Erroneous quarantine notifications from ArriveCAN

Complaint under the Privacy Act

May 29, 2023

Update

In the course of the OPC’s investigation into the ArriveCAN application, the OPC recommended that the CBSA correct the inaccurate information in their database. The CBSA initially advised the OPC on February 21, 2023 that they would not correct the inaccurate information. The OPC’s Report of Findings was issued on that basis. On May 30, 2023, the date of tabling the Special Report to Parliament, the CBSA informed the OPC that it has corrected the inaccurate information in its database.

Description

Beginning June 28th, 2022, approximately 10,200 Apple device users received erroneous notifications from the ArriveCAN application, instructing them to quarantine under emergency measures imposed during the COVID-19 pandemic. These notifications were due to a defect in ArriveCAN version 3.0 not detected prior to release which generated inaccurate information about affected travellers’ quarantine exemption status. Due to the design of the system, the inaccuracies were not corrected by screening officers at the border. The defect was fixed three weeks later, and affected individuals were notified a week after that. We determined that the Canada Border Services Agency (CBSA) did not take all reasonable steps to ensure the accuracy of the personal information it used for an administrative purpose, as required by subsection 6(2) of the Privacy Act (the Act). Despite our recommendation to CBSA to do so, it refused to correct the inaccurate and sensitive information it still holds for the affected travellers concerning quarantine status.

Takeaways

The accuracy provision of the Act applies to information that institutions generate, produce or derive about an individual, including data produced through automated, algorithmic, actuarial or statistical processes.
A high degree of due diligence is required under subsection 6(2) of the Act to ensure the accuracy of personal information when administrative decision using that information may have important consequences for individuals.
To ensure the accuracy of information generated by automated processes, institutions are notably expected to implement, among other measures:
- Rigorous pre-release testing for issues that could lead to the highest negative impacts on individuals.
- Effective human intervention with respect to high impact decisions on individuals.
- Effective and timely correction and recourse for individuals.

Report of Findings

Overview

In the wake of the COVID-19 pandemic, 80 Emergency Orders issued by the Governor in Council pursuant to the Quarantine Act were in effect from February 3rd, 2020 to September 30th, 2022. The purpose of these Emergency Orders was to prevent the introduction and spread of COVID-19 in Canada, by subjecting travellers to certain requirements prior to and after entering Canada. To determine a given traveller’s applicable entry requirements and to ensure that these requirements were being respected, the Canada Border Services Agency (“CBSA”) and the Public Health Agency of Canada (“PHAC”) collected personal information from individuals entering Canada, primarily through the ArriveCAN mobile application and web application (“ArriveCAN”).

On June 28th, 2022, version 3.0 of ArriveCAN was released. An error in this version caused approximately 10,000 fully vaccinated Apple device users to receive erroneous messages to quarantine, despite respecting all the conditions of the quarantine exemption for fully vaccinated travellers. CBSA indicated that it identified the defect on July 14th, 2022 and resolved it on July 20th, 2022.

Given that the information and instructions generated by ArriveCAN were inaccurate for certain Apple device users, the complainant alleges that the CBSA had failed to take all reasonable steps to ensure that the personal information used to determine an individual’s quarantine requirements was as accurate as possible.

Ultimately, we found that the CBSA did not meet the requirements of the Privacy Act, as it did not take all reasonable steps to ensure the accuracy of the information that it used for an administrative decision-making process. Accordingly, our Office finds that the CBSA failed to respect its obligations under subsection 6(2) of the Privacy Act, and this complaint is therefore well-founded.

After the error was detected, CBSA introduced expanded testing for ArriveCan releases and indicated that it will continue to adopt more nimble testing procedures for situations like the pandemic where the speed of changing business requirements and releases results in compressed testing timelines. CBSA disagreed with our finding that it failed to take all reasonable steps to ensure accuracy. It also refused to implement our recommendation to correct the inaccurate and sensitive information it holds for the affected travellers concerning quarantine status. We call on CBSA to reconsider its refusal to correct the erroneous data generated by the ArriveCan error and to put in place all necessary measures should it decide to proceed with similar tools in the future.

Background

From February 3rd, 2020^{Footnote 1} to September 30th, 2022^{Footnote 2}, 80 emergency orders (“Emergency Orders” or “Orders”) were in effect pursuant to section 58 of the Quarantine Act. The Emergency Orders were issued by the Governor in Council, on the recommendation of the Minister of Health, and imposed conditions on individuals entering Canada in order to reduce the risk of importing and spreading the coronavirus disease 2019 (“COVID-19”).
The last Emergency Order^{Footnote 3}, which was issued on June 25th , 2022 and in effect during the events in question, notably required:
- all individuals to disclose information relating to their COVID-19 vaccination status^{Footnote 4} and other prescribed information through the ArriveCAN mobile application or web application (“ArriveCAN”)^{Footnote 5};
- individuals who were not fully vaccinated to submit themselves to pre-arrival^{Footnote 6}, on-arrival and post-arrival^{Footnote 7} COVID-19 testing, as well as a 14-day quarantine^{Footnote 8}; and
- individuals who were fully vaccinated to provide evidence of their COVID-19 vaccination (‘proof of vaccination credential’, ‘vaccination credential’, ‘proof of vaccination’). Individuals who qualified as fully vaccinated were exempt from the 14-day quarantine.
Based on the information they submitted, ArriveCAN would determine whether incoming travellers were exempt from the obligation to quarantine. This determination relied on information provided directly from users (e.g., date of birth), as well as information generated automatically by ArriveCAN (e.g., validity of the proof of vaccination credential^{Footnote 9}). If ArriveCAN: (i) determined that a traveller arriving by air was required to quarantine, or (ii) was unsure whether they were exempt (e.g, if the authenticity of the proof of vaccination credential could not be verified), then the traveller’s ArriveCAN submission would be reviewed by a CBSA officer upon their arrival at the port of entry (e.g. an international airport). At land ports of entry (e.g., highway crossing along the Canada-US border), all ArriveCAN submissions were reviewed by a CBSA officer.
ArriveCAN submissions were accessible to CBSA officers through the “Contact Trace Desktop App”, an information and case management system designed specifically for the administration of the Emergency Orders. After examining a traveller’s submission, the CBSA officer would make changes to the traveller’s file if warranted based on either their validation or rejection of the traveller’s supporting documents (e.g., proof of vaccination credential, attestation of medical exemption). Post -entry requirements would then be communicated to the traveller. For example, if a traveller was not fully vaccinated or if their vaccination credential was rejected, a CBSA officer would instruct the traveller to test and to quarantine.
On June 28th, 2022, version 3.0 of ArriveCAN was released. In this iteration of the application, travellers using the iOS version of ArriveCAN (i.e., the version of ArriveCAN for Apple mobile devices) who had saved their submission form after selecting the travellers for the trip and who later returned to the form to complete the submission would incorrectly have their “quarantine_exempted” value set as ‘false’ by ArriveCAN. We note that this value was determined by the ArriveCAN application and was thus not a data field submitted directly by the user.
When entering Canada and having their ArriveCAN submission reviewed by a CBSA officer, travellers affected by this error would nevertheless appear as fully vaccinated and exempt from the quarantine requirements in the Contact Trace Desktop App. This was due to the fact that the Contact Trace Desktop App did not use the “quarantine_exempted” value from ArriveCAN, and instead conducted its own assessment of the traveller’s post-entry requirements. Individuals affected by the error were therefore not instructed to quarantine by CBSA officers when crossing the border.
After entering into Canada, ArriveCAN would send automated notifications and emails to users whose “quarantine_exempted” value was set as false (i.e., all travellers affected by the error), instructing them to quarantine and to report on their health status, or else risk receiving fines of up to $5,000. Individuals who did not respond to these notifications could then receive compliance verification calls from PHAC representatives. These representatives would have believed that the affected individuals were required to quarantine, as the data transferred to PHAC included the erroneous “quarantine_exempted” value.
Ultimately, the CBSA indicated it identified this error on July 14th, 2022, and released an update for ArriveCAN by July 20th, 2022^{Footnote 10} which no longer contained the defect.
Accordingly, from June 28th to July 20th, 2022, approximately 10,200^{Footnote 11} Apple device users received erroneous quarantine instructions directly from ArriveCAN (via an application notification) and from an email generated by ArriveCAN.
The CBSA has stated that, since before the error in question^{Footnote 12}, fully vaccinated travellers who received erroneous notifications and who subsequently called the ArriveCAN or COVID-19 support lines for guidance were instructed to:
- not respond to the notifications;
- update ArriveCAN to the latest version; and
- answer the compliance verification call they would receive and explain their situation to the public health officer^{Footnote 13}.
PHAC advised impacted travellers by email on July 26th, 2022, and again on August 4th, 2022, to ignore the erroneous quarantine notifications they had received and confirmed that they were not actually required to quarantine.

Analysis

Issue: Did the CBSA take all reasonable steps to ensure that personal information used for an administrative decision was as accurate as possible?

The complainant has taken issue with the existence of the error caused by version 3.0 of ArriveCAN, and its significant impact on the rights of affected travellers, who were instructed to quarantine, prevented from filing any new ArriveCAN submissions^{Footnote 14} and who may have experienced heightened psychological stress from the ensuing confusion. The complainant states that the CBSA should have done more to prevent this situation from transpiring.
Subsection 6(2) of the Act requires government institutions to take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.
Section 3 of the Act defines:
- ‘personal information’ as information about an identifiable individual that is recorded in any form; and
- ‘administrative purpose’ as the use of personal information about an individual in a decision making process that directly affects that individual.
In Ewert v. Canada, 2018 SCC 30 (“Ewert”), the Supreme Court of Canada interpreted the accuracy requirement in subsection 24(1) of the Corrections and Conditional Release Act (S.C. 1992, c. 20) (CCRA), a provision nearly identical to subsection 6(2) of the Privacy Act^{Footnote 15}, as applying not only to information gathering and record keeping, but also to tools which analyze collected information and which produce new information^{Footnote 16}. Furthermore, Alberta’s Office of the Information and Privacy Commissioner recently applied Ewert to privacy legislation in Edmonton Police Service (Re), 2021 CanLII 13336 (AB OIPC) at paragraphs 39-40.
Similarly, within the context of the Privacy Act, we consider subsection 6(2) to not only apply to information collected from an individual, but to information generated by an institution about an individual as well. This includes data produced through automated, algorithmic, actuarial or statistical processes, such as ArriveCAN’s assessment of travellers’ quarantine exemption status.

Sub-issue I: Is the information in question ‘personal information used for an administrative purpose’?

The information identified as being erroneous was the “quarantine_exempted” data field in ArriveCAN, which was normally generated based on ArriveCAN’s assessment and calculation of other data fields^{Footnote 17}. For example, if: (i) the traveller’s proof of vaccination credential was found to be valid, (ii) the traveller benefitted from a medical exemption, or (iii) the traveller was a child accompanied by a fully vaccinated adult, then the “quarantine_exempted” value would be set to ‘true’, thereby indicating that the individual was exempt from the quarantine obligation. For individuals who were affected by the error, the “quarantine_exempted” data field was never properly calculated and was thus saved as its default value: ‘false’.
This data field constitutes personal information under the Act, as it relates to an identifiable individual and is recorded electronically within both ArriveCAN and the CBSA’s information management system. We consider each traveller to be an identifiable individual as they must provide their full name, date of birth, email, phone number, quarantine location address, travel information (e.g., flight number), travel document ID (e.g., passport number) and proof of vaccination credential as part of their ArriveCAN submission, all of which can be used to deduce the traveller’s identity.
CBSA asserted that it was collecting the information for PHAC’s administrative use rather than its own use. We do not dispute that PHAC ultimately used the information in question for administrative purposes as well (for follow-up enforcement communications), but information can be used by multiple departments for their respective administrative purposes. Further, in our view, the erroneous information was clearly used by CBSA for an administrative purpose (i.e. a decision-making process directly affecting the individuals). Specifically,the information was used by the ArriveCan application, under CBSA’s control, to “decide” to: (i) instruct the affected travellers to quarantine, via the notifications/emails the ArriveCan application automatically sent, and (ii) notify PHAC, for enforcement purposes, that the individuals were required to quarantine. These decisions, while unintended and at odds with decisions made by CBSA screening officers at the border, nonetheless directly affected the indviduals.
For these reasons, we find that the data field affected by the error constituted personal information used for an administrative purpose by the CBSA, and that it was thus subject to the accuracy requirements prescribed by subsection 6(2) of the Act.

Sub-issue II: Did the CBSA take all reasonable steps to ensure that the information was as accurate, up-to-date and complete as possible?

Given the Emergency Orders’ important consequences on the rights and mobility of incoming travellers, it is our view that a high degree of due diligence was required under subsection 6(2) of the Act to ensure the accuracy of the information that was contained in ArriveCAN and that was used in administrative decisions relating to the Orders.
There are a number of measures that have been prescribed by policy requirements or recommended as best practices in public guidance which are instructive in assessing what reasonable steps institutions are required to take to ensure the accuracy, currency and completeness of information generated by automated processes. These notably include:
1. passive oversight and monitoring of the system’s results, particularly to detect anomalous outcomes^{Footnote 18};
2. the possibility for human intervention^{Footnote 19};
3. opportunities for individuals to access the information used in decision making, and to contest/flag inaccurate information^{Footnote 20};
4. information/decision traceability, explainability and logging^{Footnote 21}; and
5. testing and independent review of the system prior to implementation^{Footnote 22}.
In their representations to our Office, the CBSA indicated that they took the following steps to ensure the accuracy of such information:
1. Individuals who were not definitively assessed by ArriveCAN as being exempt from the quarantine requirements were screened by a CBSA officer (i.e., a human intervener), who would review their ArriveCAN submission and verify whether the traveller was indeed required to quarantine;
2. The CBSA performed over 1,800 test cases for the version of ArriveCAN containing the defect (i.e., ArriveCAN v3.0, released on June 28th) prior to the version’s release, in addition to over 2,700 regression test cases^{Footnote 23};
3. Fully vaccinated travellers who received erroneous notifications from ArriveCAN and who called the ArriveCAN or COVID-19 support lines for guidance were instructed to not respond to the notifications, to update ArriveCAN to its latest version and to explain their situation during compliance verification calls they would receive;
4. The CBSA had resolved the error by July 20th, 6 days after the date it indicated it discovered the error on July 14th, 2022; and
5. After resolving the error, emails were sent out to affected travellers on July 26th, 2022 and on August 4th, 2022, advising them that they were not required to quarantine and that they had been receiving notifications in error.
Notwithstanding the above, we find that the CBSA did not take the following reasonable steps, to ensure the accuracy of the information used by CBSA, via ArriveCAN, to make decisions affecting the individuals in question. Specifically these measures relate to: (i) rigorous pre-release testing for issues that could lead to the highest negative impacts on individual users; (ii) effective human intervention with respect to high impact decisions on individuals and (iii) effective and timely correction and recourse for individuals.

Rigorous pre-release testing for issues that could lead to the highest negative impacts on individual users

CBSA argued that “it is unfortunately not possible nor industry standard to identify all possible errors in advance of a release. Reasonableness cannot be equated to perfection.“ We agree. However, CBSA did not demonstrate that the conditions which triggered the error (i.e. using an apple device to return to complete a saved form after previously selecting the trip’s travellers) were an unusual or unforeseeable edge case.
We would expect an institution making use of automated decision-making systems, even ones designed only to ‘assist’ human decision makers, would identify the types of erroneous outcomes that could cause the highest negative impact on affected individuals, and ensure rigorous testing for errors that could lead to those adverse outcomes.
CBSA also argued that the context of emergency response in which ArriveCAN app was developed and evolved over time should be acknowledged. Following its initial release, the CBSA indicated that it developed 177 subsequent ArriveCAN releases across three platforms over 2 ½ years as a result of constantly changing requirements under Emergency Orders issued under the Quarantine Act on a 30 or 60 day renewal cycle. CBSA indicated that it uses industry best practices with regards to system and application testing in its maintenance of over 180 IT systems, and that this testing regime includes extensive regression testing, automated testing so that more time can be dedicated to testing new features, and pair testing. However, it also stated that the need to respond to changing requirements above “forced compromises to established best practices under normal IT working conditions.”
We appreciate that the onset of the COVID-19 pandemic resulted in exceptional work conditions on many fronts. However, the incident in question occurred well after the onset of the pandemic and more than two years after the launch of ArriveCan. While during the initial phase of a crisis, certain latitude might be reasonable, two years in, we would expect an institution operating a system relying on a software application to allocate adequate time and resources to test for high impact errors prior to release. CBSA did not indicate that any particular and pressing change requirement stemming from a recently issued Emergency Order led to the error in question. Further, the error did not appear to have occurred due to any change to vaccination requirements during the time period when version 3.0 was released.
Further, the risk that travellers could be erroneously notified through ArriveCan of a requirement to quarantine despite being fully vaccinated appears to have been a risk that CBSA had turned their minds to well before the release of version 3.0 of ArriveCan on June 28, 2022. Since at least April 27, 2022, on the “contact us” page that individuals receiving quarantine notifications were directed to in case of issues, CBSA included a form for users to complete if they were “experiencing technical or account and password issues with ArriveCAN [or] receiving notifications from ArriveCAN to quarantine or report symptoms even though you qualified as fully vaccinated at the border.” [emphasis added]
In this context we remain of the view that CBSA did not take all the reasonable steps with respect to pre-release testing to prevent inaccurate personal information being used in decision-making affecting individuals.
In response to the error, the CBSA expanded its ArriveCan testing to include:
- an additional 100 regression test cases to detect issues with the ‘save’ feature of the ArriveCAN form;
- automated regression test capability (i.e., executing regression tests automatically, using automation frameworks and software platforms with minimal human input);
- scheduling and performing ad hoc test cases during each release (i.e., testing the live version of ArriveCAN post-release); and
- increasing the number of tester resources.
CBSA also indicated that it will continue to adopt more nimble testing procedures for exceptional circumstances like a pandemic where the speed of changing business requirements and releases result in compressed testing timelines.

Effective human intervention with respect to high impact decisions on individuals

We would expect that where a system relies on human-decision makers to make the final decisions on impactful ‘adverse’ decisions, that clear ‘positive action’ by an identifiable human decision-maker should be required to initiate any impacts flowing from that decision. In other words:
1. the human decision-maker should take some positive action (selecting a digital option, signing a form, etc.) to clearly indicate what their decision is;
2. this should be accompanied by a record of what information the human decision maker relied on; and
3. that ‘positive action’ should be the trigger to initiate any results flowing from the adverse decision. i.e. the system should be designed so the suggested decision by the automated system cannot trigger any adverse action ‘by default’.
In this respect it is important to note that at the time of the incident the suite of tools and processes used to enforce the Emergency Orders, which included ArriveCan, was designed to include human decision-making in any case where an individual was required to quarantine. This was an important positive design feature. Having a human in the loop for critical and impactful decisions – such as validating whether an individual has been correctly identified as needing to quarantine – can significantly reduce the risks associated with automated decision-making, including the risk that inaccuracies in personal information introduced via software errors are not caught and corrected.
This was highlighted in the Algorithmic Impact Assessment (AIA)^{Footnote 24} completed for ArriveCan in October of 2021 by PHAC which noted that “While decisions concerning eligibility to enter Canada and post-border public health requirements may be impactful, the impacts of ArriveCAN outputs aren't necessarily significant and can be considered reversible. For example, if ArriveCAN is unable to recognize a traveller's proof of vaccination, a border services officer will manually inspect the proof of vaccination and determine eligibility and post-border requirements accordingly. In this scenario, the impact of the platform's outputs is both reversible and brief in duration.” This contributed to the AIA’s conclusion that the impact of the automated decision-making in that case was only level 2 on a scale of 1 to 4.
However, in this case, several design choices meant that in the case of individuals affected by this error, the final decision (i.e. the one communicated to individuals and PHAC for follow-up enforcement) was not made by the CBSA screening officer. Specifically:
1. First, while the ArriveCan application was used to direct individuals to a CBSA screening officer and subsequently to send quarantine notifications, the CBSA Officer reviewed travellers information (uploaded from ArriveCan) in a separate application: the ContactTrace Desktop application. This application did not display the field containing ArriveCan’s erroneous conclusion that the affected travellers needed to quarantine.
2. Second, and most critically, the information in the “quarantine exempt” field in ArriveCan (used to generate the erroneous quarantine notifications) was only updated in cases where the CBSA screening officer changed something visible to them in the ContactTrace application. This did not occur for affected travellers in this incident as the CBSA screening officers in question were unaware anything needed changing.
In our view, and particularly in light of the fact that CBSA had contemplated the risk of erroneous quarantine decisions being communicated by ArriveCan to individuals (see paragraph 29), CBSA did not take adequate steps to ensure the effectiveness of human intervention to confirm that these impactful decisions were made on the basis of accurate information. It should have ensured that the adverse decisions ‘actioned’ by ArriveCan (when it sent quarantine notifications to individuals and informed PHAC) were, verifiably, the decision of the human decision maker in all cases.

Effective and timely correction and recourse for individuals

We would expect that an institution relying on automated communications to convey impactful decisions with a potential immediate and prolonged prejudicial effect would have in place robust mechanisms to: (i) monitor for potential errors, (ii) enable individuals to raise accuracy concerns and (iii) correct errors in a timely manner.
It is a positive remedial step that the erroneous notifications redirected individuals to an ArriveCan “contact us” page that included a range of contact options for individuals, including a 24/7 Service Canada phone line and a specific form to complete if individuals felt that they had been wrongly notified to quarantine despite being fully vaccinated. CBSA indicated that it was via these mechanisms that it ultimately detected and subsequently corrected the software error, and sent an email to all affected individuals on July 26.
However, despite these mechanisms being in place, according to CBSA it took more than two weeks to detect the error and more than three weeks to stop the error from affecting decision-making about new travellers. CBSA indicated that since May 2022 (i.e. well in advance of this incident), travellers who reached an agent through the phone lines above and complained that they had received an erroneous quarantine notification from ArriveCan despite being fully vaccinated, were instructed to ignore the notifications and explain their situation to the PHAC enforcement officer when the officer called. However, it took nearly a month until a correction was sent to all affected individuals. Further, CBSA has still not corrected the erroneous information in its own data holdings.
We acknowledge that the volume of travellers processed on any given day, and therefore the volume of individuals raising issues with ArriveCan through these mechanisms before and during the incident, was likely very high. CBSA also noted, and we accept, that as the error affected only 0.5% of all submissions received during the affected period, and given the shifting travel patterns at the time, passive monitoring of submissions would have been unlikely to detect the error in question. However, in our view, a significant (and presumably elevated) number of individuals complaining that ArriveCan had told them to quarantine despite them being fully vaccinated should have raised flags and been resolved in a matter of days not weeks given the high adverse impact on affected individuals. Further, we emphasize that this incident happened more than two years after the beginning of the pandemic and the introduction of ArriveCan, and we would therefore expect a commensurate level of resourcing and maturation of incident response mechanisms.
We therefore conclude that CBSA did not take all the reasonable steps to ensure that concerns raised by affected individuals about inaccurate information being used to make decisions, were actioned and corrected in timely way – commensurate to the adverse impact on already affected individuals and individuals who could become affected.
In conclusion, we find that the three issues identified above, individually and collectively, constitute a failure by CBSA to take all reasonable steps to ensure the accuracy of the information that it used in an administrative decision, and thereby contravene subsection 6(2) of the Act. We therefore find the complaint well-founded.

Recommendation

To address this contravention of the Act, we recommended that within six months of the issuances of this report, CBSA update inaccurate information (i.e., the “quarantine_exempted” value) generated by the error for all individuals.
CBSA disagreed with our finding that it did not take all reasonable steps to ensure the accuracy of the information that it used in an administrative decision, as required by subsection 6(2) of the Act. Further, it informed our office of its refusal to implement the above recommendation, stating that the objective of correcting the erroneous information was not clear. Specifically, it noted that:
1. the COVID-19 border measures had ended on October 1st, 2022;
2. the information was no longer being used by the CBSA for any administrative purpose;
3. the data would be automatically disposed of after the two-year retention period; and
4. all affected individuals had already been notified of the error in July of 2022.
While we acknowledge that the CBSA does not intend to use the information in question, we would expect an institution to correct erroneous information that it holds, especially sensitive information with past and potential adverse impacts. Further, while left uncorrected, there is a risk that this erroneous information could be relied upon by PHAC and/or other government entities (if access were to be authorized), to inform trend analyses and future compliance and enforcement activities, such as the issuance of fines and the prosecution of offences under the Quarantine Act. In light of these circumstances, we urge the CBSA to collaborate with PHAC, and with any other external party to whom the ArriveCAN data was disclosed, to correct the erroneous information within six months.

Conclusion

We found that CBSA did not take all reasonable steps to ensure the accuracy of the information that it used in an administrative decision, as required by the accuracy provisions of subsection 6(2) of the Act.
After the error was detected, CBSA took certain positive remedial steps, including: (i) introducing expanded testing for ArriveCan releases and (ii) indicating that it will continue to adopt more nimble testing procedures for situations like the pandemic.
CBSA disagreed with our finding that it failed to take all reasonable steps to ensure accuracy. It also did not agree to implement our recommendation to correct the inaccurate information it holds for the affected travellers. We therefore find the complaint well-founded and not resolved.
We call on CBSA to reconsider its refusal to correct the erroneous data generated by the ArriveCan error and to put in place all necessary measures should it decide to proceed with similar tools in the future.

Footnotes

Footnote 1

Minimizing the Risk of Exposure to 2019-nCoV Acute Respiratory Disease in Canada Order, PC Number 2020-0059, issued February 3rd, 2020.

Return to footnote 1

Footnote 2

Government of Canada to remove COVID-19 border and travel measures effective October 1, News release from Public Health Agency of Canada, issued September 26th, 2022.

Return to footnote 2

Footnote 3

Minimizing the Risk of Exposure to COVID-19 in Canada Order, PC Number 2022-0836, issued June 25th, 2022.

Return to footnote 3

Footnote 4

Id., paragraph 20(2)(a).

Return to footnote 4

Footnote 5

Id., subsections 19(4) and 20(8), and section 23. Note: ‘electronic means specified by the Minister of Health’ refers to ArriveCAN.

Return to footnote 5

Footnote 6

Id., sections 11 to 13.

Return to footnote 6

Footnote 7

Id., section 15.

Return to footnote 7

Footnote 8

Id., sections 22 and 23.

Return to footnote 8

Footnote 9

Note: For each proof of vaccination credential, an “ocr_result” would be produced based on the results of an optical character recognition scan for a fixed set of criteria (e.g., traveller’s name, the name of an approved vaccine, etc.). For credentials with a quick response (“QR”) code, a “qr_result” would also be generated based on ArriveCAN’s ability to decrypt and validate the credential’s ‘payload’ using the credential issuer’s public key. These steps served to validate, to varying degrees of certainty, the authenticity of the vaccination credentials.

Return to footnote 9

Footnote 10

Note: Prior to July 20th, the Vancouver Sun news outlet reported on the glitch. A number of other news reports were then released after the error had been resolved.

Return to footnote 10

Footnote 11

For context, the CBSA noted that nearly 47 million travellers submitted their personal information in ArriveCAN from April of 2020 to September of 2022 to determine their quarantine requirements without incident.

Return to footnote 11

Footnote 12

Version 3.0 of ArriveCAN was released on June 28th, 2022. Despite the CBSA only identifying the error on July 14th, 2022, ArriveCAN support staff had been providing the instructions listed in paragraph 10 since as early as May of 2022 to respond to user generated errors.

Return to footnote 12

Footnote 13

Note: In a news article published on July 22nd, 2022, travellers affected by the error claimed that a PHAC enforcement officer had confirmed by phone that they were required to quarantine, despite being fully vaccinated. Our Office did not confirm the veracity of this account.

Return to footnote 13

Footnote 14

Note: During the period ArriveCAN believed an individual was required to quarantine, that individual was unable to file a new ArriveCAN submission, which was mandatory for those entering into Canada. One news outlet reported on an individual residing in a border community who traveled frequently to and from Canada, and who was affected by the error. Given that the failure to make an ArriveCAN submission prior to arriving at the border would result in a $5,000 fine and that the error prevented affected travellers from creating new submissions, this individual chose to forgo their regular travel across the border.

Return to footnote 14

Footnote 15

Corrections and Conditional Release Act, S.C. 1992, c. 20, subsection 24(1): “The Service shall take all reasonable steps to ensure that any information about an offender that it uses is as accurate, up to date and complete as possible.” For comparison, see Privacy Act, R.S.C. 1985, c. P-21, subsection 6(2): “A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.”

Return to footnote 15

Footnote 16

Ewert v. Canada, 2018 SCC 30, paragraph 42 and paragraph 45.

Return to footnote 16

Footnote 17

Note: These ‘other data fields’ were the “proof_of_vaccine_final_decision”, “medical_exempt_final_decision” and “child_with_fully_vaccinated_adult” data fields.

Return to footnote 17

Footnote 18

Directive on Automated Decision Making, Treasury Board of Canada Secretariat – Policies, directives, standards and guidelines, last modified June 28th , 2021, section 6.3.2 ; Directive on Service and Digital, Treasury Board of Canada Secretariat – Policies, directives, standards and guidelines, last modified May 6th, 2022, section 4.2.1.5; Artificial Intelligence Risk Management Framework (AI RMF 1.0), Elham Tabassi for the National Institute of Standards and Technology – U.S. Department of Commerce, NIST AI 100-1, published January 26th, 2023, MEASURE 1.1, MEASURE 2.4, MEASURE 3.1, MEASURE 4.1, MEASURE 4.2, MANAGE 2.3 and MANAGE 4.1.

Return to footnote 18

Footnote 19

Directive on Automated Decision Making, supra footnote 20, sections 6.3.3, 6.3.5, 6.3.6, and 6.3.9; Directive on Privacy Practices, Treasury Board of Canada Secretariat – Policies, directives, standards and guidelines, last modified June 18th, 2020, section 4.2.16.2; AI RMF 1.0, supra footnote 18, GOVERN 6.2, MAP 3.5, MANAGE 2.4 and MANAGE 4.1; Recommendation of the Council on Artificial Intelligence (“OECD AI”), Organisation for Economic Co-operation and Development, OECD/LEGAL/0449, adopted on May 21st, 2019, Principle 1.2.b).

Return to footnote 19

Footnote 20

Privacy Act, R.S.C. 1985, c. P-21, section 12; Directive on Automated Decision Making, supra footnote 18, sections 6.3.6 and 6.4.1; Directive on Privacy Practices, supra footnote 19, sections 4.2.10.5 and 4.2.19; Directive on Service and Digital, supra footnote 18, sections 4.2.1.1 and 4.2.1.2; AI RMF 1.0, supra footnote 18, GOVERN 2.1, MEASURE 3.3, MANAGE 4.1, MANAGE 4.2 and MANAGE 4.3; OECD AI, supra footnote 19, Principle 1.3.iv.

Return to footnote 20

Footnote 21

Privacy Regulations, SOR/83-508, section 4; Directive on Automated Decision Making, supra footnote 18, sections 6.2.3 and 6.2.8; Directive on Privacy Practices, supra footnote 19, section 4.2.17; Directive on Service and Digital, supra footnote 18, section 4.3.1.12; AI RMF 1.0, supra footnote 18, MEASURE 2.9, MEASURE 2.13, MEASURE 3.1 and MANAGE 4.1; OECD AI, supra footnote 19, Principles 1.3.iii. and 1.4.b).

Return to footnote 21

Footnote 22

Directive on Automated Decision Making, supra footnote 18, sections 6.3.1 and 6.3.4; AI RMF 1.0, supra footnote 18, GOVERN 4.3, MEASURE 2.3 and MEASURE 2.5; OECD AI, supra footnote 19, Principle 1.4.a).

Return to footnote 22

Footnote 23

Regression testing re-executes completed tests to ensure existing functionalities are not affected by new changes.

Return to footnote 23

Footnote 24

AIA is a mandatory risk assessment tool required by TBS’s Directive on Automated Decision-Making, prior to the production of any Automated Decision System by federal government institutions.

Return to footnote 24

Date modified:: 2023-05-31

Language selection

Search and menus

Search