Annual Report 2009-2010
Administration of the Privacy Act
Introduction
The Privacy Act (the Act) was enacted on July 1, 1983. The purpose of the Act is to:
- Extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by government institutions.
- Set strict guidelines and conditions regulating the collection, accuracy, use, access and distribution, retention, and disposal of personal information necessary to the administration of government programs.
- Provide individuals with the right to access to information about themselves and to request correction of that information thereby promoting both transparency and accountability in government institutions.
Overview of the Financial Transactions and Reports Analysis Centre
FINTRAC's mandate is to facilitate the detection, prevention and deterrence of money laundering, terrorist activity financing and other threats to the security of Canada by receiving, collecting and analyzing information on financial activities; ensuring those subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) comply with reporting, record keeping and other obligations; and making case disclosures of financial intelligence to the appropriate law enforcement agency, CSIS, or other agencies designated by legislation in support of investigations and prosecutions. FINTRAC's mandate also includes the creation of strategic intelligence products and the enhancement of public awareness and understanding of matters related to money laundering and terrorist financing. In undertaking these activities FINTRAC is required to ensure the protection of the personal information under its control.
Access and Privacy (ATIP) Program Administration
FINTRAC's ATIP Office is part of FINTRAC's Communications Division, within the Strategic Policy and Public Affairs Sector. The office consists of the Access to Information and Privacy Coordinator (ATIP Coordinator) who is supported by an Access to Information and Privacy Officer (ATIP Officer).
Legal Services provides advisory guidance whenever required.
Delegation of Authority
Delegation of Authority Order in Council P.C. 2000-1066 designates the Director of the Financial Transactions and Reports Analysis Centre (FINTRAC) as head of the Centre for the purposes of the Privacy Act and FINTRAC's Privacy Program. However, pursuant to s. 73 of the Privacy Act, the authority to exercise the powers and perform the functions and duties of the Director under the Privacy Act have been delegated to the ATIP Coordinator.
The Coordinator's mandate is to promote and enforce compliance with the Privacy Act, legislative regulations, as well as related government policy. Further, the Coordinator is responsible to create procedures, establish processing standards and institute a training program to broaden the general knowledge and understanding of the principles of privacy protection within FINTRAC. The Coordinator is also responsible for communicating and consulting with the Treasury Board Secretariat, the Office of the Privacy Commissioner, government departments and agencies, as well as with the Canadian public at large.
The ATIP Officer holds the responsibility of processing requests for access submitted under both the Access to Information Act and the Privacy Act, and for providing guidance and awareness training.
A copy of the Director's Delegation Order is attached at Appendix 'A'.
Privacy Request Case Activity
During the current reporting period of April 1, 2009 and March 31, 2010, the ATIP Office had 1 request carried over from the previous reporting period and received 15 new requests for access to personal information. Of the total 16 cases in hand, 13 cases were completed and the remaining 3 cases were carried over to the 2010-2011 reporting period.
Other Requests
FINTRAC received 2 requests for consultation from other departments and/or agencies related to requests submitted to them under the Privacy Act. Our response to 1 case was to recommend that some of the information be exempted from disclosure. Our response to the other case was to recommend the complete exemption of all information.
Method of Access
All applicants received copies of responsive documents where applicable.
Disposition of Completed Requests
Of the 13 completed cases received at FINTRAC, in 6 cases the applicant received full disclosure of the information requested, while in 5 cases the applicant either received a partial response or received a nil response (i.e. neither confirm nor deny the existence of information), and 2 cases were abandoned by the applicant.
Completion Times and Extensions
In all 13 completed cases the applicant was provided with a response within the statutory time frame. No time extension was required for the processing of a response to any of the completed cases.
Exclusions and Exemptions Invoked
The ATIP Office invoked exclusions and exemptions as follows:
22(1) Law enforcement and investigation was invoked in 5 cases
26 Personal information of another was invoked in 1 case
Corrections and Notations
The ATIP Office received no requests for correction of personal information.
Costs
During the reporting year, the ATIP Office incurred an estimated $80,000 in salary costs to administer the Privacy Act.
Privacy Impact Assessments (PIA)
FINTRAC completed 2 Privacy Impact Assessments during the reporting year:
The first, an addendum of its baseline Privacy Impact Assessment entitled FINTRAC Reports Process, assesses how FINTRAC's consideration of the privacy principles in a proposal relating to the efforts of its strategic intelligence analyst seconded to the Integrated Threat Assessment Centre.
The second is an annex to the Overarching Cross-Jurisdictional Information Sharing Privacy Impact Assessment Report for the use of the Integrated Query Tool prepared by Public Safety Canada (PSC). FINTRAC's annex directly corresponds to FINTRAC's baseline PIA report (FINTRAC Reports Process).
Both reports were forwarded to the Office of the Privacy Commissioner. The following is a link to FINTRAC's PIA report summaries: http://www.fintrac-canafe.gc.ca/atip-aiprp/privacy-privee-eng.asp?pageIndex=3
A Supplemental Report concerning FINTRAC's PIA activities is attached at Appendix 'C'.
Data Matching and Data Sharing Activities
FINTRAC is a financial intelligence agency that receives financial transaction data from reporting entities, information provided voluntarily from law enforcement and other governmental agencies and from foreign financial intelligence units, information gathered from public and commercial databases and other databases maintained by provincial or federal governments for the purpose of law enforcement or national security. FINTRAC discloses intelligence relating to financial transactions to designated recipients set out in the PCMLTFA when specific statutory tests have been met.
Given its intelligence mandate, FINTRAC does not reveal all of the sources of information it accesses for the purposes of furthering its analysis of financial transactions reported to it. FINTRAC is, however, subject to the Privacy Act and to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, which sets out offences for non-authorized use or disclosure of information and requires that FINTRAC be subject to mandated biennial reviews of the measures taken by FINTRAC to protect the information it receives and collects. These reviews are conducted by the Office of the Privacy Commissioner.
Pursuant to sections 56 and 56.1 of the PCMLTFA, FINTRAC may make disclosures to foreign financial intelligence agencies in an effort to further its analytical work. According to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act such queries can only be made if FINTRAC and the foreign agency have entered into an agreement which stipulates the purposes for which the information can be used, the fact that the information must be treated in confidence and that it cannot be further disclosed without FINTRAC's express permission. FINTRAC has signed 62 memoranda of understanding, 8 of which were entered into during the 2009-2010 fiscal year.
Education and Training
A Security Awareness education and training program was developed by FINTRAC's Security Unit in cooperation with the ATIP Office. Although the main topic is focused on information security, there is also a component which involves the principles of privacy as well. Attendance is compulsory and is part of every employee's individual training and development program. In the reporting year, 18 awareness sessions were provided to approximately 278 employees of the Centre.
The ATIP Office is drafting training materials focused on the Privacy Act, request management and privacy responsibility awareness.
Disclosures of Personal Information Under Section 8 of The Act
FINTRAC only discloses personal information pursuant to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA). Under subsection 55(1) of the PCMLTFA, FINTRAC is prohibited from disclosing any information to any third party except in accordance with the provisions of the PCMLTFA. The prohibition on disclosure of information contained in subsection 55(1) of the PCMLTFA is subject to section 12 of the Privacy Act.
Significant Changes to the Organization, Programs, Operations or Policy
None to report.
New Privacy Related Policies or Procedures Implemented
In November of 2009, the Office of the Privacy Commissioner of Canada (OPC) tabled its first report on FINTRAC's measures to protect the personal information under its control, as mandated under a 2006 amendment to the PCMLTFA.
The report recognized the Centre's good work in protecting its information holdings as well as the Centre's strong physical and IT security infrastructures. In order to further strengthen its compliance with the Code of Fair Information Practices and following the audit, FINTRAC has been working on exploring solutions to address the recommendations from the OPC.
Complaints and Investigations
Only two complaints were filed with the Office of the Privacy Commissioner in the fiscal year 2009-2010. Both complaints were based on FINTRAC's refusal to disclose under s. 16 of the Act.
Each complaint was investigated and in each case, the Privacy Commissioner upheld FINTRAC's decision.
Federal Court Cases
There were no court cases involving FINTRAC.
Appendix 'A'
Privacy Act
Designation Orders
The Director of the Financial Transactions Reports and Analysis Centre of Canada (FINTRAC) pursuant to Section 73 of the Privacy Act, hereby designates the person holding the position of Coordinator, Access to Information and Privacy, or the person occupying that position on an acting basis, and in the absence of that person the Assistant Director of Communications, to exercise the powers and perform the duties and functions of the Director of the Centre as the head under the provisions of the Privacy Act.
This designation takes effect as of the 1st of May, 2009.
Dated at Ottawa this 26th day of May, 2009.
Director
Financial Transactions Reports and Analysis
Centre of Canada
Appendix 'C'
Supplemental Reporting Requirements for 2009-2010 Privacy Act
Treasury Board Secretariat is monitoring compliance with the Privacy Impact Assessment (PIA) Policy (which came into effect on May 2, 2002) through a variety of means. Institutions are therefore required to report the following information for the 2009-2010 reporting period.
Indicate the number of: Preliminary Privacy Impact Assessments initiated: ___0___
Preliminary Privacy Impact Assessments completed: ___0___
Privacy Impact Assessments initiated: ___2___
Privacy Impact Assessments completed:___2___
Privacy Impact Assessments forwarded to the Office of the Privacy Commissioner (OPC): ___2___
*As an update to one of its baseline PIA reports (and included as a Privacy Impact Assessment completed above), FINTRAC completed an addendum that was provided to the Office of the Privacy Commissioner for their review.