Other: Standing Committee on Government Operations and Estimates—March 24, 2021

Document navigation for "Standing Committee on Government Operations and Estimates: March 24, 2021"

Contract security for visa application centres


Media and members of Parliament have raised the security of personal information at Canadian visa application centres and its main supplier VFS Global being affiliated with China.

Suggested response

If pressed on PSPC’s responsibilities:

If pressed on the verification process:


The contract on VAC was awarded to VFS Global in February 2018 and the initial contract period will expire October 31, 2023 with an option to extend the contract by up to 3 additional years. A privacy impact assessment was conducted by IRCC to assess the risk of the contract. On August 20, 2018, VFS Global subcontracted their Beijing facility to Beijing Shuangxiong, the same subcontractor identified in the previous 2013 contract on VAC.

A personnel security verification was completed for each employee working at the visa centre in Beijing as per the provisions of the contract. This is an ongoing activity that began in 2013. The verification is done before employment starts at any visa centre. This requirement was included in both the 2013 contract and the 2018 contract. As per the provisions of the contract, VFS Global is responsible for verifying the reliability and trustworthiness of all employees at the visa centre in Beijing and employees working in support of the centre prior to employment. Assurances are provided to PSPC and IRCC that these checks have been completed, and are being kept informed of any findings that would affect the employees’ security status.

Prior to contract award, the contractor provided site specific security plans that were reviewed and approved through a rigid evaluation process. All VAC are required to provide a threat and risk assessment to address any additional security and privacy mitigations that may be required. Annual security plans for each VAC are submitted and reviewed by PSPC Contract Security Program. All building plans are reviewed and approved by the Contract Security Program in conjunction with IRCC. Compliance visits are carried out regularly to ensure that all privacy and security requirements of the contract are being met.

All computers at each VAC including the self-serve workstations, have strict contract requirements to purge all information. There is no biometric information stored on any VAC computer; the information is transmitted to Canada. Any other personal information collected by the VAC (for example, name and phone number related to an appointment) must be erased or destroyed (purged) within 30 calendar days after services rendered to the applicant are complete. The contractor subcontracted its IT requirement to [Redacted] who have been vetted and inspected by PSPC Contract Security Program.

All privacy and security incidents are reported to IRCC and PSPC for review and immediate resolution. Every year security reviews are done on VAC by PSPC’s Contract Security Program. Based on the number of security incidents, some are done on-site by IRCC in collaboration with the Contract Security Program and others using pictures and diagrams. The last review of the security plan was conducted in December 2020 for all VACs located in China. Compliance on-site visits were conducted in 2019 for 11 sites in Mainland China (Beijing, Chongqing, Chengdu, Shenyang, Nanjing, Kunming, Shanghai, Jinan, Hangzhou, Wuhan and Guangzhou). VFS Global and their subcontractors have been compliant with all the security requirements set out in the 2018 VAC contract.

Document navigation for "Standing Committee on Government Operations and Estimates: March 24, 2021"

Date modified: