Canada's privacy czar says the national air security agency is collecting too much information about travellers.
In a newly released audit, Jennifer Stoddart says the agency is not always safeguarding the information properly, either.
The review of the Canadian Air Transport Security Authority concluded it was reaching beyond its mandate by filing reports on incidents unrelated to air security.
"This presents a risk to privacy by making available for use and disclosure information that should not have been obtained," says the audit.
Ms. Stoddart said the agency violates the Privacy Act by informing police when a large sum of money is discovered in the baggage of a passenger about to board a domestic flight.
"It is not an offence to travel domestically with a large sum of money," says the report.
"Therefore, information that would not otherwise be collected during the course of ordinary screening should not be collected to facilitate disclosure to the police."
In a response, the air security agency agreed with Ms. Stoddart's recommendation to halt the practice.
The audit also raises concerns about the agency's airport scanners that can see through clothes.
The system, in place at 23 Canadian airports, allows a screening officer to see whether someone is carrying plastic explosives or other dangerous items by viewing a ghost-like but fairly detailed outline of their body.
When auditors visited the rooms where officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera — even though these types of devices are strictly prohibited because of their recording capabilities.
The camera was disabled after the privacy commissioner's office alerted the air security agency.
During site visits to airports, Ms. Stoddart's reviewers found security incident reports containing travellers' personal information stored on open shelving units, on the floor and in cabinets that did not meet required security specifications.
"At one airport, we found security incident reports stored in boxes in a room used to conduct private searches," the audit says.
The air security agency has outsourced passenger screening to private-sector companies, but this does not mean it can ignore the Privacy Act, Ms. Stoddart notes.
She suggests an ongoing monitoring strategy, including internal audits, to provide assurance that good privacy practices are being followed.