Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Canada Border Services Agency’s Unauthorized Disclosure of Employee Personal Information Extracted from the Corporate Administrative Software Portal

Complaint under the Privacy Act (the “Act”)

February 26, 2026

Description

In February 2025, the Office of the Privacy Commissioner (the OPC) received a number of complaints regarding the unauthorized disclosure of more than 18,000 Canada Border Services Agency (CBSA) employees’ personal information to other CBSA employees who were not authorized to receive it. While the CBSA’s internal investigation uncovered four additional previous breaches caused by similar practices, we found that the CBSA responded appropriately to the breaches and took corrective action to reduce the likelihood of similar breaches occurring again in the future.

Takeaways

  • When an organization accidentally discloses employee personal information in a way that poses a real risk of significant harm to the individual, we expect the organization to (a) notify affected individuals, (b) take steps to try to contain the impact on affected employees, and, (c) reduce the risk of similar incidents re-occurring in the future.
  • We expect organizations that manage employees’ personal information, and especially larger organizations with significant data holdings, to have clear, structured processes and tools to ensure that employee personal information that needs to be shared with specific staff for operational functions is made available to them in a privacy-protective way.
  • This should include processes, tools, and oversight to ensure that information is provided only to individuals with a need-to-know and does not include personal information beyond that which is required for the purpose at hand.

Report of findings

Overview

  1. In February 2025, personal information of more than 18,000 CBSA employees was accidentally disclosed to 70 CBSA employees when a spreadsheet created by HR to facilitate shift scheduling for that group accidentally included data for over 18,000 staff. The spreadsheet also contained more information about the employees than was needed for the purpose of shift scheduling.
  2. In investigating this incident, the CBSA discovered four other incidents in 2024 and 2025 where spreadsheets created by HR staff were shared with line managers without appropriately restricting the information to (a) only that which was needed for the purpose, and (b) only that which pertained to a given line manager’s own employees.
  3. Our investigation, launched after we received complaints from individuals affected by the February incident above, found that these incidents were contraventions of the CBSA’s obligations under section 8 of the Privacy Act (the Act) to limit disclosure of personal information. In this context, we expected CBSA to (a) notify affected individuals, (b) take steps to try to contain the impact on affected employees, and, critically, (c) reduce the risk of similar incidents in the future.
  4. We found that the CBSA took appropriate steps to notify affected individuals and contain the impact on them.
  5. We also found that the CBSA took appropriate steps to reduce the risk of future similar incidents in both the short and long term. Specifically, it is developing a new information management system which will, in the long term, eliminate the need for HR staff to extract personal information in the form of reports and transmit them to program areas. Once operational, the new system will allow authorized managers to directly access the personal information of their employees based on role-based permissions. The CBSA’s current timeline for implementation of the new system is 2027.
  6. In the short term, the CBSA has rolled out a structured process for providing spreadsheets to line managers in response to their needs, which includes processes to check that (a) the data elements included are for a clear and legitimate purpose, and (b) the information is segregated so managers only have access to their own employees’ information.
  7. Based on the above, we consider the complaints to be well-founded and resolved.

Background

  1. Our investigation covered five instances of unauthorized disclosure of employee information. Each instance of unauthorized disclosure is outlined below.

Port Of Entry Shift Scheduling (February 3, 2025 & February 2024)

  1. On February 3, 2025, a manager at a port of entry (POE) requested a list of staff from HR for the purpose of shift scheduling. Once the manager received the spreadsheet, they sent it to 70 CBSA employees at professional and personal email addresses to enable them to engage in the shift scheduling process.Footnote 1 The spreadsheet included the information requested by the manager as well as excess data elements not required for shift scheduling, such as the employees’ Personal Record Identifier (PRI), classification level, language profile and leave balances. The spreadsheet also included a secondary tab containing the same shift scheduling information requested and excess data elements for more than 18,000 CBSA employees not involved in the shift scheduling process at hand.
  2. Once informed of the breach by an individual who received the spreadsheet, the CBSA notified all affected individuals via email on February 7, 2025, and followed up with an article in the Daily, the CBSA’s staff newsletter, on February 10, 2025. The notification emails and article included the details of the breach, the CBSA’s efforts at containing the breach, and the steps taken to mitigate any impact on affected parties and reduce the likelihood of reoccurrence.
  3. The CBSA reported that, as of February 17, 2025, all recipients had confirmed the deletion of the email from their professional and personal inboxes and deleted folders.
  4. During its investigation into this breach, the CBSA discovered a similar breach from February 2024 and notified affected parties via email on February 20, 2025. The CBSA confirmed it also identified and contacted the recipients of the personal information to request that they delete any remaining copies of the email in question.

Category III Assessment Information (February 14, 2025 & June 3, 2024)

  1. On February 14, 2025, a CBSA HR employee sent the Category III assessment resultsFootnote 2 of 18,500 employees to all 48 CBSA managers tasked with sharing the results with their respective employees. The managers were each meant to inform their respective team members about the expiration dates of their examinations. However, the complete list of results was improperly shared with all regional managers, resulting in revealing the examination results of employees not under their management.
  2. The CBSA notified all affected employees via email on February 20, 2025. The notification included the details of the breach, the personal information at issue, and the steps taken by the CBSA to mitigate any impact on affected parties and to reduce the likelihood of reoccurrence.
  3. On February 14, 2025, the CBSA contacted all unauthorized recipients to request the deletion of the spreadsheet at issue. It confirmed that all emails sent in error were deleted. The CBSA also advised that in several cases, the email was never viewed as it was successfully recalled before it was opened.
  4. During its investigation into this breach, the CBSA discovered a similar breach from June 2024 and notified affected parties via email on February 20, 2025. The agency confirmed it identified and contacted the recipients of the personal information to request the deletion of any remaining copies of the email in question.

Mandatory Leave Cash-out (February 6, 2025)

  1. On February 6, 2025, a manager in the CBSA’s Financial Planning, Budget, Reporting and Efficiency Division (FCMB) forwarded a spreadsheet containing the mandatory leave cash-out informationFootnote 3 of 2,608 employees to 28 Financial Management Advisors (FMA) without separating the employee data into their respective areas of responsibility. They did not verify that they had limited the personal information they were sending to recipients with a ‘need to know’.
  2. The CBSA notified all affected employees via email on February 20, 2025. The notification included the details of the breach and the steps taken by the CBSA to mitigate any impact on affected parties and to reduce the likelihood of reoccurrence.
  3. The CBSA reported that as of February 18, 2025, all 28 recipients had confirmed deletion of the email from both their inboxes and deleted folders.

Analysis

Issue: Did the CBSA take adequate steps to address the incidents?

  1. Subsection 8(1) of the Act states that government institutions may only disclose personal information with an individual’s consent or in accordance with subsection 8(2), which allows for disclosure without consent in limited circumstances, such as to fulfill the purpose for which the information was obtained, or a consistent use with that purpose.
  2. As a preliminary matter, we note that some complainants affected by the POE Shift Scheduling breach expressed concerns that their information was sent to the personal email addresses of some CBSA employees. The CBSA confirmed that, although it does not encourage the use of personal email addresses for work purposes, in this case the information was sent to personal email addresses to enable employees who were absent or otherwise unable to access the CBSA network to participate in the shift scheduling process. In our view, sending information outside CBSA’s secured systems creates some additional risk of disclosures to unauthorized third parties. Institutions should therefore carefully consider the risks of doing so for operational reasons such as this. Given the technological limitations presented, we accept that in this case, for the data elements necessary for the purpose of shift scheduling, the use of personal email addresses did not contravene the disclosure provisions of the Act.
  3. With respect to the inclusion of excess information in the spreadsheets in question, the CBSA and the OPC agreed that these accidental disclosures did not constitute one of the circumstances listed in subsection 8(2) where disclosure without consent is permitted. As such, the CBSA required consent to disclose the personal information at issue. We therefore find that, for these disclosures, the CBSA contravened section 8 of the Act.
  4. For the reasons explained below, we find that the CBSA subsequently took appropriate actions to respond to the breaches, such that we consider the complaints to be well-founded and resolved.

Notification to Affected Individuals was Warranted Due to the Risk of Significant Harm

  1. The Treasury Board’s Directive on Privacy Practices makes heads of government institutions or their delegates responsible for establishing a plan for addressing privacy breaches within their institutions. In the event of a material privacy breach, institutions are required to notify the affected individuals to mitigate risks of harm resulting from the breach.Footnote 4
  2. The Treasury Board’s Policy on Privacy Protection defines a material privacy breach as a “privacy breach that could reasonably be expected to create a real risk of significant harm to an individual. Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
  3. The CBSA acknowledged that the breaches were material, and indicated that, in all cases, it considered the risk of identity theft and financial loss low as the information inadvertently disclosed did not contain information such as social insurance numbers, home phone numbers, addresses, or any banking information. It submitted that the information involved in the breach was information that was useful internally to the CBSA and to the Government of Canada.
  4. The CBSA also submitted that the anticipated risks of significant harm to affected individuals included humiliation and damage to individuals’ reputations or relationships. It noted that most of the information disclosed was related to employment matters and noted that the breaches could cause a degree of embarrassment to the affected individuals.

The CBSA’s Notification to Affected Individuals and Containment of Impact of the breaches were Reasonable

  1. The CBSA issued breach notices to individuals via email on February 7 and February 20, 2025. It also included a general notice of the February 3, 2025 breach in the CBSA’s newsletter, The Daily, on February 10, 2025.
  2. We found that, in all cases, the breach notifications contained sufficient detail to allow the affected individuals to understand the information that had been compromised and the actions they should take to mitigate risks, such as remaining vigilant, avoiding phishing emails and fraudulent messages, and reporting any suspicious activity to their supervisor. We are satisfied that the CBSA fulfilled its duty to notify the affected individuals in the context of these complaints.
  3. With respect to containment, the CBSA confirmed that it had contacted the unintended recipients of the information at issue to request its deletion. Further, to mitigate risks of identity theft and financial loss resulting from the breaches, it advised compensation teams and the pension centre to take additional verification measures in the event they received any requests from external email addresses. The agency also advised the IT Service desk to take additional verification measures if an individual attempted to change their password in the Corporate Administrative Software portal (CAS), CBSA’s employee information management system.

Measures to Reduce Risk of Recurrence are Reasonable

  1. The breaches resulted from the systemic practice of CBSA’s HR unit generating large spreadsheets of employee data in CAS and providing them to managers in order to assist them in carrying out operational tasks. CBSA did not have adequate safeguards to ensure that HR was limiting the personal information in the spreadsheets to only what was required for the managers’ intended purposes.
  2. We expect that organizations managing large numbers of employees have clear, structured processes and tools to ensure that HR information needed by line managers for routine operational functions is made available to them in a privacy-protective way. This should include processes, tools, and checks for compliance to ensure that information is provided only to individuals with a need-to-know (i.e. does not include excessive personal information or personal information of employees outside of their management).
  3. Upon discovery of the breaches, the CBSA restricted HR’s access to CAS and paused the processing of similar data extracts to prevent additional breaches while it conducted its internal investigation. The CBSA conducted reviews of standard operating procedures and identified methods to reduce the likelihood of reoccurrence. The agency’s Chief Privacy Officer worked directly with HR to critically assess all requests for reports containing employee personal information. Procedures were modified such that, when an employee requires access to an HR report containing employee personal information, the employee must fill out an “HR Data Request Form” (Request Form) demonstrating the necessity of the information being requested and that the need-to-know principle will be followed.
  4. The Request Form outlines:
    1. The business justification for why the report is required;
    2. The list of data elements that are required;
    3. The list of teams and/or individuals who will have access to the data; and,
    4. Up to three authorized individuals to receive the report (a team lead or a manager).

  5. The Request Form must be signed by a director to ensure proper authorization and adherence to the need-to-know principle. The director must also attest that the contents of the Request Form accurately outline the data elements required for business operations, and that access to and sharing of employee personal information is granted strictly on a need-to-know basis.
  6. Furthermore, prior to fulfilling a request, the HR employee actioning the request is now required to consult the “HR Data Sharing Checklist” (Checklist), an additional form that must be reviewed and signed by two separate individuals. The Checklist asks:
    1. Is the client’s request suitable and justified?
    2. Is this the sole source from which the client can obtain the requested information?
    3. Does the client possess the necessary rights to access this information?
    4. Are all data elements essential for fulfilling the request?
    5. Have unnecessary rows and columns been removed, rather than hidden, to ensure only relevant data is shared?
    6. Will the data be sent exclusively to authorized individuals?
    7. Is the sensitivity level of the data clearly indicated in the email response?
    8. Is the email containing sensitive employee information encrypted?
    9. If using ApolloFootnote 5 for data sharing, have the permissions and role groups been verified to ensure access is limited to authorized personnel?

  7. In providing their signatures, the individuals who sign off on the Checklist attest that they have reviewed and confirmed all items on the Checklist, that clients will only receive the data elements required for business operations, and that access to employee data is granted strictly on a need-to-know basis.
  8. The resulting HR reports are then password-protected and sent only to the authorized individuals identified on the Request Form who then securely distribute the report to the remaining authorized team members. In establishing this new procedure, the CBSA hopes to reduce the potential for human error and avoid future breaches of this nature.
  9. The CBSA advised that, in addition to adopting new procedures, it is currently progressing toward the implementation of a new information management system which will eventually eliminate the need to extract personal information in the form of reports and transmit them to program areas. Once operational, the new system will allow authorized managers to directly access the personal information of their employees based on role-based permissions, without requiring support from HR. The CBSA aims to implement the new system in 2027.
  10. In the interim, the CBSA’s HR team is currently developing a “CAS Data Warehouse”, a temporary solution intended to provide similar functionalities until the new system is deployed. The CAS Data Warehouse is expected to support a cloud-based environment, enable audit trails to track who has viewed or extracted data, prevent unauthorized data exfiltration, and apply permission controls to limit access to personal information according to user roles.
  11. In view of all of the above, we are satisfied with the measures taken by the CBSA to contain the breach and prevent reoccurrence. We therefore consider the complaints to be well-founded and resolved.

Conclusion

  1. Without diminishing the severity of the breaches, we appreciate the expedient actions taken by the CBSA once an employee alerted them to the first breach – to both investigate and address the underlying causes and mitigate the risk of harm to affected individuals from both the original breach and the additional ones its investigation uncovered. A robust response to individual breaches, which includes striving to identify and correct broader underlying issues, is a key component of a strong privacy management program.
  2. Going forward, we encourage the CBSA to closely monitor employee compliance with the Request Form and Checklist processes in retrieving employee data from HR until these processes are rendered moot by the improved safeguards offered by the CBSA’s pending new information management system.
Date modified: