Citizenship and Immigration Canada has released Operational Bulletin 226, which discusses the sharing of biometric information further to the Five Country Conference (FCC) High Value Data Sharing Protocol. The FCC (which consists of Canada, the United States, the United Kingdom, Australia, and New Zealand) meets annually at the Deputy Minister level to discuss ways to improve immigration. In 2007, the FCC committed to work towards the systemic exchange of biometric data for immigration purposes.
Biometric sharing has now commenced.
Under the Protocol, Canada has indicated that it will share approximately 3,000 fingerprint records per year for possible matching against the fingerprint holdings of the other FCC members. The fingerprints will be primarily those of refugee claimants, as well as those involving foreign nations subject to enforcement measures.
The decision to share information was made in order to address the issue of people traveling using fake documents, as well as to prevent people from giving different stories to different nations. The information received is expected to help corroborate refugee claimant narratives and expose inconsistencies. The information exchanged is expected to be available to the Immigration and Refugee Board.
According to the Operational Bulletin, refugee claimant cases will be randomly selected based on time periods.
Canada and the United States already share such information. Last November, the CBC reported that during a two-year trial period authorities exchanged fingerprints on 343 refugee claimants. One-third had applied to live in both Canada and the United States. Five percent were discovered to have had a criminal history in the United States.
Privacy advocates will wonder if the exchange of such information is a breach of Canada’s privacy laws. The answer appears to be that it is not. Section 8(2)(f) of the Privacy Act provides that:
Disclosure of personal information
8. (1) Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.
Where personal information may be disclosed
(2) Subject to any other Act of Parliament, personal information under the control of a government institution may be disclosed
(f) under an agreement or arrangement between the Government of Canada or an institution thereof and the government of a province, the council of the Westbank First Nation, the council of a participating First Nation — as defined in subsection 2(1) of the First Nations Jurisdiction over Education in British Columbia Act —, the government of a foreign state, an international organization of states or an international organization established by the governments of states, or any institution of any such government or organization, for the purpose of administering or enforcing any law or carrying out a lawful investigation;
Having said that, in the 2008-2009 Annual Report to Parliament, the Office of the Privacy Commissioner of Canada expressed concerns over the FCC plan. It stated that:
Citizenship and Immigration Canada plans to implement initiatives involving the use of biometrics.
One, planned for 2011, involves collecting biometrics to support the process of issuing visas to foreign nationals entering Canada. The goal is to prevent criminals from entering Canada, while making the processing of legitimate applicants more efficient.
The program builds on a 2006 biometrics field trial that involved the introduction of fingerprint and facial recognition technologies to the processing of temporary resident visa applicants and refugee claimants. The technologies helped officials uncover cases of identity fraud.
We have expressed to Citizenship and Immigration Canada our concern that the use of biometrics data tends to be privacy intrusive. We have asked the department to provide more information about the need for biometrics data sharing.
Biometric information is highly sensitive information about a person’s physical characteristics that is truly unique to each of us. The ability provided by the use of biometrics to uniquely identify someone is both one of the main reasons it is gaining in popularity and one of the main risks posed to privacy. The broad use of a unique identifier such as someone’s biometric data increases the risk of identity theft and can have a greater impact on the individual in the event identity theft occurs.
There may be serious consequences for individuals if biometrics are used improperly, which is why it is so important that legal safeguards are introduced at the same rate as advances in biometrics technology occur and that sufficient protections are designed to ensure that biometrics are not used in a privacy-invasive fashion.
With 3,000 fingerprint records to be shared every year, it seems inevitable that eventually someone will challenge whether this exchange of biometric information is legitimate, and I’m sure we’ll be hearing more about biometric information sharing in the future. This is especially likely given that, like most government security schemes, these things are always more likely to expand rather than maintain a narrow focus.