Investigation into a privacy breach at Immigration, Refugees and Citizenship Canada

Complaint under the Privacy Act

January 24, 2024

Overview

Under the Temporary Resident to Permanent Resident Pathway^{Footnote 1} (“TRPRP”) public policy, IRCC was notifying eligible individuals of a special measure to allow them to remain in Canada on a work permit while the department finalized their permanent resident application. These individuals held open work permits valid until December 31, 2022, and IRCC was notifying them to advise that the conditions on their work permit would be extended to allow them to work until December 31, 2024, while their application for permanent residency was being finalized by the department.

The data required to contact these individuals was organized in an Excel spreadsheet. In processing the data, IRCC inadvertently failed to apply a filter to all the data columns in the spreadsheet, which resulted in individuals’ email addresses being misaligned from the rest of their data. Consequently, when IRCC began to notify eligible individuals of the special measure by email, the notification was sent to the wrong email address [i.e., an individual’s personal information was disclosed to another (single) individual in electronic form].

IRCC was notified of the error by several email recipients, and immediately halted all notifications. IRCC took steps to identify and notify the 497 individuals who were impacted by the breach. The scope of the disclosures included:

the individual’s name;
mailing address;
email address;
application number; and
Unique Client Identifier (“UCI”)^{Footnote 2}.

The context of the email notification (that these individuals held open work permits and had applied for permanent residence) was also disclosed.

The matter was subsequently raised in the media^{Footnote 3} and the OPC received a complaint (from an individual not directly affected by the breach). The complainant raised concerns that sensitive personal data was released as a result of this breach, putting the privacy of these individuals at risk.

In this case, as IRCC acknowledged that the disclosures were done erroneously and without an appropriate purpose, the disclosure provisions of section 8 of the Privacy Act (the “Act”) were contravened. We examined the adequacy of IRCC’s measures to:

prevent disclosures of this nature,
mitigate the potential damage of the incident on affected individuals, and
reduce the risk of a recurrence in the future.

While we accept that human error was a factor in this case, we found that IRCC had insufficient administrative and procedural controls in place to mitigate the risk of error in the circumstances (i.e., when processing personal information for the notification to eligible individuals), including no oversight or compliance monitoring procedures to ensure the necessary due diligence in protecting individuals’ personal information.

With respect to mitigation of the impact on affected individuals, we found that IRCC took important mitigation steps, including notifying affected individuals and requesting that the email received in error be deleted. We also examined IRCC’s assessment of the breach and accept that, in these particular circumstances, it did not constitute a material breach, given the low risk of harm to the individuals impacted. However, we highlighted to IRCC that contextual factors may inform the sensitivity of information that is breached, and under other circumstances, a similar breach may present a real risk of significant harm^{Footnote 4} to individuals, particularly, given IRCC’s mandate and the high volume of sensitive personal information it processes. This underscores the importance of ensuring that adequate safeguards are in place to protect personal information and to mitigate the risk of unauthorized disclosure.

Following the breach, IRCC indicated that the employee is now verifying their work to reduce the risk of recurrence of a similar incident. Indeed, the notification to affected individuals following the breach was independently reviewed by two separate individuals before the mailout. However, in our view, the implementation of additional procedural measures was necessary to further reduce the risk of inappropriate disclosures, and effectively, for IRCC to remain accountable for the personal information that it collects, uses and discloses. As we underscored to IRCC following a breach investigation in 2022^{Footnote 5}, IRCC must:

have robust protections and procedures in place as part of its security architecture to ensure that a human error does not automatically result in a breach, and
continuously assess its prevention mechanisms to mitigate the risk of an accidental disclosure.

We therefore recommended that IRCC review its internal processes and safeguards to identify weak points or gaps in practices and take steps to implement measures to mitigate the risk of future accidental disclosures of this nature by ensuring that the appropriate controls are in place. Recommended measures included:

the development of a standard operating procedure or step-by-step job aid for employees responsible for these tasks, including necessary training and the requirement to double-check one’s work;
implementing oversight measures (such as the integration of a “two pairs of eyes” rule); and
regular compliance monitoring to ensure the necessary due diligence in protecting individuals’ personal information.

IRCC accepted our recommendations and shared with our Office the additional measures it is undertaking to prevent the occurrence of similar privacy breaches. These measures include updates to the operating procedures to include the addition of an oversight step which will require the cross-referencing of data in Excel spreadsheets against the system data to ensure that filters are appropriately applied. Further, IRCC reported that it has integrated data quality assurance checks into its process before initiating a mass mailout process to promote compliance with procedures and to minimize the risk of human error.

Background

Under the TRPRP public policy, IRCC was notifying eligible individuals of a special measure to allow them to remain in Canada on a work permit while the department finalized their permanent resident application. These individuals held open work permits valid until December 31, 2022, and IRCC was contacting them to advise that the conditions on their work permit would be varied to allow them to work until December 31, 2024.
IRCC’s Immigration Program Guidance Branch (“IPG”) was the lead to notify eligible individuals of the special measure and provided the operational data to IRCC’s Centralized Network^{Footnote 6} (the “processing centre”) for processing. The operational data was provided by IPG in an Excel spreadsheet according to departmental procedure.
According to IRCC, in certain cases, the processing centre may determine that it is necessary to filter^{Footnote 7} the data to ensure that public policy requirements^Footnote 8 are met. This requirement is assessed on a case-by-case basis depending on the initiative. In this case, the data had to be verified to ensure that the individuals on the list were eligible for the extension of their work permit.

How the breach occurred

On August 3, 2022, an employee in the processing centre determined that it was necessary to filter the data by passport validity (i.e., to ensure that an individual’s passport was still valid) in order to meet public policy requirements and eligibility for the special measure.^{Footnote 9} This required the employee to manually apply a filter to each column of data in the Excel spreadsheet.
According to IRCC, there were 12 columns in the spreadsheet that required the filter – these 12 columns contained the data necessary to contact eligible individuals about the special measure.^{Footnote 10} However, the employee inadvertently only applied the filter to 11 of the 12 columns and failed to apply the filter to the email address column. As a result, when the employee sorted^{Footnote 11} the data, this column did not sort accordingly, which resulted in the individual’s email address being misaligned from the rest of their data in the spreadsheet.
The employee in question relied on the sorted data in the Excel spreadsheet and proceeded with the notification phase of the initiative. However, given that the email address column did not align with the correct individual’s data in the spreadsheet, each notification was inadvertently sent to the wrong email address (i.e., an email did not go to multiple email addresses, it was just sent to one email address in error).
IRCC confirmed that a total of 497 emails were sent to wrong email addresses before IRCC learned of the breach and halted the notifications. The emails in question each contained an attached letter personalized for the intended email recipient with details regarding the special measure (i.e., extension of their work permit), the eligibility criteria, and the opt-out instructions. The following elements of personal information were disclosed as a result of the breach:
1. email address,
2. individual’s first and last name,
3. individual’s mailing address,
4. application number, and
5. UCI.
IRCC learned of the breach after being contacted by several individuals who had received the email in error (i.e., the email contained a letter with another individual’s personal information).

Complaint

Concerns regarding this IRCC breach were reported to our Office by an individual who was not directly affected by the breach. The complainant referenced a CIC News article which provided certain details regarding the breach, and raised concerns that sending emails containing sensitive private information to the wrong email addresses puts the privacy of these individuals at risk. The complainant further submitted that this breach “signifies the severe lack of measures to guard the privacy of those involved in Canada’s immigration system”.
The CIC News article also reported that individuals in the Post Graduate Work Permit (“PGWP”) Program were impacted by the breach; however, IRCC confirmed that only individuals determined to be eligible under the TRPRP were affected in this case.

Scope

Our investigation focused on:
1. IRCC’s measures to prevent unauthorized disclosures of personal information of this nature;
2. the adequacy of IRCC’s measures to mitigate the impact of the breach on affected individuals; and
3. IRCC’s actions to reduce the risk of recurrence in the future.

Analysis

Issue 1: The disclosures were not for a permissible purpose and therefore contravened section 8 of the Act

Given that IRCC inadvertently sent 497 individual emails to the wrong email addresses, the recipients of those emails received the personal information of another individual. This represented a disclosure of an individual’s personal information to another individual, including the context of the email (i.e., that the individual was the holder of an open work permit and that they had applied for permanent residence).
Subsection 8(1) of the Act states that personal information can only be disclosed with an individual’s consent or in accordance with the provisions of subsection 8(2) of the Act, which permits disclosures without consent for a range of specified purposes. As none of the circumstances in subsection 8(2) would apply to accidental disclosures to unintended recipients, we determined that IRCC disclosed personal information in contravention of section 8 of the Act, and the complaint is therefore well-founded.

Issue 2: IRCC’s measures in place to prevent the breach were insufficient

The Act is silent about what measures institutions should take to prevent unauthorized disclosures of personal information under section 8. We take the view that an institution has an obligation to take reasonable measures which are appropriate to the sensitivity of the information and the likelihood of misuse (if a disclosure did occur). This expectation is aligned with the guiding principles found in TBS’s Framework for the Management of Risks which assesses and identifies the risk impacts to an institution through a privacy lens, and other privacy breach management tools created to assist in evaluating the impact of a breach, including the ATIP Privacy Breach Risk Impact Instrument.^{Footnote 12}
We therefore examined the measures that IRCC had in place for ensuring the protection of personal information when processing the information necessary for the extension of work permits under the TRPRP. While IRCC submitted that it was an unintentional human error that resulted in the breach, we found that it was not caused by human error in isolation. We found that IRCC did not have adequate administrative controls and procedures in place to reduce the risk of accidental disclosures in the circumstances (i.e., when processing personal information in Excel for the mass mailout).
Any process used to support a mass mailout must be accompanied by procedures and checks to promote compliance with those procedures to minimize the risk of human error. While IRCC reported that the normal process was followed in this case (i.e., the operational data was provided in an Excel spreadsheet), it confirmed that the process of applying filters to each column was not a regular procedure and there were no specific written instructions. Consequently, there were no safeguards in place that would have enabled the employee to check each step in the process, nor was there an oversight process to ensure that the information was verified before proceeding to use it for the mailout.
IRCC confirmed that the employee tasked to review and prepare the data for processing determined that it was necessary to manually filter the data to ensure that the individuals were eligible for the special measure. According to IRCC, there is no automated or other procedure that would normally be followed to validate the data. In this case, the error occurred because the employee failed to manually apply a filter to the “email address” column in the Excel spreadsheet.
IRCC submitted that the employee in question was experienced and knowledgeable regarding the public policy requirements for the TRPRP. Further, the employee was experienced in using Excel, and had performed this type of filtering in the past. IRCC reported that this type of error hadn’t happened to the employee before, so a reminder to “check that all filters are on” didn’t seem necessary. There were no other safeguards (e.g., checklists) or Standard Operating Procedures available that would have enabled the employee to check each step in the process. The employee proceeded with the exercise assuming that everything was done correctly. IRCC also noted that there was a deadline for the exercise, as such, the employee did not have time to complete a verification of the outlay of the spreadsheet before the information was used for the mailout.
IRCC submitted that training in Excel is not required for the employee’s daily tasks, and no such training has been taken by the employee. Indeed, IRCC reported that the employee was the most versed and experienced in performing the task and was experienced in using the filtering and sorting tools in Excel.
According to IRCC, there was no impact to a client’s ability to continue working (i.e., a client’s status was not affected, and they could continue to work in Canada according to the conditions of their work permit, and for those eligible, with an extension on their work permit). Nevertheless, when personal information is disclosed in error, even if only to one individual, there is a risk for misuse, as the motivations of the recipients of the information cannot be determined.
IRCC indicated that, following the breach, any lists of personal information will be verified by more than one person to minimize human error. In fact, prior to sending the apology emails to the affected individuals, IRCC confirmed that the information was reviewed independently by two different employees to ensure accuracy.
In light of the above, we recommended that IRCC implement additional measures to mitigate the risk of future accidental disclosures of this nature by ensuring that the appropriate controls are in place. At a minimum, these measures should include:
1. a review of internal processes and safeguards to identify weak points or gaps in practices;
2. the development of a standard operating procedure or step-by-step job aid for employees responsible for these tasks (including necessary training and the requirement to double check/verify one’s work);
3. implementing oversight measures (such as the integration of a “two pairs of eyes” rule); and
4. regular compliance monitoring to ensure the necessary due diligence in protecting individuals’ personal information.
We noted that such measures will assist IRCC in reducing the risk of unauthorized disclosures and in remaining accountable for the personal information it collects, uses and discloses.
Since the breach, IRCC shared with our Office the additional measures it is undertaking to prevent a similar privacy breach and to ensure the protection of client information. These measures include updates to the operating procedures to include the addition of an oversight step which will require the cross-referencing of data in Excel spreadsheets against the system data to ensure that filters are appropriately applied. Further, IRCC reported that it has integrated data quality assurance checks into its process before initiating a mass mailout process to promote compliance with procedures and to minimize the risk of human error.
In our view, these are positive mitigation measures and will assist IRCC in promoting compliance with its obligations and accountability for the protection of personal information under the Act.

Issue 3: IRCC’s response to mitigate the impact on affected individuals was adequate

Subsection 6.1.2 of the Directive on Privacy Practices (the “Directive”) makes heads of government institutions or their delegates responsible for establishing a plan for addressing privacy breaches within their institution. Further, Appendix B of the Directive, “Mandatory Procedures for Privacy Breaches”, requires to the extent possible, that institutions notify all affected individuals “as soon as possible following a breach to allow individuals to take actions to protect themselves against, or mitigate the damage from, […] other possible harm”.^{Footnote 13} We also note that subsection 4.2.8 of the Policy on Privacy Protection requires institutions to report material privacy breaches to TBS and our Office after making efforts to contain, assess and mitigate the breach and no later than seven days after the institution determines the breach is material.
IRCC’s “Mandatory Procedures for Managing Privacy Breaches” (the “Procedures”) include a 7-step process for managing privacy breaches at IRCC. This process includes notification to IRCC’s Privacy Program Management Division (“PPMD”), and requires the PPMD to assess the materiality of the breach and to notify our Office and TBS of material breaches. The Procedures also require the Program Area to notify affected individual(s) in all cases so that they can take the necessary measures to protect themselves against or mitigate the damage from identity theft or other possible harm, which IRCC did in this case.
IRCC reported that upon being alerted to the breach by several individuals who had received an email containing another individual’s personal information (within hours of the email being sent by the department), prompt action was taken to halt the notifications. IRCC submitted that immediate steps were taken to manage the breach, including reporting the breach to management, investigating the error and identifying the affected individuals. IRCC also conducted a risk assessment based on the then TBS Guidelines for Privacy Breaches^{Footnote 14}, which included an assessment of the sensitivity of the personal information disclosed in error, and the likelihood of injury or harm to the affected individuals. IRCC concluded that the breach did not constitute a material privacy breach; however, it recognized that the damage caused by the privacy breach cannot be undone and took important steps to contact all individuals affected by the breach (as required by IRCC’s mandatory breach Procedures).
We examined IRCC’s assessment of the breach and accept that, in these particular circumstances, it did not constitute a material breach, given the low risk of harm to the individuals impacted.^{Footnote 15} However, we noted to IRCC that contextual factors may inform the sensitivity of information that is breached, and under other circumstances, a similar breach may present a real risk of significant harm^{Footnote 16} to individuals, particularly, given IRCC’s mandate and the high volume of sensitive personal information it processes. This underscores the importance of ensuring that adequate safeguards are in place to protect personal information and to mitigate the risk of unauthorized disclosure.
IRCC’s review confirmed that the individuals impacted by the breach fell into four different categories:
1. an individual whose personal information was sent to another individual;
2. an individual was the recipient of another individual’s personal information;
3. an individual whose personal information was sent to another individual and they received another individual’s personal information; and
4. an immigration representative received the personal information of an individual who is not their client.
As a result, four different versions of the follow-up apology email were created. IRCC provided our Office with the templates of the four emails sent to affected individuals.
The apology email informed impacted individuals of the privacy breach and apologized for the error and the inconvenience it may have caused. Individuals who received another individual’s personal information in error were advised not to share the email/information with others and were requested to delete it in order to protect the privacy of the individual whose information was disclosed in error. IRCC also provided advice and information on the format of the Government of Canada’s email and on how to recognize phishing emails or calls in order to highlight potential harms that the recipient may not have considered. The email also contained a new letter with the individual’s correct information and details regarding the special measure (i.e., extension of their work permit). IRCC notified all individuals affected by the breach by email between August 10 and 11, 2022.
In our view, IRCC’s response following the breach was adequate – the notification to affected individuals is an important practice when a breach of personal information occurs, and a key mitigation strategy to lessen any damage and negative impacts from the breach.
Notwithstanding the notification, risks to individuals cannot be fully eliminated after a breach of personal information of this nature. As a result, we highlighted to IRCC that it is imperative for it to strengthen its prevention and mitigation measures to ensure a similar incident does not reoccur. As noted in IRCC’s Mandatory Procedures for Managing Privacy Breaches, mitigation measures to prevent the re-occurrence of a breach may require changes to internal processes or safeguards, particularly when the breach assessment uncovers weak points in a program area’s plans and practices. Therefore, as we underscored in a breach investigation of IRCC in 2022^{Footnote 17}, they must:
1. have robust protections and procedures in place as part of its security architecture to ensure that a human error does not automatically result in a breach, and
2. continuously assess its prevention mechanisms to mitigate the risk of an accidental disclosure.

Findings and Recommendations

Given that the disclosures of personal information in this case were done erroneously, without an appropriate purpose, we found IRCC to be in contravention of section 8 of the Act and the complaint to be well-founded.
Our review found that IRCC used important mitigation strategies to lessen the impact of the breach on affected individuals, including notifying them and requesting that the emails received in error be deleted. However, we found that there were gaps in IRCC’s practices and that the measures that were in place to prevent the breach were insufficient.
In light of this, to resolve the matter, we recommended that IRCC review its internal processes and safeguards to identify weak points or gaps in practices and take steps to implement measures to mitigate the risk of future accidental disclosures of this nature by ensuring that the appropriate controls are in place. Specific recommended measures consisted of:
1. the development of a standard operating procedure or step-by-step job aid for employees responsible for these tasks, including necessary training and the requirement to double-check one’s work;
2. implementing oversight measures (such as the integration of a “two pairs of eyes” rule); and
3. regular compliance monitoring to ensure the necessary due diligence in protecting individuals’ personal information.
IRCC fully accepted our recommendations and has implemented additional measures to mitigate the risk of future accidental disclosures of this nature. Of note, IRCC has added an oversight step as part of its operating procedures which requires the cross-referencing of data in Excel spreadsheets against the system data to ensure that filters are appropriately applied. IRCC has also integrated quality assurance checks of data before initiating a mass mailout process to ensure and promote compliance with procedures and to minimize the risk of human error. In our view, these additional measures will significantly enhance IRCC’s breach prevention efforts against similar incidents.
Based on the information we received from IRCC and its actions to implement our recommendations, we now consider this matter resolved.

Footnotes

Footnote 1

The Temporary Resident to Permanent Resident Pathway is a limited-time pathway to permanent residence for qualifying temporary residents and their families. Applicants who have work experience in Canada in an essential occupation or the health or health services field, or have recently graduated from a Canadian post-secondary institution, may be able to apply for permanent residence. Graduates and workers must be present in Canada and currently working (with authorization) at the time of their application, have proficiency in one of Canada’s official languages and meet general admissibility requirements to qualify.

Return to footnote 1

Footnote 2

A Unique Client Identifier (UCI) is a numeric reference which is assigned by IRCC and unique to a client. The UCI is also referred to as a Client Identification Number (Client ID).

Return to footnote 2

Footnote 3

The complainant referenced a CIC News article which provided certain details regarding the breach.

Return to footnote 3

Footnote 4

The Policy on Privacy Protection defines a material privacy breach as “A privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”

Return to footnote 4

Footnote 5

See OPC’s website: “IRCC email breach creates risk of harm to individuals seeking Afghan emergency assistance” (December 2022)

Return to footnote 5

Footnote 6

The Centralized Network is IRCC’s cross-Canada network responsible for the support and delivery of centralized processing functions and is comprised of six offices: four Case Processing Centres (CPCs), the Operational Support Centre (OSC), and the Call Centre.

Return to footnote 6

Footnote 7

The filter tool in Excel is a function that allows you to filter a column of data in order to display data that meets certain criteria (i.e., to isolate the key components/data needed).

Return to footnote 7

Footnote 8

For example, clients must be physically in Canada to be eligible for the work permit and meet general admissibility requirements.

Return to footnote 8

Footnote 9

Note that ‘passport validity’ (i.e., expiry date) was the filter applied to the data in the spreadsheet; this information was not used/included in the notifications to eligible individuals and was not part of the information breached in this case.

Return to footnote 9

Footnote 10

The 12 columns included: client UCI, given name, family name, application number, official language, street number, street address, PO box number, city/town, province/state, postal code/ZIP, and email address.

Return to footnote 10

Footnote 11

The sorting tool in Excel is a function that allows you to sort by specific parameters (e.g., date, number, alphabetic order, etc.). In this case, the data was sorted by work permit application number.

Return to footnote 11

Footnote 12

This instrument is no longer available online. Refer to the privacy breach risk assessment tool, which is part of the privacy breach management toolkit.

Return to footnote 12

Footnote 13

This requirement was in the Guidelines for Privacy Breaches which were rescinded in October 2022 when TBS published updates to its policy suite on privacy protection. The Directive on Privacy Practices requires notification of affected individuals in the event of a material privacy breach, unless such notification would be inappropriate for security, confidentiality, legal or other reasons.

Return to footnote 13

Footnote 14

The Guidelines for Privacy Breaches were rescinded in October 2022, when TBS published updates to its policy suite on privacy protection.

Return to footnote 14

Footnote 15

We considered the nature and sensitivity of the information disclosed in error, the likelihood that the information may be misused, any possible harms to the individuals impacted, and the number of individuals that received the information in error.

Return to footnote 15

Footnote 16