Administration of the Privacy Act Annual Report 2019–20
Table of Contents
- About FINTRAC
- The Access to Information and Privacy Office
- Delegation of Authority
- Statistical Overview and Accomplishments
- Performance of Privacy Request Case Activity
- Method of Access
- Responses to Completed Privacy Requests
- Completion Times and Extensions of Privacy Requests
- Exemptions Invoked
- Consultations under the Act
- Corrections and Notations
- Impact of COVID-19
- Complaints and Investigations
- Federal Court Cases
- Material Privacy Breaches
- Privacy Impact Assessments (PIA)
- Disclosures of Personal Information under Subsection 8(2)(m) of the Act
- Training and Education
- Operational and Organizational Changes to the Privacy Program
- New Privacy-related Policies, Guidelines, or Procedures Implemented
- Privacy Request Program Performance and Monitoring
- Annex A – Copy of the Director and Chief Executive Officer's Delegation Order
This report to Parliament, which is prepared and tabled in accordance with Section 72 of the Privacy Act (hereafter the “Act”), describes the activities of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in administrating the Act during fiscal year 2019–20. This report should be considered along with FINTRAC's 2019–20 Annual Report on the Administration of the Access to Information Act, which is tabled separately.
The purpose of the Act is to protect the privacy of individuals with respect to personal information about themselves held by government institutions and to provide individuals with a right of access to that information.
FINTRAC is Canada's financial intelligence unit and anti-money laundering and anti-terrorist financing regulator and plays a critical role in combating money laundering, terrorism financing, and threats to the security of Canada. The Centre has two core responsibilities framed around a duty to protect the personal information entrusted to FINTRAC.
First, the Centre is responsible for ensuring the compliance of reporting entities subject to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. These compliance obligations allow for certain economic activities to be more transparent, which helps prevent and deter nefarious individuals and organizations from using Canada's legitimate economy to launder the proceeds of their crimes or finance terrorist activities. FINTRAC is committed to working with businesses to help them understand and comply with their obligations.
Second, based on the financial transaction reports it receives from reporting entities, FINTRAC produces actionable financial intelligence that is disclosed, when thresholds are met, to police, law enforcement, and national security agencies. In addition, FINTRAC produces strategic financial intelligence, including specialized research reports and trends-analysis, for regime partners and policy decision-makers, businesses, and international counterparts. Strategic intelligence shines a light on the nature, scope, and threat posed by money laundering and terrorism financing.
The Access to Information and Privacy Office
FINTRAC's Access to Information and Privacy (ATIP) Office is responsible for leading, coordinating and undertaking the Centre's access to information and privacy responsibilities. The ATIP Office is part of FINTRAC's Communications Group, which falls under the Deputy Director (and Chief Financial Officer) of the Enterprise Policy, Research and Programs Sector. The Deputy Director, who is also the Centre's Chief Privacy Officer, is responsible for the overall management of all access to information and privacy matters within FINTRAC.
The Centre's ATIP Office consists of an ATIP Coordinator, a Senior ATIP Advisor, and an ATIP Advisor. Key responsibilities of the ATIP Office include:
- developing and implementing policies, procedures, and guidelines to ensure FINTRAC's compliance with the Act and the Access to Information Act;
- ensuring the timely processing of privacy and access requests, and meeting proactive disclosure obligations;
- providing advice, guidance, and awareness activities to FINTRAC employees, contractors, and students on ATIP-related matters;
- representing FINTRAC in its discussions and negotiations with external stakeholders, including other government departments, third parties, the Treasury Board Secretariat of Canada, the Office of the Privacy Commissioner, the Office of the Information Commissioner, and the general public;
- maintaining Personal Information Banks and conducting privacy impact assessments; and
- preparing annual reports to Parliament and publishing FINTRAC's Info Source Chapter.
To support the ATIP Office in meeting its legislative obligations, FINTRAC established a collaborative network comprised of representatives from all sectors and relevant units within the Centre. These representatives are responsible for coordinating requests, providing guidance on the Act within their work units, participating in networking forums, and liaising with the ATIP Office on all ATIP-related matters.
Delegation of Authority
Order in Council P.C. 2000-1066 designates the Director and Chief Executive Officer of FINTRAC as head of FINTRAC for the purposes of administering the Act and FINTRAC's privacy program. Pursuant to Section 73 of the Act, FINTRAC's Director and Chief Executive Officer delegated the authority to exercise the powers, functions, and duties under the Act to the Deputy Director, the Manager of Communications and the ATIP Coordinator within the Enterprise Policy, Research and Programs Sector (formerly the Corporate Management Services Sector). These functions have full-delegated authority under the Act and the Access Information Act, in accordance with the delegation of authority instrument approved by the Director and Chief Executive Officer in October 2019.
A copy of the Director and Chief Executive Officer's Delegation Order in place during 2019–20 is available in Annex A.
Statistical Overview and Accomplishments
Performance of Privacy Request Case Activity
During the reporting period of April 1, 2019 to March 31, 2020, there was a 29% increase in the number of requests received by FINTRAC (31) under the Act compared to the previous reporting year (24). Together with the outstanding 3 requests from the previous year, 32 requests were completed in 2019–20, while 2 were carried over to the next year.
View the text equivalent Number of requests received and completed over the past five years
|Year||Requests received||Requests outstanding||Requests completed||Requests carried over|
Despite a demanding year, FINTRAC maintained its on-time rate of 100% for all privacy requests in 2019–20, well above the federal government's overall average response rate of 77% for 2018–19.
Method of Access
When responding to requests under the Act, FINTRAC provided 1 applicant with electronic copies and 6 applicants with paper copies of responsive records.
Responses to Completed Privacy Requests
FINTRAC responded to 32 requests in 2019–20:
- In 6 cases, the applicant received full disclosure of the information.
- In 1 case, the applicant received partial disclosure of the information.
- In 16 cases, FINTRAC responded that it was unable to acknowledge the existence of information.
- In 2 cases, the requests were abandoned by the applicant.
- In 7 cases, it was determined that no records existed within FINTRAC's information holdings.
Completion Times and Extensions of Privacy Requests
The Act allows up to an additional 30-day extension beyond the 30-day statutory period for specific reasons. During the reporting period, FINTRAC completed all requests, with the exception of 1, within the 30-day statutory deadline. The ATIP Office took an additional 30-day extension beyond the original 30-day statutory period due to the volume of records that it had to process while managing other priority files and operational pressures.
The ATIP Office invoked exemptions under the Act, as follows:
- Section 22 (law enforcement and investigation) – 10 instances
- Section 25 (safety of individuals) – 10 instances
- Section 26 (personal information about another individual) – 10 instances
Consultations under the Act
Consultations undertaken between institutions are an essential part of processing requests under the Act. They afford institutions that have an interest in the records proposed for disclosure with an opportunity to make recommendations to the processing institution. For this reporting period, FINTRAC did not receive any new consultation requests from other government institutions.
Corrections and Notations
For this reporting period, FINTRAC did not receive any requests for corrections of personal information.
Impact of COVID-19
Due to the COVID-19 global pandemic, FINTRAC focused on its core mandate and had limited capacity to fulfill its Privacy Act request responsibilities between March 16 and March 31 of the reporting year. Employees of FINTRAC's ATIP Office teleworked and made best efforts to process existing and any new requests it received without imposing undue burden on the Centre's employees who were facing challenging circumstances, including, in a number of cases, not having access to FINTRAC systems.
Complaints and Investigations
Subsection 29(1) of the Act describes how the Office of the Privacy Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. FINTRAC did not receive any complaints during the reporting period.
Pursuant to section 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Privacy Commissioner is required to conduct a biennial review of the measures taken by FINTRAC to protect information it receives or collects, and to report the results of these audits to Parliament. The Office of the Privacy Commissioner initiated but did not finalize an audit during the 2019–20 reporting period.
Federal Court Cases
There were no court cases involving FINTRAC during the reporting period.
Material Privacy Breaches
Privacy Impact Assessments (PIA)
The Government's Directive on Privacy Impact Assessments (PIAs) requires that FINTRAC ensures privacy principles are taken into account when there are proposals for, and during the design, implementation, and evolution of programs and services that raise privacy issues. FINTRAC currently has core PIA reports in place for all of its main programs and services.
Disclosures of Personal Information under Subsection 8(2)(m) of the Act
In accordance with subsection 8(2)(m) of the Act, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates if the disclosure is in the public interest or would clearly benefit the individual. In 2019–20, FINTRAC did not make any disclosures under subsection 8(2)(m) of the Act.
Training and Education
Information protection is an integral part of FINTRAC's mandate. As such, the Centre requires its employees (including students and contractors) to have a heightened awareness of security, privacy, information management and access to information. The FINTRAC Code of Conduct, Values and Ethics specifically describes employees' legal obligations to protect information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and makes reference to the Privacy Act, the Canadian Charter of Rights and Freedoms, the Access to Information Act, and FINTRAC's privacy, security and information management policies. Adherence to the Code of Conduct, Values and Ethics is a condition of employment for every FINTRAC employee.
The following training and awareness activities took place during the reporting period:
- The ATIP Office published monthly information notices regarding access to information and privacy protection on FINTRAC's intranet site.
- Access to information and privacy protection messaging is incorporated in the mandatory corporate overview training and Information Management's awareness sessions for all new employees. In 2019–20, 3 corporate overview sessions were provided to 15 new employees and multiple, mostly one-on-one, Information Management awareness sessions were delivered to 90 employees. The sessions raised employee awareness about their responsibilities under the Acts, and covered the obligations and best practices for managing personal information in accordance with the Privacy Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and FINTRAC's privacy, security and information management policies.
- FINTRAC's Security Office delivered 23 mandatory security awareness sessions to a total of 89 new or returning employees. These sessions covered the importance of security at FINTRAC; the roles and responsibilities of all employees; classification, transmission, and storage of information; the need to know/need to share principle; and the consequences of unauthorized disclosure and inappropriate use of information.
- The ATIP Office also raises awareness by providing day-to-day coaching as well as targeted information sessions to ATIP representatives. In 2019–20, 5 training sessions were delivered to 8 new representatives. Providing this focused training fosters a spirit of collaboration and has been essential to the success of FINTRAC's ATIP program.
Operational and Organizational Changes to the Privacy Program
Nothing new to report.
New Privacy-related Policies, Guidelines, or Procedures Implemented
None to report.
Privacy Request Program Performance and Monitoring
FINTRAC's automated case management system facilitates timely responses to requests, documents important actions and decisions, and monitors performance. The system also includes an audit log, has extensive search capabilities to enable analysis of previously processed information, and generates progress and statistical reports.
Monitoring of FINTRAC's performance and ATIP compliance are clear priorities within FINTRAC's corporate governance. The ATIP Office provides a monthly update at FINTRAC's Executive Committee, which consists of FINTRAC's Director and Chief Executive Officer (Deputy Minister level), 3 deputy directors (Assistant Deputy Minister level), 3 assistant directors (Associate Assistant Deputy Minister level), and FINTRAC's general counsel.
Through its robust privacy management framework, FINTRAC continues to safeguard the personal information under its control as it focuses on protecting Canadians and the integrity of Canada's financial system through the detection and deterrence of money laundering and terrorist activity financing.
Annex A – Copy of the Director and Chief Executive Officer's Delegation Order
Delegation Order – Privacy Act and Regulations
Pursuant to Section 73 of the Privacy Act, the Financial Transactions and Reports Analysis Centre of Canada's Director and Chief Executive Officer delegates the full authority to exercise the powers, functions, and duties under the Privacy Act to the Deputy Director, the Manager of Communications, and the Access to Information and Privacy Coordinator within the Enterprise Policy, Research & Programs Sector. This delegation order also applies to persons occupying any of these positions on an acting basis.
This designation takes effect as of October 21, 2019.
Director and Chief Executive Officer
Financial Transactions and Reports Analysis Centre of Canada
234 Laurier Avenue West
Ottawa, Ontario K1P 1H7 Canada
Cat. No. FD2-6/2E-PDF
- Date Modified: