Question Period Note: AFGHANISTAN CLIENT PRIVACY BREACH

On October 18, 2021, the personal information of 636 individuals was inadvertently released in emails sent by IRCC’s Client Support Centre to these individuals who were seeking information on special programs to welcome Afghan refugees to Canada.

• The Government of Canada holds itself to the highest standards when protecting the personal information of our clients.

• In the event of a breach, IRCC responds quickly to contain the breach and reviews its processes with a view of adjusting or implementing measures to help prevent a breach from happening again.

• In this case, as with all breaches, IRCC notified affected clients via a letter, to apologize and request that they delete the email they had received.

• IRCC is taking this situation very seriously and has engaged the Office of the Privacy Commissioner.

• IRCC is committed to safeguarding clients’ personal information and ensuring clients’ data are properly managed and protected by having strong privacy and security policies in place.

If pressed:
• We are determining whether additional mitigation measures may be appropriate for the individuals impacted by the privacy breach.

IRCC’s Client Support Centre

• Located in Montréal, IRCC’s Client Support Centre provides personalized telephone support to in-Canada applicants, email support for enquiries received primarily via an online Webform, as well as a 24/7 self-serve interactive voice response telephone system.

• IRCC also has a dedicated Information Centre for Members of Parliament and Senators for clients who reach out to their local Member of Parliament or Senator’s office for support.

• In 2020-21, the Client Support Centre received over 4.2 million calls (2.6M asked to speak to an agent) and 1.5M email enquiries.

• The Client Support Centre also offers support to clients during emergency situations.

Client Support for Afghanistan

• In July 2021, Canada established Special Immigration Measures for the resettlement of Afghan nationals who had a significant or enduring relationship with Canada, along with their family members.

• This was followed by an announcement in August that the Government would resettle 20,000 Afghan nationals, including those identified through the special immigration measures, as well as a broader humanitarian effort with a focus on particularly vulnerable groups that are already welcomed to Canada through existing resettlement streams. The Government doubled this commitment to 40,000 Afghan nationals in September 2021.

• Since August 23, 2021, the Client Support Centre has been providing a single point of contact for assistance via telephone and email to vulnerable clients in-Canada and outside Canada by providing guidance and support on special measures put in place by IRCC in response to the situation in Afghanistan. As of October 31, 2021, IRCC has responded to approximately 36,000 phone calls and 320,000 emails.

• On October 18, 2021, personal information of 636 individuals was inadvertently released in four emails sent by the Client Support Centre. individuals. These individuals were addressed in the ‘To’ line instead of the ‘BCC’ (or blind copy line), exposing their email addresses to all recipients. The subject/topic of the message, which was related to Afghanistan, was also released. The breach was limited to the people within each of the four emails; one person did not receive the information of the 635 other people.

• This error was discovered on the same day the breach occurred.

• On October 22, 2021, a letter of apology was sent to all affected individuals and they were also asked to delete all copies of the email received.

• On October 26, 2021, the CBC published an article on the privacy breach, claiming that the names and photos of individuals were released and that families further fear for their safety as a result of this privacy breach.

• On October 28, 2021, as this privacy breach is considered a “material” privacy breach, IRCC informed the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat (TBS), as per TBS Guidelines for Privacy Breaches.

• The Department has assessed that no client’s name or photo was included by IRCC issued emails. However, a client's preference as defined in their user profile with their personal email provider (e.g. gmail or Hotmail), may have displayed their profile picture or name.

Measures underway to address the privacy breach

• IRCC has conducted a preliminary analysis of the risk to the physical integrity of the individuals whose names were released. The key identified risk to these individuals is the use of the email addresses and profile pictures (if available) to identify individuals affected by the privacy breach with the intent to harm them.

• Proposed mitigation measures include [REDACTED], and disseminating further messaging to inform affected individuals of various protective measures they may wish to consider.
o This could include suggesting that they: change/delete the breached email address; remove profile pictures associated to their email accounts; create or use a different email address for future correspondence with IRCC; and be on alert for individuals who may seek to exploit their situation for financial gain.

• As is the case for privacy breaches, an investigation into this incident is currently underway. Once the incident has been fully assessed, IRCC will evaluate next steps.

IRCC is also reviewing its current internal processes and procedures to prevent this situation from happening again and to minimize human error. Moving forward, a new Webform (email form) has been implemented to help streamline intake and better triage client enquiries upon receipt.

None