
IRCC data compliance: what the rules actually require

IRCC-funded organizations handle Protected B personal information on behalf of the federal government. The privacy and security requirements attached to that responsibility are specific, mandatory, and, in our experience, frequently not followed.

The basics

Why IRCC data compliance is different from general privacy

Organizations that receive IRCC funding through contribution agreements are collecting personal client information on behalf of the federal government. That changes your obligations. You aren’t just subject to PIPEDA or provincial privacy law; you’re also bound by the privacy and security requirements that IRCC has built into the contribution agreement itself.

Client information collected for settlement and resettlement programs is designated Protected B, a classification IRCC uses for information where unauthorized disclosure could reasonably be expected to cause serious injury. That classification carries specific, mandatory requirements for how you store, handle, transmit, and destroy that information.

These requirements apply whether you’re running a LINC program, a settlement services program, an employment program, or any other IRCC-funded programming that involves client data. If you report through iCARE, you are subject to all of them.

How compliance issues usually surface

In our experience, compliance problems in IRCC-funded organizations are rarely deliberate. They’re almost always the result of programs running for years without anyone reviewing whether the practices that were set up at the start still meet current requirements, or ever did.

The most common trigger is a new person coming into a role (a new ED, a newly promoted program manager, or an IT consultant) who starts reading the contribution agreement and realizes how much isn’t in place.

What’s at stake

IRCC tends to be lenient with smaller organizations and will generally work with a funding recipient to remediate issues. But continued non-compliance puts your funding relationship at risk, and IRCC wants to see that the organization is taking it seriously. The starting point is understanding exactly where you stand.

The contribution agreement requirements

Eight principles every IRCC funding recipient must follow

These are the core privacy obligations built into the contribution agreement. They apply to every organization that collects personal client information under an IRCC-funded program.

01

Tell clients why you're collecting their information

Before delivering any IRCC-funded service, clients must be informed of how their information will be collected, used, disclosed, and retained. The "Gathering Information" pamphlet must be provided or reviewed with the client at their first service.

02

Only collect what you actually need

Collection must be limited to what is necessary for delivering IRCC-funded programming, not what might be useful. Collecting additional information requires either client consent or compliance with applicable privacy legislation, and that information must be physically and logically separated from IRCC program data.

03

Keep information accurate and give clients access to it

Reasonable steps must be taken to ensure information in iCARE is accurate and current. Clients have the right to access their own records and request corrections.

04

Only use information for its original purpose

Personal client information can only be used for the settlement or resettlement programming purposes for which it was first collected. Any secondary use (including aggregate analysis) requires written client consent.

05

Don't share or disclose client information

Information collected for IRCC purposes is confidential and cannot be disclosed to anyone other than the client themselves, except where required by law.

06

Securely destroy information when it's no longer needed

Once a client is no longer receiving services, their information must be disposed of in a manner appropriate to its Protected B classification. Information not entered into iCARE must not be retained beyond two years after the project file close-out date.

07

Keep information safe and secure

Funding Recipients must implement the minimum security measures outlined in the iCARE Privacy and Security Requirements document and attest to compliance by completing the Minimum Security Requirements (MSR) checklist.

08

Designate someone accountable for compliance

An individual must be formally accountable for the organization's compliance with IRCC privacy and security requirements. IRCC may undertake or request an audit or compliance review at any time.

The cloud storage problem

Google Drive and Dropbox are not permitted for client data

The IRCC Privacy and Security Requirements document is direct on this point. For cloud storage:

“If based in the US: a Funding Recipient cannot use these services (such as Dropbox or Google Drive) to store personal client information due to concerns with privacy legislation. If based in Canada: they can be used if services or parent company is not based in the US.”
— IRCC Privacy and Security Requirements for Funding Recipients

Google and Dropbox are US-based companies. Their services fall under US law, including legislation that permits US authorities to access data held by US companies regardless of where that data is physically stored. This is the same extraterritorial risk that concerns organizations working with refugee claimants, protected persons, and clients whose immigration status or personal history could put them at risk if their information were exposed.

The requirement is for cloud services where both the service and its parent company are based outside the US. For most organizations, this means choosing Canadian-owned storage and infrastructure: the same Canadian providers we recommend in our digital tools guide.

Also explicitly addressed: email

The requirements are equally clear on email: “The most secure approach is not to share personal client information (Protected B) through email.”

If email must be used, both the sender’s and recipient’s networks must be fully secure, and the information must be encrypted to FIPS 140-2 Level 3 standards. Routine email between staff, between organizations, or to clients does not meet this standard. Sharing intake forms, client notes, or case information by email is a compliance violation.

And USB drives

Portable storage devices used for Protected B information must be encrypted to FIPS 140-2 Level 3. They cannot be used as permanent storage repositories. When information is no longer needed, devices must be properly “cleared”: deleting files or reformatting is not sufficient.

The required checklist

The iCARE Minimum Security Requirements (MSR) checklist

The MSR checklist is a mandatory document that every IRCC funding recipient must complete and submit through iCARE. It covers four areas: technological security, physical security, user requirements, and organizational policies and training. The checklist must be signed by the Executive Director or their designated authority.

If an organization has multiple contribution agreements, a separate MSR must be submitted for each one. If the checklist is not submitted, iCARE access can be locked, which means no data can be entered by any user associated with that agreement.

Importantly, organizations that are not yet fully compliant are still required to submit the checklist, together with a plan for how they will come into compliance. IRCC uses the MSR as a tool to track progress, not just to flag failures. Funding may even be available within the contribution agreement to cover the cost of meeting security requirements.

What the MSR checklist covers
  • Firewall and anti-malware software on all computers handling client data
  • Up-to-date security patches on all systems
  • Password protection and screen-lock policies
  • Physical security: monitor placement, document marking, locked storage
  • Reliability assessments for all staff with access to client information
  • Documented organizational policies for data handling and incident response
  • Staff training on privacy and security requirements

Staff reliability assessments

All staff who handle IRCC client information, including volunteers, must undergo a reliability assessment before accessing that data. This includes employment history verification, reference checks, and a criminal record check. The assessment must use IRCC’s official form and be retained in the staff member’s personnel file. This requirement applies even if the staff member doesn’t have a direct iCARE account.

What we see in the field

Where most IRCC-funded organizations fall short

These are the compliance gaps we encounter most often when working with settlement and newcomer-serving organizations. Most are fixable, but they need to be identified before they can be addressed.

Sensitive data shared over regular email

The IRCC requirements are explicit: Protected B information should never be shared via email unless both networks are fully secure and the information is encrypted. In practice, most email (including Gmail, Outlook, and any email sent over public internet) does not meet this standard. Staff who routinely email client files, intake forms, or case notes are in violation of their contribution agreement.

Client files stored on US-based servers

Google Drive, Dropbox, Microsoft OneDrive, and most other popular cloud storage tools are headquartered in the United States. IRCC explicitly prohibits using US-based services to store personal client information. This means that if your organization uses Google Workspace or a Dropbox shared folder for client files, you are not compliant, regardless of where your office is located.

No written data collection rationale

Canadian privacy law and IRCC requirements both state that organizations can only collect information they have a genuine need to collect, and they must be able to explain why. Most organizations that have been running programs for years have never formally documented their rationale for collecting the fields they collect. This is one of the first things an auditor looks for.

No data retention or destruction policy

IRCC sets specific timelines for how long client information can be retained, and requires that Protected B information be destroyed in a manner appropriate to its classification, not just deleted or thrown in a recycling bin. Paper documents must be shredded. Digital files must be properly purged, not simply moved to a trash folder. Most organizations have no written policy governing either.
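One way to turn the two-year rule from principle 06 into a repeatable check is a small retention audit run over an inventory of client files. The script below is an added illustration, not IRCC's tooling or part of this page's original content; the inventory is constructed, and the assumption that only files never entered into iCARE are subject to the two-year limit after the project file close-out date follows the wording above.

```python
from dataclasses import dataclass
from datetime import date

# Retention limit from the contribution agreement: two years after close-out
# for information that was never entered into iCARE.
RETENTION_YEARS = 2


@dataclass(frozen=True)
class ClientRecord:
    record_id: str          # internal file reference (constructed sample value)
    entered_in_icare: bool  # True if the data lives in iCARE
    close_out: date         # project file close-out date


def retention_deadline(close_out: date) -> date:
    """Last day the file may still be held: close-out plus two years.

    A Feb 29 close-out has no Feb 29 two years later; treat Feb 28 as the
    deadline rather than silently rolling into March.
    """
    try:
        return close_out.replace(year=close_out.year + RETENTION_YEARS)
    except ValueError:
        return close_out.replace(year=close_out.year + RETENTION_YEARS, day=28)


def overdue_for_destruction(records, today: date):
    """Return the ids of files that must already have been securely destroyed.

    Files in iCARE are skipped: their disposal follows the 'no longer receiving
    services' rule, which this check does not model.
    """
    return [
        r.record_id
        for r in records
        if not r.entered_in_icare and today > retention_deadline(r.close_out)
    ]


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = [
    ClientRecord("FILE-A", entered_in_icare=False, close_out=date(2022, 2, 28)),
    ClientRecord("FILE-B", entered_in_icare=False, close_out=date(2022, 3, 1)),
    ClientRecord("FILE-C", entered_in_icare=True, close_out=date(2020, 1, 1)),
    ClientRecord("FILE-D", entered_in_icare=False, close_out=date(2020, 2, 29)),
]

if __name__ == "__main__":
    for rid in overdue_for_destruction(SAMPLE_INVENTORY, today=date(2024, 3, 1)):
        print(f"{rid}: past retention limit, schedule Protected B destruction")
```

Run against an export of your own file inventory, the output is the list of files a destruction log should account for; a file that is exactly on its deadline is still within the limit and is not flagged.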

Staff reliability assessments not completed or documented

All staff who handle personal client information of IRCC-funded clients must undergo an IRCC-approved reliability assessment (including a criminal record check) before accessing that information. This applies to volunteers as well if they handle client data. The assessment must be completed using the official iCARE User Reliability Assessment Form and kept in personnel files. This requirement is frequently overlooked, especially in organizations that hired staff before the requirement was understood.

No organizational security policies or staff training

IRCC requires documented procedures for data handling, device use, and incident response, and regular staff training on those procedures. Many organizations operate on informal norms rather than written policy. When staff turn over, those norms walk out the door with them.

How Cascadia South helps

Direct experience with IRCC compliance in settlement programming

We’ve set up client management systems, data infrastructure, and organizational security policies for IRCC-funded organizations, including work that needed to meet IRCC’s data residency requirements for immigrant and refugee-serving programs. We understand both the technical requirements and what IRCC actually looks for in a compliance review.

If your organization is in a situation where someone has just flagged compliance issues, or where you’re approaching a contribution agreement renewal and aren’t sure where you stand, the right place to start is a conversation, not a tool purchase.

A note on currency: The IRCC Privacy and Security Requirements document was last updated in February 2016. The core principles described on this page remain in effect, but the specific technical requirements and procedures in your organization’s contribution agreement are the authoritative source. Always refer to your current CA and consult directly with IRCC if you have questions about specific requirements.

If someone at your organization has flagged a compliance concern, now is the right time.

IRCC works with organizations to address compliance issues, but they want to see that it's being taken seriously. We can help you understand exactly where you stand and what needs to change.