February 9, 2011
Table of Contents
- Effective Date
- Policy Statement
- Roles and Responsibilities
- Policy Requirements
- Risk Management
- Management of Employee Personal Information
- Fair Information Principles
- Legislation Relevant to this Policy
- Companion Policies, Procedures, and Guidelines
- Annex A Definitions and Explanations
- Annex B Provisions in the PCMLTFA promoting the privacy of Canadians
I. Effective Date
This policy takes effect on February 9, 2011.
This policy applies to all employees (indeterminate, temporary, students) and contractors of the Financial Transactions and Reports Analysis Centre of Canada (hereinafter referred to as FINTRAC). Please refer to Roles and Responsibilities (Section V below).
In carrying out its mandate under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC receives and collects personal information about individuals as defined by section 3 of the Privacy Act. The PCMLTFA is unique in that it contains a specific provision requiring FINTRAC to ensure the protection of personal information under FINTRAC's control. As a result, safeguarding personal information is a value that is an overarching and fundamental consideration in every aspect of FINTRAC operations. The basis for this value is found in the PCMLTFA, the Privacy Act and the Charter of Rights and Freedoms. A list of the provisions in the PCMLTFA that protect the privacy of individuals can be found in Annex B.
IV. Policy Statement
The objective of this policy is to ensure that FINTRAC effectively manages the personal information under its control by:
- maintaining the careful balance between the need to collect, retain, use and disclose personal information about individuals and the right to privacy of those individuals;
- showing openness about FINTRAC's collection of personal information and its privacy practices;
- outlining the privacy principles on which this policy is based; and
- setting out a framework for the requirements relating to privacy.
The expected results of this policy are:
- collection, use and disclosure of personal information that respects the privacy principles set out in the Privacy Act and related Treasury Board Secretariat policy instruments;
- FINTRAC's mandate is effectively delivered by protecting the personal information under its control from unauthorized disclosure; and
- privacy is a key consideration in all FINTRAC programs and activities.
V. Roles and Responsibilities
FINTRAC's Director and Chief Executive Officer is accountable for safeguarding personal information under the control of FINTRAC. The Director and Chief Executive Officer's powers as deputy head under the Privacy Act have been delegated to the Manager of Communications and to the Access to Information and Privacy (ATIP) Coordinator.
FINTRAC's Chief Privacy Officer (CPO) provides strategic privacy leadership and oversees privacy related activities involving the functions of FINTRAC. The CPO provides updates to the Director and Chief Executive Officer and the Executive Committee in relation to FINTRAC's privacy program and activities.
The Deputy Directors and Assistant Directors are accountable for safeguarding all personal information within their area of responsibility and for implementing this policy.
All managers, staff and contractors are accountable for ensuring that personal information under their control is protected from unauthorized disclosure and used only for the purpose for which it was retained. Furthermore, all employees are responsible for adhering to the principles and requirements set out in this policy, FINTRAC's Code of Conduct and Ethics and any other of FINTRAC's policies that contain established rules for the treatment and handling of personal information.
VI. Policy Requirements
- Personal information shall be received, collected, used, disclosed and disposed of in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Privacy Act, and the Library and Archives of Canada Act.
- All personal information collected and used by FINTRAC must be accounted for and published either as Personal Information Banks (PIB) or Classes of Personal Information in FINTRAC's chapter of the Treasury Board Secretariat's Info Source publication Sources of Federal Government Information.
  - All personal information that is used for administrative purposes (i.e. to make decisions about the individual to whom the information relates) must be described in a PIB; and
  - All personal information that is used for non-administrative purposes (i.e. where no decisions are made that directly have an impact on an identifiable individual) is described as Classes of Personal Information.
- All projects and activities involving the collection and use of personal information, including modifications to its use in any program, activity or service, shall be evaluated to determine the level of impact they have on individual privacy. This includes any operational changes to processes involving the way personal information is assessed (in decision making), used and disclosed. (See Part VIII - Risk Management - to better understand this requirement and how it serves FINTRAC and its privacy management role).
- Personal information must be safeguarded at a proportionate level in relation to relevant statements of sensitivity and threat risk assessments in order to ensure that personal information is not at risk of being misused or mishandled. Also, personal information must be protected from improper access, loss, use, disclosure or destruction through the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties.
- Access to personal information shall be limited to those who have a need-to-know in order to effectively perform their duties and functions.
- All security breaches as defined in FINTRAC's Security Policy must be reported to FINTRAC's Departmental Security Officer (DSO). Upon recognition that a security breach involves the misuse or mishandling of personal information the DSO must inform the Chief Privacy Officer (CPO) as well as the ATIP Coordinator, who is responsible for coordinating and documenting FINTRAC's assessment and possible response in accordance with FINTRAC's Privacy Breach Incident Guidelines.
Violation of this Policy, which constitutes the inappropriate or unauthorized collection, use or disclosure of personal information through intent or neglect, may result in disciplinary action up to and including termination of employment. The PCMLTFA contains its own consequences in relation to unauthorized disclosure of personal information (see Annex B).
VIII. Risk Management
The Government's Directive on Privacy Impact Assessments requires FINTRAC to ensure that privacy principles are being taken into account when there are proposals for, and during the design, implementation and evolution of, programs and services that raise privacy issues. This can include the carrying out of a Privacy Impact Assessment (PIA). FINTRAC's PIA Development and Approval Procedures outlines the factors to consider for undertaking PIAs and to what extent they are necessary.
It is important that ATIP be included at an early stage in the evaluation of projects that involve new collections of personal information or significant changes to the way FINTRAC collects, uses and discloses personal information. To determine the level of assessment required, a Privacy Impact Checklist must be completed during the design phase of any project involving a new or substantial change to a program using personal data. Early review of such projects will determine if:
- A PIA is required in relation to personal information that will be used or disclosed to make decisions about an individual (administrative use); or if
PIAs will determine if there are specific privacy risks to the activity and will result in recommendations about how to mitigate such risks. Assessing the impact that program modifications have on privacy serves to:
- Ensure the identification of privacy risks of all programs using personal information;
- Weigh the benefit against the intrusion to privacy that may result from the change;
- Document the measures that are, or will be, taken to mitigate risks; and to
- Document the rationale behind risk acceptance.
IX. Management of Employee Personal Information
FINTRAC as an employer is committed to fair information practices for its employees, which creates a legitimate and enforceable expectation of privacy.
Personally identifiable information exists in employee and job applicant records. The collection, use, disclosure, retention and disposal of this information must be managed in a way that takes into account the Privacy Act's principles of confidentiality, accuracy and relevance. The spirit and the letter of the Privacy Act, as it pertains to federal government employees, are expressed in this policy as well as the Government's Policy on Privacy Protection.
X. Fair Information Principles
The widely accepted Fair Information Principles must be considered when collecting, using and disclosing personal information. These principles serve as the basic foundation of the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA) and must be borne in mind by FINTRAC when assessing and constructing its programs which collect and use personal information. The following lists each principle and a brief description about how they are generally considered by FINTRAC.
Accountability — Deputy Directors and Assistant Directors are accountable for personal information collected and used in their area of responsibilities and ensure that appropriate policies and procedures are set in place.
Identifying purposes — FINTRAC provides the rationale for any collections and uses of personal information and such purposes must be made public by way of privacy notices at points of collection, Info Source reporting, and through other means of communication.
Other than for the purpose of administration (i.e. human resources, corporate services, etc.), FINTRAC's collections of personal information are expressly authorized by the PCMLTFA and its regulations. In general, FINTRAC receives financial transaction reports and related information indirectly from individuals (i.e. third-party reporting), and therefore, in most cases, is unable to inform individuals of the purpose for which the information is collected.
Consent — FINTRAC's collection, use and disclosure of personal information is legally authorized under the PCMLTFA. In relation to collections of personal information for purposes other than compliance and analysis (i.e. for purposes of human resources, administration, etc.) consent is only relevant if and when FINTRAC wishes to use an individual's personal information beyond its original purpose.
Limiting collection — FINTRAC collects only necessary, relevant personal information required to accomplish its mandate and does so only by lawful, fair and transparent means. In keeping with this principle, FINTRAC makes efforts, on an ongoing basis, to validate the information that it receives in order to limit its holding to only that to which it is legally entitled.
Limiting use, disclosure, and retention — FINTRAC can only use personal information for those purposes for which it was originally collected or for purposes consistent with those purposes, for example, in relation to its mandate in the detection and deterrence of money laundering and terrorist activity financing.
The PCMLTFA states that the information received from reporting entities, law enforcement and the public along with information collected by FINTRAC can only be disclosed in very specific situations. In the furtherance of its analytical mandate, FINTRAC may disclose personal information but only to the appropriate Canadian police force (federal, provincial, and/or municipal), to other specified federal institutions (Canadian Security Intelligence Service, Canada Border Services Agency, Canada Revenue Agency and the Communications Security Establishment Canada), or to a foreign financial intelligence unit with which there is a Memorandum of Understanding. In this context FINTRAC may only disclose personal information when, on the basis of its analysis, it has met one or more of the thresholds for disclosure set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
FINTRAC may also disclose to the appropriate law enforcement agencies, or to a foreign financial intelligence unit, with whom there is a memorandum of understanding, any information of which it becomes aware in exercising its compliance functions and that it suspects on reasonable grounds is evidence of a contravention of Part I of the PCMLTFA (which outlines the reporting, client identification and record keeping obligations of reporting entities).
The PCMLTFA states that FINTRAC must retain all reports received from reporting entities and all other information received or collected by FINTRAC for 10 years following the receipt of the report or the receipt or collection of the information. Fifteen years following the receipt of a report, FINTRAC must destroy any identifying information contained in that report if the report was not disclosed.
The retention of all other personal information received or collected by FINTRAC pursuant to the PCMLTFA, or otherwise, is managed in accordance with FINTRAC's Information Management Policy.
Accuracy — Where possible, FINTRAC ensures that the personal information under its control is sufficiently accurate, complete, and up-to-date in order to minimize the possibility that inappropriate decisions may be made about an individual.
In relation to some of the personal information it receives and collects pursuant to its mandate, such as transaction reports, voluntary information and information collected from law enforcement and national security databases, FINTRAC relies on information provided by third parties and as such is unable to validate the accuracy of certain information.
Individual access — To the extent possible FINTRAC allows individuals to request copies and question the accuracy and completeness of their personal information.
Under s. 55 of the PCMLTFA, FINTRAC is prohibited from disclosing any information contained in the reports it receives or the information it receives or collects pursuant to its mandate or any of the analytical products that it prepares from such reports and information. Despite this prohibition, an individual has a right of access to his or her personal information subject to the exemptions set out in the Privacy Act.
In general, however, in order to not compromise its intelligence mandate or the effectiveness of the anti-money laundering and anti-terrorist financing regime, FINTRAC must neither confirm nor deny the existence of information when it receives requests for access, under the Privacy Act, to most financial transaction reports or any information that it has derived from those reports (i.e. intelligence products). As a consequence, the right to correct or challenge the accuracy of such information cannot be exercised.
Cross Border Currency Reports (CBCRs), which are signed by the individuals to whom they relate, may be accessible under the Privacy Act, where that individual provides FINTRAC with specific details regarding their declaration along with government issued identification. Requests to correct information contained in CBCRs, however, are directed to the Canada Border Services Agency (CBSA) which is the government agency responsible for the reception and the submission of CBCRs to FINTRAC. CBSA is responsible for the administration of Part II of the PCMLTFA, which relates specifically to the importation and exportation of currency and monetary instruments at Canada's borders and airports.
Safeguards — FINTRAC protects personal information by security safeguards appropriate to its sensitivity as identified in security assessments and in accordance with the FINTRAC Security Policy.
Openness — FINTRAC aims to be open about its privacy policies and practices by making information publicly available.
Challenging compliance — FINTRAC has a procedure for handling complaints lodged against it by individuals in relation to access requests made under the Privacy Act.
FINTRAC's compliance with the Privacy Act is also verified by the Office of the Privacy Commissioner (OPC). In addition the OPC, pursuant to the PCMLTFA, is required to conduct bi-annual reviews of FINTRAC's measures to protect the information it receives and collects. The review reports of the OPC must be submitted to Parliament.
Model Code for the Protection of Personal Information, CAN/CSA-Q830-96
Treasury Board Secretariat Privacy and Data Protection Policies
XII. Legislation Relevant to this Policy
- Canadian Charter of Rights and Freedoms
- Library and Archives of Canada Act
- Personal Information Protection and Electronic Documents Act (PIPEDA) 2000, c. 5
- Privacy Act (R.S. 1985, c. P-21) and related Privacy Regulations
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), 2000, c. 17
XIII. Companion Policies, Procedures, and Guidelines
- FINTRAC ATIP Requests Management Guidelines
- FINTRAC Code of Conduct and Ethics
- FINTRAC Directive on Email
- FINTRAC Financial Analysis and Disclosures Directorate Policies and Procedures
- FINTRAC Information Management Policy
- FINTRAC Procedures for the Development and Approval of Privacy Impact Assessments
- FINTRAC Privacy Breach Incident Guidelines
- FINTRAC Regional Operations and Compliance Directorate Policies and Procedures
- FINTRAC Security Policy
Enquiries about this policy should be directed to ATIP.
Access to Information and Privacy Coordinator
Financial Transactions and Reports Analysis Centre of Canada
24th Floor, 234 Laurier Avenue West
Ottawa, ON K1P 1H7
Annex A Definitions and Explanations
Personal Information: Personal information refers to any information about an identifiable individual that is recorded in any form. It includes information about race, ethnicity, education, criminal and employment history, financial transactions in which an individual has been involved, etc. (See Section 3 of the Privacy Act for more information).
Under the control: Personal information is considered to be under the control of FINTRAC when the Centre is authorized to collect and use, to grant or deny access, and to dispose of it. This includes information retained by its regional offices.
Annex B Provisions in the PCMLTFA promoting the privacy of Canadians
To promote the privacy of Canadians, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act contains the following provisions:
- ensuring that the personal information under its control is protected from unauthorized disclosure, par. 40(c);
- responding to the threats posed by organized crime by providing law enforcement with financial information while ensuring that appropriate safeguards are put in place to protect personal information, par. 3(b);
- collecting personal information from public sources that it considers relevant to money laundering or terrorist financing, ss. 54(b);
- except where authorized, FINTRAC is prohibited from disclosing any information in reports (made under s. 7, 7.1, 9, 9.1), information voluntarily provided to the Centre about suspicions of money laundering or of the financing of terrorist activities, analytical products prepared by the Centre from the reports and information referred to above, and information received or collected for registration of money services businesses, s. 55;
- FINTRAC's employees are subject to the same provisions that FINTRAC is subject to, ss. 55(2);
- any access to law enforcement or national security databases can only take place if FINTRAC and the law enforcement or national security agency have entered into agreements that set out the nature of and the limits with respect to the information that FINTRAC may collect from those databases, ss. 54(b) and 66(2);
- all reports and all information referred to in par. 54(a) and (b) must be retained for 10 years beginning on the day on which the report was received. Fifteen years after the day on which a report, referred to in par. 54(a), was received, any identifying information contained in the report must be destroyed, if the information contained in the report was not disclosed, ss. 54(d) and (e);
- the Minister of Finance must sign or approve MOUs with agencies of foreign states or international organizations before any information can be disclosed by FINTRAC to such agencies, s. 56.1;
- MOUs with foreign agencies or international organizations must restrict the use of information to purposes relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence or an offence that is substantially similar to either offence. Such agreements must state that the information is to be treated in a confidential manner and must not be further disclosed without FINTRAC's express consent, s. 56.1;
- FINTRAC must record in writing its reasons for its disclosures of designated information, ss. 55(5.1), 55.1(2) and 56.1(4);
- FINTRAC cannot disclose information that would directly or indirectly identify either the provider of a report or information or the subject of a report or information received by FINTRAC, s. 53, ss. 58(2);
- FINTRAC must comply with compulsory processes only when they are issued in the course of the prosecution of a money laundering or a terrorist activity financing offence or an offence under the PCMLTFA, s. 59(1);
- no search warrant can be issued against FINTRAC, s. 59(2);
- law enforcement and security agencies must get a court order to gain access to additional information held by FINTRAC, s. 60 and 60.1;
- the Canada Revenue Agency must get a court order to gain access to additional information held by FINTRAC, but it may only do so for the purposes of an investigation in respect of an offence that is the subject of a disclosure, s 60.3;
- only a person authorized by FINTRAC's Director and Chief Executive Officer may examine the records and inquire into the business of persons or entities (identified in s. 5) and this may only be done for the purpose of ensuring compliance with Part 1 of the PCMLTFA, s 62(1);
- if a reporting entity's premises is a dwelling house, an authorized person may only enter the premises with the permission of the occupant or a warrant, s 63(1);
- when an authorized person enters a dwelling house under authority of a warrant, the authorized person may enter only a room or part of a room in which the person believes that the business of the reporting entity is being carried on, s. 63(3);
- in relation to the information that it gathers pursuant to its compliance powers, FINTRAC may make disclosures of non-compliance to the appropriate law enforcement agency only when FINTRAC suspects on reasonable grounds that the information is evidence of a contravention of Part 1 of the PCMLTFA, s 65(1);
- information disclosed to regulators for compliance purposes may be used by the recipients only for purposes relating to compliance with Part 1 of the PCMLTFA, ss.65(3);
- information disclosed to foreign agencies for compliance purposes can only be used for compliance purposes, must be treated in a confidential manner and cannot be further disclosed without FINTRAC's express consent, s 65.1(1);
- in undertaking its audits of FINTRAC, the Office of the Auditor General is subject to the prohibitions set out in ss. 55(1) of the PCMLTFA, s. 70(2);
- FINTRAC's Annual Report must include a description of the management guidelines and policies of the Centre for the protection of human rights and freedoms, ss. 71(2);
- on a biennial basis, the office of the Privacy Commissioner reviews the measures FINTRAC has taken to protect information it receives or collects and its findings are reported to Parliament, ss. 72(2); and
- offences and punishment for unauthorized disclosure can be up to 5 years in jail, a fine of up to $500,000, or both, ss. 74-77.