Foreign Affairs, Trade and Development Canada
Symbol of the Government of Canada

Foreign Affairs, Trade and Development Canada

Passport Canada – Security Bureau Evaluation

(August 2008)

(PDF Version, 829 KB) *


The evaluation team would like to express their appreciation to the many individuals who have contributed to this evaluation. We extend our thanks to all those employees of Passport Canada, Consular Affairs, RCMP and our colleagues in the United Kingdom, New Zealand and Australia who provided us with their insight, valued opinions and good-will.

Of special mention the evaluation team acknowledges that the conduct of this evaluation occurred during a particularly challenging point in the transformation of Passport Canada. We appreciate the additional effort and cooperation extended to the evaluation team in order to complete this assessment.

List of Acronyms

Canada Border Services Agency
Citizenship and Immigration Canada
Case Management Officer, Passport Canada
Correctional Services Canada
Canadian Police Information Centre
Department of Foreign Affairs and International Trade Canada
Data Quality Analyst, Passport Canada
Entitlement Review Analyst, Passport Canada
Entitlement Review Investigator, Passport Canada
International Processing Service, Passport Canada
National Processing Service, Passport Canada
Office of the Auditor General of Canada
Royal Canadian Mounted Police
Regional Security Advisor, Passport Canada
Security and Intelligence Case Management System, Passport Canada
United Kingdom-Identity Passport Services
Western Hemisphere Travel Initiative

Executive Summary

Passport Canada was established in 1990 as a Special Operating Agency of the Department of Foreign Affairs and International Trade Canada. DFAIT identified the need to evaluate the effectiveness of the Passport Canada Security Bureau in its Report on Plans and Priorities for 2007-08.(1) The undertaking of this evaluation was considered crucial in order to assess organizational effectiveness during a time of heightened global security, high passport demand and organizational re-alignment to meet such demands.

The evaluation found that the Security Bureau continues to remain relevant and has improved its effectiveness in ensuring the integrity of the passport issuance process. However, the Security Bureau would benefit from an assessment of risks and tolerance levels to guide the progress to reduce security risks. The Bureau would also benefit from a sound performance measurement framework.


Passport Canada's Security Bureau "ensures the integrity and effectiveness of the passport issuance process, the security and quality of the passport concept and its compliance with both Passport Canada's eligibility policy and the Government Security Policy."(2) This includes responsibility for the integrity of entitlement decision-making processes and the physical characteristics of the travel document.(3)

The Security Bureau was evaluated at a critical junction in the implementation of its mandate. The events following September 11, 2001 led to a focus on security and a heightened emphasis on the integrity of travel documents world-wide. The Western Hemisphere Travel Initiative,(4) initiated by the United States, contributed to a dramatic increase in demand and security-related measures. For Passport Canada, this translated to a surge of applications from Canadians applying for passports. Over the last six years, Passport Canada saw demand for passport documents increase by 137% and a corresponding 157% jump in resources. Since 2001-02, full-time equivalent staff positions have increased by 206%.

The Office of the Auditor General conducted an audit in 2005 and a follow-up audit in 2007 which identified significant concerns with respect to Passport Canada's capacity to respond to increased demand and meet security requirements. Although Passport Canada has taken many initiatives to address these issues, there still remain numerous jurisdictional and legislative considerations beyond the control of Passport Canada that affect entitlement.

For instance, Passport Canada, like other agencies that require proof of identity to deliver services, has to deal with multiple agencies in different jurisdictions to confirm identity. Vital statistics (e.g. births/deaths) fall under provincial/territorial jurisdiction, each with different document standards. There are also legal provisions to respect individuals' rights to privacy and who can access and share personal information.

The evaluation findings were based on 68 interviews with stakeholders between January and March 2008. Extensive passport documentation was also reviewed. Qualitative and quantitative analyses formed the basis for the evaluation assessment on relevance, success and cost-effectiveness.


The issue of relevance addresses questions pertaining to the contribution of the Security Bureau in achieving Passport Canada's mandate. The evaluation found that the Security Bureau is relevant in addressing passport entitlement but it was challenging to assess the relevance of the Security Bureau's activities in the absence of a risk assessment on entitlement and issuance. Without this assessment, there is no framework to determine which functions are appropriate to the Bureau's mandate.

The Security Bureau's functions(5) contribute to the integrity of the Canadian passport document by supporting entitlement decision-making through expert assistance to the policy and operational units of Passport Canada both at home and at Canadian missions abroad. This centralized approach contributes to ensuring the security aspect of passport issuance. However, the evaluation also found that some functions appear more related to passport operations, rather than to security, including some of the data integrity functions, case management functions and support to foreign operations.

Until recently, the focus of passport security had been to provide a complete and standard review of each and every passport application. This was conducted by a rigid application of rules and procedures. Passport Canada has begun to shift this focus to one that is based on an assessment of risks and the identification of the high risk situations. The simplified renewal process is one example of this new approach. The simplified renewal process is based on the concept of known applicants who present a lower risk. Any previous passport holder who has not reported a lost, stolen or damaged passport as well as other criteria can reapply without resubmitting supporting document and without a guarantor.


The Security Bureau continues on a path of improvement. Efforts are underway to establish a compliance function and to clarify the role of the Regional Security Advisors. The Security Bureau ensures the integrity of the passport issuance process by providing the necessary support to the operational units as well as to Canadian missions responsible for the Passport Program abroad.

The Bureau has also been successful in changing its management culture. It continues to develop new tools to support decision-making, to improve access to information, to strengthen information systems, to increase support to Canadian missions and to include new security measures in passports. These measures are designed to reduce fraud and the misuse of the passport document.

The evaluation found that the Security Bureau responds primarily to identified or known risks based on a narrow scope. Currently, the focus is to develop the tools and processes required to be more systematic in the identification and management of security risks. This will allow for improved management and balance between client service demands and the security of the passport issuance process.

Some informants also had the impression that security was compromised in efforts to maintain client service standards during the unprecedented increase in passport applications in 2006-07. There is insufficient information on the Security Bureau's activities at this time to conduct a review or to assess on a broader scale the Bureau's performance with regard to the impact of increased volume on entitlement decision-making.


The cost-effectiveness of the Security Bureau was found to be affected by such factors as: the unclear communication of the Bureau's role, responsibility and direction; varying levels of standardization of security-related activities; and, on the adequate use of its resources and information holdings.

The evaluation found that many employees did not understand the role of the Security Bureau. This impression was most evident with the role of Regional Security Advisors (RSAs) who are located in the regional directorates. RSAs were intended to increase the Bureau's capacity to enhance the integrity of the Passport Program within the regions in Canada. The evaluation interviews revealed that there has been little direction given to RSAs on their expected role and, as a result, their roles have evolved inconsistently across Canada. In some regions, the Regional Security Advisors may deal with issues beyond the mandate of the Security Bureau for example, physical security.

This lack of clarity on roles and responsibilities may be related to a more general issue on the need for clear communications. Communications on security issues can come from a variety of bureaus within Passport Canada; not just the Security Bureau. While there was no evidence to suggest that there are inconsistencies in entitlement decisions, there was considerable variation in work processes among the issuing offices.

The evaluation also found gaps with respect to the tools and databases available to the Security Bureau to ensure the integrity of entitlement decision-making both in terms of the Bureau's ability to make effective use of its internal information and its ability to access external information from partner organizations. Improvements have been made to increase data availability but there are still issues on data quality (completeness) and comparability. For example, data are either available electronically but cannot be searched or only on a limited case-by-case basis.

Despite an increase in resources, the Security Bureau still needs to fill positions as well as define the roles and responsibilities for new positions. As a result, the evaluation found it difficult to assess if the level of resources required for its mandate is sufficient.


The evaluation found that the Security Bureau performs a critical role in ensuring the integrity of the passport issuance process and the physical characteristics of Canada's travel documents. It continues to work towards reducing barriers to strengthening its processes and tools to provide more efficient service delivery, without compromising security.

The evaluation proposes three recommendations. These recommendations are based on one theme which is to establish an entitlement risk assessment, wide in scope, to guide the effectiveness and progress on reducing security risk.

  1. That Passport Canada conducts an assessment of security risks on passport issuance and that the approaches to managing these risks are within acceptable tolerance levels.
  2. That the Security Bureau develops a management framework for its activities based on the results of the security risk assessment.
  3. That the Security Bureau develops performance measures to monitor its decision-making.

Top of Page

1.0 Introduction

This report presents the results of an evaluation of Passport Canada's Security Bureau conducted between January and March 2008. A case study was also conducted with the United Kingdom's Identity Passport Services as a means to offer similarities and differences in their approach to passport security. The evaluation reports on relevance, success, and cost-effectiveness.

1.1 Evaluation Context

Passport Canada was established in 1990 as a Special Operating Agency of the Department of Foreign Affairs and International Trade Canada (DFAIT). The mandate of Passport Canada is to "ensure secure Canadian travel documents through authentication of identity and entitlement, facilitating travel and contributing to international and domestic security." (6)

As an Agency, Passport Canada finances its operations from the fees charged for passports and other travel documents(7). Passport Canada is considered self-financed and must generate sufficient revenues to meet expenditures. It offers services through 33 local offices located across the country. To better serve Canadians, it also works in cooperation with receiving agents like Canada Post and Service Canada to assist Canadians with their passport applications. The Agency processes applications received by mail, in-person, through receiving agents, and through Members of Parliament. Exhibit 1 provides an overview of Passport Canada.

This evaluation was identified in DFAIT's Report on Plans and Priorities for 2007-08(8). The purpose of the evaluation is to establish to the extent possible a baseline of the effectiveness of the Security Bureau. This would be used to assess the integrity of the passport document and the issuance process. The objectives of the evaluation were to:

  • Examine the relevance, success and cost-effectiveness of the Security Bureau;
  • Identify any vulnerabilities associated with the Security Bureau;
  • Conduct comparative analysis with the United Kingdom;(9) and,
  • Recommend areas of improvement.

Exhibit 1: Overview of Passport Canada

Organizational Chart Presenting an Overview of Passport Canada


Exhibit 2: Overview of Security Bureau

Organizational Chart Presenting an Overview of the Security Bureau

1.2 Evaluation Methodology

The data collection for this evaluation was conducted between January and March 2008. Below are the evaluation issues and questions.

Exhibit 3: Evaluation Issues and Questions


To what extent is the Security Bureau adding value in support of Passport Canada's mission and objectives?

  • How does the Security Bureau contribute to the mandate and mission of Passport Canada?
  • How does it ensure the integrity of the entitlement process?
  • How does the Security Bureau contribute to the implementation of Passport Canada business plans?

To what extent are roles and responsibilities for the Security Bureau clearly communicated and understood?

  • To what extent are the Security Bureau's activities integrated with other parts of the organization and external stakeholders?
  • Are its role and responsibilities understood within the organization?
  • On matters related to security, are the lines of communication among managers, directors and directors general uniformly applied?

To what extent is the Security Bureau achieving objectives and expected results?

  • What are the expected results?
  • Are the objectives for the Security Bureau clear?
  • Are the objectives communicated, understood and agreed upon?
  • To what extent are performance expectations clear?
  • Are the performance expectations communicated, understood, and agreed upon?
  • To what extent are key performance measures measured and monitored consistently?
  • Are there best practices within Passport Canada that could be applied to the organization nationally?

To what extent has the Security Bureau implemented approaches to achieve efficiency and cost-effectiveness?

  • To what extent are there consistent and standardized security functions from one location to another? If variance exists, to what extent are these differences between locations explainable and acceptable?
  • Are there sufficient resources in place for the consistent and uniform application of security functions?
  • How have new technologies, approaches or policies affected the security function?
  • Does the Security Bureau have the capacity to respond and adopt new security standards / processes; for instance, the new implemented guarantor policy? Is there any supporting data?
  • Are there workforce capacity issues that need to be addressed?

The evaluation methodology consisted of a mixed-methods approach. This means that the evidence is based on several different data sources: interview data from internal and external stakeholders, financial data and key documents. The following lists the foundation that was used for evidence:

  • A review of relevant documentation;
  • Interviews with 43 key informants within Passport Canada (representing all regions and with direct contact with Security Bureau functions);(10)
  • Interviews with 11 employees in six Canadian missions responsible for the delivery of the Passport Program abroad;
  • Interviews with three representatives of the Royal Canadian Mounted Police (RCMP) with responsibilities for liaison with Passport Canada;(11) and
  • Interviews with 11 representatives from the United Kingdom Identity Passport Services, the New Zealand Department of Internal Affairs and the Australia Department of Foreign Affairs and Trade.

1.2.1 Data Collection

Interviews were the primary source of data for this evaluation. The interview protocols were established in advance and provided a standard approach to interviews. The questions were open-ended to allow for maximum latitude to explore issues of direct relevance with key informants. On average, each interview lasted one hour. The evaluation findings present divergent opinions as well as consistent themes delineated from interview data.

Passport Canada provided a list of internal and external stakeholders. Seventy-nine percent (79%) of informants were Passport Canada and DFAIT employees, while the remaining 21% were external stakeholders. Of these informants, only three were unable to participate. Evaluation findings are therefore based on a participation rate of 95%. Interview data have also been aggregated to respect confidentiality.

1.2.2 Evaluation Scope

The focus of this evaluation was on the operations of the Security Bureau as opposed to the security function. (12) Given this focus, the list of key informants was a valid frame of reference. The results from the interviews offered reliable data to directly assess the activities and outcomes of the Security Bureau.

The key informants were all involved in the principal bureaus within Passport Canada that have direct contact with Security Bureau. The only Passport Canada bureau that was unavailable for an interview was the Business Information and Technology Bureau. Eleven DFAIT employees involved in the extension of the Passport Program at Canadian missions were included to gain a sense of the relationship among Consular Affairs, Passport Canada and Canadian missions. The mission sample was selected based on geographic representation(13) and volume of passport-related inquires. It is, however, not representative of all mission-related passport activities. Of the three main external stakeholder groups, CIC, CBSA and RCMP, only the RCMP participated.

The evaluation is subject to the following limitations on coverage and data quality:

  • The evaluation team developed a proxy measure (14) of the Security Bureau's mandate, activities and expected results (15) to serve as a framework for the evaluation. Evaluation findings are therefore proxies and, should not be viewed as a validated benchmark inclusive of all the Security Bureau activities, only an approximate of key activities.
  • The evaluation was based mostly on interviews and other source data from Passport Canada.
  • Because the focus of the evaluation was on the functions of the Security Bureau and not the security function within Passport Canada, it was at times challenging to distinguish whether key informants were referring to the functions of the Security Bureau or security in general (e.g. physical security, IT security function, operational security, etc.) This contributed to a lack of clarity on the current role of the Security Bureau.

The impact of these limitations is that the evaluation is an internal assessment of the Security Bureau. Given that most key informants were Passport Canada employees, the findings reflect a localized and biased perception of the organization. Nevertheless, the convergence of the responses validated the findings.

1.3 Description of the Security Bureau

1.3.1 Security Bureau Mandate

Within Passport Canada, the Security Bureau "ensures the integrity and effectiveness of the passport issuance process, the security and quality of the passport concept and its compliance with both [Passport Canada's] eligibility policy and the Government Security Policy." (16) This includes responsibility for the integrity of entitlement decision-making processes and the physical characteristics of all travel documents (17). In the past, the Security Bureau also had responsibility for physical and information technology security functions. Since 2006 these are no longer the responsibility of the Bureau.

1.3.2 Security Bureau Structure and Responsibilities

The Security Bureau is under the responsibility of a Director General and has four divisions:

  • Security Operations Division is responsible for the integrity of passport data, dealing with complex cases and compliance with Passport Canada policies and procedures;
  • Enforcement and Anti-Fraud Division is responsible for intelligence gathering, the review and investigation of cases where there are concerns about entitlement or revocation, physical security characteristics of travel documents, security screening for Passport Canada personnel,(18) and the Regional Security Advisors;
  • Foreign Operations Division provides support for the implementation of the Passport Program in Canadian missions; and,
  • Management Services Division is responsible for providing overall management support to the Bureau, including the development of work plans and performance measurement systems.

The overall structure of the Security Bureau is shown in Exhibit 2. The exhibit also presents a very brief summary of the responsibilities of each section.

The Security Bureau supports:

  • Issuing offices in the Eastern, Ontario and Western regions;
  • The National Processing Services which processes mail-in applications, as well as those from receiving agents and members of Parliament;
  • Passport services at missions abroad.
  • The International Processing Services which processes applications for Canadians living abroad; and
  • The print centres in Quebec and Ontario.

1.4 Challenges

Passport Canada continues to face many challenges that have had an impact on the delivery of the Passport Program including, but not limited to, the specific influence of the Western Hemisphere Travel Initiative (WHTI) on travel requirements to the United States. This initiative requires all travelers including U.S. and Canadian citizens to present a valid passport or other approved secure document when entering the United States from within the western hemisphere. The U.S. WHTI is being implemented in stages by mode of transportation. The WHTI was implemented for air travel on January 23, 2007. Full implementation of the WHTI requirements for entry into the United States by land and water is expected on June 1, 2009.

1.4.1 Changed Security Environment

The post 9/11 environment elevated a global focus on security which led to an increased emphasis on the security and integrity of travel documents around the world. This change in environment drove the pressures to strengthen the passport issuance and control systems, practices, and policies and the physical specifications for passports (including e-passports and the use of biometrics)(19).

1.4.2 Increase in the Demand for Passports and the Impact on Resources

The volume of passports issued rose from 2.04 million in 2001-02 to 4.83 million in 2007-08 (see Exhibit 4)(20). This is a dramatic increase in demand, a surge of 137% over six years, with the 24-page regular passport representing 98% of all passports issued. Year-to-year changes showed steady increases each year with the last three fiscal years being the highest overall. Since 2005-06, the number of passports issued jumped 13% over the previous year and Passport Canada's projections show this level of demand constant until 2009.

Exhibit 4: Volume of Passports Issued, 2001-02 to 2007-08
 Number of passports issued in millions (21)Increase since 2001-02Year to year % change

Source: Passport Canada

There was no noticeable difference in the method by which Passport Canada received its applications for processing (Exhibit 5). Walk-ins continue to be the primary service channel accounting for nearly 80% of all passports. Passport applications received through mail-ins, missions, receiving agents or other sources(22) represent the remaining 20% of total passports.

Exhibit 5: Percentage of Applications by Business Channel, 2003-04 to 2006-07
Service channel2003-042004-052005-062006-07Average
Receiving agents1%2%3%4%2%

Source: Passport Canada

Exhibit 6 shows that the steady increase in the number of passport applications led to a significant increase in Passport Canada resources. Between 2001-02 and 2007-08, revenues rose from $111 million to $284 million representing an increase of 157%. Salaries accounted for 58% of expenditures in 2007-08, up from 50% in 2001-02. Exhibit 7 shows that over the same timeframe, expenditures were generally in pace with revenues.

Exhibit 6: Passport Canada Resources and Percent Change, 2001-02 to 2007-08
YearSalary 23 ($,000’s)O&M
% change# of FTEs% change
2007-08165,753119,222284,97524%2,900 (24)10%

Source: Passport Canada

Since 2001-02, Passport Canada continues to respond to passport demand. In 2001-02, there were 949 full-time equivalents, while in 2007-08, it grew to 2,900. This represents an increase of 206% over six years. This rapid escalation contributed to organizational strain in terms of personnel security screening, (25) training, implementing double shifts, integrating new employees and, of course, the need for new and specialized accommodations.

Exhibit 7: Revenues and Expenses, 2001-02 to 2007-08 ($000's)

Chart depicting Passport Canada's Revenues and Operating Expenses

Source: Passport Canada

1.4.3 External Audit

The timing of an audit by the Office of the Auditor General (OAG) in 2005 was critical in assessing Passport Canada's progress to effectively respond to the passport demand. The OAG audit identified significant concerns with respect to Passport Canada's capacity to respond to increased client demands and meet the new and necessary security requirements. Passport Canada has since launched several new measures to address the issues identified in the audit.

While the impact of these new measures is outside the scope of the evaluation, the timeframe when these measures were initiated is covered by this evaluation. These measures drove much of Passport Canada's planning since 2004-05 and their progress is reflected in the 2007 OAG follow-up audit.

Top of Page

2.0 Relevance

Evaluation findings as they relate to the relevance of the Security Bureau to achieve Passport Canada's mandate are reported below:

2.1 Most Security Bureau Functions Remain Relevant

The issuance of a travel document is essentially a security-based process. All aspects of the process have security components - from checking the legitimacy of evidentiary documents which support the applicant's identity and entitlement to a passport, to the secure printing and delivery of the passport. While Passport Canada is aware of the client service aspect of its work and has made public commitments to client service standards, ensuring the integrity of the passport document requires a security focus at all stages of the entitlement process.

Finding 1:
Most Security Bureau functions contribute to protecting the integrity of the decision-making and the Canadian passport document.

Most Security Bureau functions contributed to mitigating two passport security threats that were identified in the Passport Canada Business Plan 2006-2009:

  • The fraudulent use of another person's identity or a false identity to obtain a passport by focusing on ensuring the security and integrity of the entitlement process; and,
  • The tampering or counterfeiting of the passport book by focusing on high security physical characteristics of travel documents.

Security of Entitlement Decision-Making

The Security Bureau supports decision-making on entitlement. Specific Security Bureau functions that are consistent with the Bureau's mandate and its role in supporting passport integrity include:

  • Contributing to the development of entitlement decision-making policies, as reflected in the Passport Policy Manual and commenting specifically on the impact of policy on the security and integrity of the entitlement decision-making process;
  • Gathering intelligence for the System Lookout database(26) also referred to as "watch list." This database is the first check for identifying cases where there may be a security concern;
  • Maintaining the integrity of the data in IRIS (Passport Canada's issuance system) through the work of the Data Quality Analysts (DQAs);
  • Supporting issuing offices and the National Processing Service with advice and guidance on complex cases (e.g. cases involving custody of children, multiple lost or stolen passports or travelers who have incurred a debt to the Crown for repatriation costs) through the work of the Case Management Officers (CMOs);
  • Investigating cases related to suspected criminal or fraudulent activities. These are referred to Entitlement Review Analysts (ERAs) or Entitlement Review Investigators (ERIs); and,
  • Collecting and managing information on lost or stolen passports and sharing this with relevant partner organizations.

Physical Characteristics of Travel Documents

The Security Bureau is responsible for researching and recommending changes to the physical characteristics of travel documents. It is also responsible for liaising with partner organizations to ensure that entitlement officers are aware of any changes to key documents used in the passport issuance process - for example, birth certificates, driver's licenses or citizenship certificates.

Finding 2:
Some Security Bureau functions do not appear to be distinct from the ongoing operations of Passport Canada.

It appears that the Security Bureau currently has five key functions:(27)

  • Supporting operational decision-making by addressing issues related to inconsistent or incomplete data and providing advice and guidance on complex cases;
  • Ensuring the integrity of the passport issuance process through security compliance reviews;
  • Gathering of intelligence and using this information to conduct entitlement reviews and investigations;(28)
  • Recommending security features for all travel documents; and,
  • Supporting Canadian missions with implementation of the Passport Program abroad.(29)

Only three of these five functions appear to be uniquely related to security activities beyond those that are inherent in the ongoing passport issuance process, which is the responsibility of the Operations Bureau. These are:

  • Ensuring compliance with security provisions;
  • Intelligence gathering and investigations; and
  • Recommending security features.

The other functions appear to be more an extension of passport operations than specific Security Bureau functions. In the interviews, key informants specifically questioned the relevance of some of these activities and whether they are consistent with mandate of the Bureau. Informants also questioned the relevance of maintaining functions related to foreign operations, data quality analysis and, in some case, case management in a security-focused bureau.

Support for Foreign Operations

Most informants questioned the appropriateness of maintaining the support functions for foreign operations in the Security Bureau. There was little doubt expressed that it was important to maintain a group focused on supporting the Passport Program in Canadian missions. Most of these activities, however, related more to operational activities than to the Security Bureau itself. Some of these activities included: advising missions, liaising between Passport Canada and the missions, providing input to policy development on the specific impact of policy changes on missions, monitoring the implementation of passport training in missions and providing an emergency response for passport-related issues in missions. The ongoing work and projects for 2007-08 currently being carried out by the Foreign Operations Division reflects this operational focus.

Data Quality Analysis

Some informants questioned the relevance of the data quality analysis function in the Security Bureau. The vast majority of client index alerts addressed by the DQAs relate to data integrity of the master client index in the passport issuance system - IRIS. Some informants indicated that the responsibility for maintaining the quality of operational data more appropriately belongs with the Operational Bureau. Additionally, interviews indicated that these alerts detect very few cases of fraud because of limited scope. The Security Bureau recently undertook a review of all the DQA activities and identified a number of data verification edits that could be considered more operational than security activities.

Case Management

The Security Bureau's case management functions appear to constitute both operational and security-related functions. The primary case management function is to support decision-making on complex applications such as applications involving child custody, lost or stolen passports, and applicants with debts to the Crown. While these applications are more complex, they are not necessarily applications that seem to involve a specific security-related issue. On average less than 5% of alerts generated represented any known security issues. Case management would also reveal if a lost or stolen passport is deemed to be related to the fraudulent use of a passport, although this occurrence appeared rare.

2.2 Absence of an Entitlement Risk Assessment

Finding 3:
Passport Canada has not developed an overall risk assessment of the entitlement decision-making process that would provide the framework for the Security Bureau's activities.

In 2007, Passport Canada commissioned a study that resulted in a report entitled "Passport Issuance Process - Risk and Controls Self-Assessment." (30) Security Bureau employees noted specifically that the report focused primarily on how to address the rapid increase in the demand for passports, rather than on the overall entitlement decision-making process - perhaps because it was developed on the basis of a self-assessment conducted during the peak period for passport applications.

Passport Canada reported in its Annual Report for 2006-07 that a risk management framework and plan (31) was developed and approved by senior management. Evaluation interviews indicated that this study was not sufficiently detailed to provide the necessary framework for the security functions. The Annual Report also notes that further work on the risk assessment has been delayed by the unavailability of employees to work on this initiative.(32)

Although an adequate risk assessment is not yet in place, the Security Bureau has proceeded to redefine its mandate and functions using a risk-based approach. It is working towards developing work transformation processes and tools required to address risks in the passport entitlement process.

2.3 Shifting to a Risk-Based Approach

Finding 4:
Passport Canada is shifting to a risk-based approach to manage the entitlement decision-making.

In the past, the focus of passport security has been on ensuring that all elements of the application process are respected. The application process was based on a one-to-one review of all supporting documents for each application to ensure that the documentation used for entitlement decisions contained no gaps or errors. To be security conscious meant to apply the same procedures in each and every case. Most informants indicated that there was a good awareness of security - a security "culture" - in the Agency, but that the awareness was based on the idea that the only way to ensure security was to apply the same procedures exactly the same way in each and every instance.

Recently, Passport Canada has begun to shift the emphasis from a rigid and standard examination for each and every case (commonly referred to as "rules-based" approach) to focus on the identification and management of higher risk cases. This new approach is underway. The Agency introduced "exceptional measures" in 2007 to streamline applications based on known risk factors, without a risk framework to support these decisions on risk.

"Exceptional measures" defined the concept of "known" and "unknown" passport applicants. Known applicants were defined as previous passport holders, and depending on their behavioural pattern, risk-levels were assessed. Entitlement officers were instructed to focus on high-risk applicants; namely applicants unknown to Passport Canada (i.e. first time applicants) or for applicants where there was evidence of risk-related behaviour (e.g. multiple lost or stolen passports).

The "exceptional measures" were announced in May 2007 to allow for the implementation of procedures that were going to be formalized in the simplified renewal process announced in August 2007. The simplified renewal process is based on the concept of known applicants who present a lower risk.

Finding 5:
Without an assessment of the risks and mitigating strategies in the passport issuance process, it is not possible to assess whether the security provisions in place are adequate.

The shift to a risk-based approach has reportedly been difficult in the Agency because it requires a change in the culture of the organization. The introduction of the "exceptional measures" was the first formal implementation of a risk-based approach to entitlement decision-making. Since the measures were implemented at the peak of the elevated volume of applications, there was limited training or explanation of the rationale for the changes. As a result, many key informants felt that these measures had been driven by the need to improve client service and potentially compromised passport security.

Many of these informants also felt that the simplified renewal process and the changes in the policy on guarantors also compromised security. However, some of the informants interviewed who were in management positions, challenged this impression by indicating that there were legitimate reasons for the changes related to both a risk-based approach to passport issuance and increased security in the guarantor process. Again, without a formal assessment of the risk associated with the passport issuance process, the perceptions are difficult to validate and assess the effectiveness of the implications of the "exceptional measures."

Currently the "exceptional measures" remain in place but, Passport Canada's policies and procedures have not yet been updated to reflect this new risk-based approach.

2.4 Impact of Authorities

Finding 6:
The Canadian Passport Order gives Passport Canada limited recourse mechanisms.

Passport Canada's mandate to issue, refuse or revoke a passport falls under the responsibility of two bureaus: the Operations Bureau and the Security Bureau. The authority to refuse a passport is shared between these two bureaus. The requirements of the Privacy Act that affect the passport entitlement and issuance process is the responsibility of only the Security Bureau. This allows the Security Bureau to receive personal information on a specific applicant for the purpose of rendering an entitlement decision (33). Access to an individual's information may only be granted to the Security Bureau under specific justification for the disclosure.

Although there are many different types of complex cases, there are only a limited number that are considered to have a security focus(34). These aspects represent a relatively narrow scope when considering the wide range of security related possibilities.

Passport Canada's mandate comes from the Canadian Passport Order - an order-in-Council, which is a legally recognized document approved by the Governor-in-Council. The Order specifies who is entitled to a Canadian passport and the conditions that must be met to determine eligibility. The Order does not proclaim any powers to the same extent as legislation.

Unlike an Act of Parliament, the Order does not include any regulations to govern the issuance of passports(35) and, as a result, Passport Canada's mandate is open to interpretation with respect to definition, authorities and controls. For example, the conditions in the Canadian Passport Order are vague on issues related to revoking or refusing passports (sections 9 and 10). The use of "may refuse to issue" or "may revoke a passport under certain conditions" presents ambiguity in the application of the conditions.

The Order does not provide strong recourse mechanisms or any administrative penalties in the case of applicants who attempt to obtain a passport fraudulently. Although the Security Bureau, in its enforcement role can refer cases to law enforcement agencies, including the RCMP for investigation, evaluation interviews reported that law enforcement agencies only have the capacity to investigate cases when significant evidence has been documented. Other than that, the only recourses open to Passport Canada are to:

  • Refuse or revoke the passport - a remedy that requires strong grounds and is subject to the approval of the Passport Canada ombudsman;
  • Require applicants to resubmit their applications - thereby, paying twice for the service; or
  • Limit the validity of the passport.
Finding 7:
Passport Canada must depend on the provinces and territories for essential information on passport applicants.

Passport Canada is also challenged by the absence of a national centralized database (or several interoperable databases) that would contain all necessary elements to verify the identity and citizenship of a passport applicant. The reason is that vital statistics in Canada (e.g. births, deaths) are under the legal jurisdiction of a province or territory. The 2005 OAG report noted that Passport Canada and DFAIT have taken great strides in addressing this identity documentation issue. (36)

For Passport Canada, there are two ways to demonstrate Canadian citizenship. The applicants can either provide a Canadian birth certificate or a Certificate of citizenship. Although citizenship certificates are provided by Citizenship and Immigration Canada, the provision of birth certificates is a provincial responsibility and, as a result, there is considerable variation in both the physical nature of birth certificates across Canada and the way in which the information is stored electronically by provincial governments.

Faced with jurisdictional differences, Passport Canada has to deal with a wide variety of documents, sources and systems to verify the authenticity of documents. It is a major challenge to confirm an individual's identity. Although the level of potential identity theft is presently unknown in Canada, the birth/death registrars are considered as the main source of vulnerability because names (and hence identity) can be duplicated between jurisdictions.

A passport applicant could assume a false identity. When undetected this could result in the issuance of a valid passport. This could introduce a systematic error in the issuance process that could also go undetected through the current simplified renewal process. This process was introduced to increase efficiency for re-issuance.

In the absence of a national identity system in Canada, Passport Canada must depend significantly on individual provinces/territories for vital statistics information on a case-by-case basis. When and where possible, it must corroborate such information to address the identity and entitlement of an individual's right to a passport.

Top of Page

3.0 Success

Evaluation findings as they relate to the achievement of the Security Bureau's objectives, including the adequacy of the Bureau's performance measurement, are reported below.

3.1 On a Track of Ongoing Improvements

Finding 8:
The Security Bureau has contributed to the integrity of the passport issuance process and travel documents. It continues to work towards more improvements.

The 2005 OAG audit on Passport Canada identified many concerns with the Agency's operations - some specifically related to the activities of the Security Bureau. Over the past two years, Passport Canada has made significant efforts to address these concerns and, in 2007, the OAG gave Passport Canada an overall satisfactory rating for these changes. Many key informants interviewed for this evaluation also noted favourably the changes made in response to the audit.

The specific improvements within the Security Bureau included organizational, management and culture changes; improved tools for entitlement decision-making; improved physical characteristics of travel documents; and strengthening the integrity of the use of travel documents.

Management and Culture Change

In 2006-07, the Security Bureau began a process of redefining its mandate and developing a three-year strategic plan(37). However, for most of 2007, the Security Bureau did not have stable leadership, with two acting directors general responsible for the Bureau. In the fall of 2007, a new director general was appointed. Informants noted that, prior to the appointment, there was considerable uncertainty within the Bureau, which contributed to a decline in the level of communication among Security Bureau managers.

The Security Bureau has undertaken a number of change initiatives since the fall of 2007. A Management Services Directorate has been established and the Bureau has begun the development of systematic work planning.

Tools and Processes for Entitlement Decision-Making

The Security Bureau continued to develop new tools to ensure the integrity of entitlement decision-making including improved access to partner information, strengthened information systems, development of a Compliance Program, increased support to Canadian missions, and improvements to the physical characteristics of the passport document.

The Security Bureau has strengthened its information sources and analytic capacity to support decision-making. It has expanded existing and developed new links with partner organizations for increased sharing of information with partners including Correctional Services Canada, RCMP, Department of Justice, Canadian Security Intelligence Service and Citizenship and Immigration Canada. In addition, a new case management system - Security and Intelligence Case Management System (SICMS) - is being developed to increase the Bureau's capacity to analyze and use existing passport information. This will mean that the Bureau will have additional information on the entitlement process and will be able to identify risk areas such as a large number of applications from the same address or a person who is acting as a guarantor for an unusually large number of applicants. It will also assist the Bureau in an effort to clear many alerts automatically - rather than through manual data processing.

Improvements in accessing information for decision-making are important first steps, yet there remain areas where gaps in the availability of electronic access to information affect the entitlement decisions. Passport Canada cannot confirm electronically the information provided by applicants to determine Canadian citizenship (birth certificates, citizenship certificates) and to gather intelligence to support the decision-making process(38). Electronic data verification would greatly reduce the need for manual data edits and checks.

Another element to ensure the integrity of the entitlement process is the Compliance Program which is a quality assurance mechanism. The implementation of this Program was deferred due to the need to focus on passport demand. Now, efforts have begun to fully staff and to define the mandate of the Compliance Program. Initially, this Program was to focus on physical security but this responsibility was transferred to the Corporate Security. Once the Compliance Program is fully established, it would be vital in providing quality assurance measures including but not limited to entitlement decision-making within a risk-based approach to security management. For example, a good start to the Compliance Program was the review of access rights of employees to the passport issuance system. The review identified what personnel categories had access to sensitive components of the system. Following this review, a manual was developed to list the appropriate access rights for the tasks to be performed. A revision of system access permissions is in progress.

Another key component of the issuance process is the decision-making that occurs at Canadian missions. As a result of concerns raised in the OAG report, Passport Canada created the Foreign Operations Division in the Security Bureau to provide a focus for the Passport Program being delivered at missions. The entitlement decision-making processes at missions is being supported by online training that all mission employees engaged in the Passport Program are required to complete this fiscal year. While the training is developed outside the Security Bureau, the implementation of the training is being monitored by the Foreign Operations Division. Passport Canada and DFAIT are also exploring the option of repatriating the entitlement decision-making for applications from missions to the International Processing Service.

Physical Characteristics of Travel Documents

The Security Bureau continues to strengthen the physical characteristics of the travel documents. The officer responsible for the travel document meets regularly with partners to ensure that Canada's travel documents meet international standards and keep pace with those of the Five Nations Group (Australia, Canada, New Zealand, United Kingdom and United States). Based on recommendations from the Security Bureau, Passport Canada is moving to the implementation of facial recognition and a new e-passport.(39)

Contributions to the Integrity of the Use of Travel Documents

The integrity of the passport entitlement process extends beyond the issuance of the passports. It includes the integrity of the use of Canadian travel documents. The Security Bureau is responsible for collecting and managing information about lost or stolen passports. This information is shared regularly with CPIC, CIC, CBSA and Interpol.

Finding 9:
The contributions of the Security Bureau mainly focus on responding to known security-related issues.

Currently the processes in the Security Bureau focus primarily on responding to system-generated alerts (based on known passport applications stored in databases) or alerts brought to the attention of the Security Bureau. This would suggest more of a response-based approach as opposed to one based on risk.

System-generated alerts appear when the passport application information is verified against IRIS data verification rules and matched to its "watch list" - a list that contains information on cases of interest or potential problems. The "watch list" holds individual names received from key partner agencies and departments. Passport Canada uses this "watch list" to identify potentially ineligible cases or cases where the individual should receive a limited validity period passport. The reasons for ineligibility or for limited validity vary. The most common reasons were restrictions as determined by the judicial system. This query process generates three types of alerts:

  • Alerts related to data integrity. Information from data collected in two separate months suggests that the Data Quality Analysts (DQAs) address about 85,000 client index alerts a month. The vast majority of these are generated because the system has identified more than one person with the same surname, date of birth and gender;(40) Interviews with Security Bureau employees indicated that the vast majority of these alerts relate to data entry issues and not security threats. The DQAs reportedly detect very few cases of fraud;
  • Alerts related to complex cases (e.g. custody cases, lost or stolen passports) identified through the "watch list" - Case Management Officer (CMOs) respond to these alerts. CMOs also provide support to issuing office and Canadian missions when employees have questions about these types of cases; and
  • Alerts related to potential criminal activities identified through the "watch list" - These alerts are directed to the Entitlement Review Team(41). These alerts may result in an investigation which is carried out by an ERI. In 2007-08, the Security Bureau conducted 124 investigations(42) which represented less than a percentage point of passport applications. One-third of the investigations result in a recommendation to the adjudicator to revoke or refuse the passport and to withhold passport service for a period of time. Of these, 95% were refused or revoked. In 2007, 293 two-year limited validity passports were issued based on a review of the "watch list" files. In addition to this, full validity passports and limited validity passports of other duration would have been authorized.

Given the high volume of alerts of various types, the largest component of the work of the Security Bureau is associated with responding to potential issues rather than developing and analyzing the information necessary to anticipate potential security threats.

The Intelligence Section of the Enforcement and Anti-Fraud Division currently gathers information for the "watch list." Similar to alerts, the work is primarily responsive to information provided by partners or the public, rather than proactive in terms of the analysis of security threats. Informants suggested that SICMS could enable the Security Bureau to institute electronic data verification edit-check rules as well as enable officers to analyse alert patterns. This shift in work process also could change the composition of resources to assume responsibility for critical tasks requiring different skills.

In the absence of a Compliance Program, there is no accurate and comprehensive measure of the nature and extent of compliance to PPTC entitlement and corporate policies, procedures and directives related to security. The DQAs perform systematic monitoring of the entitlement process only on a sample of applications from missions.

3.2 Balancing Client Service and Security

Finding 10:
It is not clear to what extent security may have been compromised during the period of high volumes in 2006-07.

Passport Canada must balance the demands of client service with security. Delays in meeting the demand for passports have the potential to impact on the mobility of Canadians. On the other hand, failure to manage adequately the security risks ultimately increases the risk of inappropriate issuing and use of Canadian passports and would affect the credibility of the Canadian passport and Canada's image in the world.

Many key informants, notably in the issuing offices, expressed concern that when Passport Canada was struggling to cope with an unprecedented high volume of passport applications in 2006-07, security may have been compromised in the efforts to maintain client service. There are a number of factors that led these key informants to have this impression:

  • At the time, issuing offices and the NPS were working long hours to cope with the demand and facing applicants who were experiencing extended time delays. Under those conditions, employees suggested that it was possible that less time was spent on details when compared to periods of normal volumes.
  • In order to cope with the volumes, Passport Canada increased its capacity. There were more clerks hired and assigned to pre-screen applications for their review by entitlement officers. Some key informants raised concern that the new hires did not receive enough training. Pre-screeners received only one week of training but, in many offices, they were also responsible for client interface, review of the identity and entitlement documents which normally was the function of the Entitlement Officer. Officers usually receive three weeks of classroom training (reduced from four weeks) and ten weeks of on-the-job supervision. While the new employees relieved some pressure on the entitlement officers, supervising the new employees also reportedly reduced the time experienced officers could attend on passport applications.
  • Many interviews with informants indicated that any policy/procedural changes on entitlement decision-making were often transmitted by email. Such changes were not reflected in a timely fashion in the Passport Policy Manual. While email is a good way to transmit information quickly, it was not read by all especially when employees were too busy with working at the counters. As a result, some employees did not comply with some procedural changes.
  • Many informants also indicated that the application of "exceptional measures" in the summer of 2007 signalled that application shortcuts were authorized because of the high volume of applications. Many informants believed this because they were unaware of, or unconvinced by, the need for the "exceptional measures."
  • Finally, some informants believed that the public pressures contributed significantly to maintain client service standards rather than strict and rigid adherence to passport examination procedures.

While many informants believed that the entitlement process was compromised, the evaluation cannot determine the extent to which it may have occurred, without a review of decisions taken during the peak periods and the ability to compare this to decisions made prior to the increase in the volume of applications. It is not possible to assess this even qualitatively without an assessment of the security risks in the passport issuance process and the activities that are being carried out to manage these risks.

3.3 Inadequacy of Performance Information

Finding 11:
There is insufficient performance information on the activities of the Security Bureau.

Passport Canada at present does not have a comprehensive framework for monitoring and evaluating its performance. Passport Canada only has performance measures related to client service standards (i.e. waiting times, turnaround times for applications etc.) The evaluation team was unable to find systematic information, collected over time, on measures that could have assisted in evaluation findings. While data were available on the volume of alerts, data were not available on:

  • Volume of different types of alerts(43) or the disposition of these alerts;
  • Volume of cases referred to CMOs, ERAs or ERIs and the disposition of these cases; or
  • Numbers of passports denied based on the activities of the Security Bureau.

In consideration of data availability issues, the Security Bureau has not been able to analyze alert trends or client patterns which could have been useful for resource management.(44)

Finding 12:
An assessment of the nature and extent of passport entitlement security risks is not available.

A common method to assess the effectiveness of passport security is to review its approach relative to others; in this case, through a study with the United Kingdom's Identity Passport Services (UK-IPS). Direct comparative studies among any of the Five Nations Group could not be conducted at this time because there are no international guidelines or standards on passport issuance in consideration of the rights of sovereignty. However, security is viewed similarly among this group of five and based on evaluation observations, Canada, while facing unique challenges in passport demand, has not developed a strong evidence-based approach to determine the nature or level of security risks on passport issuance. The Security Bureau, in its deliberations, on security risks could consider the quantitative assessment now in place at the UK IPS, to be tailored to the Canadian environment, as a means to systematically address security risks.

Such an approach would offer a wider assessment from which to develop more comprehensive scenarios or profiles. The evaluation found that given the current gaps in risk identification, there is a possibility that passport applicants could obtain their identity fraudulently. Such an occurrence could be undetected by the current examination process, resulting in a passport being issued to an ineligible applicant. Once in the system, any subsequent renewal request may not yield any alerts and hence, would have created a systematic bias in the issuance process. One way to mitigate this occurrence would be to establish a system of monitoring the nature and extent of fraud as was found in the UK IPS.

Finding 13:
The risk is high that personal information between business contacts is transmitted electronically over the internet.

Passport Canada and Consular Services have an obligation to protect private and personal information. Access to protected information is governed by the "need-to-know" principle and the level of security for the persons requiring access to perform a job function. In order to protect personal information sent electronically over the internet, DFAIT's "Policy on the Use of the DFAIT Electronic Networks" restricts the transmission of electronic information to the DFAIT network only. Personal information is never to be sent over public networks like the internet where the risk of interception is very high. The Policy states:

"Anyone in the world can be registered on the INTERNET under any name they wish, and access will be granted. Therefore, in dealing with business contacts via the INTERNET, it must be remembered that, at this time, it is impossible to properly authenticate INTERNET users. Also, the path taken by information travelling on the INTERNET from one user to another is unknown. Hence, it must be assumed that the path has no security protection. That is to say, any information flow may be read and/or altered without the knowledge of the sender or receiver. Therefore, no sensitive data is to be sent over the INTERNET."(45)

Passport Canada and DFAIT do not share the same network. Passport Canada uses PPTCNet, while DFAIT uses SIGNET. Therefore, there is a high risk that any personal information sent electronically over the internet between DFAIT and Passport Canada can be subject to interception. For example, an email sent from an employee with PPTCNet email account to an employee with a SIGNET email account must first travel through the public internet to reach its destination.

Evaluation interviews confirmed that there is no secure channel between PPTCNet and SIGNET at this time. No personal or protected information, on a passport file, should be sent via email between Passport Canada and DFAIT, because the transmission is considered non-secure. Both organizations must therefore manage this risk accordingly.

Top of Page

4.0 Cost-Effectiveness

Evaluation findings on cost-effectiveness including the clarity of roles, responsibilities and communications, the adequacy of standardization of decision-making as well as resources are reported below.

4.1 Clarifying Roles and Responsibilities

Finding 14:
The role of the Security Bureau is not well understood.

The role of the Security Bureau was not well understood among regional directorates and issuing offices. Evaluation interviews suggested that informants knew generally of the roles of the DQAs, CMOs and ERAs but, they were often unable to distinguish the specific roles of each group in terms of the types of alerts (46) they dealt with, and who should be contacted. Frequently, informants also included physical and IT security within the mandate of the Security Bureau when these functions are no longer part of the Security Bureau mandate.

One key issue identified was who retained the final responsibility to render entitlement decisions. The Policy Manual clearly stated that for custody cases the issuing office had the authority to refuse a passport but for files related to misleading information in an application, multiple losses of passports or criminality, the final authority for passport refusal rested with the Security Bureau. (47)

Responses also varied from key informants about who had authority for both approvals and refusals for cases that had been referred to the Security Bureau. While there was a lack of clarity on authorities for security cases, employees generally agreed that entitlement officers retained authority to decide to issue a passport (once any security concerns had been cleared by the Security Bureau), whereas the Security Bureau appeared to have the authority for passport refusal.

Finding 15:
There was lack of clarity and agreement on the roles and responsibilities of the Regional Security Advisors.

The Security Bureau established RSAs in 2006-07 in response to the 2005 OAG audit of Passport Canada. The evaluation found that the role of RSAs varied across regional directorates and their purpose was unclear. A number of events also contributed to this lack of clarity.

First, a Memorandum of Understanding between the Security Bureau and the Operations Bureau, drafted in 2005, remains incomplete. While the Security Bureau is responsible for the RSAs, the role of RSAs has evolved differently across the regions. In the absence of any specific direction from headquarters on RSAs, the roles in each region appear to have been determined to a large extent by regional directors. Therefore, the nature of the work by RSAs varies considerably across regions.

The evaluation also found that communication on the role of RSAs has been rather sparse and incomplete. RSAs were created as the first step towards a decentralized approach to support the passport issuance processes in Canada. Information on the role of RSAs(48) indicated that their role is to increase the Bureau's capacity to enhance the integrity of the Passport Program within the regions. (49)

Furthermore, communications have been unclear on the overall rationale for RSAs. Evaluation interviews among the regional directorates and the issuing offices indicated that the role of the RSAs was not precise. RSAs generally reported that many requests for their support related to components of security (e.g. physical security) that were not within the mandate of the Security Bureau.

Although headquarters confirmed that the "functions and organization of the regional security advisor network will continue to be refined through the program evaluation of the Security Bureau as well as the Corporate Services Bureau's work towards developing a management framework for the administration of the Government Security Policy…"(50), there still seems to be considerable effort ahead to discuss the standardization of the RSA. Headquarters has started the process to establish the work parameters of the RSA through information updates to staff that the role of RSAs should focus on "entitlement and program fraud prevention, detection and response"(51) and indicated that, when physical security issues arise, they should notify the Physical Security Section at headquarters.

4.2 Improving Communications

Finding 16:
There were mixed views on the adequacy of communication both on general security issues and specific cases within Passport Canada and with Canadian missions.

There were mixed views from key informants on general communications within Passport Canada. Most key informants felt that communications within headquarters were adequate. Some noted though that this had been true when the organization was small but the rapid growth at headquarters, resulting from the increased volume of passports issued, may have reduced the adequacy of communications.

The views of key informants varied among regional directorates, issuing offices and missions with respect to general communications on security-related policy and procedural matters. Some felt that there was adequate communication of security issues; others felt that they were overwhelmed with communications particularly by email and were likely to miss the important messages in the volume of communications. Some noted that communications on security issues can come from a variety of units within Passport Canada - Security, Policy and Planning or Operations. Some regret that the former security bulletin is no longer available; others felt that information was readily available on the Passport Canada intranet site. Still, others noted that the Policy Manual and the intranet site are not current with changes that have been communicated to the issuing offices and missions.

Most informants revealed that the Security Bureau could improve communications to the regions. Interview data suggested that inconsistent communication approaches contributed to a lack of knowledge on security related issues. It was found that some communicate with the Security Bureau on individual cases through a generic email address, while others indicated that a specific agent in Security Operations was assigned to their office.

Most key informants in issuing offices and missions expressed concern over time-delays in responding to security queries and the need for regular status reports on the progress of security cases to share with passport applicants. It should be noted though that many also recognized that time-lines have improved and efforts continue to close the gap further.

Many key informants raised the need for more robust communications from headquarters on case related information especially on notifying applicants of passport refusal. The current approach is that the Security Bureau notifies denied applicants by mail. The communication issue occurs when denied applicants attempt to pick-up their passport prior to receiving a notice from the Security Bureau. In this case, the office manager at the issuing office will notify the applicant that their application is under review, however, the manager cannot provide any details. Issuing offices therefore quite frequently deal with customer services issues when applicants, concerned by the lack of information on the reasons for refusal and the limited options for getting more information from Passport Canada, expressed dissatisfaction.

The evaluation found that communications between Passport Canada and missions with respect to policy interpretation and procedures has improved significantly since the establishment of the Foreign Operations Division. Most informants in missions were satisfied with the communications with the Foreign Operations Division.

4.3 Improving Standardization

Finding 17:
The physical security characteristics of the Canadian travel document have been standardized.

The physical security characteristics of Canadian travel documents are standard because of the centralization of the passport printing process. Most passports are printed in one of two locations - one in Quebec and one in Ontario.

In 2005-06, Passport Canada repatriated the printing of passports issued by consular offices overseas. The repatriation of the printing of travel documents in Canada has contributed to the centralization (52) of the production of passports and ensuring control to reduce misuse of the passport document.

Finding 18:
Passport security features are consistent with but are reportedly not at the leading edge of the security features of other members of the Five Nations Group.

Canada is a member of the Five Nations Group (Australia, Canada, New Zealand, United Kingdom and United States). Passport Canada representatives meet regularly with colleagues from these countries to discuss passport security. While Canada's passport security features have improved, all other member countries have security features in passport documents that exceed those of Canada. For example, the four other countries in the Five Nations Group have e-passports. Canada, however, is only expected to pilot e-passports in 2008-09. Passport Canada's Security Bureau believes it provides a secure Canadian passport at an affordable cost at this time.

Finding 19:
Although there is no evidence that there are inconsistencies in entitlement decisions, there are differences in work-processes among issuing offices and the National and International Processing Service.

While there is considerable variation in the organization of the work for entitlement decision-making in issuing offices in Canada, there is no evidence of inconsistencies in the entitlement decisions.

The site visits to issuing offices and interviews suggested that there is considerable variation in the organization of the work flows in the different issuing offices. A number of different processes were put in place to cope with the volume of applications in 2006-07. Passport clerks were reassigned other duties. This included reviewing pre-screened applications. The organization of the work is dictated, to a large extent, by the physical space available to offices - particularly as they have had to cope with significant increases in the volume of applications. The choices of which processes to follow and when are largely determined by the managers in each office and may vary by the volume and the time of day.

Interviews with key informants in the issuing offices indicated that, regardless of differences in work organization, entitlement officers apply standard entitlement policies and procedures consistently. The only change was with the "exceptional measures" implemented in 2007, where more latitude was given to entitlement officers. It is too premature at this time to understand the impact of the "exceptional measures." A more accurate assessment of the impact of these measures could be conducted when the Compliance Program has been established.

Based on interview data, some issuing offices believe that face-to-face interaction with applicants is a distinct advantage in the entitlement process. Statistics show that a vast majority of passport applications (79%) were presented in-person at issuing offices in Canada - see Exhibit 5. (53) The remaining applications in Canada were mailed, or forwarded by receiving agents to the National and International Processing Service. It is likely that the majority of entitlement decisions are made after an entitlement officer has interacted with the applicant. (54)

Most key informants in issuing offices strongly believe that the interaction with the applicant provided much valued additional information to assist in the entitlement decision-making. While a decision to deny a passport has to be made on the basis of documented evidence, some would argue that face-to-face interactions, as an added source of verification, contributed to the ability to identify cases of potential fraud (55). Other key informants argued that the benefits of face-to-face interactions have been exaggerated. All entitlement officers - whether they are working in an issuing office or the National and International Processing Service - receive the same training but are not specifically trained to read verbal or visual signs. (56)

Without a risk assessment framework, there is no explicit consideration of how the in-person interaction with applicants helps to mitigate the risks in entitlement decision-making and, by extension, whether there are inherent risks in decisions made solely on the basis of documents (and often scanned copies of these documents). This issue has potentially important implications, since Passport Canada is increasingly moving the decision-making process away from the front-line people at issuing office counters. It is unknown how this change in workflow would affect the ability to assess the reliability of the passport applicant.

4.4 Impact of Security Bureau Resources

Finding 20:
Although the Security Bureau continues to receive more resources, it still represents approximately 3% of Passport Canada resources since 2003-04.

The unprecedented increase in the number of passport applications led to a significant increase in Passport Canada revenues (see Exhibits 4 and 6).

While Passport Canada resources increased, so did those of the Security Bureau - see Exhibits 8 and 9. The Bureau's resources increased substantially between 2003-04 and 2007-08 - an 89% increase over this period. Between 2006-07 and 2007-08, FTEs for the Security Bureau had grown from 81.5 to 95.7 representing an increase of 15%.

Exhibit 8: Security Bureau Resources, (57) 2001-02 to 2007-08 ($000's)
YearPassport CanadaSecurity Bureau
 Salary (including EBP)O&MTotal# of FTEsSalary (including EBP)O&MTotal# of FTEs

Source: Passport Canada

Exhibit 9: Passport Canada and Security Bureau Resources, 2003-04 to 2007-08 ($000's)

Passport Canada and Security Bureau Resources

Source: Passport Canada

While resources for the Security Bureau increased annually, its relative growth has remained constant since 2003-04. The Security Bureau's resources represent approximately 3% of Passport Canada - see Exhibit 10. These resources were needed to address two factors: the increased volume of passport applications and additional resources for new functions namely: the RSAs and the Compliance Program. These two pressure points drove the need to increase resources to the Security Bureau based on the assumption that security-related cases grow in proportion relative to passport demand.

Exhibit 10: Security Bureau and Passport Canada Resources, 2003-04 to 2007-08

Security Bureau and Passport Canada Resources

Source: Passport Canada

The Security Bureau has also not been able to complete the staffing of all positions. All but two of the eight RSA positions and two positions for the Compliance Program have been staffed. Given the need to clarify roles and responsibilities as well as to complete the staffing of positions, it is too early to assess the impact of these additional resources.

4.5 Need Better Tools for Decision-Making

Finding 21:
The Security Bureau lacks adequate tools for ensuring the integrity of the passport issuance process.

Passport Canada relies on information from both internal and external sources to ensure the integrity of the passport issuance process. This information is used to confirm the identity of applicants. This includes the statement from the guarantor and provincial documents that include applicants' photographs (e.g. health card or driver's license). Even though applicants may be Canadian citizens, there may be other information that would indicate that applicants are not eligible for a passport (e.g. because they have been charged with an indictable offence or their mobility is restricted as a result of criminal charges). (58)

The information to support these decisions currently comes from three sources:

  • the entitlement database - IRIS(59) which includes historical information about passports issued;
  • the "watch list," which includes the names of applicants who are potential risks; and
  • information from external sources (partner organizations): information from the vital statistics units of provincial/territorial governments, other provincial licensing bodies and other federal government departments.

The integration of information from internal and external sources present challenges in terms of data comparability, quality and completeness.

Processes for Gathering Intelligence and Quality Control

Passport Canada currently has limited ability to search and analyze information on passport applications and documents. Passport Canada's IRIS database includes a "watch list" with information on people whose passport application may need additional review.

Currently, the alerts generated by queries against the entitlement database - IRIS - are verified manually, which is time consuming and subject to human error. This situation is expected to improve with SICMS, which will not provide different information but it will provide a relational database, automated information and intelligence repository, integrated with existing Passport Canada systems. SICMS will provide the Security Bureau with a "systematic tool to manage cases to administer the alerts process, and to identify and analyze trends by case."(60) This will allow for standard and automated data verification edits, which may implicate current resource levels. SICMS is expected to improve the management of information available to the Security Bureau. Phase I of SICMS is expected to be operational by April 2009.

External Data for Entitlement Decision-Making

Over the past year, the Security Bureau has improved information-sharing with a number of partner organizations, including:

  • Correctional Services Canada (CSC) to secure electronic access to data on federal offenders;
  • RCMP to establish a secure link for access to data from the Canadian Police Information Centre; and
  • Department of Justice to access information on people in arrears with family support payments.

The Bureau is currently working on MOUs with the Canadian Security Intelligence Service (CSIS) and Citizenship and Immigration Canada (CIC). However, there remain three challenges in the availability of data for decision-making:

  • Data that is available electronically but not searchable;
  • Data that is available only on a case-by-case basis; or
  • Data that may be available but is not systematically provided
Exhibit 11: Challenges in the Availably of Data for Decision-Making
Data available electronically but not searchableThe Security Bureau has electronic access to some information but the data cannot to be searched systematically. For example, although CPIC provides information on people with criminal records, the information, which is in free text format, cannot be easily searched in order to identify people charged with an indictable offence or whose mobility is restricted. Much of the searching has to be done manually.
Data that is available only on a case-by-case basisIn other cases, information is available on case-by-case basis, but not systematically. For example, passport entitlement officers can check citizenship documents directly with the CIC Case Processing Centre in Nova Scotia but they do not have electronic access to citizenship information. The same is true of data from provincial/territorial vital statistics organizations.

In 2004, in partnership with two provinces and other federal departments, Passport Canada undertook a pilot project (National Routing System) to test the automation of the verification of vital statistics information in two provinces. The pilot was reportedly very successful, but the initiative is not proceeding. It was superseded by a Treasury Board Secretariat initiative to develop a more comprehensive business case to be aligned with a national identity management framework. The pilot project, although successful, was reportedly very expensive and would be difficult to implement on a national basis because of the lack of automation of vital statistics records in some provinces. As a result, there is still no systematic process for confirming the validity of identity documents used in the passport application process.

Data that may be available but is not systematically providedSome information is not available even on a case-by-case basis. For example, while Passport Canada has access to data on federal offenders to identify applicants who may have been charged with an indictable offence, it does not have access to provincial correctional or court data. As a result, it relies on provincial authorities to report cases of relevance to passport decision-making. For example, one role fulfilled by the RSAs has been to establish links with court authorities to ensure that Passport Canada is notified when a passport has been seized.

4.6 Passport Canada is Making Progress

Finding 22:
Passport productivity is improving.

The evaluation found that with the increase in resources between 2001-02 and 2007-08, the average daily number of passports issued per employee decreased steadily from a high of 8.7 in 2001-02 to a low of 6.3 in 2004-05 - see Exhibit 12. Productivity appears to have improved recently. This is likely the result of new resources in place to deal with increased passport demand. In addition, new measures such as the implementation of "exceptional measures" as well as operational improvements including double-shifts (e.g., evening shifts) to deal with increased demand would contribute to increased productivity. The best way, however, to measure improved passport productivity would be to assess if the average amount of time spent per application has been reduced.

Exhibit 12: Passport Productivity per Employee,(61) 2001-02 to 2007-08

Productivity per Employee

Source: Passport Canada

Public funds have been made available for new initiatives beyond the resources received through passport fees. This additional funding is to assist with passport demand and with implementing new security initiatives to respond to the WHTI.

Top of Page

5.0 Conclusion and Recommendation

The Security Bureau is central to Passport Canada. It offers a relevant and critical role in guiding the integrity of the passport entitlement and issuance process and the physical characteristics of Canada's travel documents. Its main contribution to the entitlement decision-making process is the support that it provides to the operational units of Passport Canada namely: the issuing offices, the National Processing Service and the International Processing Service, and the Canadian missions responsible for the Passport Program abroad. It supports these offices by ensuring the integrity of the Canadian passport document and entitlement information, assisting with addressing complex civil and criminal cases and investigating cases of possible fraud.

Progress continues in redefining its mandate, improving management processes and developing the necessary tools to provide adequate support for entitlement decision-making. The Security Bureau management is aware of the gaps but also faces barriers in strengthening its processes and tools. For instance, in recent years Passport Canada has faced major organizational strain in dealing with high passport demand. Passport Canada had to quickly re-adjust its business to meet client demand and, as a result the Security Bureau activities for transformation were delayed and recommenced only in the latter part of 2007.

The evaluation has proposed one key recommendation for Passport Canada's Security Bureau. It was initially identified in the Office of the Auditor General audit. That is, the need for a security risks assessment to guide the rest of the work of the Security Bureau and other security activities at Passport Canada. The establishment of security risk assessment would provide greater direction on the way forward for the Security Bureau. Once completed, a risk based approach would form the foundation for either additional, financial or organizational needs or authorities for consideration to ensure a reliable passport entitlement and issuance process.

Exhibit 13: Overview of Recommendations

Overview of Recommendations

Recommendation 1:
That Passport Canada conducts an assessment of security risks on passport issuance and that the approaches to managing these risks are within acceptable tolerance levels.

The security risk assessment would frame the necessary direction for the development of a performance framework for the Security Bureau. One component of this would be the identification of those risks that require the Security Bureau's attention (see Exhibit 13).

It is expected that the security risk assessment would also highlight the importance of shifting from a rules-based approach to a decision-based approach. This would mean that entitlement officers would have more individual discretion in reviewing passport applications. Central to this risk assessment strategy would be to address the risks associated with passport applicants as well as different business channels. The UK-IPS has been successful in implementing an effective and efficient risk assessment strategy. It is based on an objective quantitative method to identify the nature and extent of passport-related fraud and, Passport Canada could benefit from a similar approach to determine its risks.

Recommendation 2:
That the Security Bureau develops a management framework for its activities based on the results of the security risk assessment.

A management framework would define the mandate, policies, procedures, organizational structures, resources, tools for the Bureau to support its responsibilities. An appropriate management framework contributes to sound and effective program management. It enhances program performance in achieving the expected results, while appropriately managing financial and non-financial risks.

The development of this framework would lead the Bureau to assess a number of issues raised in this evaluation, including those related to:

  • Functions and structure: the relevance of some current Security Bureau functions, the role of the Regional Security Advisors, the need to focus on security functions that provide added value to passport integrity, the role of the Compliance Program and additional functions that might be supported by the Security Bureau;
  • Communications: the communication of the role of the Security Bureau within Passport Canada; and,
  • Resources: the adequacy of the Bureau's resources to fulfill its mandate.
Recommendation 3:
That the Security Bureau develops performance measures to monitor its decision-making.

Integral to a management framework is performance measurement. Its main purpose is to support decision-making. Establishing this would allow the objective monitoring of progress on results in a systematic manner. This would provide information to assist decision makers on activities, the results achieved, work structure and resource needs.

Top of Page

Appendix A: Management Response

RecommendationsPPTC Management Response and Action PlanResponsibility CentreTime Frame
Recommendation 1:

That Passport Canada conducts an assessment of security risks on passport issuance and that the approaches to managing these risks are within acceptable tolerance levels.

Passport Canada agrees with this recommendation, and has identified the assessment of Security Risks as a priority to be completed prior to the end of the third quarter of 2008-09. Work is currently underway to identify and assess security risks and accompanying mitigation strategies in the application, entitlement and issuance processes. Follow-up efforts will focus on enhancing mitigation strategies where required in order to ensure that risks are being managed within acceptable tolerance levels.PPSDSecurity Risk Assessment to be completed by the end of October 2008
Recommendation 2:

That the Security Bureau develops a management framework for its activities based on the results of the security risk assessment.

Passport Canada agrees with the recommendation that the Security Bureau review its management framework, and is currently undertaking work to develop a new model that is not only more closely aligned with known security risks, but which allows the organization the flexibility to adapt in a fluctuating risk environment. In the second quarter of 2008-09, the Bureau worked with an external consultant to review its organizational structure, and, in June 2008, put forth an initial proposal to realign its core management framework to reflect known risks. This proposal will be validated against the results of the Security Risk Assessment in Fall 2008.PPSDOrganizational Review complete

Validation against risk assessment third quarter 2008-09

Recommendation 3:

That the Security Bureau develops performance measures to monitor its decision-making.

Passport Canada agrees with this recommendation, and has committed to developing draft performance measures that will better reflect the nature of the Security Bureau's work, enhance its decision-making capacity and provide a meaningful assessment of its performance. The Bureau's ability to capture and track performance information will be greatly assisted with the implementation of a security case management system at the end of 2008-09.PPSDDraft performance measures to be developed by end of fourth quarter 2008-09

Top of Page

1 Department of Foreign Affairs and International Trade: Report on Plans and Priorities 2007 - 2008, p. 110.

2 Responding to Change: Annual Report 2006 - 2007, Passport Canada, p. 5.

3 There are seven types of travel documents: regular "blue" passports (with either 24-page or 48-pages), temporary passports, diplomatic passports, special passports, emergency passports, refugee travel documents and certificates of identity. (Passport Canada Business Plan 2006 - 2009, Appendix A).

4 This initiative will require all travelers including citizens from the United States and those living in the Americas to have a passport to enter the United States by June 2009.

5 Security Bureau is responsible for gathering intelligence, maintaining the integrity of the data in Passport Canada's passport issuance system, providing advice on complex applications, investigating applications related to suspected criminal or fraudulent activities, collecting and sharing information on lost or stolen passports, and recommending changes to the physical characteristics of travel documents.

6 Responding to Change: Annual Report 2006 - 2007, Passport Canada, p. 3.

7 Passport fees cover the production of the travel document. Passport Canada receives money from TBS to support capital projects.

8 Department of Foreign Affairs and International Trade: Report on Plans and Priorities 2007 - 2008, p. 110.

9 This component is addressed in a separate case study.

10 This included thirteen from the Security Bureau and the remaining from the Policy and Planning Bureau and the Operations Bureau (including twenty-seven from operational units - Regional Directorates and Issuing Offices). Only two planned interviews were not able to be completed - one with Passport Canada's Business Information and Technology Bureau and one with the Canada Border Services Agency.

11 Ibid.

12 A description of the Security Bureau is provided in Section 1.3. The Security Bureau is not responsible for end-to-end security functions.

13 Representation was defined by continent and by Canadians residents abroad.

14 Proxies for the Security Bureau mandate, expected results and outcomes were defined based on Passport Canada's business plan. These were further established based on key informant responses from Passport Canada employees conducted in the course of this evaluation.

15 Responding to Change: Annual Report 2006 - 2007, Passport Canada.

16 Responding to Change: Annual Report 2006 - 2007, Passport Canada., p. 5.

17 There are seven types of travel documents: regular "blue" passports (with either 24-page or 48-pages), temporary passports, diplomatic passports, special passports, emergency passports, refugee travel documents and certificates of identity (Passport Canada Business Plan 2006 - 2009, Appendix A).

18 This function is under consideration for transfer to the Corporate Services Bureau.

19 An e-passport is a passport document that will include an embedded electronic chip that could contain various data such as: basic passport bearer information in the machine-readable zone and/or fingerprints and digital photo.

20 Data from Passport Canada.

21 Includes all types of passports including passports issued through Consular services.

22 Passport Canada Annual Report.

23 Includes employee benefits.

24 Preliminary numbers.

25 This had a direct impact on the Security Bureau, which is currently responsible for personnel security screening.

26 System Lookout is a database containing information on persons whose request for passport services might be subject to refusal or limitation.

27 Not including the management services function that supports the other functions of the Bureau.

28 This function is also supported by the Regional Security Advisers; although, as will be noted in Section 2.2, the RSAs' roles are not yet clear.

29 The personnel screening function (although shown in Exhibit 2) has already been identified for transfer to the human resources unit of Passport Canada, although a date for the transfer has not yet been set.

30 "Passport Issuance Process - Risk and Controls Self-Assessment", Interis, 3 August 2007.

31 "Passport Canada Annual Report 2006 - 2007" p. 27.

32 "Passport Canada Annual Report 2006 - 2007", Appendix A, p. 41.

33 Passport Canada - Ombudsman's Annual Report for 2006-2007.

34 This includes fraud, multiple loss, mutilation, damaged, custody, repatriation and alerts relating to potential criminal activity.

35 Passport Canada has begun consultations on the creation of a Passport Act which would strengthen its ability to fulfill its mandate (see Responding to Change: Annual Report 2006 - 2007, Passport Canada, p. 25).

36 Report of the Auditor General of Canada to the House of Commons, Chapter 3: Passport Office - Passport Services, Office of the OAG, April 2005, p. 10.

37 "Passport Canada Annual Report 2006 - 2007," Appendix A, p. 41.

38 The Security Bureau receives information regularly on deactivated birth certificates from Ontario Vital Statistics. This information is entered in Passport Canada's database.

39 The February 2008 budget of the Government of Canada indicated that these e-passports would be valid for ten years. (

Data from Data Quality Analysis Section, Security Bureau.

40 ERAs and EROs are included in the Entitlement Review section. EROs, entitlement review officers, were established in 2007. They are front line for inquiries from regional offices in Canada and for missions abroad pertaining to watch list alerts.

42 Draft Passport Canada Annual Report 2007-08.

43 Information was available on the volume of alerts, by type, for two one-month periods in 2007 and 2008. This gave an indication of the types of alerts - see Finding 9.

44 SICMS will assist in providing management information. Phase I of SICMS is expected to be operational by April 2009.

45 Policy on the Use of the DFAIT Electronic Networks, ISD/SXD - 2000-03-15 - Amended 2007-09-10. Emphasis (i.e. caps and bolded text) is copied from original text.

46 Alerts related to administrative/data integrity issues, alerts related to complex cases or alerts related to potential criminal activities.

47 Passport Policy Manual, Section 1910.

48 Communication to staff from Director, Enforcement and Anti-fraud.

49 Staff Email from Director, Enforcement and Anti-fraud, Security Bureau, 19 February 2008.

50 Security Bureau Internal email, 19 February 2008.

51 Ibid.

52 Centralization was implemented to standardize the print process and to mitigate theft of blank passports, and new passports.

53 A small percent (4% in 2006/07) are presented at foreign missions but these are processed in a similar manner to those presented to Issuing Offices in Canada.

54 However, not all applicants who present their applications at an Issuing Office are seen by the Entitlement Officer. Some applicants are represented by other family members; some applications are received in the Issuing Office by pre-screening clerks.

55 For example, an application for a child's passport in which the applicant may have forged the signature of a custodial parent or an application where the guarantor has not known the applicant for two years.

56 One respondent did indicate that this had been included in training for Entitlement Officers many years ago. In addition, some offices have received training from the RCMP on the identification of fraudulent documents.

57 The Security Bureau was established in 2003-04.

58 Under the new simplified renewal process, introduced in August 2007, the requirement to present these documents (which have already been examined for an earlier passport) is waived.

59 This is the name given to Passport Canada's passport issuance system.

60 SCIMS Project Charter, June 2006, p. 4.

61 This is defined as the average daily number of passports issued based on FTE and volumes.

Office of the Inspector General

* If you require a plug-in or a third-party software to view this file, please visit the alternative formats section of our help page.


Date Modified: