Administration of the Privacy Act Annual Report 2016–17

Table of Contents

Introduction

This report to Parliament, prepared and tabled in accordance with Section 72 of the Privacy Act (hereafter the “Act”), describes the activities of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in administrating the Act during fiscal year 2016–17.

The purpose of the Act is to:

  • extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by government institutions;
  • set strict guidelines and conditions regulating the collection, accuracy, use, access and distribution, retention, and disposal of personal information necessary to the administration of government programs; and
  • provide individuals with the right of access to information about themselves and to request correction of that information, thereby promoting both transparency and accountability in government institutions.

About FINTRAC

FINTRAC was established by, and operates within the ambit of, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its regulations. FINTRAC is one of several domestic partners in Canada’s anti-money laundering and anti-terrorist financing regime, which is led by the Department of Finance.

As Canada’s financial intelligence unit, FINTRAC helps protect the safety of Canadians and the integrity of Canada’s financial system through the detection, prevention, and deterrence of money laundering and the financing of terrorist activities.

FINTRAC fulfills its mandate through the following activities:

  • Receiving financial transaction reports and voluntary information on money laundering and terrorism financing in accordance with the Proceeds of Crime (Money Laundering) and Terrorism Financing Act and regulations, and safeguarding personal information under its control
  • Ensuring reporting entities comply with the legislation and regulations
  • Producing financial intelligence relevant to investigations of money laundering, terrorist activity financing and threats to the security of Canada
  • Researching and analyzing data from a variety of information sources that shed light on trends and patterns in money laundering and terrorism financing
  • Maintaining a registry of money services businesses in Canada
  • Enhancing public awareness and understanding of money laundering and terrorist activity financing

In addition, FINTRAC is part of the Egmont Group, an international network of financial intelligence units that collaborate and exchange information to combat money laundering and terrorist activity financing. FINTRAC also contributes to other multilateral fora such as the Financial Action Task Force, the Asia-Pacific Group on Money Laundering and the Caribbean Financial Action Task Force, participating in international policy making and the provision of technical assistance to other financial intelligence units.

In 2016–17, FINTRAC provided 2,015 disclosures of financial intelligence to Canada’s police and national security agencies to assist their money laundering and terrorist activity financing investigations. Of these disclosures, 462 were relevant to terrorism financing and threats to the security of Canada, an increase of 40% over the previous year.

FINTRAC’s financial intelligence also assists money laundering investigations in the context of a variety of criminal investigations, where the origins of the suspected criminal proceeds are linked to drug offences, fraud, tax evasion, corruption, human smuggling, and other offences.

FINTRAC’s financial intelligence is also used by policy leaders and decision-makers to assess current and emerging trends and patterns in money laundering and terrorism financing, and the impact they may have on national security and broader government policy. Over the past year, the Centre completed a number of strategic intelligence projects, particularly in relation to foreign terrorist fighters and Daesh.

Delegation of Authority

Order in Council P.C. 2000-1066 designates the Director of FINTRAC as head of FINTRAC for the purposes of administering the Act and FINTRAC’s privacy program. However, pursuant to Section 73 of the Act, the authority to exercise the powers and perform the functions and duties of the Director under the Act has been delegated to the Manager of Communications within the Corporate Management Services Sector. Certain functions have also been delegated to the Access to Information and Privacy (ATIP) Coordinator.

A copy of the Director’s Delegation Order may be found in Annex A.

The Access to Information and Privacy Office

FINTRAC’s ATIP Office is part of FINTRAC’s Communications Group within the Corporate Management Services Sector. The Office consists of the ATIP Coordinator, a Senior ATIP Advisor and an ATIP Advisor.

The ATIP Office is responsible for the coordination, development and implementation of policies, procedures, and guidelines to ensure FINTRAC’s compliance with the Act and the Access to Information Act, and with related government policies and directives. The Office is primarily responsible for processing and responding to requests made under the Act––including consultations from other institutions––and providing training, advice, and guidance to FINTRAC employees, contractors and students on ATIP-related matters.

The ATIP Coordinator’s role is to promote and ensure compliance with the Act and its regulations, including parliamentary reporting requirements and related government policy requirements. The Coordinator is responsible for overseeing the creation of procedures, processing standards and implementing an awareness program to broaden the general knowledge and understanding of the principles of access to information and the management of information requests within FINTRAC. The Coordinator is also responsible for communicating and consulting with the Treasury Board Secretariat, the Office of the Information Commissioner, government departments and agencies, and the Canadian public at large.

The ATIP advisors are responsible for processing requests for access to information submitted under the Act including consultation requirements, and for providing subject matter expertise and guidance. The Senior ATIP Advisor in particular is responsible for developing procedures and guidelines, for leading the ATIP representatives’ networking forums, and for developing and delivering a training and awareness program.

FINTRAC maintains a network of 25 ATIP representatives who coordinate requests within their area of responsibility, participate in networking forums, and liaise with the ATIP Office.

The ATIP Office is also supported by Legal Services, which provides advice as required.

Activities and Accomplishments

Performance

In fiscal year 2016–17, there was a 58.8% decrease in the volume of requests received by FINTRAC under the Act compared to the previous year. A total of 20 new Privacy Act requests were received this fiscal year compared to 34 in 2015–16. The table below identifies the number of requests received and completed over the past five years, including this fiscal year.

Number of requests received and completed over the past five years
Number of requests received and completed over the past five years
View the text equivalent Number of requests received and completed over the past five years

This chart identifies the number of requests received and completed over the past five years.

16 requests were received in 2011–12

14 requests were received in 2012–13

12 requests were received in 2013–14

23 requests were received in 2014–15

34 requests were received in 2015–16

20 requests were received in 2016–17

16 requests were completed in 2011–12

13 requests were completed in 2012–13

13 requests were completed in 2013–14

20 requests were completed in 2014–15

34 requests were completed in 2015–16

20 requests were completed in 2016–17


FINTRAC's response rate for all privacy requests was 100%. This compares favourably with the federal government's overall average of 80.4% for 2015–16.

Significant Changes to the Organization, Programs, Operations, or Policy

In order to better align its program activities to deliver more efficiently on its legislative and operational mandate FINTRAC undertook an organizational change in 2016–17. FINTRAC’s Collaboration, Development, and Research Sector created two separate units: Strategic Intelligence and Data Exploitation Lab, and Strategic Policy and Reviews. The Strategic Policy and Reviews unit saw the consolidation of International Relationships, Review and Appeals, and Policy and Coordination functions.

Following these changes, the ATIP processing structure was further modified to ensure proper coverage of responsibilities and efficiencies between the newly consolidated units.

New Privacy-related Policies, Guidelines, or Procedures Implemented

Nothing to report.

Education and Training

The FINTRAC Code of Conduct, Values and Ethics specifically describes employees’ legal obligations to protect information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and also makes reference to the Privacy Act, the Canadian Charter of Rights and Freedoms, the Access to Information Act, and FINTRAC’s Privacy, Security and Information Management policies. Adherence to the Code of Conduct, Values and Ethics is a condition of employment for every FINTRAC employee. The education and training activities organized for FINTRAC employees in fiscal year 2016–17 served to reinforce the obligations and values outlined in the Code of Conduct, Values and Ethics, legislation, and policies.

Given FINTRAC’s legislated mandate to protect personal information, employees’ awareness of their privacy responsibilities is a priority and is achieved across FINTRAC in operational and corporate training. With respect to obligations under the Act and its related policy instruments, FINTRAC promotes privacy requirements and raises ATIP awareness among employees using specific and targeted methods, including face-to-face meetings, learning products, all-staff messages, and innovative media. It also raises awareness through mandatory group awareness sessions, held for employees on a cyclical basis.

In 2015–16, 95% of FINTRAC employees received mandatory ATIP training. Over the past fiscal year, the following education and training activities took place:

  • The ATIP Office provided two mandatory ATIP awareness sessions to a total of 25 new or returning employees, or those who were unable to attend a session in the previous reporting year. The training focused on:
    • employees’ legal responsibilities and obligations under the Act;
    • the principles for assisting applicants;
    • applicable definitions, delegations, exemption decisions and the exercise of discretion;
    • the requirement to provide complete, accurate and timely responses;
    • the complaint process and reviews by the courts;
    • consequences of obstructing the right of access;
    • the Proceeds of Crime, Money Laundering, Terrorist Financing Act, and FINTRAC’s obligations regarding the 10 privacy principles including its privacy governance;
    • the definition of personal information;
    • the legal authority on use, collection and disclosure of personal information as per sections 7 and 8 of the Act;
    • accountability and risk management of personal information, including the conduct of privacy impact assessments and related activities;
    • what constitutes a privacy breach and reporting requirements; and
    • the consequences of non-compliance with the Act.
  • One employee completed an Access to Information and Privacy Fundamentals Course held by the Canada School of Public Service.
  • Information notices regarding privacy protection and ATIP were published on a monthly basis on FINTRAC’s intranet site. The notices included Info Source publishing responsibilities, information in relation to privacy risk-assessment requirements and offences for the obstruction of access.
  • Key messages on privacy principles––including employee obligations and the consequences of obstructing the right of access––are included in the mandatory Corporate Overview training and in FINTRAC’s Information Management awareness sessions for all new employees, including contractors and students. In the reporting year, 12 Corporate Overview sessions were provided to 24 new employees, and 42 sessions of FINTRAC’s Information Management awareness sessions were delivered to 69 employees. The sessions raised employee awareness about their responsibilities under the Act, and covered the obligations and best practices for managing personal information in accordance with the Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and FINTRAC’s Privacy, Security, and Information Management policies.
  • FINTRAC’s Intelligence and Compliance programs have integrated fundamental ATIP concepts, privacy practices, and the protection of information into their core training programs. In 2016–17, 11 new employees participated in the mandatory Financial Intelligence Operations Training program. For the 115 employees in the Compliance program, privacy is reinforced at various regional and headquarters training forums, and through a variety of integrated business processes (institutionalized policies and procedures).
  • In its promotion of privacy and information protection, the Security Office delivered 37 mandatory security awareness sessions to a total of 91 new or returning FINTRAC employees, contractors, and students. These sessions provided participants with an overview of:
    • the importance of security given FINTRAC’s mandate;
    • employee roles and responsibilities in relation to protecting information;
    • classification, transmission and storage of information;
    • the need to know/need to share principle; and
    • the consequences of unauthorized disclosure and inappropriate use of information.

FINTRAC’s network of ATIP representatives––comprised of the employees who have primary responsibility for ATIP activities within their sectors––continued to meet on a quarterly basis in 2016–17. The network meetings are a forum for the ATIP Office to communicate updates and clarifications to all sectors, helping to ensure that a consistent approach is taken Centre-wide. The meetings also provide a venue to discuss common challenges and look for efficiencies related to the administration of the ATIP Acts. In addition to these meetings, the ATIP Office raises awareness by providing day-to-day responses and contextual training, coaching and guidance to ATIP representatives and their colleagues. These activities have been essential to the success of FINTRAC’s ATIP program as they foster collaboration and enable the exchange of ideas and solutions with respect to FINTRAC’s ability to deliver on its privacy requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Act.

Program Performance and Monitoring

FINTRAC’s ATIP Office uses case management software (AccessPro Suite) to coordinate and facilitate the processing of requests, including monitoring performance, documenting important actions and decisions, and ensuring that requests are completed within legislated timelines.

FINTRAC’s ATIP Coordinator provides regular briefings to the Corporate Management Services Sector Management Committee, FINTRAC’s Management Advisory Committee and its Executive Committee on access and privacy statistics, issues, performance and compliance. Policy issues, issues of non-compliance, or processing delays are also discussed and addressed.

Statistical Overview

Privacy Request Case Activity

During the reporting period of April 1, 2016, to March 31, 2017, the ATIP Office received 20 new requests for access to personal information in addition to the 2 outstanding requests from the previous reporting period. Twenty requests were completed in 2016–17, while 2 were carried over to the next reporting period.

Method of Access

With the exception of one applicant, all applicants received paper copies of responsive documents as the number of pages for each release package was very low.

Disposition of Completed Requests

Twenty access requests were completed by FINTRAC in 2016–17:

  • in 2 cases, the applicant received full disclosure of the information;
  • in 1 case, the applicant received partial disclosure of the information;
  • in 10 cases, FINTRAC responded that it was unable to acknowledge the existence of information;
  • in 2 cases, the requests were abandoned by the applicant; and
  • in 5 cases, it was determined that no records existed within FINTRAC’s information holdings.

Completion Times and Extensions

All requests were completed within the 30-day statutory deadline.

Exclusions and Exemptions Invoked

The ATIP Office invoked exemptions under the Act, as follows:

  • Section 22 (law enforcement and investigation) 10 instances  
  • Section 25 (safety of individuals) 10 instances  
  • Section 26 (personal information about another individual) 10 instances
  • Section 27 (solicitor-client privilege) 1 instance

No exclusions were invoked.

Other Requests

FINTRAC responded to two formal consultation requests from another government institution concerning a request they received under the Act.

In both cases, FINTRAC responded within the deadline stipulated by the consulting organization.

Corrections and Notations

The ATIP Office received no requests for corrections of personal information.

Complaints and Investigations

Subsection 29(1) of the Act describes how the Office of the Privacy Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. Examples of complaints the Office of the Privacy Commissioner may choose to investigate include personal information being used or disclosed otherwise than in accordance with section 7 or 8 of the Act, refusal to provide access to personal information requested under the Act, failure to provide information in the official language requested by the individual, the collection, retention or disposal of personal information, etc.

During fiscal year 2016–17, FINTRAC received one complaint related to FINTRAC’s decision to withhold information under the Act. The complaint is ongoing.

Federal Court Cases

Nothing to report.

Privacy Breaches

Nothing to report.

Privacy Impact Assessments (PIA)

The Government’s Directive on Privacy Impact Assessments (PIAs) requires that FINTRAC ensures privacy principles are taken into account when there are proposals for, and during the design, implementation, and evolution of, programs and services that raise privacy issues. FINTRAC currently has core PIA reports in place for all of its main programs and services.

In 2016–17, FINTRAC completed no new core PIAs. However, in accordance with its Privacy Policy, FINTRAC routinely conducts privacy impact checklists that must be completed during the design phase of any project involving an addition or a change to a program using personal data. Along with these checklists, FINTRAC’s Security, Information Management, and ATIP experts are engaged in all projects involving personal information. The ATIP Office provides regular advice and guidance to all FINTRAC employees to further ensure that FINTRAC manages its personal information holdings effectively and in accordance with the Act.

Disclosures of Personal Information under Subsection 8(2)(m) of the Act

In accordance with subsection 8(2)(m) of the Act, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates if the disclosure is in the public interest or would clearly benefit the individual. In 2016–17, FINTRAC did not make any disclosures under subsection 8(2)(m) of the Act.

Annex A – Copy of the Director's Delegation Order

Delegation Order – Privacy Act and Regulations

Pursuant to Section 73 of the Privacy Act, the Director of the Financial Transactions and Reports Analysis Centre of Canada hereby makes the following designations to exercise the powers and perform the duties and functions of the Director of the Centre as the head under the provisions of the Privacy Act. The designation also applies to those persons occupying the listed positions on an acting basis.

Section/Article Deputy Director,
Corporate Management Sector
Manager,
Communications
ATIP Coordinator,
Communications

8(2)

Where personal information may be disclosed

Yes Yes  

8(2)(m)

Disclose in the public interest or in the interest of the individual

Yes Yes  

8(5)

Notice of disclosure under 8(2)(m)

Yes Yes  

9(1)

Record of disclosures to be retained

Yes Yes Yes

9(4)

Consistent uses

Yes Yes Yes

10

Personal information to be included in personal information banks

Yes Yes Yes

14

Notice where access requested

Yes Yes Yes

15

Extension of time limits

Yes Yes Yes

16(1)

Where access is refused

Yes Yes Yes

16(2)

Existence not required to be disclosed

Yes Yes Yes

17

Forms of Access

Yes Yes Yes

17(3)(b)

Access to personal information in alternative format

Yes Yes Yes

18(2)

Exemption (exempt bank) – Disclosure may be refused

Yes Yes Yes

19(1)

Exemption – Personal information obtained in confidence

Yes Yes  

19(2)

Exemption – Where authorized to disclose

Yes Yes  

20

Exemption – Federal-provincial affairs

Yes Yes  

21

Exemption – International affairs and defence

Yes Yes  

22

Exemption – Law enforcement and investigation

Yes Yes  

22.3

Exemption – Public Servants Disclosure Protection Act

Yes Yes  

23

Exemption – Security clearances

Yes Yes  

24

Exemption – Individuals sentenced for an offence

Yes Yes  

25

Exemption – Safety of individuals

Yes Yes  

26

Exemption – Information about another individual

Yes Yes  

27

Exemption – Solicitor-client privilege

Yes Yes  

28

Exemption – Medical record

Yes Yes  

33(2)

Investigations – Right to make representation

Yes Yes  

35(4)

Investigations – Access to be given

Yes Yes Yes

51

Review by the Federal Court – Actions relating to international affairs and defence

Yes Yes  

72

Report to Parliament

Yes Yes  


 

Regulations Deputy Director,
Corporate Management Sector
Manager,
Communications
ATIP Coordinator,
Communications

9

Reasonable facilities and time provided to examine personal information

Yes Yes Yes

11(2)

Notification that correction to personal information has been made

Yes Yes Yes

11(4)

Notification that correction to personal information has been refused

Yes Yes Yes

13(1)

Disclosure of information relating to physical or mental health

Yes Yes Yes

This designation takes effect as of September 15, 2015.

Dated at Ottawa this 14th day of August, 2015.

Gérald Cossette
Director, Financial Transactions and Reports Analysis Centre of Canada

Date Modified: