Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Privacy Commissioner of Canada’s Special Report on the ArriveCAN app highlights key takeaways in the context of contracting by federal institutions

March 12, 2026

Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal government. We encourage you to share this information with employees across your organization, including teams involved in technology, communications and program-delivery.

A Special Report on an investigation by the Privacy Commissioner of Canada into the ArriveCAN application was tabled today in Parliament.

The investigation was launched following a complaint against the Canada Border Services Agency (CBSA) related to contracting practices during the development of the ArriveCAN app. The app was launched during the COVID-19 pandemic to digitize the collection of traveller information and expedite the processing of travellers at the border.

The investigation found no evidence to suggest that personal information collected through the ArriveCAN app was used or disclosed in contravention of the Privacy Act, which applies to the personal information handling practices of federal institutions.

All ArriveCAN-related contracts that allowed access to personal information included appropriate clauses to describe the contract’s security requirements and outlined specific safeguards that should be implemented.

The investigation highlights the importance of privacy as a core consideration when developing outsourcing contracts. The findings are an opportunity to raise the awareness for all federal institutions about best practices in contracting to ensure strong privacy protections for Canadians.

Key takeaways for all federal institutions

  • Ensure that the assessment of security requirements is completed within a reasonable time prior to contract award to mitigate the risks associated with outdated or inaccurate data. Security requirements should be rigorously assessed and accurately identify the sensitivity of information and the safeguards that are required to execute the contract.
  • Describe the projects or work to be performed under task authorizations clearly and accurately, which is key to ensuring that the corresponding privacy and security requirements are properly assessed (based on factors such as the sensitivity of information and the location or type of work to be performed).
  • Manage security clearances and renewal processes proactively and with strong oversight to mitigate against potential privacy risks related to contractors’ access to personal information. This should include, for example, the implementation of a risk-based approach to assess contractors’ continued eligibility to access personal information in cases where clearances may not be valid or up to date.
  • Restrict permissions and access to personal information to what is strictly necessary.

Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.

Date modified: