11/17/2011 11:02 EST | Updated 01/17/2012 05:12 EST

Privacy Office Finds Air Passenger Breaches

The federal government is collecting too much information on airline passengers and is not doing enough to safeguard it, the privacy commissioner said in her annual report to Parliament on Thursday.

Privacy Commmissioner Jennifer Stoddart focuses on the privacy policies of the Canadian Air Transport Security Authority (CATSA) in one of two audits included in her annual report. That audit concludes CATSA acted beyond its authority by producing security reports on incidents not related to aviation security, and even contacting police about the legal activities of some passengers.

In a news release Thursday, the privacy commissioner's office noted that CATSA agreed with the audit's findings and said it would stop collecting personal information related to legal activities.

The audit also raised concerns about privacy procedures surrounding new full-body airport scanners, although it said the breaches were "uncommon."

Stoddart's office found in two cases there were forbidden devices in the room used for screening the full-body scans: a cellphone and a closed-circuit TV camera.

In other cases, CATSA staff had left incident reports and other documents with personal information on open shelves or in plain view of passengers.

Database handling examined

The privacy commissioner also found a handful of problems with the RCMP's record management systems.

The Mounties share records with smaller police forces, and a third of those agencies are more than two years late on setting up user authentication procedures to log into the Canadian Police Information Centre.

Stoddart also found problems with the Police Reporting and Occurrence System, including that the RCMP had disabled a function that would automatically delete records once they get too old.

The RCMP agrees in the report to turn the function back on. They also agreed to delete 1,000 unused accounts for the system, and implement an audit log review tool that would help with investigations when it's suspected someone misused the tool.

The commissioner's annual report summarizes her office's key investigations into privacy complaints and breaches involving the collection, use and disclosure of information about Canadians.

Stoddart's report also:

- Recommended Citizenship and Immigration Canada strengthen privacy safeguards for biometric identifiers of vulnerable populations such as refugee claimants.

- Assessed the privacy impact of passenger behaviour observation at airports, raising concerns including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.

- Details a record number of reports of personal information breaches last year. One involved a malfunction of the new My Service Canada Account website, a day after its launch, that allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.

- Found 32 of 34 of the office's recommendations in 2008 and 2009 audits had been fully or substantially implemented. For example, the RCMP reported it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the privacy commissioner’s recommendations.