In a newly released audit, Jennifer Stoddart says the agency is not always safeguarding the sensitive information properly either.
A second report issued by the privacy commissioner Thursday reveals a key RCMP database continues to hold information about people who have received a criminal pardon or who were wrongfully convicted.
Both special audits were released as Stoddart tabled her annual report on federal privacy practices in Parliament.
The review of the Canadian Air Transport Security Authority concluded the agency was reaching beyond its mandate by filing reports on incidents unrelated to air security.
Stoddart's office looked at a random sample of 150 of the agency's 10,400 incident reports on file.
"Over half of the reports — approximately 57 per cent — concerned matters unrelated to aviation security, including the discovery of narcotics, tobacco and large sums of money," says the audit.
In a response, the air security agency agreed with Stoddart's recommendation to limit collection of personal information to aviation security incidents.
The air security agency violated the Privacy Act by sometimes informing police when a large sum of money was discovered in the baggage of passengers about to board a domestic flight, the audit says.
"It is not an offence to travel domestically with a large sum of money."
However, Stoddart's office concluded it is acceptable for the air agency to notify authorities when it happens to discover narcotics or other contraband in a passenger's luggage on any flight.
The agency also has the green light to tell the Canada Border Services Agency when it comes across an international traveller carrying more than $10,000 in currency, given the rules about crossing borders with large sums.
Still, Stoddart stresses the air agency cannot keep such information in its files since it has nothing to do with air security.
The audit also raises concerns about the agency's airport scanners that can see through clothes.
The system, in place at 23 Canadian airports, allows a screening officer to see whether someone is carrying plastic explosives or other dangerous items by viewing a ghost-like but fairly detailed outline of their body.
When auditors visited the rooms where officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera — even though these types of devices are strictly prohibited because of their recording capabilities.
The TV camera was disabled after the privacy commissioner's office alerted the air security agency.
During site visits to airports, Stoddart's reviewers found security incident reports containing travellers' personal information stored on open shelving units, on the floor and in cabinets that did not meet required security specifications.
"At one airport, we found security incident reports stored in boxes in a room used to conduct private searches," the audit says.
The air security agency has outsourced passenger screening to private-sector companies, but this does not mean it can ignore the Privacy Act, Stoddart notes.
She suggests an ongoing monitoring strategy, including internal audits, to provide assurance that good privacy practices are being followed.
Federal agencies can hire outside firms without running afoul of the law, said Chantal Bernier, the assistant privacy commissioner.
"But it means that you need to have a very tight governance framework to make sure you monitor your contractors, and ensure that they live up to the obligations that the Privacy Act provides for," she said in an interview.
Stoddart said in a statement that while the agency has moved quickly to correct problems, federal institutions are obliged to handle information with "an uncompromising level of care — not some of the time, or even most of the time, but all of the time."
The commissioner's audit of the RCMP looked at operational databases that are widely shared with other police forces, government agencies and various organizations.
Stoddart found that while the RCMP has policies and procedures to protect the sensitive information in these electronic systems, there were also disturbing gaps.
"People who were convicted of an offence they did not commit, or who have been granted a pardon, have a right to go about their lives without information — and especially misinformation — about their past coming to light," Stoddart said in her statement.
"Such information must be more tightly controlled."
The commissioner's annual report notes government agencies are becoming increasingly interested in biometric systems — which rely on unique physical traits — to manage access to programs and services.
For instance, Citizenship and Immigration Canada plans to ask visitors, temporary foreign workers and students applying for visas to enroll from abroad by providing 10 fingerprints and a digital photo.
While such systems can be more reliable than paper-based ones, they can also be used to surreptitiously monitor and track people's movement and behaviour, Stoddart warns.
Her office was advised by government agencies of 64 inappropriate disclosures of personal information in the last year, many due to "sloppiness" including binders left on public transit and airplanes, incorrect address labels, and documents sent to the wrong office.