Unauthorized Disclosure of Employee Personal Information in CBSA’s Information Management System

Complaint under the Privacy Act (the “Act”)

March 24, 2026


Description

The personal information of a Canada Border Services Agency (CBSA) employee, including sensitive information relating to their accommodation request, was accidentally visible to other employees because permissions on a folder in the CBSA’s information management system (Apollo) had been set incorrectly. As a result, document titles containing personal information were revealed to employees who had no need to see them. The CBSA corrected the permissions in question and committed to a broader review of folder permissions. It also undertook measures to improve staff awareness of document naming conventions. However, it did not commit to implementing the OPC’s recommendation regarding mandatory, tracked training in permissions management. We therefore found this matter well-founded and not resolved.

Takeaways

  • We expect organizations that manage personal information, including their employees’ information, to ensure that it is stored securely and that it is only accessible by personnel with a need-to-know.
  • Effective employee training in information management is critical to safeguarding personal information. An institution’s privacy and information management training should include content specific to the information management system(s) it uses. Institutions must take effective steps, such as making relevant training mandatory, to ensure staff consistently apply privacy-critical information management practices such as correctly setting folder permissions.

Report of findings

Overview

  1. The Office of the Privacy Commissioner of Canada (OPC) received a complaint from an employee of the Canada Border Services Agency (CBSA) alleging that the CBSA had failed to protect their personal information from unauthorized disclosure when records relating to their work arrangements were inadvertently made accessible to other CBSA employees via Apollo, the CBSA’s information management system.
  2. The CBSA confirmed that the complainant’s personal information was made improperly accessible to CBSA employees via the search function in Apollo. Due to permissions that were improperly applied to an old ATIP file folder, document titles and in some cases the first line of emails, were accessible to all CBSA employees via the Apollo search function. The viewable text included personal information relating to the complainant’s work arrangements.
  3. Given that the complainant’s personal information under the control of the CBSA was inadvertently made accessible to their colleagues who did not have a need-to-know, we conclude that the CBSA contravened section 8 of the Privacy Act (the Act). The complaint is therefore well-founded.
  4. The CBSA took steps to contain the information, provided an explanation to the complainant as to how the error occurred, and agreed to implement measures to bolster its privacy practices.
  5. However, the CBSA has not agreed to our recommendation to implement trackable mandatory training specific to Apollo for employees who use Apollo. As such, we are not satisfied that the CBSA has implemented sufficient safeguards to prevent this type of disclosure from reoccurring and find the matter to be unresolved.

Analysis

Issue: Did the CBSA appropriately respond to the unauthorized disclosure?

  1. Subsection 8(1) of the Act states that government institutions may only disclose personal information with an individual’s consent or in accordance with subsection 8(2), which provides circumstances in which personal information may be disclosed without an individual’s consent.
  2. In this instance, the complainant discovered that when their colleagues searched Apollo for their name or for other terms such as “accommodation”, the results included documents whose titles contained the complainant’s name and revealed that they had an accommodation at work. This sensitive personal information was thus disclosed to individuals who did not have a “need to know”.
  3. The disclosure did not occur in accordance with any of the provisions outlined in subsection 8(2) of the Act. The CBSA agreed. We therefore find that the CBSA contravened section 8 of the Act and that the complaint is well-founded.

The CBSA’s Response to the Breach

  1. The OPC sought representations from the CBSA as to how the unauthorized disclosure occurred, how the CBSA responded to it, and what improvements it could make to its privacy practices to reduce the likelihood of recurrence.
  2. The CBSA became aware of the unauthorized disclosure when the complainant filed an employee grievance in this regard. The CBSA subsequently launched an internal investigation and confirmed that the documents at issue were all located under the same ATIP folder. The CBSA explained that an Apollo file folder is created upon receipt of an ATIP retrieval notice and contains all information pertaining to the request. The CBSA completed a review for all ATIP files and found that the folders from 2021 and earlier gave all CBSA employees Apollo permission to “see” the titles and sometimes the first line of email records contained therein. The CBSA confirmed in its response to the complainant that it had corrected the issue and that access restrictions had been restored. The CBSA added that, although the titles of the documents and first lines of some emails found in the folder were viewable in response to a search of the complainant’s name, it verified that there were no unauthorized accesses to the files themselves.
  3. The unauthorized disclosure occurred as a result of an employee allocating the wrong permissions to a folder in Apollo. We therefore inquired as to what kind of privacy training the CBSA provides employees with respect to Apollo.
  4. The CBSA submitted that, while it offers training courses in privacy and information management through the Canada School of Public Service learning platform, these courses pertain to GCdocs, a similar but different information management program. The CBSA confirmed that additional training is required to understand the CBSA’s Apollo folder structure and features. This additional training is offered by the Apollo Support team, which provides two online training sessions: Apollo Basics training and Apollo Permissions training (“Apollo training”). The CBSA clarified that while these sessions are made available to CBSA employees, they are not mandatory and completion of this training is not tracked.
  5. The unauthorized disclosure also occurred in part because of the information included in the documents’ titles. We therefore inquired as to whether the CBSA had implemented a document naming convention to ensure that employees did not include personal information in document titles that might be viewable by individuals without a need to know.
  6. The CBSA confirmed that it promotes standardized naming convention best practices in Apollo, which clearly outline that sensitive personal information or personal identifiers, such as names, must not be included in document titles. It committed to reinforcing these best practices by issuing a reminder to all users and providing additional examples of appropriate naming conventions. Additionally, the CBSA indicated that it is conducting an organization-wide personal information review exercise, which includes identifying files that contain personal names in their titles and having them corrected. The CBSA expects this will help address existing issues and strengthen awareness across their institution.
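The two weaknesses described above, a folder whose "see" permission was broader than its "open" permission and document titles that carried personal information, can be checked mechanically. The following is an added example written for this page; it is not Apollo's data model or API and not CBSA code. All group names, folder names, documents and the list of sensitive terms are constructed for illustration. The model separates a folder-level "see" permission (what the search index may show as a title or first-line preview) from "open" (who may read the body), reproduces the leak against a sample ATIP folder, runs an audit for both gaps, and applies the permissions remediation while showing that the naming problem remains until titles are fixed separately.

```python
import re
from dataclasses import dataclass, field

# Constructed principal names for this example (not Apollo's real groups).
ALL_EMPLOYEES = "all-employees"   # every staff account
ATIP_UNIT = "atip-unit"           # the only group that should see an ATIP retrieval folder


@dataclass
class Doc:
    title: str
    body: str


@dataclass
class Folder:
    name: str
    see: set[str]                  # groups that may see titles / first-line previews in search
    open: set[str]                 # groups that may open the document body
    docs: list[Doc] = field(default_factory=list)


def preview(doc: Doc) -> str:
    """The search index exposes the first line of an email body as a preview."""
    return doc.body.splitlines()[0] if doc.body else ""


def search(folders: list[Folder], term: str, user_groups: set[str]) -> list[tuple[str, str, str]]:
    """Search as the index behaved in the incident: a hit is returned whenever the
    user holds 'see' on the folder, regardless of whether they hold 'open'.
    Returns (folder, title, preview) tuples the user can read on the results page."""
    term = term.lower()
    hits = []
    for f in folders:
        if not (f.see & user_groups):
            continue
        for d in f.docs:
            if term in d.title.lower() or term in preview(d).lower():
                hits.append((f.name, d.title, preview(d)))
    return hits


# Constructed list of words that, in a title, usually signal personal information.
SENSITIVE_TERMS = re.compile(r"\b(accommodation|medical|grievance|harassment)\b", re.I)


def audit(folders: list[Folder], employee_names: list[str]) -> list[str]:
    """Two checks a permissions/naming review should run:
    1. any folder where 'see' is granted to a group that lacks 'open' (metadata is
       visible to people who cannot open the file, the gap described in the report);
    2. any title containing an employee name or a sensitive term."""
    name_re = re.compile("|".join(re.escape(n) for n in employee_names), re.I) if employee_names else None
    findings = []
    for f in folders:
        extra = f.see - f.open
        if extra:
            findings.append(f"{f.name}: 'see' granted beyond 'open' to {sorted(extra)}")
        for d in f.docs:
            if SENSITIVE_TERMS.search(d.title) or (name_re and name_re.search(d.title)):
                findings.append(f"{f.name}: title carries personal information: {d.title!r}")
    return findings


def align_see_with_open(folders: list[Folder]) -> list[Folder]:
    """Remediation for check 1: nobody may see a title or preview unless they may
    open the body. Title hygiene (check 2) still has to be fixed separately."""
    for f in folders:
        f.see = set(f.open)
    return folders


def sample_folders() -> list[Folder]:
    """Constructed data modelled on the incident: an old ATIP retrieval folder whose
    'see' permission was left open to all staff, beside a correctly shared policy folder."""
    return [
        Folder(
            name="ATIP-2019-0001",
            see={ALL_EMPLOYEES, ATIP_UNIT},     # the misconfiguration
            open={ATIP_UNIT},
            docs=[
                Doc("Jane Doe accommodation request - ergonomic assessment",
                    "Hi, attaching Jane Doe's accommodation approval for the record.\nRegards, HR"),
                Doc("Retrieval notice A-2019-0001",
                    "Please locate all records responsive to request A-2019-0001.\nThanks"),
            ],
        ),
        Folder(
            name="HR-Policies",
            see={ALL_EMPLOYEES},
            open={ALL_EMPLOYEES},
            docs=[Doc("Telework policy 2023", "This policy applies to all employees.\n")],
        ),
    ]


if __name__ == "__main__":
    folders = sample_folders()
    print("leak:", search(folders, "Jane Doe", {ALL_EMPLOYEES}))
    for line in audit(folders, ["Jane Doe"]):
        print("finding:", line)
    align_see_with_open(folders)
    print("after fix:", search(folders, "Jane Doe", {ALL_EMPLOYEES}))
```

Run stand-alone, the script first shows a member of the all-staff group finding the ATIP document by the employee's name and reading its preview line, then the two audit findings, then an empty result set for the same search once "see" has been trimmed to match "open". The second audit finding persists after the permissions fix, which is why a naming review and a permissions review are separate controls.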

Recommendations

  1. In addition to the steps the CBSA was already taking in response to the complaint, the OPC recommended that the CBSA make the existing Apollo training mandatory and trackable for all employees responsible for creating or modifying documents and permissions in Apollo to assist in preventing this type of breach from reoccurring.
  2. The CBSA responded that it would continue to raise awareness of Apollo functionalities, including naming conventions and permissions, through monthly “Apollo Cheat Sheets” and that it was also developing a calendar of learning and awareness activities to promote best practices in Apollo through informal learning activities and awareness campaigns. It responded that it would implement an information management Compliance Framework and establish a dedicated IM Compliance Function, which would include validation activities related to permissions in Apollo. The CBSA responded that it would explore the feasibility of adding Apollo-related training as part of its suite of mandatory courses for all employees and that it would assess the development of a dedicated training and learning path—or a National Training Standard—for the information management community, which would include specific modules on the management of records within Apollo and could be made available to all employees. The CBSA indicated that, while tracking completion is currently limited, the CBSA would develop a communication strategy aimed at increasing awareness and participation in existing Apollo training opportunities.
  3. Based on the CBSA’s representations, we understand that multiple ATIP files from 2021 and earlier may have left a number of employees’ personal information vulnerable to unauthorized access because of the permissions applied to their folders. While the CBSA has addressed and rectified the issue in this instance and committed to increasing awareness of and participation in Apollo training opportunities, absent mandatory and trackable training on permissions in Apollo, we are not satisfied that every CBSA employee using Apollo knows how to set and check permissions so that personal information is protected from unauthorized access and inadvertent disclosure.

Conclusion

  1. The disclosure of the complainant’s personal information did not occur in accordance with any of the provisions outlined in subsection 8(2) of the Act. The CBSA agreed. We therefore find the complaint is well-founded.
  2. We recognize the CBSA’s objective to improve its personal information safeguards by committing to implement the measures it has presented to the OPC. However, without implementing mandatory and trackable training to ensure that every CBSA employee using Apollo is aware of how to properly set and check permissions in Apollo, we are not satisfied that the CBSA has implemented sufficient safeguards to prevent this type of disclosure from reoccurring. We therefore find the matter unresolved.