ARCHIVED - Privacy Impact Assessments
OPC letter in response to the Privacy Impact Assessment (PIA) completed by the Canadian Air Transport Security Authority (CATSA) in anticipation of the deployment of millimetre wave (MMW) screening technology at selected Canadian airports.
October 29, 2009
Canadian Air Transport Security Authority
99 Bank Street, 13th Floor
Ottawa, Ontario K1P 6B9
Re: Millimetre Wave Imager
We are sending this letter in response to the Privacy Impact Assessment (PIA) completed by the Canadian Air Transport Security Authority (CATSA) in anticipation of the deployment of millimetre wave (MMW) screening technology at selected Canadian airports. We received the PIA in our offices on September 2, 2009.
I would like to take this opportunity to thank CATSA for its cooperation in working with us on this file. We previously reviewed a Preliminary Privacy Impact Assessment (PPIA) on CATSA’s operational trial of MMW technology at Kelowna International Airport from June 2008 to January 2009. We visited the test site in Kelowna in October 2008, and have had numerous meetings and discussions with CATSA officials since, in order to ensure the privacy risks of this technology are minimized for Canadians.
Whole body imaging (WBI) units using technologies such as MMW and backscatter X-rays are being tested and deployed as a traveller scanning method at airport security checkpoints internationally, including by the Transportation Safety Administration (TSA) in the United States. These devices are used to complement the more familiar metal detectors the travelling public is used to, and are meant to detect threats to aviation security that metal detectors do not identify, such as ceramic weapons or plastic explosives. CATSA has selected MMW technology for its WBI initiative in Canadian airports.
These technologies penetrate travellers’ clothing to reveal images of the body. Their use is controversial and there has been considerable concern expressed about
the use of WBI where it has been implemented. The European Parliament has called for the European Commission to undertake a study of the impact of WBI devices from an economic, human rights and ethical perspective. The Privacy Coalition, a U.S. group of more than 40 civil liberties, consumer rights and privacy advocacy organizations has asked that this type of screening be optional and for secondary screening only. The German federal government has rejected their use outright. Members of the Canadian public, members of Parliament, Canadian civil rights organizations, and provincial privacy commissioners have expressed their concerns in this regard to our office.
Given the sensitivity of the issues involved and the perceived invasiveness of the screening technique, which shows the outline of a traveller’s body beneath clothing, we continue to urge CATSA to regularly scrutinize implementation of MMW screening technology and justify it against the following four-part test.
- Is the measure demonstrably necessary to meet a specific need?
- Is it likely to be effective in meeting that need?
- Is the loss of privacy proportional to the need?
- Is there a less privacy-invasive way of achieving the same end?
While it is neither our duty nor expertise to assess the aviation threat and risk assessments that buttress the stated need for WBI, it is our responsibility to confirm that such threat and risk assessments are done. To this end, we have challenged CATSA and have been assured that, in cooperation with the Canadian Security Intelligence Service, the RCMP and Transport Canada, CATSA is basing the need for this initiative on a rigorous aviation security threat and risk assessment, and that the chosen MMW technology has been tested against it.
In relation to proportionality and alternatives, CATSA has indicated that, in its opinion, currently available software for blurring the image of specific body parts would defeat the purpose of the screening technique and thus, will not be used at this time.
Going forward, we recommend that CATSA regularly review its perceived need for WBI screening against updated aviation security threat/risk assessments, as
well as against enhancements or refinements to the available technology, such as improved privacy filtering software. New or alternative technologies to achieve the same screening goals in a less privacy-invasive manner should also be considered.
We also recommend that CATSA use MMW technology only as a secondary screening tool, and then, only as a voluntary option to a traveller undergoing a physical pat-down. It is our understanding from the PIA that this is the intended use of the technology in the planned deployment.
PRIVACY RISKS AND RECOMMENDATIONS
As well as consulting with CATSA on the overall necessity of the initiative, OPC has considered the operational privacy risks of the planned deployment against federal privacy legislation and applicable Treasury Board Secretariat (TBS) policies, guidelines and directives. These include the ten privacy principles of the Canadian Standards Association Model Code for the Protection of Personal Information (The Code), which form the basis for the TBS Privacy Impact Assessment Guidelines. Our recommendations and information requests are shown in italics.
1.1 The PIA indicates that accountability for privacy risks and their mitigation has been assigned to CATSA’s General Manager, New Technology. The transitory images used during the screening process will be viewed at the work stations of Image Screening Officers (ISOs) and are not to be stored, disclosed, or transmitted elsewhere. The PIA indicates that CATSA is responsible for safeguarding the images during their brief use, and that no third parties, partners or stakeholders are involved. ISOs will be subject to policies governing the acceptable use of the MMW system and to Airport Screening Services Agreements. CATSA will undertake audits for compliance with privacy policies including technical audits of equipment to ensure settings and configurations have not been modified in a manner that would allow images to be copied or stored.
It is recommended that CATSA forward to OPC the results of its compliance and technical audits of the MMW screening system, as well as copies of all applicable policies governing conduct of Image Screening Officers, in keeping with Principle 1 of the Model Code and the TBS Privacy Impact Assessment Policy and Guidelines.
2.0 Identifying Purposes
2.1 The PIA notes that CATSA has prepared communication materials to explain the MMW imager technology to travellers. Notices identifying the purpose for the collection will be available at airport security checkpoints equipped with MMW units. No secondary uses are contemplated.
It is recommended that CATSA undertake a public information campaign via its website, at airports using posters and brochures, and using other sources such as newspaper or radio announcements, to identify the purposes of the MMW technology to the Canadian public, in keeping with Principle 2 of the Model Code and the TBS Privacy Impact Assessment Policy and Guidelines. A link should be provided to the CATSA information from the Transport Canada website for the convenience of travelers seeking information.
3.0 Consent / Notification
3.1 The PIA notes that travellers must undergo security screenings at airport security checkpoints if they wish to board a plane. Travellers selected for secondary screening are offered a choice between MMW screening and a physical pat-down. The MMW screening is voluntary, and consent is obtained directly from the traveller.
It is recommended that CATSA ensure the images that are presented in its communications materials, posters and brochures are accurate presentations of the images obtained during MMW screening, in order to ensure informed consent.
3.2 The PIA notes that consent for the MMW screening of minors and the incapacitated may be obtained from guardians accompanying these individuals at the security checkpoint.
Given the particularly sensitive nature of the screening, it is recommended that CATSA carefully consider the specific issues affecting the use of MMW scanners to screen minors and the incapacitated.
4.0 Limiting Collection
4.1 No information other than the transitory image generated by the MMW technology is collected.
5.0 Limiting Use, Disclosure and Retention
5.1 The PIA notes the images will not be retained in the system for any period longer than required to complete the screening of an individual, that they will not be disclosed in any fashion, and that they will be immediately and permanently deleted after the screening is completed
It is recommended that CATSA clarify the estimated time frame for the existence of the transitory images, in the interests of public transparency and in keeping with Principle 5 of the Model Code and the TBS Privacy Impact Assessment Policy and Guidelines.
6.1 The PIA notes that the images generated by the MMW technology are of the subject standing in the unit. Any anomalies noted by the Image Screening Officer in the remote viewing room will be further investigated and confirmed by observation and/or a targeted pat-down by a security officer at the screening checkpoint.
7.1 The PIA notes that scanned images are permanently deleted after screening is completed. Images are sent electronically only to the remote viewing room, so that the ISO cannot see and identify the actual traveller. The technology uses proprietary software to preclude any interception. PIA states the operational pilot in Kelowna did not reveal any technology security issues in the system. The PIA states that Standard Operating Procedures (SOPs) are in place for ISOs, who will also receive privacy related training through the CATSA Learning and Development Group. ISOs will not be permitted to have personal electronic devices or cameras in the viewing rooms.
It is recommended that CATSA undertake an IT Threat and Risk Assessment (TRA) for the system used to transmit images to the Remote Viewing Room for each configuration of MMW units at each airport location, to ensure security of the electronic images and prevent inappropriate use or disclosure, in keeping with Principle 7 of the Model Code.
8.1 The PIA notes that CATSA is to post a summary of its PIA on MMW deployment on its website.
9.0 Individual Access
9.1 It will not be possible for CATSA to give access to the images generated by MMW imaging as they will be immediately deleted after screening and would not be, in any case, individually identifiable and thus not retrievable by name or other identifying feature.
10.0 Challenging Compliance
10.1 There are no privacy specific procedures in place for travellers to complain to CATSA. However, the CATSA website offers a process by which any sort of complaint may be made on the “Contact Us” portion of the website.
Given the sensitivity of this issue, it is recommended that CATSA should monitor and report to senior management travellers’ comments, complaints and concerns relating to MMW scanning at Canadian airports.
In conclusion, I would like to thank you again for your continued cooperation and your participation in the PIA process. A response to this letter by November 30 would be appreciated.
(Original signed by)
Steven Morgan, P. Eng.
Audit & Review Branch
Cc Martin Corrigan, Director, Screening Technologies, CATSA