ATIpper #3: Second Party privacy incidents

As the CSE Commissioner stated in his last report, "the unintentional sharing or inclusion in a [SIGINT] report... of unminimized Canadian identity information"—such as the name, telephone number, or e-mail address of a Canadian individual or organization—constitutes a "privacy incident". (Other errors, such as unknowingly querying information related to Canadians, are also classified as privacy incidents.)

Privacy incidents are reported to be rare, but publicly available statistical information about their prevalence is, in my experience, even rarer.

That's why it is especially interesting to see this comment about the prevalence of privacy incidents in end product reports issued by Canada's Five Eyes allies (from Access release A-2015-00067, p. 43):



"Despite the vast amount of data shared between the Five Eyes agencies, privacy incidents are exceedingly rare. In an average year the likelihood of a privacy incident occurring in a Second Party end product report is less than one tenth of one percent (0.08%)."

That is a very low number.

It's worth noting, however, that the Five Eyes agencies issue something on the order of 200,000 end product reports per year, maybe even more, so this equates to something like 160 incidents per year, or nearly one every second day.