Annual Report 2010-2011
Administration of the Privacy Act

Table of Contents

• Introduction
  • Overview of the Financial Transactions and Reports Analysis Centre
  • The Access to Information and Privacy Section
  • Delegation of Authority
• Performance
  • Privacy Request Case Activity
  • Method of Access
  • Disposition of Completed Requests
  • Completion Times and Extensions
  • Exclusions and Exemptions Invoked
  • Other Requests
  • Corrections and Notations
  • Costs
  • Disclosures of Personal Information Under Section 8 of The Act
  • Privacy Impact Assessments (PIA)
  • Data Matching and Data Sharing Activities
• Education and Training
• Significant Changes to the Organization, Programs, Operations or Policy
• New Privacy Related Policies or Procedures Implemented
• Complaints and Investigations
  • Federal Court Cases

Administration of the Privacy Act Annual Report 2010-2011 (PDF version, 594 KB)

Introduction

The Privacy Act (hereafter the "Act") was enacted on July 1, 1983. The purpose of the Act is to:

• extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by government institutions.
• set strict guidelines and conditions regulating the collection, accuracy, use, access and distribution, retention, and disposal of personal information necessary to the administration of government programs.
• provide individuals with the right to access to information about themselves and to request correction of that information thereby promoting both transparency and accountability in government institutions.

Section 72 of the Act requires the head of every government institution to prepare and table in Parliament an annual report on the administration of the Act during the fiscal year. This report describes how the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) administered the Act throughout fiscal year 2010-2011.

Overview of the Financial Transactions and Reports Analysis Centre

FINTRAC's mandate is to facilitate the detection, prevention and deterrence of money laundering, terrorist activity financing and other threats to the security of Canada by receiving, collecting and analyzing information on financial activities; ensuring those subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) comply with reporting, record keeping and other obligations; and making case disclosures of financial intelligence to the appropriate law enforcement agency, the Canadian Security Intelligence Service, or other agencies designated by legislation in support of investigations and prosecutions. FINTRAC's mandate also includes the creation of strategic intelligence products and the enhancement of public awareness and understanding of matters related to money laundering and terrorist financing. In undertaking these activities FINTRAC is required to ensure the protection of the personal information under its control.

The Access to Information and Privacy Section

FINTRAC's Access to Information and Privacy (ATIP) Office is part of FINTRAC's Communications Division, within the Strategic Policy and Public Affairs Sector. The office consists of the Access to Information and Privacy Coordinator (ATIP Coordinator) who is supported by an Access to Information and Privacy Officer (ATIP Officer).

Legal Services provides advisory guidance whenever required.

Delegation of Authority

Order in Council P.C. 2000-1066 designates the Director of FINTRAC as head of the Centre for the purposes of the Act and FINTRAC's Privacy Program. However, pursuant to section 73 of the Act, the authority to exercise the powers and perform the functions and duties of the Director under the Act has been delegated to the ATIP Coordinator.

The Coordinator's mandate is to promote and enforce compliance with the Act and its regulations, as well as related government policy. Further, the Coordinator is responsible for creating procedures, establishing processing standards and instituting an awareness program to broaden the general knowledge and understanding of the principles of privacy protection within FINTRAC. The Coordinator is also responsible for communicating and consulting with the Treasury Board Secretariat (TBS), the Office of the Privacy Commissioner (OPC), government departments and agencies, as well as with the Canadian public at large.

The ATIP Officer holds the responsibility of processing requests for access to information submitted under both the Access to Information Act and the Act, and for providing guidance and awareness training.

Performance

Privacy Request Case Activity

During the current reporting period of April 1, 2010 and March 31, 2011, the ATIP Office:

• had 3 outstanding cases from the previous reporting period; and
• received 20 new requests for access to personal information which were all completed during the reporting year.

Method of Access

All applicants received copies of responsive documents where applicable.

Disposition of Completed Requests

Of the 23 cases received at FINTRAC, in 12 cases the applicant received a partial disclosure of the information requested, while in 3 cases the applicant received a nil response (i.e., neither confirm nor deny the existence of information). FINTRAC was unable to process 6 cases, and 2 cases were abandoned by the applicant.

Completion Times and Extensions

Of the 23 completed cases, 18 applicants were provided with a response within the statutory time frame, while 5 cases required a time extension to complete search requirements in order to comply with the processing of the response.

Exclusions and Exemptions Invoked

The ATIP Office invoked exemptions under the Act a total of 32 times, as follows:

• 14 times under section 22 (Law enforcement and investigation);
• 7 times under section 25 (Safety of individuals);
• 7 times under section 26 (Personal information about another individual); and
• 4 times under section 27 (Solicitor-client privilege).

No exclusions were invoked.

Other Requests

FINTRAC received 4 requests for consultation from other departments and/or agencies related to requests submitted to them under the Act. Our response included a recommendation of full disclosure on 1 case, and a neither confirm nor deny the existence of any information on 2 cases. The 4^th case was treated informally because FINTRAC responded to the consulting government institution that it had already received an identical request under the Act (whereby the requested document was partially disclosed to the applicant).

Corrections and Notations

The ATIP Office received no requests for correction of personal information.

Costs

During the reporting year, the ATIP Office incurred an estimated $80,000 in salary costs to administer the Act.

Disclosures of Personal Information Under Section 8 of the Act

Under paragraph 8(2)(b) of the Act, FINTRAC only discloses personal information pursuant to the PCMLTFA.Under subsection 55(1) of the PCMLTFA, FINTRAC is prohibited from disclosing any information to any third party except in accordance with the provisions of the PCMLTFA. The prohibition on disclosure of information contained in subsection 55(1) of the PCMLTFA is subject to section 12 of the Act.

In 2010-2011, FINTRAC did not disclose any information under paragraph 8(2)(m) of the Act.

Privacy Impact Assessments (PIA)

The Government's Directive on Privacy Impact Assessments (PIA) requires FINTRAC to ensure that privacy principles are being taken into account when there are proposals for, and during the design, implementation and evolution of, programs and services which raise privacy issues. FINTRAC currently has four baseline PIA reports in place for all its Programs and Services.

In 2010-2011, FINTRAC updated its Regional Operations and Compliance Program PIA to address examinations and the collection and use of third-party personal information.

Further, in accordance with FINTRAC's Privacy Policy, FINTRAC has conducted numerous privacy risk assessments which must be completed during the design phase of any project involving a new or substantial change to a program using personal data.

The following is a link to FINTRAC's current PIA report summaries: http://www.fintrac-canafe.gc.ca/atip-aiprp/privacy-privee-eng.asp?pageIndex=3

Data Matching and Data Sharing Activities

FINTRAC is a financial intelligence agency which receives financial transaction data from reporting entities, information provided voluntarily from law enforcement and other governmental agencies and from foreign financial intelligence units, information gathered from public and commercial databases and other databases maintained by provincial or federal governments for the purpose of law enforcement or national security. FINTRAC discloses intelligence relating to financial transactions to designated recipients set out in the PCMLTFA when specific statutory tests have been met.

Given its intelligence mandate, FINTRAC does not reveal all of the sources of information it accesses for the purposes of furthering its analysis of financial transactions reported to it. FINTRAC is, however, subject to the Act and to the PCMLTFA, which sets out offences for non-authorized use or disclosure of information and requires that FINTRAC be subject to mandated biennial reviews conducted by the OPC of the measures taken by FINTRAC to protect the information it receives and collects.

Pursuant to sections 56 and 56.1 of the PCMLTFA, FINTRAC may make disclosures to foreign financial intelligence agencies in an effort to further its analytical work. According to the PCMLTFA, such queries can only be made if FINTRAC and the foreign agency have entered into an agreement which stipulates the purposes for which the information can be used, the fact that the information must be treated in confidence and that it cannot be further disclosed without FINTRAC's express permission. FINTRAC has signed 73 memoranda of understanding, 11 of which were entered into during the 2010-2011 fiscal year.

Education and Training

An awareness session was provided to an additional 20 employees who had not yet received the mandatory training which was provided in 2009-2010. Course content included:

• FINTRAC's responsibilities under the Act;
• how requests are administered by the FINTRAC ATIP Office;
• purpose and exemptions of the Act;
• description of what includes personal information;
• 10 generally accepted fair information practices;
• authorities for the collection of personal information; and
• how FINTRAC protects and manages personal information under its control.

A corporate training strategy has been created to address FINTRAC knowledge needs and to ensure that employees are aware of their specific functional responsibilities under the ATIP legislation and relevant policy instruments. The strategy looks at incorporating new and innovative media, as well as collaborating internally with other information management and security specialists, to bridge knowledge gaps within FINTRAC. In 2010-2011, ATIP collaborated with Human Resources (HR) to include key messages on the protection of privacy in HR's corporate overview presentation to 10 new employees.

Significant Changes to the Organization, Programs, Operations or Policy

In 2010-2011 FINTRAC appointed a member of its Executive Committee to be its Chief Privacy Officer (CPO). The role of the CPO is to strengthen FINTRAC's privacy management framework and to coordinate and oversee privacy-related activities. The CPO's role also includes chairing a Privacy Committee, which is made up of representatives from all sectors and directorates of FINTRAC.

New Privacy Related Policies or Procedures Implemented

In the reporting year, FINTRAC revamped its Privacy Policy to reflect current government policy instruments. The policy confirms the Centre's commitment to protect the information with which it is entrusted and to ensure that FINTRAC complies not only to the legislative requirements of the Act and the PCMLTFA, but to the spirits of both of these Acts as well. To demonstrate its commitment to openness about the Centre's privacy practices and how it manages personal information, the Privacy Policy will be posted on the external Website for the public to see.

To support the requirements of the new Privacy Policy, FINTRAC has also developed a Privacy Breach Incident Guidelines, a Privacy Impact Checklist, and a Privacy Impact Assessment Approval Procedure.

In relation to the management of requests for information under the Act, the Centre created FINTRAC's ATIP Requests Management Guidelines and a User Manual for the Administration of ATIP Requests.

Complaints and Investigations

In the reporting year, only one complaint was filed with the OPC. The complaint, which is ongoing, is based on FINTRAC's refusal to disclose information under section 16 of the Act.

Federal Court Cases

There were no court cases involving FINTRAC.