Vol. 150, No. 6 — March 23, 2016

Registration

SOR/2016-39 March 11, 2016

AERONAUTICS ACT

Regulations Amending the Canadian Aviation Security Regulations, 2012 (Enhanced Access Controls)

P.C. 2016-122 March 11, 2016

His Excellency the Governor General in Council, on the recommendation of the Minister of Transport, pursuant to paragraphs 4.71(2)(b) (see footnote a), (c) (see footnote b), (g) (see footnote c) and (o) (see footnote d) of the Aeronautics Act (see footnote e), makes the annexed Regulations Amending the Canadian Aviation Security Regulations, 2012 (Enhanced Access Controls).

Regulations Amending the Canadian Aviation Security Regulations, 2012 (Enhanced Access Controls)

Amendments

1 The definition restricted area identity card in section 3 of the Canadian Aviation Security Regulations, 2012 (see footnote 1) is replaced by the following:

restricted area identity card means a restricted area pass that is issued by or under the authority of the operator of an aerodrome and that can be automatically verified by an identity verification system maintained by CATSA under section 56. (carte d’identité de zone réglementée)

2 Subsection 452(1) of the Regulations is amended by adding the following after paragraph (a):

3 The Regulations are amended by adding the following after section 452:

DIVISION 7.1

Enhanced Access Controls

Overview

Division overview

452.01 This Division sets out enhanced access control requirements, including requirements respecting the identity verification system referred to in section 56.

Identity Verification System

Disclosure of information

452.02 (1) The operator of an aerodrome is authorized to disclose to the Minister or CATSA any information that is necessary for the proper operation of the identity verification system.

Identity protection

(2) Despite subsection (1), the operator of an aerodrome must not disclose to CATSA the identity of an applicant for a restricted area identity card or the identity of a person to whom a restricted area identity card has been issued unless the operator grants CATSA access to its databases to maintain or repair the identity verification system and CATSA’s access to the person’s identity is incidental to the maintenance or repairs.

Information to Be Displayed on a Restricted Area Identity Card

Required information

452.03 (1) The operator of an aerodrome must ensure that the following information is displayed on each restricted area identity card that it issues:

Expiration date

(2) A restricted area identity card expires no later than five years after the day on which it is issued or on the day on which the security clearance of the person to whom the card is issued expires, whichever is earlier.

Expiration date — multi-aerodrome card

(3) Despite subsection (2), a restricted area identity card that is issued to a person who requires access to restricted areas at more than one aerodrome, but who is not a crew member, expires no later than one year after the day on which it is issued or on the day on which the person’s security clearance expires, whichever is earlier.

Official languages

(4) The operator of an aerodrome must ensure that all information that is displayed on a restricted area identity card is in both official languages.

Issuance of Restricted Area Identity Cards

Issuance criteria

452.04 (1) The operator of an aerodrome must not issue a restricted area identity card to a person unless the person

Activation requirement

(2) The operator of an aerodrome must not issue a restricted area identity card to a person unless the card has been activated.

False information

452.05 A person must not provide false information for the purpose of obtaining a restricted area identity card.

Sponsorship

452.06 An employer must not

Issuance of multiple cards

452.07 The operator of an aerodrome must not issue more than one restricted area identity card at a time to a person.

Replacement of cards

452.08 Before replacing a lost, stolen or non-functional restricted area identity card, the operator of an aerodrome must ensure that

Requirement to inform

452.09 Before collecting information from an applicant under this Division, the operator of an aerodrome must bring to the applicant’s attention the purposes for which the information is collected and the manner in which the information will be used, retained, disclosed and destroyed.

Collection of information

452.1 (1) For the purpose of creating a restricted area identity card for an applicant, the operator of an aerodrome must collect the following information from the applicant:

Destruction of images and templates

(2) The operator of the aerodrome must, immediately after issuing the restricted area identity card, destroy all fingerprint images and iris images that the operator collected from the applicant and any biometric template created from those images that is not stored on the card.

Quality control

452.11 For the purpose of allowing CATSA to monitor the quality of biometric templates and determining if a restricted area identity card is already active in respect of an applicant, the operator of an aerodrome must, before issuing the card, disclose to CATSA any biometric templates created from the fingerprint images and iris images collected from the applicant.

Protection of information

452.12 The operator of an aerodrome must take appropriate measures to protect information that is collected, used, retained or disclosed in accordance with this Division from loss or theft and from unauthorized access, use, disclosure, duplication or alteration.

Deactivation of Restricted Area Identity Cards

Deactivation request

452.13 (1) The operator of an aerodrome who has issued a restricted area identity card must immediately ask CATSA to deactivate the card if

Reason for deactivation

(2) If the operator of an aerodrome asks CATSA to deactivate a restricted area identity card, the operator must inform CATSA of the reason for the request.

Prohibition

(3) The operator of an aerodrome must not ask CATSA to deactivate a restricted area identity card for a reason other than a reason set out in subsection (1).

Notification of Minister

(4) The operator of an aerodrome must notify the Minister if the operator asks CATSA to deactivate a restricted area identity card.

Change in employment

452.14 The operator of an aerodrome who has issued a restricted area identity card must notify the Minister immediately if

Duty of employer

452.15 The employer of a person to whom a restricted area identity card has been issued must immediately notify the operator of an aerodrome who issued the card if the person ceases to be an employee or no longer requires ongoing access to restricted areas in the course of their employment.

Retrieval of cards

452.16 (1) The operator of an aerodrome who has issued a restricted area identity card must take reasonable steps to retrieve the card if it has been deactivated and must notify CATSA if the card is not retrieved.

Return of cards

(2) If a restricted area identity card has been deactivated, the person to whom the card has been issued must immediately return it to the operator of an aerodrome who issued it unless the card was surrendered in accordance with this Division or was lost or stolen.

Keys, Combination Codes and Personal Identification Codes

Issuance or assignment

452.17 The operator of an aerodrome must not issue a key or assign a combination code or personal identification code to a person for a restricted area unless

Addition of key

452.18 The operator of an aerodrome may add a key to a restricted area identity card only if it is possible to cancel or remove the key without damaging or altering any other elements of the card.

Protection of information

452.19 The operator of an aerodrome must not add to or modify a restricted area identity card in any way that might allow the disclosure to CATSA of information about the person to whom the card has been issued.

Cancellation, withdrawal or retrieval

452.2 The operator of an aerodrome must cancel, withdraw or retrieve a key that has been issued to a person who has been issued a restricted area identity card, or a combination code or personal identification code that has been assigned to that person, if

Records

General requirement

452.21 (1) The operator of an aerodrome and any person designated by the operator to issue restricted area identity cards or keys or to assign combination codes or personal identification codes must keep updated records at the aerodrome respecting

Deactivated cards

(2) Subject to subsection (3), a record respecting a restricted area identity card that has been deactivated must be retained for at least one year from the day on which the card was deactivated.

Lost or stolen cards

(3) A record respecting a restricted area identity card that has been reported as lost or stolen must be retained for at least one year from the card’s expiry date.

Provision to Minister

(4) The operator of the aerodrome must provide the Minister with the records on reasonable notice given by the Minister.

Restricted Area Access Control Process

Use of identity verification system

452.22 The operator of an aerodrome must implement and maintain a restricted area access control process that uses the identity verification system.

Control of Access to Restricted Areas

Unauthorized access prohibition

452.23 A person must not enter or remain in a restricted area unless the person

Restricted area identity cards — conditions of use

452.24 (1) A person to whom a restricted area identity card has been issued must not enter or remain in a restricted area unless

Exception

(2) Paragraph (1)(d) does not apply to crew members.

Display of restricted area identity cards

452.25 (1) A person to whom a restricted area identity card has been issued must not enter or remain in a restricted area unless they visibly display the card on their outer clothing at all times.

Display of temporary passes

(2) A person to whom a temporary pass has been issued must not enter or remain in a restricted area unless they visibly display the pass on their outer clothing at all times.

Oversight

452.26 The operator of an aerodrome must ensure that a person is not allowed to enter or remain in a restricted area at the aerodrome unless the person is in possession of

Business Continuity Plans

Business continuity plans

452.27 (1) The operator of an aerodrome must develop and maintain a business continuity plan that, at a minimum, sets out how the operator will re-establish normal operations and comply with section 452.26 in the event that the operator is unable to use its restricted area access control process to comply with that section.

Implementation

(2) The operator of the aerodrome must immediately implement its business continuity plan and notify the Minister and CATSA if the operator discovers that it is unable to use its restricted area access control process to comply with section 452.26.

Notification of delay

(3) The operator of the aerodrome must immediately notify the Minister if the operator discovers that it will be unable, for more than 24 hours, to use its restricted area access control process to comply with section 452.26.

Ministerial access

(4) The operator of the aerodrome must make its business continuity plan available to the Minister on reasonable notice given by the Minister.

Database backup

452.28 The operator of an aerodrome must regularly back up any database that the operator uses as part of the identity verification system.

Use of Restricted Area Identity Cards, Keys, Combination Codes and Personal Identification Codes

General prohibitions

452.29 (1) A person must not

Disclosure or use of codes

(2) A person, other than the operator of an aerodrome or a person designated by the operator, must not

Report of loss or theft

452.3 (1) A person to whom a restricted area identity card or a key has been issued must immediately report its loss or theft to their employer or to the operator of an aerodrome who issued the card or key.

Employer’s duty to report

(2) An employer who is informed by an employee of the loss or theft of a restricted area identity card or a key must immediately report the loss or theft to the operator of an aerodrome who issued the card or key.

Report of non-functioning card

452.31 An employer who is informed by an employee that a restricted area identity card is not functioning must immediately notify the operator of an aerodrome who issued the card.

Presentation and Surrender of Restricted Area Identity Cards

Presentation on demand

452.32 (1) A person in possession of a restricted area identity card who is in a restricted area at an aerodrome must, on demand, present the card to the Minister, the operator of the aerodrome, the person’s employer or a peace officer.

Presentation during screening

(2) A person in possession of a restricted area identity card who is being screened by a screening officer at a restricted area access point or at a location in a restricted area must, on demand, present the card to the screening officer.

Surrender on demand

452.33 (1) A person in possession of a restricted area identity card must, on demand, surrender it to the Minister, the operator of an aerodrome, a screening officer or a peace officer.

Demand by Minister or operator

(2) The Minister or the operator of an aerodrome may demand the surrender of a restricted area identity card if

Demand by screening officer

(3) A screening officer may demand the surrender of a restricted area identity card if

Demand by peace officer

(4) A peace officer may demand the surrender of a restricted area identity card if

Return of cards

452.34 A screening officer or a peace officer to whom a person surrenders a restricted area identity card must return the card to the operator of the aerodrome where the card is surrendered or to the operator of an aerodrome who issued the card.

Notification of Minister

452.35 The operator of an aerodrome to whom a person surrenders a restricted area identity card must notify the Minister if the operator demanded the surrender in accordance with paragraph 452.33(2)(c).

Escort and Surveillance

General requirement

452.36 (1) The operator of an aerodrome must ensure that any person who is in a restricted area at the aerodrome and is not in possession of a restricted area identity card

Exceptions

(2) This section does not apply in respect of the following persons:

Escort ratio

452.37 (1) The operator of an aerodrome must ensure that at least one escort is provided for every 10 persons who require escort.

Surveillance ratio

(2) The operator of an aerodrome must ensure that no more than 20 persons at a time are kept under surveillance by one person.

Requirement to remain together

452.38 (1) A person under escort must remain with the escort while the person is in a restricted area.

Idem

(2) An escort must remain with the person under escort while the person is in a restricted area.

Requirement to inform

(3) The person who appoints an escort must inform the escort of the requirement to remain with the person under escort while that person is in a restricted area.

Screening requirement

452.39 The operator of an aerodrome must ensure that a person under escort or surveillance at the aerodrome and any goods in the person’s possession or control are screened at a screening checkpoint before the person enters a sterile area.

Exception — conveyances

452.4 (1) The operator of an aerodrome is not required to place an escort or surveillance personnel in a conveyance that is in a restricted area at the aerodrome and is carrying persons who require escort or surveillance if the conveyance travels in a convoy with an escort conveyance that contains at least one person in possession of an active restricted area identity card that has been issued to them.

Exception to exception

(2) The operator of the aerodrome must ensure that, if a person who requires escort or surveillance disembarks from a conveyance in a restricted area at the aerodrome, the person is escorted or kept under surveillance in accordance with section 452.37.

Escort conveyances

452.41 The operator of an aerodrome must ensure that, at the aerodrome, at least one escort conveyance is provided for

Inspectors

Exemption

452.42 Nothing in this Division requires an inspector acting in the course of their employment to be in possession of a restricted area identity card or any other document issued or approved by the operator of an aerodrome as authorization for the inspector to enter or remain in a restricted area.

Inspector’s credentials

452.43 The credentials issued by the Minister to an inspector do not constitute a restricted area identity card even if the credentials are compatible with the identity verification system or with an access control system established by the operator of an aerodrome.

Escort privileges

452.44 Nothing in this Division prohibits an inspector from escorting a person who is in a restricted area and is not in possession of a restricted area identity card if the inspector

Conveyance escort privileges

452.45 (1) Nothing in this Division prohibits an inspector from escorting a person who is in a conveyance in a restricted area and is not in possession of a restricted area identity card if the inspector

Additional conditions

(2) If a person under escort disembarks from a conveyance in a restricted area, the inspector must

Idem

(3) If a person under escort is travelling to or from an air terminal building apron area, the Minister must ensure that at least one escort conveyance is provided for every three conveyances requiring escort in a convoy and that at least one inspector is in each escort conveyance.

Idem

(4) If a person under escort is travelling to or from a restricted area other than an air terminal building apron area, the Minister must ensure that at least one escort conveyance is provided for every six conveyances requiring escort in a convoy and that at least one inspector is in each escort conveyance.

4 Schedule 4 to the Regulations is amended by adding the following after the reference “Section 450”:

Column 1



Designated Provision

Column 2

Maximum Amount Payable ($)
Individual

Column 3

Maximum Amount Payable ($)
Corporation

Division 7.1 — Enhanced Access Controls

Subsection 452.02(2)

 

25,000

Subsection 452.03(1)

 

25,000

Subsection 452.03(4)

 

25,000

Subsection 452.04(1)

 

25,000

Subsection 452.04(2)

 

25,000

Section 452.05

5,000

25,000

Paragraph 452.06(a)

5,000

25,000

Paragraph 452.06(b)

5,000

25,000

Section 452.07

 

25,000

Section 452.08

 

25,000

Section 452.09

 

25,000

Subsection 452.1(1)

 

25,000

Subsection 452.1(2)

 

25,000

Section 452.11

 

25,000

Section 452.12

 

25,000

Subsection 452.13(1)

 

25,000

Subsection 452.13(2)

 

25,000

Subsection 452.13(3)

 

25,000

Subsection 452.13(4)

 

25,000

Section 452.14

 

25,000

Section 452.15

5,000

25,000

Subsection 452.16(1)

 

25,000

Subsection 452.16(2)

5,000

25,000

Section 452.17

 

25,000

Section 452.19

 

25,000

Section 452.2

 

25,000

Subsection 452.21(1)

 

25,000

Subsection 452.21(2)

 

25,000

Subsection 452.21(3)

 

25,000

Subsection 452.21(4)

 

25,000

Section 452.22

 

25,000

Section 452.23

5,000

 

Subsection 452.24(1)

5,000

 

Subsection 452.25(1)

5,000

 

Subsection 452.25(2)

5,000

 

Section 452.26

 

25,000

Subsection 452.27(1)

 

25,000

Subsection 452.27(2)

 

25,000

Subsection 452.27(3)

 

25,000

Subsection 452.27(4)

 

25,000

Section 452.28

 

25,000

Paragraph 452.29(1)(a)

5,000

 

Paragraph 452.29(1)(b)

5,000

 

Paragraph 452.29(1)(c)

5,000

25,000

Paragraph 452.29(1)(d)

5,000

 

Paragraph 452.29(1)(e)

5,000

 

Paragraph 452.29(1)(f)

5,000

 

Paragraph 452.29(1)(g)

5,000

25,000

Paragraph 452.29(2)(a)

5,000

25,000

Paragraph 452.29(2)(b)

5,000

 

Subsection 452.3(1)

5,000

 

Subsection 452.3(2)

5,000

25,000

Section 452.31

5,000

25,000

Subsection 452.32(1)

5,000

 

Subsection 452.32(2)

5,000

 

Subsection 452.33(1)

5,000

25,000

Section 452.34

5,000

 

Section 452.35

 

25,000

Subsection 452.36(1)

 

25,000

Subsection 452.37(1)

 

25,000

Subsection 452.37(2)

 

25,000

Subsection 452.38(1)

5,000

 

Subsection 452.38(2)

5,000

 

Subsection 452.38(3)

5,000

25,000

Section 452.39

 

25,000

Subsection 452.4(2)

 

25,000

Section 452.41

 

25,000

Coming Into Force

5 These Regulations come into force on April 1, 2016.

REGULATORY IMPACT ANALYSIS STATEMENT

(This statement is not part of the Regulations.)

Executive summary

Issues: In order to mitigate vulnerabilities that could be intentionally exploited, existing access control systems at certain Class 3 airports, based on an assessment of threat and risk, need enhancement.

Description: The amendments will require certain Class 3 airports to enhance their access control systems, similar to those already in place at Class 1 and Class 2 airports. This enhancement will require airport workers at the affected airports to use a biometric identity card to access the restricted areas of the airport. Operators of the affected airports will be required to add the biometric identity verification aspect to their existing access control system and to manage it.

Cost-benefit statement: The amendments could result in up to $12.94 million in costs to airports, the Canadian Air Transport Security Authority (CATSA) and Transport Canada over a 10-year period, with an annualized cost of $1.8 million. The highest of these costs would be incurred by CATSA. This additional layer of security is being implemented to reduce the risk of an aviation security incident, to strengthen Canada’s aviation transportation system in compliance with an international standard.

“One-for-One” Rule and small business lens: The “One-for-One” Rule applies to these amendments as they will result in an administrative burden of $2,869 in annualized costs for the affected airports and the workers at those airports.

Background

All 89 of Canada’s airports listed in Schedules 1 to 3 of the Canadian Aviation Security Regulations, 2012 (the Regulations) are required to have access control systems in place to prevent unauthorized access to airport restricted areas. Canada’s 29 larger airports, identified as Class 1 and Class 2 airports, are required to have a biometric Restricted Area Identity Card (RAIC) so that non-passengers’ (e.g. airport workers) identity be verified using biometrics (fingerprint or iris-scan) when accessing the restricted area through a restricted area access point equipped with a RAIC reader.

RAIC requirements for Class 1 and Class 2 airports were added to the Regulations in 2006 after consultation with airport operators, airport workers and the Privacy Commissioner. (see footnote 2)

RAIC readers, that form part of the identity verification system, are located at restricted area access points leading into the restricted areas. The RAIC readers automatically verify that the RAIC holder is the person to whom the RAIC was issued and confirm that the RAIC is valid. CATSA is responsible for implementing and maintaining the identity verification system and airports are responsible for managing the RAIC program and controlling access to the restricted areas.

A transportation security clearance is a prerequisite to obtain a RAIC. Background checks are conducted by Transport Canada in cooperation with the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, and Citizenship and Immigration Canada. Transport Canada conducts an evaluation upon receipt of all the information collected. The recommendation on whether or not to grant a transportation security clearance is based on an evaluation of the information obtained from the applicant and from the background checks, as to whether the applicant poses a risk to aviation security.

Canada’s 60 smaller airports, known as Class 3 airports, are required to have an access control system, but not the biometric access component mandated at larger airports. Instead, these airports use alternate access controls, such as restricted area passes, proximity card readers, and keypad or keyed doors to control access to the restricted areas.

CATSA has been responsible for the implementation of the non-passenger screening program in place at Canadian airports since 2004, which is supported by the RAIC program to validate a non-passenger’s identity. In July 2013, a more stringent International Civil Aviation Organization (ICAO) standard for screening non-passengers came into effect. The standard requires countries to ensure that non-passengers and the items they carry are subject to screening and security controls, prior to entering restricted areas of airports serving international civil aviation operations. When the standard came into effect, CATSA immediately increased its non-passenger screening operations as a result of the new standard. In July 2014, to further conform to the international standard, the Regulations were amended to allow non-passengers to only enter restricted areas through access points where CATSA is present and carrying out screening operations. (see footnote 3)

In general, the Regulations contain requirements applicable to air carriers, airport operators, CATSA and persons, and are designed to prevent acts of unlawful interference with civil aviation. The Minister of Transport is responsible for the development and regulation of aeronautics under section 4.2 of the Aeronautics Act. The Governor in Council has the authority to make Regulations under sections 4.71 and 4.9 of the Aeronautics Act.

Issues

In order to mitigate vulnerabilities that could be intentionally exploited, existing access control systems at certain Class 3 airports need to be enhanced. The absence of a biometrically-enhanced access control system is inconsistent with the results of the risk assessment, in which case the resulting gap could enable unauthorized access to an airport restricted area using a lost, stolen or duplicated key or pass.

The amendments to the Regulations will also require airport workers at Class 3 airports who need a RAIC to also possess a transportation security clearance. The affected airports, which will be identified in confidential security measures, will be required to implement and manage a RAIC program.

Expanding the RAIC program to some Class 3 airports reinforces Canada’s commitment to securing aviation and meeting international non-passenger screening standards, using risk based approaches. If not implemented, the risks identified in Transport Canada’s assessment for the affected airports would remain unmitigated and inconsistent with the government’s security activities.

Objectives

These Regulations will reinforce Canada’s compliance with the ICAO standard and improve the security of Canada’s aviation system. The objective of these Regulations is to align the security activities with the risk identified at certain Class 3 airports. Transport Canada drew upon risk assessment results, international benchmarking and industry consultations to identify the enhancements necessary.

Description

The affected Class 3 airports will be required to have enhanced access control systems similar to those already in place at Class 1 and Class 2 airports. Airport workers who are granted a transportation security clearance will have a RAIC that must be biometrically validated when accessing the restricted area through a restricted area access point equipped with a RAIC reader.

RAIC holders at doors providing access to the restricted areas will scan either their fingerprint or iris using a biometric RAIC reader. This system performs three tasks. Firstly, it confirms a cardholder’s identity by matching the biometrics on the card with the cardholder’s fingerprint or iris that is being scanned. Secondly, it confirms that a transportation security clearance issued by Transport Canada is valid for the holder of the card. Thirdly, it determines if the airport operator has granted access to the cardholder at a particular restricted area access point.

Since airport access control remains an airport responsibility, the airport must ask CATSA to immediately deactivate a RAIC if it is reported as lost or stolen or if the cardholder’s transportation security clearance has been suspended or cancelled. The cards may be confiscated if they have been deactivated or if the confiscation is required for an aviation security reason.

Key aspects of the amendments to the Regulations to expand a RAIC program to some Class 3 airports include the following:

In addition, the definition of “restricted area identity card” is amended to remove the reference to aerodromes listed in Schedule 1 or 2 and instead will refer to a pass that can be verified by an identity verification system.

Other requirements that would compromise aviation security if made public in regulations will not appear in the Regulations. These additional requirements will be contained in aviation security measures made under the Aeronautics Act and made available to persons with a need and right to have the information.

Regulatory and non-regulatory options considered

Option 1: Status quo

Although maintaining the status quo would minimize operational costs, failure to enhance the security at the affected Class 3 airports would result in the enhanced security not targeting the identified risk, create vulnerability, and create a surplus by not using funding provided specifically for RAIC enhancements. Therefore, this was not the preferred option.

Option 2: Voluntary program

A voluntary program was considered unfeasible, as the program would be based on contractual law which would limit the government’s involvement, it would be unenforceable, and would not provide the necessary assurances that privacy rights would be respected, or provide the legal framework to grant, revoke or suspend clearances, if information suggested that a person seeking a RAIC would pose a risk to aviation security. As the objectives to align the security activities with the risk identified at certain Class 3 airports could not be met using a voluntary approach, it was not the preferred option.

Option 3: Implementation of the RAIC program

In keeping with international requirements and practices, Canada’s civil aviation program is based on regulation, where other options are deemed insufficient. This provides for the highest possible assurances of compliance, consistency, transparency, and fairness. Implementing a RAIC program at certain Class 3 airports will mitigate the associated risks identified through the assessment process in order to support the department’s mandate to provide a secure air transportation system. In addition, as the funding for this program has already been committed, there would be little financial impact to government or industry. The disadvantages of this option are that airport operators will incur some costs, but the impacts are not expected to be significant, and the benefits will outweigh the costs. As a result, this is the preferred option.

Benefits and costs — all 60 Class 3 airports

Although only some of the Class 3 airports will be required to comply with the Regulations, the costs that could be borne by CATSA, Transport Canada and airports were calculated as if these amendments applied to all 60 Class 3 airports. For all 60 airports, the Present Value of the costs could be up to $12.94 million with annualized costs of $1.8 million. These costs would be distributed as in the following table.

A. Quantified Impacts (in Can$, 2015/constant dollars)

Base Year (2016)

2017

Final Year (2025)

Total (Present Value)

Annualized Average

Costs

Canadian Air Transportation Security Authority (CATSA)

$8,481,924

$103,304

$653,960

$11,450,669

$1,630,318

Transport Canada

$371,233

$82,353

$82,353

$1,013,021

$144,231

Class 3 Airports

$98,824

$55,366

$55,366

$478,871

$68,180

Total

$8,951,981

$241,023

$791,679

$12,942,561

$1,842,730

B. Qualitative Impacts

Canadians and the Canadian Economy

Fewer aviation security breaches (potential lives saved and injuries avoided).

Reduce the risk of acts or attempted acts of unlawful interference with civil aviation that disrupt air travel.

Ensure the continued access to the international aviation system by recognizing international standards.

Canadian Government

Maintain reputation in international civil aviation.

Airports and their partners

Increased airport security and security of business operations.

Improved business continuity.

While the benefits of the amendments are difficult to quantify or monetize, the additional layers of security (enhanced security controls, RAIC program and transportation security clearances) are expected to reduce the risk of an aviation security incident and will strengthen Canada’s aviation transportation system, using a risk-based approach, rather than the one-size-fits-all approach. A major aviation security incident could result in damage or the destruction of property and injuries or loss of life and would have negative rippling consequences on the broader aviation transportation system. Failure to adequately address risk identified through assessments at the affected Class 3 airports could negatively affect international relations, restrict or complicate access to international markets, result in other countries imposing additional screening measures and ultimately decrease passenger confidence and reduce the associated economic benefits for Canada.

A full cost-benefit analysis report is available upon request.

“One-for-One” Rule

The “One-for-One” Rule applies to these amendments, as they will result in an administrative burden increase of $2,869 in annualized costs for the affected airports and the workers at those airports. The administrative burden calculations contain security sensitive information and are therefore contained in a confidential document not available to the public.

Small business lens

While the estimated incremental cost to the affected airports may not be significant, the small business lens would nevertheless apply since the annual nation-wide costs of the regulatory change would exceed $1 million if it applied to all 60 Class 3 airports. A small business is defined as any business with fewer than 100 employees or between $30,000 and $5 million in annual gross revenues. That said, 55 of the 60 Class 3 airports would fall under this definition. While small businesses could be affected by this proposal, the affected airports and any related requirements will be contained in confidential security measures to ensure that public safety is duly protected. As such, the flexibility analysis is also confidential. A small business checklist has been completed according to the requirements of the small business lens. Transport Canada has been working closely with CATSA and the affected airports to minimize the compliance and operational costs associated with meeting the more stringent ICAO standard.

Consultation

In 2011, Transport Canada began consulting stakeholders including CATSA, airports and air carriers on enhancements to the non-passenger screening program. In 2013 and 2014, it conducted several consultative meetings with the Canadian Airports Council and CATSA to discuss the enhancements of the program and their implementation.  The Class 3 airports that will be affected by these RAIC-related amendments to the Regulations were informed in writing in August 2014 and were consulted individually in early 2015. All support the requirements to enhance their existing access control systems.

Rationale

The RAIC has been in use for almost 10 years and uses biometric technology as the basis of a secure credential card for airport workers who require access to restricted areas of Class 1 and Class 2 airports. It uses smart card technology to store two kinds of biometric data: fingerprint and iris templates.

The existing Regulations require CATSA to destroy biometric templates disclosed to CATSA in connection with an application for a RAIC as soon as feasible in accordance with the Access to Information Act, the Library and Archives of Canada Act and the Privacy Act. In addition, CATSA cannot collect, use, disclose or retain the identity of a RAIC holder.

To allow for the program to work despite this prohibition, an algorithm is used to create biometric templates from the biometric images provided during the enrollment process. A biometric template is a mathematically generated number extracted from key points within a biometric image. The template cannot be used to recreate an image of an iris or fingerprint, and cannot be used to identify an individual other than for the purposes of the RAIC program.

During the enrollment process, an airport worker’s biometric templates are stored on the card and in the central CATSA identification databank along with a unique RAIC information number. Only iris and fingerprint templates are stored on the card, not images. Once the templates are stored on the card and the card has been issued, the biometric images supplied during the enrollment process are purged from the airport database. No information that can be traced to a RAIC holder is disclosed to CATSA by an airport. An airport may, however, provide information to Transport Canada about a RAIC holder or an applicant for a RAIC for transportation security clearance purposes.

The amendments will require some Class 3 airports to implement a RAIC program, which will support and enhance the existing non-passenger screening program. These programs will add another layer of security and will further secure Canada’s aviation transportation system. CATSA and the affected airports fully support the amendments and are preparing to implement the RAIC program. CATSA has received funding to add the infrastructure necessary for the RAIC program at the affected airports.

Implementation, enforcement and service standards

The regulatory amendments come into force on April 1, 2016. Communications efforts have been ongoing with the affected airports and CATSA since mid 2014. Consultations with affected airports will be undertaken to ensure that additional enhancements are implemented effectively and efficiently.

The proposal includes amending the designated provisions of the Regulations in order to provide for the imposition of monetary penalties as a means to enforce the regulation. Under the Aeronautics Act, the maximum monetary penalty that can be assessed for the contravention of a regulation is $5,000 for individuals and $25,000 for corporations.

Transport Canada’s philosophy on the enforcement of the Regulations stresses promoting compliance as the preferred means of achieving a secure aviation environment. However, the Aeronautics Act provides that enforcement actions could be taken in the form of administrative monetary penalties pursuant to sections 7.6 to 8.2, charges could be laid for the commission of an offence set out under subsection 7.3(3), or a Canadian aviation document could be suspended or cancelled in accordance with section 6.9.

Contact

Francine Massicotte
Chief
Regulatory Programs and Projects
Aviation Security Regulatory Affairs
Transport Canada
330 Sparks Street, 13th Floor, Tower C
Ottawa, Ontario
K1A 0N5
Telephone: 613-949-4349
Fax: 613-949-9590
Email: francine.massicotte@tc.gc.ca

Small Business Lens Checklist

1. Name of the sponsoring regulatory organization:

Transport Canada

2. Title of the regulatory proposal:

Regulations Amending the Canadian Aviation Security Regulations, 2012 (Enhanced Access Controls)

3. Is the checklist submitted with a RIAS for the Canada Gazette, Part I or Part II?

Canada Gazette, Part I ☑ Canada Gazette, Part II

A. Small business regulatory design

I

Communication and transparency

Yes

No

N/A

1.

Are the proposed Regulations or requirements easily understandable in everyday language?

The same text is already in place in Division 8 of the Regulations for Class 1 and 2 airports and have been drafted to be as clear as possible.

2.

Is there a clear connection between the requirements and the purpose (or intent) of the proposed Regulations?

As described in the RIAS and communicated to the affected stakeholders, the purpose is to improve the existing access control systems at certain Class 3 airports.

3.

Will there be an implementation plan that includes communications and compliance promotion activities, that informs small business of a regulatory change and guides them on how to comply with it (e.g. information sessions, sample assessments, toolkits, Web sites)?

There are ongoing consultations with CATSA and the affected airports to ensure that the additional enhancements are implemented effectively and efficiently.

4.

If new forms, reports or processes are introduced, are they consistent in appearance and format with other relevant government forms, reports or processes?

The affected Class 3 airports will be required to keep updated records and a business continuity plan which is consistent with the processes/procedures already in place at all Class 1 and 2 airports. Airport workers at the affected airports will need to complete a transportation security clearance application form. Although this will be a new form for those airports, it is the same form that is already used by airport workers at the Class 1 and 2 airports.

II

Simplification and streamlining

Yes

No

N/A

1.

Will streamlined processes be put in place (e.g. through BizPaL, Canada Border Services Agency single window) to collect information from small businesses where possible?

The amendments to the Regulations do not require the collection of information from small businesses.

2.

Have opportunities to align with other obligations imposed on business by federal, provincial, municipal or international or multinational regulatory bodies been assessed?

It was determined that the unique nature of federally regulated requirements on aviation security could not be aligned with any other obligations imposed by other regulatory bodies but would be consistent with ICAO standards.

3.

Has the impact of the proposed Regulations on international or interprovincial trade been assessed?

There is no expected impact on international or interprovincial trade as a result of the amendments to the Regulations.

4.

If the data or information, other than personal information, required to comply with the proposed Regulations is already collected by another department or jurisdiction, will this information be obtained from that department or jurisdiction instead of requesting the same information from small businesses or other stakeholders? (The collection, retention, use, disclosure and disposal of personal information are all subject to the requirements of the Privacy Act. Any questions with respect to compliance with the Privacy Act should be referred to the department’s or agency’s ATIP office or legal services unit.)

The information collected from airport workers before a RAIC is issued is personal information.

5.

Will forms be pre-populated with information or data already available to the department to reduce the time and cost necessary to complete them? (Example: When a business completes an online application for a licence, upon entering an identifier or a name, the system pre-populates the application with the applicant’s personal particulars such as contact information, date, etc. when that information is already available to the department.)

Airport workers will be required to complete and submit a new application form every time their transportation security clearance needs to be renewed. Typically, this is every 5 years.

6.

Will electronic reporting and data collection be used, including electronic validation and confirmation of receipt of reports where appropriate?

Airport workers can apply for a transportation security clearance electronically through a secure Web site.

7.

Will reporting, if required by the proposed Regulations, be aligned with generally used business processes or international standards if possible?

The amendments to the Regulations do not have reporting requirements.

8.

If additional forms are required, can they be streamlined with existing forms that must be completed for other government information requirements?

The transportation security clearance application is unique to Transport Canada and, once completed, will contain personal information that is only used for the purpose of conducting the necessary background checks.

III

Implementation, compliance and service standards

Yes

No

N/A

1.

Has consideration been given to small businesses in remote areas, with special consideration to those that do not have access to high-speed (broadband) Internet?

The amendments to the Regulations will not affect small businesses in remote areas.

2.

If regulatory authorizations (e.g. licences, permits or certifications) are introduced, will service standards addressing timeliness of decision making be developed that are inclusive of complaints about poor service?

The amendments to the Regulations do not introduce regulatory authorizations.

3.

Is there a clearly identified contact point or help desk for small businesses and other stakeholders?

Airports and other stakeholders will continue to use their existing regional contacts.

B. Regulatory flexibility analysis and reverse onus

IV

Regulatory flexibility analysis

Yes

No

N/A

1.

Does the RIAS identify at least one flexible option that has lower compliance or administrative costs for small businesses in the small business lens section?

Examples of flexible options to minimize costs are as follows:

  • Longer time periods to comply with the requirements, longer transition periods or temporary exemptions;
  • Performance-based standards;
  • Partial or complete exemptions from compliance, especially for firms that have good track records (legal advice should be sought when considering such an option);
  • Reduced compliance costs;
  • Reduced fees or other charges or penalties;
  • Use of market incentives;
  • A range of options to comply with requirements, including lower-cost options;
  • Simplified and less frequent reporting obligations and inspections; and
  • Licences granted on a permanent basis or renewed less frequently.

The names of the airports that will be affected and any related security sensitive requirements will be contained in confidential security measures to ensure that public safety is duly protected. Therefore, the flexibility analysis is also confidential.

2.

Does the RIAS include, as part of the Regulatory Flexibility Analysis Statement, quantified and monetized compliance and administrative costs for small businesses associated with the initial option assessed, as well as the flexible, lower-cost option?

  • Use the Regulatory Cost Calculator to quantify and monetize administrative and compliance costs and include the completed calculator in your submission to TBS-RAS.

The names of the airports that will be affected and any related security sensitive requirements will be contained in confidential security measures to ensure that public safety is duly protected. Therefore, the flexibility analysis is also confidential.

3.

Does the RIAS include, as part of the Regulatory Flexibility Analysis Statement, a consideration of the risks associated with the flexible option? (Minimizing administrative or compliance costs for small business cannot be at the expense of greater health, security or safety or create environmental risks for Canadians.)

The names of the airports that will be affected and any related security sensitive requirements will be contained in confidential security measures to ensure that public safety is duly protected. Therefore, the flexibility analysis is also confidential.

4.

Does the RIAS include a summary of feedback provided by small business during consultations?

The affected airports were consulted and support the amendments to the Regulations.

V

Reverse onus

Yes

No

N/A

1.

If the recommended option is not the lower-cost option for small business in terms of administrative or compliance costs, is a reasonable justification provided in the RIAS?

The recommended option is the lower-cost option for small businesses.