Privacy complaints and grievances
Early in 2025, the Customs and Immigration Union became aware of cases within the Canada Border Services Agency where documents including personal information pertaining to employees were shared by CBSA management outside of proper channels, pointing to poor internal practices within management regarding data handling.
Notification regarding these data leaks, along with instructions on how to file a complaint with the Office of the Privacy Commissioner and/or a grievance, has been communicated by CIU to our membership to help navigate this significant lapse from the employer but, due to the privacy aspect, questions remain about how these incidents should be best handled.
Longstanding issues
While the Agency has indicated it had taken steps to address these issues, it is obviously concerning that a law enforcement organization such as CBSA would not have stronger standards already in place to prevent these from happening at all.
Indeed, such security incidents are not happening in a vacuum and are part of a larger problem. On several occasions, the union has flagged to the Agency long standing issues with Apollo, CBSA’s data collection system, citing numerous examples of members’ medical accommodations, medical information, disciplinary information, and personal files being open and available to all without seemingly any checks on who can access the information.
Rather than addressing the underlying security issues head on to prevent future problems, the response from CBSA has been to say that employees should not be looking at files and that they could be disciplined for doing so — once again pointing to an inability or a lack of desire to implement more rigorous security standards.
Privacy breaches: What to do?
Incidents involving an alleged breach of privacy can understandably be a source of concern for those involved — past decisions have found that a violation of privacy rights in the workplace can impact the “[…] sense of security and well being [of] employees” (Alberta v Alberta Union of Provincial Employees, 2012 CanLII 47215 (AB GAA)).
The primary recourse for privacy breaches has generally been to address these through a complaint to the Office of the Privacy Commissioner. In a recent decision, however, the FPSLREB acknowledged that a privacy complaint cannot provide redress for any loss or harm suffered (Hogg v Treasury Board (PWGSC) 2024 FPSLREB 25), opening the door to grievances as another potential recourse in cases pertaining to a breach of privacy. This is somewhat new territory, and time will tell where the jurisprudence lands. In any case, we encourage union representatives to pursue grievances in addition to privacy complaints where they deem it relevant.
Filing a privacy complaint
Members who encounter a situation where they feel the employer improperly released personal information may wish to contact the Office of the Privacy Commissioner of Canada for more information on their privacy rights and file a complaint.
Filing a grievance
Should members wish to file a grievance, the following wording may be used. Members should always speak with their CIU Branch representatives or Branch President before filing.
Grievance wording
I grieve that the employer violated the collective agreement including but not limited to article 6 management rights and the Privacy Act, when it failed to keep my personal information private.
Corrective action
That management ensure they have policies and practices in place which ensure that employees’ personal information is not shared inappropriately; that management receive training on the importance of keeping employees’ personal information private in all aspects of employment; that I be compensated for the breach of privacy and for any specific impact this has on me in the future; that management pay for the monitoring of my credit for a period of 5 years to ensure there is no impact on my personal financial credit; that I receive any other recourse deemed appropriate in the circumstance; and that I be made whole.”