and obligations contained in, IRPA’s removal provisions[Footnote 5], we accept that the enforcement of removal orders is a program or activity of the CBSA that falls under the CBSA’s mandate as per subsection 48(2) of the IRPA. Moreover, subsection 16(3) of the IRPA specifically grants the CBSA broad authority to collect information from an individual subject to a removal order, including “any evidence – photographic, fingerprint, or otherwise – that may be used to establish their identity…” Canadian courts have confirmed that this provision can be used to collect personal information of a different nature than simply photographic or fingerprint evidence.[Footnote 6] In our view, the power granted to the CBSA by this provision is broad enough to permit it to collect DNA information.
There are no indications the CBSA collected information that was not directly related to the activity of enforcing the removal order
- The second step in assessing compliance with Section 4 is determining whether the collections are directly related to a program or activity. In this respect, the complainant suggested that even if CBSA had the lawful authority to collect information to identify and remove him, its collection was overly broad because it collected information that was unnecessary, such as estimated ancestry and ethnicity. He further alleged that the CBSA made no effort to limit its collection of this personal information.
- For its part, the CBSA indicated that it did not have any records of which settings were checked when setting up the account, but that its officers would not have opted in to receive any optional personal information beyond genetic matches with the complainant, for the purpose of identifying potential relatives it could contact to try to determine the complainant’s nationality.
- We carefully considered the positions of the parties. We note that the complainant appears to argue that section 4 of the Act includes a necessity and proportionality test. We are sympathetic with the complainant’s position and understand their perspective. Our Office has consistently advocated that the Act be reformed to include a stronger collection threshold.[Footnote 7] However, we must apply the Act as it is written today, as confirmed by the Courts. As such, pursuant to section 4 of the Act, personal information need only be directly related to an operating program or activity of an institution for the institution to collect it under the Act.[Footnote 8]
- With respect to the scope and breadth of the information collected, in our view, the information collected all related directly to the CBSA’s removals program. Although some information, such as the ethnicity report, may not have been necessary for its purposes, CBSA could not have meaningfully separated it from the information that it did need. We understand that the ethnicity report, for example, was part of the FTDNA package that CBSA purchased and that it could not purchase the matching service on its own. As we found no indication that CBSA collected any personal information that was not directly related to the program in question, we determined the collection complaint under section 4 of the Act to be not well-founded.
Issue 2: Authorization for indirect collection was not compliant with Subsection 5(1) of the Act
- We determined above that the CBSA’s collection of genetic genealogy information of the complainant and his genetic relatives was compliant with section 4 of the Act, which does not impose any obligation to obtain consent from individuals for collection. However, the Privacy Act does require, under subsection 5(1) that, wherever possible, an institution “collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise or where personal information may be disclosed to the institution under subsection 8(2).” Subsection 5(3) allows an institution not to comply with 5(1) where doing so might “(a) result in the collection of inaccurate information or (b) defeat the purpose or prejudice the use for which information is collected.” However, as described below, FTDNA does not offer a mechanism for indirect collection of an individual’s personal information from FTDNA without the individual’s authorization, except in limited law enforcement circumstances - which the CBSA’s purpose of trying to remove an individual from Canada does not meet.
- In this context, the complainant’s authorization was required for the collection of information about him, including his genetic relatedness to other FTDNA users, via FTDNA’s commercial services. We therefore examined whether CBSA obtained valid authorization from the complainant for this indirect collection. The complainant does not contest that he gave written authorization to the CBSA to collect information about his genetic relatedness to other FTDNA users from FTDNA. He did so when he signed a CBSA consent form which described the collection and its purpose, as well as a related FTDNA release form. However, the complainant alleged that his authorization was not valid as it was given under duress, due to the implicit threat of indefinite detention if he did not cooperate. He also alleged that he was not provided sufficient information about what was involved in the indirect collection from FTDNA, and that CBSA acted deceptively in its indirect collection of his personal information from FTDNA.
- There is very limited jurisprudence on what constitutes valid authorization under section 5(1), and none of it is directly on point to the circumstances in this case. However, the Supreme Court of Canada (“SCC”) has commented on the issue of valid consent with respect to collection of biometric information in a law enforcement context in R v Borden.[Footnote 9] In its decision, the SCC cited, with approval, the Ontario Court of Appeal (“ONCA”)’s decision in R v Wills.[Footnote 10] In Wills, the ONCA ruled that the collection of the results of an individual’s breathalyzer test violated section 8 of the Canadian Charter of Rights and Freedoms (“Charter”) because valid consent was not obtained by police.[Footnote 11] The ONCA set out that for consent to be valid it must be established on the balance of probabilities that:
- there was a consent, express or implied;
- the giver of the consent had the authority to give the consent in question;
- the consent was voluntary in the sense that that word is used in Goldman[Footnote 12] and was not the product of police oppression, coercion or other external conduct which negated the freedom to choose whether or not to allow the police to pursue the course of conduct requested;
- the giver of the consent was aware of the nature of the police conduct to which he or she was being asked to consent;
- the giver of the consent was aware of his or her right to refuse to permit the police to engage in the conduct requested; and
- the giver of the consent was aware of the potential consequences of giving the consent.
- Although the above test was developed in a law enforcement context for the purpose of determining whether a search or seizure by the state was compliant with section 8 of the Charter, we have elected to use the analytical framework that forms the basis of this test for assessing consent in this specific complaint for two reasons. First, the test provides a useful means of analyzing various aspects of “consent” contextually, with regard both to the point of view of the individual as well as the actions and objectives of the government institution. Second, the circumstances of the complainant – being held in long-term detention and being asked to supply biometric information to a government institution – bear similarities to the circumstances from which this test was developed.
Complainant’s authorization for indirect collection from FTDNA was not adequately informed
- Part (i) of the test has clearly been met as both parties submit that the complainant signed the CBSA form and the related FTDNA release form. Part (ii) of the test is also clearly met because it is agreed upon that the complainant signed the consent form himself and no other signed on his behalf.
- Part (iii) of the test requires consent to be given voluntarily and not as the product of external conduct such as oppression or coercion. The complainant argued his consent was given under duress as refusal to give his consent, he submitted, would have caused him to have been deemed uncooperative and detained indefinitely.
- The Federal Court of Appeal, in the decision Lunyamila, explained:
In a detention review, the [Immigration Division of the IRB] must assess whether there are grounds for detention: whether, among other things, the detainee is a danger to the public, a flight risk, or a foreign national whose identity has not been established…
By subsection 247(1) of the Regulations, in assessing whether the identity ground is established, the [Immigration Division] must consider among other things the detainee’s cooperation, including whether the detainee provided or assisted the Department of Citizenship and Immigration in obtaining evidence of identity…[Footnote 13]
- As this excerpt clarifies, what the complainant characterizes as “duress” was in fact the application of the detention review scheme set out in the IRPA and its Regulations and cannot be considered duress. While the decision to consent or not may be a difficult choice to make for an individual in this situation, in our view, the complainant’s consent was voluntary for the collections at issue from FTDNA and satisfied part (iii) of the Wills test.
- Part (iv) of the test requires that an individual be aware of the nature of the police conduct to which he or she is being asked to consent. We are of the view that CBSA was clear and detailed about the nature of the search in the CBSA consent form it provided to the complainant.[Footnote 14] We also note that the description provided a clear notice to the complainant of the purpose of collection, as required by subsection 5(2) of the Privacy Act when information is collected by an institution from an individual.
- However, the complainant more specifically alleged that the CBSA did not provide him with information about what FTDNA would or could do with his personal information. Material to the complainant’s concern on this front, the CBSA provided the complainant with an FTDNA release form (the “FTDNA form”) for his review and signature, which he signed, although he did not receive a copy. Under FTDNA policy, FTDNA would not release matching data to an account (i.e. in this case matching data about the complainant to CBSA) unless this form was signed by the DNA donor. The form began with:
RELEASE FORM (OPTIONAL)
I, , give permission to Family Tree DNA (“FTDNA”) to make my name and email address available to my relevant genetic match(es). A relevant genetic match is defined in the section entitled “Privacy Policy, Terms of Service and Refunds” on the FTDNA web site, that I have read, understand and agree. … [emphasis added]
- The complainant did not have an opportunity to read the web page referenced above because the form referred to an online link, and he had no internet access due to the security requirements of the facility he was held in. The web page included a range of information relevant to the handling of the complainant’s personal information, such as the retention period for his DNA sample (25 years) and that as the DNA donor, he was entitled to take over the account from the CBSA at any time.[Footnote 15] Of note, once informed of this right during the course of our investigation, the complainant did take over the account from the CBSA.
- In other words, the CBSA did not give the complainant access to all the information in the Privacy Policy and Terms of Service that FTDNA considered it necessary for a DNA donor to have, in order to authorize a third party to create an account and collect personal information about them via FTDNA’s services. In our view, when considered through the lens of part (iv) of the Wills test, the complainant’s authorization for the indirect collection from FTDNA cannot be considered adequately informed in these circumstances.
- Part (v) of the test requires that an individual be aware of their right to refuse, while part (vi) of the test requires that an individual be aware of potential consequences of giving consent.
- While the complainant states that he felt he could not refuse to sign the CBSA consent form, we are of the view that part (v) of the test was met in the case of this particular form. The CBSA consent form specified that “I provide this full consent to CBSA freely and without fear or promise.” Although there may have been consequences to his refusing to consent, such as his refusal being noted in IRB hearings, this does not mean that he could not refuse. Given the context of his situation, that he was represented by counsel and provided the above language in the consent form, we are of the view that the complainant did have sufficient awareness that he could refuse to consent.
- Similarly, as explained in paragraph 33, the CBSA did provide him with information about the purposes for the collection and he was aware that consenting could lead to the identification of his nationality in order to effect the removal order.
- However, the failure of the CBSA to provide the complainant with key FTDNA information as part of signing the FTDNA release form was material. Among other things, it meant that the complainant was unaware that there were various opt-out provisions, or that the continued indirect collection by the CBSA via the account was permissible only as long as he chose not to take control of the account, which he had the right to do at any time. This meant that the complainant was not fully aware of his rights as DNA donor or the potential consequences of his consent, contrary to parts (v) and (vi) of the Wills test.
- We therefore find that the authorization the CBSA obtained from the complainant in this case for the indirect collection of his personal information from FTDNA was not valid. It failed parts (iv), (v) and (vi) of the Wills test, and therefore this aspect of the complaint is well-founded due to a contravention of subsection 5(1) of the Act.
- We therefore recommended that the CBSA ensure that for any future collection it undertakes that relies on an individual’s authorization for collection from a third party, the individual is provided access to all relevant documentation from the third party.
The CBSA’s manner of collection from FTDNA was not deceptive, though greater care was warranted
- In our view, in addition to the above analysis, an individual cannot reasonably be said to authorize the collection of their personal information from a third party in a manner that is deceptive or contrary to that third party’s personal information handling policies. Therefore, in examining the CBSA’s compliance with subsection 5(1) we examined two further allegations by the complainant: a) first, that it was inappropriate for the CBSA to “pretend in their submissions of DNA to FTDNA to be the individuals themselves”; and b) second, that the CBSA did not follow FTDNA’s current policy requiring law enforcement to apply for and create special law enforcement accounts. These accounts require FTDNA approval and are limited to specific types of crimes, and other FTDNA users can opt out of sharing their personal information with these law enforcement created accounts.
- Regarding the allegation that the CBSA “pretended” to be the complainant when it utilized FTDNA’s services, we found that (i) the CBSA properly completed the forms required by FTDNA for an account created using someone else’s DNA, (ii) the name associated with the account was the complainant’s name ‘care of’ the responsible CBSA officer, and (iii) the account used a CBSA email. The CBSA also submitted that the officer who contacted a small number of the complainant’s genetic matches identified himself when he did so. In our view, this clarifies that the CBSA did not pretend to be the complainant when it used FTDNA’s services.
- Regarding the allegation that the CBSA did not use a special law enforcement account, with which other users could opt out of sharing their genetic profile information, we found that the CBSA created the account before this policy came into effect in 2018.[Footnote 16] The CBSA’s account was still active when the policy came into effect, but FTDNA clarified to OPC that the policy only applies to accounts created by law enforcement that are associated with crime scene data, not to accounts created with biological samples provided by a DNA donor with their consent. We therefore found no indications that the CBSA contravened this policy,[Footnote 17] and find this aspect of the complaint to be not well-founded.
- Nevertheless, we note that the fact that the policy only applies to use by law enforcement without consent is not clear from FTDNA’s website, and the CBSA provided no indications that it checked the details of this requirement with FTDNA before choosing to continue to operate the account (and therefore be able to collect information on new genetic matches identified).
- We therefore recommended that the CBSA ensure that for any future collection of personal information it undertakes from a third party source, it actively monitor changing terms and conditions throughout the life cycle of any accounts it maintains, to ensure its collection remains compliant.
Incidental indirect collection of genetic profile information of hundreds of other individuals did not contravene the Act
- In addition to collecting information about the complainant, the CBSA also collected personal information of hundreds of other individuals (i.e. contact information and genetic relatedness to the complainant). This is an important aspect of biometric investigative tools in general – they generally cannot be used without incidentally collecting personal information of individuals who may well, as in this case, not be the ‘target’ of an institution’s activities. For genetic genealogy, the implications for other individuals are significantly elevated because of the ‘shared’ nature of personal information in a genetic context. While an individual’s genetic profile is intensely personal and unique, it also, by its nature, reveals potentially sensitive personal information about others and can therefore be considered partly ‘their’ personal information – as was the case here.
- As noted above, subsection 5(1) of the Act requires that, wherever possible, an institution “collect personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates except where the individual authorizes otherwise…” However, the Act specifies, in Section 3, that “administrative purpose, in relation to the use of personal information about an individual, means the use of that information in a decision-making process that directly affects that individual.” [emphasis added] Because the other FTDNA users were not directly affected by the CBSA’s decision-making process in this case, the requirements of subsection 5(1) do not apply with respect to these individuals despite the sensitivity of the personal information collected, and we find this aspect of the complaint to be not well-founded.
Issue 3: Incidental disclosures of the personal information contravened the limits set in Section 8 of the Act
- Section 8 requires that an institution only disclose an individual’s personal information with their consent under subsection 8(1) or without consent in accordance with one of the limited exceptions found under subsection 8(2). These include, under paragraph 8(2)(a), disclosures made for the purpose for which the information was collected or for a use consistent with that purpose.
- The complainant alleged that the CBSA caused his personal information to be shared widely because it made no attempt to limit its disclosure or use via the FTDNA platform. We concluded that the CBSA did contravene the disclosure provisions in Section 8 because of the following three issues:
- (a) The potential disclosure of the complainant’s personal information to other law enforcement bodies (for the purpose of matching with crime scene DNA), which is optional under FTDNA’s current Terms of Service.
- (b) The disclosure of ancillary personal information, specifically ethnicity, to genetic matches based on optional settings in the account.
- (c) The disclosure of the complainant’s identity to genetic matches as the CBSA used the complainant’s name (rather than a pseudonym) for sharing with genetic ‘matches’.
- With respect to issue (a), we confirmed that FTDNA updated its Terms of Service and implemented new law enforcement guidelines after CBSA originally created the account in question (see paragraph 45 above). This included a new option for users called “law enforcement matching” that permits users to choose whether DNA in their account will be ‘matched’ with DNA submitted by law enforcement agencies. Such a disclosure was not described to the complainant on the CBSA consent form, nor on the FTDNA release form.
- We understand that when FTDNA made this update, existing Canadian account holders were automatically ‘opted-in’ to matching with such law enforcement accounts, and would therefore have had to opt-out of this option. [Footnote 18] The CBSA indicated that it had no record of having made any selections with respect to this option. This is consistent with representations from the complainant who indicated that when they took over the account, the option of matching with law enforcement accounts was opted-in.
- We are concerned that the CBSA apparently did not monitor the account for updates to FTDNA policy during the multi-year period it kept the account open. Although we did not investigate to determine whether any occurred, allowing disclosures to law enforcement in relation to unidentified crime scene DNA is not, in our view, a use consistent with the purpose of determining the complainant’s country of origin, and is therefore not permitted under paragraph 8(2)(a) of the Act. It is our view that the CBSA did not take sufficient measures to monitor changes to terms of use and options available during the life of the account to ensure that unauthorized disclosures did not occur.
- Similarly, in relation to (b) above, the records submitted by the complainant indicate that another setting was opted into – “Origins Sharing.” It is our understanding that with these settings enabled the complainant’s matches (of which there were hundreds) received information related to his potential ethnicity. The CBSA submitted that it had no record of having opted-in to this setting, and we do not have evidence to suggest that the CBSA deliberately did so. However, similar to our position with respect to issue (a), the CBSA needed to take care to ensure that unauthorized disclosures did not occur because of the failure to opt-out of settings.
- With respect to (c), at issue is that the CBSA shared the complainant’s name with all FTDNA users ‘matched’ to the complainant, resulting in the disclosure of the complainant’s identity to hundreds of matches. The CBSA did not take advantage of FTDNA’s option to utilize a pseudonym, despite this being permitted by FTDNA’s policies. [Footnote 19] In this case, the FTDNA release form the complainant consented to did indicate that his name would be shared with his genetic matches. [Footnote 20] However, the CBSA did not inform him that this was something he could opt out of via the use of a pseudonym, so in our view the complainant did not provide valid consent for the disclosure of his identity to genetic matches as permitted under subsection 8(1) of the Act.
- The CBSA argued that they disclosed the complainant’s name to matches with the hope that individuals might proactively contact the CBSA email with information about the complainant, rather than the CBSA contacting the individuals. However, we did not find this a compelling argument that the disclosures could be permitted as a ‘consistent use’ under paragraph 8(2)(a) of the Act. The CBSA did not actually contact the vast majority of individuals who received the complainant’s personal information, and it did not attempt to obtain any information from these matches to determine the complainant’s country of origin. Therefore, we are of the view that the disclosure of the complainant’s identity (connected with his genetic profile) to other users in these cases was not done for the purpose for which the CBSA collected the personal information.
- In our view, the CBSA should therefore have taken available steps to minimize the incidental disclosure of the complainant’s personal information. Specifically: a) opting-out of sharing with law enforcement accounts, b) opting-out of sharing the complainant’s ethnicity with matches, and c) using a pseudonym for the account and disclosing the complainant’s identity to only those matches that it chose to contact to try to determine the complainant’s nationality. Because the CBSA did not take these available measures, the complainant’s personal information was disclosed without a clear purpose, and therefore we find that these incidental disclosures by the CBSA contravened section 8 of the Act and this aspect of the complaint is well-founded.
- We emphasize that these disclosure issues were exacerbated by the fact that the CBSA left the account to remain active indefinitely, despite its own moratorium, in 2018, on further use of genetic genealogy. Matches continued to be made until the complainant took control of the account in mid-2020 during the course of the investigation.
- We therefore recommended that, should the CBSA use third party services such as FTDNA in the future, it carefully consider secondary and ongoing disclosures. It should ensure it takes appropriate steps, such as: (i) reasonable contractual arrangements, (ii) activating and limiting account options only to what is required by the program, (iii) careful due diligence throughout the life cycle of any accounts, and (iv) clear and enforced guidance on timely account deletion, to control disclosures for secondary purposes and to secondary individuals or organizations.
- Finally, we note that the complainant also alleged in his complaint that CBSA disclosed his DNA sample to a second genetic genealogy company, Ancestry.com. With respect to this allegation, we confirmed with the CBSA that this did not occur. The CBSA only collected one sample of the complainant’s DNA and it submitted that sample to FTDNA.
Issue 4: The transparency obligations set out by Section 11 were not met
- The complainant alleged that the personal information bank (“PIB”) descriptions in InfoSource do not indicate that the CBSA may collect DNA information for removal purposes. After careful review detailed below, we determined that a contravention of section 11 of the Act occurred because the information in InfoSource did not adequately describe the personal information held by CBSA in this case. Specifically, while the descriptions explain that biometric information of individuals subject to removal orders could be collected, they did not describe the CBSA’s collection of the personal information of other FTDNA users, i.e. information about individuals not subject to removal orders.
- Section 11 of the Act requires the designated Minister (President of the Treasury Board, who is responsible for the Treasury Board Secretariat) to publish, at a minimum annually, an index of all personal information banks [Footnote 21] of government institutions, and all classes of personal information under the control of government institutions that are not contained in personal information banks. The index shall include, among other elements: (i) descriptions of the personal information banks and (ii) descriptions of the classes of individuals to whom the personal information relates. [Footnote 22]
- Although section 11 of the Act specifies that it is the designated Minister of TBS which is responsible for publishing the index (currently this is done via TBS’s InfoSource platform), in our view ensuring accurate and timely content to meet the requirements of section 11 is a shared responsibility with individual institutions. In order for the TBS to publish an accurate personal information index, government institutions need to provide it with complete information about their PIBs and the classes of personal information they collect both within PIBs and outside PIBs. [Footnote 23] [Footnote 24]
- No specific guidance is currently provided in the Act or elsewhere as to how explicit and detailed the descriptions in the personal information index should be. Although the Act does not explicitly describe the purpose of section 11, it is our view that when read harmoniously within the overall scheme of the statute, the purpose is to promote transparency and access by individuals to their personal information. Accordingly, we assessed whether the description of the personal information collected under CBSA’s Removals Program is sufficiently detailed and transparent such that individuals could consult the index and (i) meaningfully determine whether their personal information is held by the CBSA, and (ii) meaningfully determine the nature of that information, to facilitate transparency and access to their personal information.
- The level of detail needed in descriptions of personal information and classes of individuals published in the index to fulfil this function will be highly context specific. The description for CBSA’s PIB entitled “PPU 1301 – Removals Program” [Footnote 25] explains that personal information in this PIB, collected for the purpose of administering the CBSA’s removals program, can include “biometric information” of individuals subject to removal orders. It does not specifically mention biological samples or DNA.
- For the genetic information collected about the complainant, as an individual subject to a removal order, we determined that on balance, in these specific circumstances, the term “biometric information of individuals subject to removal orders” was adequately descriptive. First, individuals subject to removal orders are aware they fall into this class of individuals and therefore can reasonably understand that these potential collections relate to them. Second, the term biometric information is generally understood to include DNA and is a relatively specific term, relating to a category of sensitive information that has similar privacy implications due to its unique, intrinsic and immutable nature.
- However, the description of PPU 1301 does not describe that personal information, specifically genetic profiles, of potential ‘matches’ could be collected. These individuals are clearly a distinct class of individuals from individuals subject to removal orders. Subsection 11(1) of the Act therefore requires that this class of individuals be described either within a PIB description, under paragraph 11(1)(a)(i) of the Act, or in a separate description of the class outside the PIB, under paragraph 11(1)(b)(i) of the Act. [Footnote 26]
- We found no description in the personal information index, either within PPU 1301 or outside it, that describes the CBSA’s collection from genetic relatives of individuals subject to removal orders. As such, other FTDNA users whose information was collected by the CBSA under this program would not be able to tell from reviewing the index that the CBSA held their personal information, or what type of personal information about them it held. We note that this is significant given that genetic profile information is sensitive, and that the CBSA collected and retained control of personal information of hundreds of individuals in the complainant’s case alone. Accordingly, we are of the view that section 11 of the Act was contravened and the complaint is well-founded on this basis.
- We therefore recommended that should the CBSA use genetic genealogy services in the future, it work with the designated Minister of TBS to update the index content to appropriately describe the personal information collected for all classes of individuals affected.
Recommendations for improved governance in light of the contraventions and issues observed
- The complainant expressed concern that the CBSA had not conducted a Privacy Impact Assessment (“PIA”) prior to incorporating genetic genealogy into its programming. We share this concern. While not a requirement of the Act, TBS policy requires that all institutions complete a PIA for new or substantially modified programs and activities involving personal information. [Footnote 27] A key purpose of a PIA is to ensure that privacy risks and potential privacy contraventions with respect to collection, use, disclosure and transparency are identified and mitigated in advance.
- We note that CBSA did take the positive and important step of obtaining an internal legal opinion prior to proceeding. However, as evidenced by the concerns and contraventions described in the issue sections above, we determined the collection contravened the Act and not all the related issues were properly identified, assessed and mitigated through appropriate controls and transparency measures.
- Conducting assessments for compliance with the Act, in the form of PIAs or otherwise, is not an express requirement of the Act. However, similar to expectations stated by our Office previously, [Footnote 28] we would expect that an institutional program collecting biometric personal information that could present a high risk to individuals’ privacy would have in place robust structures, informed by appropriate expertise, to ensure compliance with the Act with respect to the biometric personal information it collects. This is particularly important when considering any novel collection of biometric personal information. At a minimum, in our view, this should include:
- Knowledge of obligations: Training programs to ensure all individuals who are empowered to make decisions about the collection and disclosure of biometric personal information understand the limitations under the Act in a nuanced and meaningful way.
- Awareness of novel collections: Systems and procedures to track and control potential and actual novel collection of biometric personal information.
- Processes to identify potential compliance issues: Procedures, including checkpoints within processes where novel collection and disclosure may become known, to alert decision-makers that an assessment to ensure compliance with the Act may be warranted.
- Processes to complete timely assessments where warranted: Systems, procedures, and training on roles and responsibilities to ensure that if a fulsome assessment for compliance (with collection, use, disclosure and transparency requirements of the Act) is warranted, that such assessments are completed in a timely way, before collection or disclosure begins.
- Effective controls on collection, use and disclosure: Effective controls to mitigate the risks of unauthorized collection, use or disclosure identified in assessments – including the development of specific procedures and training covering the full life cycle of the biometric personal information in question, accompanied by monitoring and follow-up.
- As noted above, the CBSA indicated that it placed a moratorium on the use of genetic genealogy in 2018. We therefore recommended (a) that the CBSA immediately ensure it closes any genetic genealogy accounts it controls that it may still have active, or informs the individual to which any account pertains that they may take control. [Footnote 29]
- However, we recognize that the CBSA has a continuing need to consider novel collection methods and sources of biometric personal information in support of its mandates. In this context, we also recommended (b) that within 12 months, the CBSA institute robust structures including training, systems and procedures, as outlined above, to assess and control novel collection and disclosure of biometric personal information for its programs that could collect or disclose biometric personal information that presents a high risk to individuals’ privacy. The goal of these structures should be to ensure that novel collections and disclosures of high risk personal information are assessed, before implementation, so that appropriate controls on collection, use and disclosure are put in place to mitigate risks of contraventions of the Act.
- Recommendations (a) and (b) above are in addition to the specific recommendations made in paragraphs 42, 47, 60, and 69 in Issue Sections 2, 3 and 4. For ease of reference, these are:
- (c) the CBSA should ensure that for any future collection it undertakes that relies on an individual’s authorization for indirect collection from a third party, the individual is provided access to relevant documentation from the third party;
- (d) the CBSA should ensure that for any future collection of personal information it undertakes from a third party source, it actively monitor changing terms and conditions throughout the life cycle of any accounts it maintains, to ensure its collection remains compliant;
- (e) the CBSA should ensure that for any future use of third party services such as FTDNA it carefully considers secondary and ongoing disclosures. It should ensure it takes appropriate steps, such as: (i) reasonable contractual arrangements, (ii) activating and limiting account options only to what is required by the program, (iii) careful due diligence throughout the life cycle of any accounts, and (iv) clear and enforced guidance on timely account deletion, to control disclosures for secondary purposes and to secondary individuals or organizations;
- (f) the CBSA should ensure that for any future use of genetic genealogy services, it works with the designated Minister to update the index content to appropriately account for personal information of all individuals that is collected, whether that be the content of the removals program PIB or class of information, whichever is more appropriate.
- With respect to recommendation (a), the CBSA took steps to close some but not all of the nine FTDNA accounts that it had opened, citing that four accounts were created by an employee no longer working for CBSA. In response we clarified for CBSA our expectation that it take all reasonable steps needed to ensure that all FTDNA accounts CBSA created were either closed, or that the individuals to which they pertain were informed they may take control of the accounts. We note that these unclosed accounts could continue to disclose the affected individuals’ personal information to other FTDNA users ‘matched’ to the affected individuals’ DNA, including to law enforcement for crime scene DNA matches without the individuals’ consent.
- Unfortunately, citing an inability to locate relevant account details, the CBSA has not closed two of the FTDNA accounts it created. It has also not indicated that it has informed the individuals to which the accounts pertain that they may take control of the accounts – the alternative included in our recommendation. Therefore, due to inadequate controls, CBSA is responsible for the ongoing disclosures of two individuals’ genetic profiles to new genetic ‘matches’ via FTDNA’s platform which serve no CBSA purpose. In our view this constitutes an ongoing and unresolved contravention of the disclosure provisions of the Act. We restate our recommendation to CBSA that it immediately ensure it closes any genetic genealogy accounts it controls that it still has active, or informs the individual to which any account pertains that they may take control of the accounts.
- Regarding recommendation (b), the CBSA has taken the positive step of establishing an “Office of Biometrics and Identity Management” (“OBIM”) that it describes as the intended “strategic leader” for biometrics within the CBSA. It has also taken the positive step of working to develop and implement a “Biometrics Information Privacy Framework.” This framework is intended to require program managers to consider and ensure compliance with privacy guidance and legislation early in a program’s lifecycle, and to ask questions related to privacy risks and mitigations on an ongoing basis. It is intended that the OBIM can flag and follow up on any program that is not in compliance with the Framework. Building on this positive foundation, the CBSA committed to implementing recommendation (b) within 12 months.
- Finally, the CBSA also accepted recommendations (c) – (f). As noted earlier in this report, the CBSA has ceased using genetic genealogy services of the type offered by FTDNA for its removals program, and it currently has no plans to do so again. However, it indicated that, should these activities resume, the CBSA will endeavor to ensure that these four recommendations are implemented.
Conclusion
- As described above, we ultimately determined that the collections in this case were compliant with section 4 of the Act because they directly related to an operating program or activity of the CBSA. However, we found that CBSA contravened section 5 of the Act by failing to obtain appropriate authorization from the complainant when it sought to collect his personal information indirectly from FTDNA. As elaborated earlier in this report, institutions must ensure an individual is adequately informed when they authorize indirect collection.
- Further, we found contraventions with respect to disclosures to other FTDNA users that CBSA did not take readily available steps to prevent.
- Finally, the CBSA contravened the transparency provisions of the Act because it failed to account for the collection of other FTDNA users’ genetic profile information in any of its published descriptions of PIBs or classes of information. It is important for institutions to consider their transparency obligation with respect to individuals whose personal information is indirectly or incidentally collected in their programming.
- As noted in the recommendations section of our report above, CBSA has not implemented or committed to implement all of our recommendations. We therefore find the complaint well-founded in part and conditionally resolved in part. We urge CBSA to commit to implementing all of our recommendations in light of the high sensitivity of biometric information generally and genetic information specifically.
- Additionally, there are important broader takeaways from what happened in this case, as well as questions raised which warrant further discussion. These fall under two overlapping themes: (i) considerations specific to the law enforcement use of third party commercial services, and (ii) considerations specific to law enforcement use of genetic genealogy and biometrics more generally.
Takeaways Related to Law Enforcement use of Third Party Commercial Services
- A first key takeaway is the complexities associated with law enforcement collection of personal information from third party commercial services. We have commented previously on some of the implications in our investigation of the RCMP’s use of Clearview AI. [Footnote 30] Commercial entities have commitments to the privacy of individuals whose information they collect. Law enforcement users of such services need to take steps to be, and remain, fully aware of these. For instance, in this case, FTDNA’s policies had certain requirements for consent of DNA donors for the handling of their personal information, and evolving commitments to its users on how it would share their personal information with law enforcement users of its services that had important implications for the CBSA’s use of FTDNA’s services.
- Second, when using a commercial service which is empowered to use or disclose personal information collected by law enforcement for secondary purposes, special care must be taken to control such uses and disclosures. It is possible that some services may simply be unsuitable for law enforcement use if it is not possible to avoid secondary uses or disclosures of information collected for law enforcement purposes. In other cases, special contractual clauses and careful account monitoring and management may be sufficient to adequately reduce the privacy risks. In this case, such measures could have reduced the severity of the impact of the contraventions – by avoiding the ongoing collection, retention and disclosure of personal information of the complainant and other FTDNA users via the account that the CBSA kept open for several years.
Takeaways Related to Law Enforcement use of Biometrics Including Genetic Genealogy
- A third key takeaway is that biometrics collection by law enforcement rarely implicates just one individual. [Footnote 31] Normally, the goal of biometrics collection is to compare one individual’s biometric information (face, fingerprints, DNA) against other sources of biometric information – in order to learn something new about the individual for law enforcement purposes. These sources can include personal information of many individuals innocent of any crime. The privacy impacts of any collection, use and disclosure of those other individuals’ biometric information must be properly assessed and addressed.
- For genetic genealogy the implications for other individuals are significantly elevated because of the ‘shared’ nature of personal information in a genetic context. While your genetic profile is intensely personal and unique, it also, by its nature, reveals potentially sensitive personal information about others and can therefore be considered partly ‘their’ personal information – as was the case here. Because of this, genetic genealogy never involves the collection of just one individual’s personal information. The privacy implications for all individuals whose genetic profile information may be collected, used or disclosed must be considered.
- Therefore it is critical, in any assessment of collection, use or disclosure of biometric information (including, but not limited to, genetic profiles), to consider the privacy implications of ‘both sides’ of the equation. That is, consider the privacy of both the individual (or individuals) the institution is seeking to learn more about, and the privacy of individuals in any source of potential matching biometric information. This dual reflection should permeate every step, from assessment of initial collection, to procedures for retention, use and disclosure, to transparency.
- Finally, we note that the special sensitivity of genetic information in a law enforcement context was recognized by law makers in 1997 when the DNA Identification Act came into force. The DNA Identification Act imposed specific limitations on both matching [Footnote 32] with the National DNA Data Bank and adding to the bank. At the time, commercial genetic genealogy services such as FTDNA did not exist, so the law provided relatively comprehensive regulation of the use of genetic information in a law enforcement context. This is no longer the case.
- We have already called on the government to have a public discussion regarding the risks and benefits of facial recognition technology and to consider implementing rules through legislation to govern its use. In a similar vein, we encourage the government to have a public discussion regarding the risk and benefits of novel types of DNA use, including genetic genealogy, in a law enforcement context.
Update
Prior to the conclusion of this investigation, the OPC recommended that the CBSA close all genetic genealogy accounts that it opened, or transfer control of them to the individuals to which they pertained. At the time that the OPC issued this Report of Findings, two accounts remained open. This is reflected in the Report. However, the CBSA has now confirmed that one of these accounts had never been activated and that the other is under the individual’s control. Therefore, we are satisfied that the conditions of this recommendation have now been met.