Administration of the Privacy Act Annual Report 2015–16

Table of Contents

Introduction

This report to Parliament, prepared and tabled in accordance with Section 72 of the Privacy Act (hereafter the "Act"), describes the activities of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in administrating the Act during fiscal year 2015–16.

The purpose of the Act is to:

  • Extend the present laws of Canada that protect the privacy of individuals with respect to personal information about themselves held by government institutions;
  • Set strict guidelines and conditions regulating the collection, accuracy, use, access and distribution, retention, and disposal of personal information necessary to the administration of government programs; and
  • Provide individuals with the right of access to information about themselves and to request correction of that information, thereby promoting both transparency and accountability in government institutions.

About FINTRAC

As Canada's financial intelligence agency, FINTRAC helps protect the safety of Canadians and the integrity of Canada's financial system through the detection, prevention, and deterrence of money laundering and terrorism financing. The Centre fulfills its mandate through the following activities:

  • Receiving financial transaction reports and voluntary information on money laundering and terrorism financing in accordance with the Proceeds of Crime (Money Laundering) and Terrorism Financing Act and regulations, and safeguarding personal information under its control.
  • Ensuring compliance of reporting entities with the legislation and regulations.
  • Producing financial intelligence relevant to the investigations of money laundering, terrorist activity financing and threats to the security of Canada.
  • Researching and analyzing data from a variety of information sources that shed light on trends and patterns in money laundering and terrorism financing.
  • Maintaining a registry of money services businesses in Canada.
  • Enhancing public awareness and understanding of money laundering and terrorist activity financing.

FINTRAC's financial intelligence assists money laundering investigations in the context of a variety of criminal investigations, where the origins of the suspected criminal proceeds are linked to drug offences, fraud, tax evasion, corruption, human smuggling, and other offences. FINTRAC's financial intelligence is also used by policy leaders and decision-makers to assess current and emerging trends and patterns in money laundering and terrorism financing, and the impact they may have on national security and broader government policy.

Delegation of Authority

Order in Council P.C. 2000-1066 designates the Director of FINTRAC as head of FINTRAC for the purposes of administering the Act and FINTRAC's privacy program. However, pursuant to Section 73 of the Act, the authority to exercise the powers and perform the functions and duties of the Director under the Act has been delegated to the Manager of Communications within the Corporate Management Services Sector. Certain functions have also been delegated to the Access to Information and Privacy (ATIP) Coordinator.

A copy of the Director's Delegation Order can be found in Annex A.

The Access to Information and Privacy Office

FINTRAC's ATIP Office is part of FINTRAC's Communications Group within the Corporate Management Services Sector. The ATIP Office consists of the ATIP Coordinator, a Senior ATIP Advisor, and an ATIP Advisor.

The ATIP Office is responsible for the coordination, development and implementation of policies, procedures, and guidelines to ensure FINTRAC's compliance with the Act and the Access to Information Act as well as related government policies and directives. The Office is primarily responsible for processing and responding to requests made under the Act (including consultations from other institutions) and providing training, advice, and guidance to FINTRAC employees, contractors, and students on ATIP-related matters.

The ATIP Coordinator's mandate is to promote and enforce compliance with the Act and its regulations, including parliamentary reporting requirements and related government policy requirements. The Coordinator is responsible for overseeing the creation of procedures, processing standards, and an awareness program to broaden the general knowledge and understanding of the principles of access to information and the management of information requests within FINTRAC. The Coordinator is also responsible for communicating and consulting with the Treasury Board Secretariat, the Office of the Information Commissioner, government departments and agencies, and the Canadian public at large.

The ATIP advisors are responsible for processing requests for access to information submitted under the Act including consultation requirements, and for providing subject matter expertise and guidance. The Senior ATIP Advisor in particular is responsible for developing procedures and guidelines, for leading the ATIP representatives' networking forums and for developing and delivering a training and awareness program.

FINTRAC maintains a network of 25 ATIP representatives who have been designated to coordinate requests within their area of responsibility, participate in networking forums, and liaise with the ATIP Office.

The ATIP Office is also supported by Legal Services, which provides advice as required.

Activities and Accomplishments

Performance

In fiscal year 2015–16, there was a 33% increase in the volume of requests processed by FINTRAC under the Act; a total of 34 new requests were received this fiscal year, compared to 23 in 2014–15. Taken together with the significant rise in Access to Information Act requests received in the same fiscal year (60%), this was a substantial increase for FINTRAC's ATIP Program. The increased workload was offset by the addition of a new full-time resource (the ATIP Advisor) who was mobilized in 2015–16 to support FINTRAC's increasing ATIP activities.

Despite the increase in demand and effort, FINTRAC's response rate for all privacy requests was 100%. This compares favourably with the federal government's overall average of 82% for 2014–15.

Significant Changes to the Organization, Programs, Operations, or Policy

In order to better align its program activities to deliver more efficiently on its legislative and operational mandate FINTRAC undertook a number of organizational changes in 2015–16. The Centre's operational programs, Compliance and Intelligence, were combined under the new Operations Sector. As well, the creation of the Corporate Management Services Sector saw the consolidation of Communications (including the ATIP Office), Information Management, Information Technology, Security, Finance and Administration, and Corporate Business Planning and Management.

Following these changes, the ATIP processing structure was modified to ensure proper coverage of responsibilities and efficiencies throughout the FINTRAC.

New Privacy-related Policies, Guidelines, or Procedures Implemented

Nothing to report.

Education and Training

The FINTRAC Code of Conduct, Values and Ethics specifically describes employees' legal obligations to protect information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and also makes reference to the Privacy Act, the Canadian Charter of Rights and Freedoms, the Access to Information Act, as well as to FINTRAC's Privacy, Security and Information Management Policies. Adherence to this Code is a condition of employment for every FINTRAC employee. The education and training activities organized for FINTRAC employees in fiscal year 2015–16 served to reinforce the obligations and values outlined in the Code and legislation.

Given FINTRAC's legislated mandate to protect personal information, employee awareness of privacy responsibilities is crucial and is achieved across FINTRAC in operational and corporate training. With respect to obligations under the Act and its related policy instruments, FINTRAC promotes privacy requirements and raises ATIP awareness among employees using specific and targeted methods, including face-to-face meetings, learning products, all-staff messages, and innovative media. It also raises awareness through mandatory group awareness sessions, held for employees on a cyclical basis. These include the following activities:

The following education and training activities took place in fiscal year 2015–16:

  • The ATIP Office provided 17 mandatory ATIP training and awareness sessions to a total of 339 employees, representing a coverage rate of 95%. The training focused on:
    • Employees' legal responsibilities and obligations under the Act;
    • The principles for assisting applicants;
    • Applicable definitions, delegations, exemption decisions and the exercise of discretion;
    • The requirement to provide complete, accurate and timely responses;
    • The complaint process and reviews by the courts;
    • Consequences of obstructing the right of access;
    • The Proceeds of Crime, Money Laundering, Terrorist Financing Act, and FINTRAC's obligations regarding the 10 privacy principles including its privacy governance;
    • The definition of personal information;
    • The legal authority on use, collection and disclosure of personal information as per sections 7 and 8 of the Act;
    • Accountability and risk management of personal information, including the conduct of privacy impact assessments and related activities;
    • What constitutes a privacy breach and reporting requirements; and
    • The consequences of non-compliance with the Act.
  • Four employees took part in a three-day comprehensive ATIP training and awareness session held by the Canada School of Public Service.
  • One employee completed the Information Access and Protection of Privacy Foundations online course through the University of Alberta.
  • Information notices regarding privacy protection and ATIP were published on a monthly basis on FINTRAC's intranet site. The notices included information in relation to privacy risk assessment requirements, offences for the obstruction of access, and Info Source publishing responsibilities.
  • Key messages on privacy principles are included in the mandatory Corporate Overview training and in FINTRAC's Information Management awareness sessions for all new employees (including contractors and students). In the reporting year, 12 Corporate Overview sessions were provided to 53 new employees, and 8 sessions of FINTRAC's Information Management awareness were provided to 93 employees. The sessions raised employee awareness about their responsibilities under the Act, and covered the obligations and best practices for managing personal information in accordance with the Act, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, and FINTRAC's Privacy, Security, and Information Management policies.
  • FINTRAC's Intelligence and Compliance programs have integrated fundamental ATIP concepts, privacy practices, and the protection of information into their core training programs, threading them throughout their individual module components. In 2015–16, 25 new employees participated in the mandatory Financial Intelligence Operations Training program. For the Compliance program's approximate 100 employees, privacy is reinforced at various regional and headquarters training forums, and through a variety of integrated business processes (institutionalized policies and procedures).
  • In its promotion of privacy and information protection, the Security Office delivered 33 specialized awareness sessions about unique security risks to FINTRAC to 164 participants in fiscal year 2015–16. Another 20 mandatory security awareness sessions were delivered to a total of 99 new or returning FINTRAC employees, contractors, and students. These sessions provided participants with an overview of:
    • The importance of security given FINTRAC's mandate;

    • Employee roles and responsibilities for protecting information;

    • Classification, transmission and storage of information;

    • The need to know/need to share principle; and

    • The consequences of unauthorized disclosure and inappropriate use of information.

Quarterly forums with members of FINTRAC's ATIP Representatives' Network took place in 2015–16 to discuss horizontal and functional questions, issues, and legal tests for invoking exemptions to withhold information. These forums serve to further enhance the knowledge and awareness of the employees who are directly responsible for coordinating responses to ATIP requests within their sector. They also provide opportunities for the members to discuss potential improvements or enhancements to the processing of ATIP requests. In addition to these meetings, the ATIP Office raises awareness by providing day-to-day interaction and function-specific contextual training, coaching and guidance to ATIP representatives and their colleagues. These activities have been essential to the success of FINTRAC's ATIP program as they foster collaboration and enable the exchange of ideas and solutions with respect to FINTRAC's ability to deliver on its privacy requirements under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Act.

Program Performance and Monitoring

FINTRAC's ATIP Office uses case management software (AccessPro Suite) to coordinate and facilitate the processing of requests, including monitoring performance, documenting important actions and decisions, and ensuring that requests are completed within legislated timelines.

FINTRAC's ATIP Coordinator provides regular briefings to the Corporate Management Services Sector Management Committee, FINTRAC's Corporate Services Committee and its Executive Committee on access and privacy statistics, issues, performance and compliance. Policy issues, issues of non-compliance, or processing delays are also discussed and addressed.

Statistical Overview

Privacy Request Case Activity

During the reporting period of April 1, 2015 to March 31, 2016, the ATIP Office received 34 new requests for access to personal information in addition to the 3 outstanding requests from the previous reporting period. Thirty-four requests were completed in 2015–16, while 3 were carried over to the next reporting period.

Method of Access

All applicants received paper copies of responsive documents as the number of pages for each release package was very low.

Disposition of Completed Requests

Thirty-four access requests were completed by FINTRAC in 2015–16:

  • In 7 cases, the applicant received full disclosure of the information.
  • In 2 cases, the applicant received partial disclosure of the information.
  • In 17 cases, FINTRAC responded that it was unable to acknowledge the existence of information.
  • In 4 cases, the requests were abandoned by the applicant.
  • In 4 cases, it was determined that no records existed within FINTRAC's information holdings.

Completion Times and Extensions

All requests were completed within the 30-day statutory deadline.

Exclusions and Exemptions Invoked

The ATIP Office invoked exemptions under the Act, as follows:

  • Section 22 (law enforcement and investigation) 17 instances   
  • Section 25 (safety of individuals) 18 instances   
  • Section 26 (personal information about another individual) 19 instances

No exclusions were invoked.

Other Requests

FINTRAC responded by the deadline to one formal consultation request from another government institution concerning a request they received under the Act.

The Centre was also consulted twice by private sector organizations under the Personal Information Protection and Electronic Documents Act and once by an organization that was processing a request under provincial freedom of information legislation.

In all 3 cases FINTRAC responded within the deadline stipulated by the consulting organization.

Corrections and Notations

The ATIP Office received no requests for corrections of personal information.

Complaints and Investigations

Nothing to report.

Federal Court Cases

Nothing to report.

Privacy Breaches

Nothing to report.

Privacy Impact Assessments (PIA)

The Government's Directive on Privacy Impact Assessments (PIA) requires that FINTRAC ensures privacy principles are taken into account when there are proposals for, and during the design, implementation, and evolution of, programs and services that raise privacy issues. FINTRAC currently has core PIA reports in place for all of its main programs and services.

In 2015–16, FINTRAC completed no new core PIAs. However, in accordance with its Privacy Policy, FINTRAC routinely conducts privacy impact checklists that must be completed during the design phase of any project involving an addition or a change to a program using personal data. Along with these checklists, FINTRAC's Security, Information Management, and ATIP experts are engaged in all projects involving personal information. The ATIP Office provides regular advice and guidance to all FINTRAC employees to further ensure that the Centre manages its personal information holdings effectively and in accordance with the Act.

Disclosures of Personal Information under Subsection 8(2)(m) of the Act

In accordance with subsection 8(2)(m) of the Act, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates if the disclosure is in the public interest or would clearly benefit the individual. In 2015–16, FINTRAC did not make any disclosures under subsection 8(2)(m) of the Act.

Annex A – Copy of the Director's Delegation Order

Delegation Order – Privacy Act and Regulations

The Director of the Financial Transactions and Reports Analysis Centre of Canada pursuant to Section 73 of the Privacy Act, hereby makes the following designations to exercise the powers and perform the duties and functions of the Director of the Centre as the head under the provisions of the Privacy Act. The designation also applies to those persons occupying the listed positions on an acting basis.

Section/Article Manager, Communications ATIP Coordinator, Communications

8(2)

Where personal information may be disclosed

Yes  

8(2)(m)

Disclose in the public interest or in the interest of the individual

Yes  

8(5)

Notice of disclosure under 8(2)(m)

Yes  

9(1)

Record of disclosures to be retained

Yes Yes

9(4)

Consistent uses

Yes Yes

10

Personal information to be included in personal information banks

Yes Yes

14

Notice where access requested

Yes Yes

15

Extension of time limits

Yes Yes

16(1)

Where access is refused

Yes Yes

16(2)

Existence not required to be disclosed

Yes  

17

Forms of Access

Yes Yes

17(3)(b)

Access to personal information in alternative format

Yes Yes

18(2)

Exemption (exempt bank) – Disclosure may be refused

Yes Yes

19(1)

Exemption – Personal information obtained in confidence

Yes  

19(2)

Exemption – Where authorized to disclose

Yes  

20

Exemption – Federal-provincial affairs

Yes  

21

Exemption – International affairs and defence

Yes  

22

Exemption – Law enforcement and investigation

Yes  

22.3

Exemption – Public Servants Disclosure Protection Act

Yes  

23

Exemption – Security clearances

Yes  

24

Exemption – Individuals sentenced for an offence

Yes  

25

Exemption – Safety of individuals

Yes  

26

Exemption – Information about another individual

Yes  

27

Exemption – Solicitor-client privilege

Yes  

28

Exemption – Medical record

Yes  

33(2)

Investigations – Right to make representation

Yes  

35(4)

Investigations – Access to be given

Yes Yes

51

Review by the Federal Court – Actions relating to international affairs and defence

Yes  

72

Report to Parliament

Yes  

Regulations Manager, Communications ATIP Coordinator, Communications

9

Reasonable facilities and time provided to examine personal information

Yes Yes

11(2)

Notification that correction to personal information has been made

Yes Yes

11(4)

Notification that correction to personal information has been refused

Yes Yes

13(1)

Disclosure of information relating to physical or mental health

Yes Yes

This designation takes effect as of the 15th of October, 2012

Dated at Ottawa this 29th day of October, 2012

Gérald Cossette
Director, Financial Transactions and Reports Analysis Centre of Canada

Date Modified: