Language selection


Administration of the Privacy Act Annual Report 2020–21

On this page


This report to Parliament, which is prepared and tabled in accordance with Section 72 of the Privacy Act (hereafter the “Act”), describes the activities of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in administrating the Act during fiscal year 2020–21. This report should be considered along with FINTRAC's 2020–21 Annual Report on the Administration of the Access to Information Act, which is tabled separately.

The purpose of the Act is to protect the privacy of individuals with respect to personal information about themselves held by government institutions and to provide individuals with a right of access to that information.


FINTRAC is Canada's financial intelligence unit and anti-money laundering and anti-terrorist financing regulator and plays a critical role in combating money laundering, terrorism financing, and threats to the security of Canada. The Centre has two core responsibilities framed around a duty to protect the personal information with which it is entrusted.

First, the Centre is responsible for ensuring compliance with Part 1 and 1.1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its associated Regulations. This legal framework establishes obligations for reporting entities to develop a compliance regime in order to identify clients, monitor business relationships, keep records and report certain types of financial transactions.  These compliance obligations allow for certain economic activities to be more transparent, which helps prevent and deter nefarious individuals and organizations from using Canada's legitimate economy to launder the proceeds of their crimes or finance terrorist activities. FINTRAC is committed to working with businesses to help them understand and comply with their obligations. The Centre also maintains a registry of money services businesses in Canada and foreign money services businesses that direct and provide services to persons and entities in Canada.

Second, FINTRAC is also mandated by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act to generate actionable financial intelligence that assists Canada's police, law enforcement and national security agencies and other international partners in combatting money laundering, terrorism financing and threats to the security of Canada. In addition, the Centre produces strategic financial intelligence for federal policy and decision-makers, the security and intelligence community, reporting entities across the country, international partners and other stakeholders. FINTRAC's strategic intelligence provides a wide analytic perspective on the nature, scope and threat posed by money laundering and terrorism financing. 

The Access to Information and Privacy Office

FINTRAC's Access to Information and Privacy (ATIP) Office is responsible for leading, coordinating and undertaking the Centre's access to information and privacy responsibilities. The ATIP Office is part of FINTRAC's Communications Group, which falls under the Deputy Director (and Chief Financial Officer) of the Enterprise Policy, Research and Programs Sector. The Deputy Director, who is also the Centre's Chief Privacy Officer, is responsible for the overall management of all access to information and privacy matters within FINTRAC.

FINTRAC's ATIP Office consists of an ATIP Coordinator, and two Senior ATIP Advisors. Key responsibilities of the ATIP Office include:

To support the ATIP Office in meeting its legislative obligations, FINTRAC established a collaborative network comprised of representatives from all sectors and relevant units within the Centre. These representatives are responsible for coordinating requests, providing guidance on the Act within their work units, and liaising with the ATIP Office on all ATIP-related matters.

Delegation of Authority

Order in Council P.C. 2000-1066 designates the Director and Chief Executive Officer of FINTRAC as head of FINTRAC for the purposes of administering the Act and FINTRAC's privacy program. Pursuant to Section 73 of the Act, FINTRAC's Director and Chief Executive Officer delegated the authority to exercise the powers, functions, and duties under the Act to the Deputy Director of the Enterprise Policy, Research and Programs Sector, the Manager of Communications and the ATIP Coordinator within the Enterprise Policy, Research and Programs Sector. These functions have full-delegated authority under the Act and the Access Information Act, in accordance with the delegation of authority instrument approved by the Director and Chief Executive Officer in October 2019.

A copy of the Director and Chief Executive Officer's Delegation Order in place during 2020–21 is available in Annex A.

Statistical Overview and Accomplishments

Performance of Privacy Request Case Activity

During the reporting period of April 1, 2020 to March 31, 2021, there was a 45% decrease in the number of requests received by FINTRAC (17) under the Act compared to the previous reporting year (31). Together with 2 outstanding requests from the previous fiscal year, 19 requests were completed in 2020–21, with no requests carried over to the next year.

Number of Privacy Requests

View the text equivalent Number of requests received and completed over the past five years
Number of privacy requests
Year Requests received Requests outstanding Requests completed Requests carried over
2016–17 20 2 20 2
2017–18 29 2 30 1
2018–19 24 1 22 3
2019–20 31 3 32 2
2020–21 17 2 19 0

FINTRAC maintained an on-time response rate of 95% for all privacy requests in 2020–21, well above the federal government's overall average response rate of 85% in 2019–20.

Method of Access

When responding to requests under the Act, FINTRAC provided 1 applicant with electronic copies and 1 applicant with paper copies of responsive records.

Responses to Completed Privacy Requests

FINTRAC responded to 19 requests in 2020–21:

Completion Times and Extensions of Privacy Requests

The Act allows an additional 30-day extension beyond the 30-day statutory period for specific reasons. During the reporting period, FINTRAC completed all requests, with the exception of 1, within the 30-day statutory deadline. In the 1 case, the ATIP Office took an additional 30-day extension beyond the original 30-day statutory period due to the volume of records that it had to process while managing other priority files and operational pressures.

Exemptions Invoked

The ATIP Office invoked exemptions under the Act, as follows:

Consultations under the Act

Consultations undertaken between institutions are an essential part of processing requests under the Act. They afford institutions that have an interest in the records proposed for disclosure with an opportunity to make recommendations to the processing institution. For this reporting period, FINTRAC received 1 new consultation request from another government institution which was responded to within 15 days of its receipt.

Corrections and Notations

For this reporting period, FINTRAC did not receive any requests for corrections of personal information.

Impact of COVID-19

As a result of the early public health measures and restrictions associated with the COVID-19 global pandemic, FINTRAC directed its focus at fulfilling its core financial intelligence and compliance mandates. The Centre had limited capacity to fully discharge its Privacy Act responsibilities between April 1 and August 31 of the reporting year. During this period, FINTRAC's ATIP Office engaged in remote work and made best efforts to process existing and new requests without imposing undue burden on the Centre's employees who were facing challenging circumstances, including, in a number of cases, not having access to FINTRAC's systems.

Between September 2020 and April 2021, on-site access remained limited for some of FINTRAC's employees involved in processing requests under the Act. However, the ATIP Office was able to gain access to FINTRAC's physical workplace and respond to requests that remained in abeyance during the early pandemic months.

Complaints and Investigations

Subsection 29(1) of the Act describes how the Office of the Privacy Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act. During the reporting year, FINTRAC received notice from the Office of the Privacy Commissioner that a complaint it had received in 2019 alleging that FINTRAC had contravened the access provisions of the Act was finalized. The investigation concluded that FINTRAC properly responded to the complainant's request, and that the complaint was “not well-founded”.   

FINTRAC did not receive any new complaints under the Act in the reporting period.


Pursuant to section 72(2) of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, the Privacy Commissioner is required to conduct a biennial review of the measures taken by FINTRAC to protect information it receives or collects, and to report the results of these audits to Parliament. Such an audit of FINTRAC was initiated in 2019–20; however, it was not finalized by the Office of the Privacy Commissioner during the 2020–21 reporting period.

Federal Court Cases

There were no court cases involving FINTRAC during the reporting period.

Material Privacy Breaches

A privacy breach involves improper or unauthorized collection, use, disclosure, retention or disposal of personal information. As required by the Treasury Board Secretariat of Canada's Directive on Privacy Practices, institutions and their delegated authorities are required to establish plans and procedures for addressing privacy breaches. During the reporting period, no material privacy breaches occurred and, therefore, none were reported by FINTRAC to the Office of the Privacy Commissioner, or to the Information and Privacy Policy Division of the Treasury Board of Canada Secretariat.

Privacy Impact Assessments (PIA)

The Government's Directive on Privacy Impact Assessments (PIAs) requires that FINTRAC ensures privacy principles are taken into account when there are proposals for, and during the design, implementation, and evolution of programs and services that raise privacy issues. FINTRAC currently has core PIA reports in place for its main programs and services.

In 2020–21, FINTRAC completed no new core PIAs. However, in accordance with its Privacy Policy, FINTRAC routinely conducts privacy impact checklists that must be completed during the design phase of projects involving an addition or a change to a program using personal data. Along with these checklists, FINTRAC's Security, Information Management, and ATIP experts are engaged in projects involving personal information. The ATIP Office provides regular advice and guidance to FINTRAC employees to further ensure that the Centre manages its personal information holdings effectively and in accordance with the Act.

Disclosures of Personal Information under Subsection 8(2)(m) of the Act

In accordance with subsection 8(2)(m) of the Act, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates if the disclosure is in the public interest or would clearly benefit the individual. In 2020–21, FINTRAC did not make any disclosures under subsection 8(2)(m) of the Act.

Training and Education

Information protection is integral to FINTRAC's mandate. As such, the Centre requires its employees (including students and contractors) to have a heightened awareness of security, privacy, information management and access to information. The FINTRAC Code of Conduct, Values and Ethics specifically describes employees' legal obligations to protect information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and makes reference to the Privacy Act, the Canadian Charter of Rights and Freedoms, the Access to Information Act, and FINTRAC's privacy, security and information management policies. Adherence to the Code of Conduct, Values and Ethics is a condition of employment for every FINTRAC employee.

The following training and awareness activities took place during the reporting period:

Operational and Organizational Changes to the Privacy Program

Nothing new to report.

New Privacy-related Policies, Guidelines, or Procedures

None to report.

Privacy Request Program Performance and Monitoring

FINTRAC's automated case management system facilitates timely responses to requests, documents important actions and decisions, and monitors performance. The system also includes an audit log, has extensive search capabilities to enable analysis of previously processed information, and generates progress and statistical reports.

The ATIP Office provides updates to senior management within FINTRAC's corporate governance, as well as providing status updates of ATIP files to FINTRAC's Executive Office on a bi-weekly basis.


Through its robust privacy management framework, FINTRAC continues to safeguard the personal information under its control as it focuses on protecting Canadians and the integrity of Canada's financial system through the detection and deterrence of money laundering and terrorist activity financing.

Annex A – Director and Chief Executive Officer's Delegation Order

Delegation Order – Privacy Act and Regulations

Pursuant to Section 73 of the Privacy Act, the Financial Transactions and Reports Analysis Centre of Canada's Director and Chief Executive Officer delegates the full authority to exercise the powers, functions, and duties under the Privacy Act to the Deputy Director, the Manager of Communications, and the Access to Information and Privacy Coordinator within the Enterprise Policy, Research & Programs Sector. This delegation order also applies to persons occupying any of these positions on an acting basis.

This designation takes effect as of October 21, 2019.

Nada Semaan
Director and Chief Executive Officer
Financial Transactions and Reports Analysis Centre of Canada

234 Laurier Avenue West
Ottawa, Ontario  K1P 1H7 Canada
Telephone: 1-866-346-8722
Facsimile: 613-943-7931

ISSN 2563-7339
Cat. No. FD2-6/2E-PDF

Date Modified: