Three government agencies that partnered on a $68-million project to revamp Canada’s asylum system failed to complete mandatory privacy safeguard tests for years while the project was being implemented, CBC News has learned.
The lack of privacy protections raises “red flags,” lawyers say, and may have put refugee claimants’ data and applications at risk.
Immigration, Refugees and Citizenship Canada (IRCC), the Canada Border Services Agency (CBSA) and the Immigration and Refugee Board (IRB) worked together on the “asylum interoperability project,” which would transform the asylum system into a more efficient digital one and address the ever-growing backlog of pending asylum applications, which currently sits at more than 290,000.
Earlier this year, CBC reported that the project, which launched in 2019, had been prematurely shut down in 2024 in what CBSA called an “unexpected” move.
Now, documents obtained through access-to-information legislation show there were “outstanding” privacy impact assessments (PIA) for the project, which was quietly scrapped when it was only 64 per cent complete.
According to a government digital privacy playbook, a PIA is a “policy process to identify, assess, and mitigate potential privacy risks before they happen.”
“All these steps need to be completed before the launch of the initiative,” that guide says.
Even though the interoperability project has now been scrapped, it implemented changes to how data is collected digitally and used — meaning that the completion of PIAs remains an essential part of that risk identification process, said Andrew Koltun, an immigration and refugee lawyer who also practices privacy law.
The departments told CBC over email, however, that the privacy assessments are still incomplete. IRCC said it’s currently drafting its portion of the PIA and expects it to be done by the end of 2025.
The fact they still aren’t finished, Koltun said, raises “a lot of red flags.”
“Unfortunately, if you don’t have a privacy impact assessment in place, the risk is magnified as to how that data could be leaked out and obtained by adverse actors,” he said.
The Treasury Board of Canada Secretariat’s directive requires this privacy health checkup be done “prior to” launching or updating projects, in cases where an institution plans to “substantially modify” the way information is being collected and used for administrative reasons.
The asylum interoperability project built an online refugee application process, a significant shift from paper applications.
The project helped incorporate some automation and allow more real-time information exchange between departments, according to documents. It also built in the government’s ability to automatically cancel valid work or study permits when a removal order is issued, among other improvements.
‘Hot potato’ with responsibilities
The Office of the Privacy Commissioner of Canada calls privacy assessments an “early warning system” that can help build public trust by ensuring government agencies are legally compliant and protecting people’s privacy.
The privacy watchdog declined an interview, saying that it conducts privacy consultations in confidence, but reiterated in an email that the commissioner had previously recommended PIA obligations be integrated into law.
According to a CBSA briefing note that CBC obtained, there appeared to be internal confusion regarding who was responsible for the PIAs.
Documents reveal there was an initial expectation for one large privacy assessment led by IRCC.
But three years later in late 2022, IRCC notified both CBSA and IRB that they were no longer doing one PIA “for the whole project and that each partner would be responsible for their own.”
Then, CBSA said IRCC changed the approach “and broadened the scope to a program-level” assessment, documents show.
When the project unexpectedly shut down last year, CBSA said the PIAs were “an outstanding matter” and IRCC still expected the other partners to complete their privacy plans.
“However, given the lack of funding, the lack of resources … further discussions are required,” reads the CBSA note.
Koltun, who reviewed the internal documents, describes departments playing “hot potato” with privacy checks, when it should have been a “basic building block.”
“[This] is emblematic of IRCC’s relentless drive to pursue digital modernization at a breakneck speed without necessarily ensuring that all the proper risk mitigation is done beforehand,” he said.
“The refugee space is a poor area to take a beta-testing approach of, ‘Work fast and break things and then fix it afterwards.'”
Privacy breaches ‘traumatizing’ clients, lawyer says
Greg Willoughby, a refugee lawyer in London, Ont., says IRCC sends him emails “more often than [he] can count” that disclose private documents and highly sensitive information for applicants who aren’t his clients.
“It seems to be a systemic lack of concern about privacy and confidentiality issues,” Willoughby said.
One of the worst examples, he recalled, was when IRCC emailed one of his client’s family members in Iran — family members she was fleeing — thus alerting them to her refugee protection claim.
“I thought, ‘What is this? These are the agents of persecution,'” Willoughby said. “It was really traumatizing and damaging for her. It was horrible.”

It’s not clear if there’s a link between the digital updates in the asylum interoperability project and Willoughby’s experiences with privacy breaches in recent years.
But Willoughby warns the government’s focus on efficiency and technological integration without proper privacy safeguards is “very, very dangerous” — especially if data is at risk of improperly being accessed by bad actors.
“The governments and the immigration departments should be very paranoid. This should be top of mind.”
Department, tribunal response ‘inadequate’
In a statement, IRCC said the type of information being collected and shared between the partners didn’t change, but rather “the [project] created IT interfaces to ensure the secure transmission of this information.”
IRCC still claims it’s following the Treasury Board Secretariat’s directive — though that directive states PIAs must be complete prior to implementing initiatives, especially when there’s “use of any new or modified information technology.”
“All agreements between government partners include strong safeguards,” IRCC wrote.
Meanwhile, CBSA said it is “no longer pursuing” a privacy impact assessment, and pointed to IRCC as the lead on this project.
“CBSA recognizes the importance of the PIA process,” a spokesperson wrote.
IRB said it “carefully looked at the privacy implications” when the project launched, and determined privacy concerns “was still adequately addressed” in an existing PIA for its own systems.
Koltun said IRCC and IRB’s responses are “inadequate” because “it disregards the legal duties” under the federal directive.
“When a new or modified information technology or IT process is used, the bare minimum requirement is that an updated PIA be created,” he said.