Privacy Impact Assessment Summary for the Pre-load Air Cargo Targeting Program

Introduction

On April 1, 2025, amendments to the Canadian Aviation Security Regulations, 2012 will come into force. The Regulations require that all air carriers transporting cargo on flights from outside Canada to an aerodrome in Canada submit cargo shipment data elements internationally known as Pre-Loading Advance Cargo Information (PLACI) to Transport Canada prior to the cargo being loaded onto the aircraft. Cargo information collected includes:

• the name and foreign address of the original shipper (the first person or company sending the goods)
• the name and address of the consignee (the person or company who is receiving the goods)
• a simple, precise description of each piece of cargo
• the number of pieces of cargo in the shipment
• the cargo’s total weight
• the air waybill number

The Pre-load Air Cargo Targeting (PACT) Program identifies and mitigates high-risk air cargo shipments before they’re transported to Canada. It uses artificial intelligence to assist in finding risk in PLACI.

Why a privacy impact assessment was completed

This privacy impact assessment (PIA) was carried out in accordance with section C.2.2.9.1 – Appendix C of the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Practices, which requires a PIA upon a new program or activity that will involve the creation, collection, use, disclosure, retention or disposal of personal information for an administrative purpose.

The new PACT Program involves the collection of a dataset that may relate to a specific individual and is used as part of a decision-making process about the shipment. Additionally, since the PACT Program involves the collection of personal information, the development of an institution-specific personal information bank (PIB) is required and will be established by PACT. This PIA will accompany the PIB to be registered with TBS, as required by the TBS Directive on Privacy Practices.

The purpose of this PIA is to identify the privacy risks associated with administering the PACT Program and develop an informed assessment of those risks. This PIA will also inform and provide recommendations to mitigate any identified privacy risks to an acceptable level. The recommendations made in this document serve as mitigating measures for the privacy risks that were identified throughout this PIA process.

PIA risk summary and mitigation strategies

Based upon available information, the PIA identified the following potential risks to the privacy of personal information related to the collection, use, disclosure and retention of personal information:

1. Disposal: Risk level – Low
   1. a) It is recommended that the program document a standardized procedure for managing the lifecycle of retained personal information, including a clear plan for its secure disposal.
2. Safeguards: Risk level - Low
   1. a) Security: It is recommended that the program develop a plan for quality assurance and auditing to ensure safeguards for the PACT system are properly working.
   2. b) Security: It is recommended that there be a process to remove or change access controls when an employee leaves or changes duties so that the level of access reflects the current responsibilities of their job.

Program officials established multiple security and privacy safeguards to protect personal information. Examples of these safeguards include, but are not limited to:

• Clearly defined legislative and regulatory authorities for the collection, use, disclosure and retention of personal information
• Ongoing consultation with Transport Canada’s Privacy and Access to Information (ATIP) branch
• Ongoing consultation with Transport Canada’s Legal Services Group to identify and address potential legal risks arising from the use of personal information by the Program
• Consultation with Transport Canada’s Information Management branch and Library and Archives Canada on appropriate retention and disposition authorizations for personal information used by the Program
• Well-defined and documented internal privacy breach protocols and procedures within Transport Canada
• Clearly defined procedures to receive and respond to complaints or inquiries about policies and practices related to the handling of personal information
• Clearly defined security controls and limitations for the access rights to personal information to only those for whom it is required to carry out the risk assessment
• Logging of users accesses and actions within the system
• A Security Assessment completed to obtain an Authority to Operate (ATO)
• Quality assurance and auditing of system safeguards are carried out on an annual basis through the renewal of the system’s ATO
• Documentation of the procedures for the collection, transmission, storage and disposal of personal information contained in the digital airway bills collected by PACT within the ATO
• An offboarding process for staff who leave the PACT targeting roles has been established
• Annual checks of access controls
• Consultation with TBS and the Office of the Chief Information Officer on the responsible use of automation and Artificial Intelligence by the system under the Algorithmic Impact Assessment
• Training of staff on privacy awareness, best practices on protection of privacy and personal information and access to the departmental Privacy Incident Response Plan.

Related personal information bank: TC PPU 064

For more information about this privacy impact assessment please contact PACT-Information-CFAPC@tc.gc.ca.