Language selection


Privacy Policy

February 9, 2011

On this page

  1. Effective date
  2. Application
  3. Context
  4. Policy statement
  5. Roles and responsibilities
  6. Policy requirements
  7. Consequences
  8. Risk management
  9. Management of employee personal information
  10. Fair information principles
  11. References
  12. Legislation relevant to this policy
  13. Companion policies, procedures, and guidelines
  14. Enquiries
  15. Annex A: Definitions and explanations
  16. Annex B: Provisions in the PCMLTFA promoting the privacy of Canadians

1. Effective date

This policy takes effect on February 9, 2011.

2. Application

This policy applies to all employees (indeterminate, temporary, students) and contractors of the Financial Transactions and Reports Analysis Centre of Canada (hereinafter referred to as FINTRAC). Please refer to Roles and Responsibilities
(Section 5 below).

3. Context

In carrying out its mandate under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), FINTRAC receives and collects personal information about individuals as defined by section 3 of the Privacy Act. The PCMLTFA is unique in that it contains a specific provision requiring FINTRAC to ensure the protection of personal information under FINTRAC's control. As a result, safeguarding personal information is a value that is an overarching and fundamental consideration in every aspect of FINTRAC operations. The basis for this value is found in the PCMLTFA, the Privacy Act and the Charter of Rights and Freedoms. A list of the provisions in the PCMLTFA that protect the privacy of individuals can be found in Annex B.

FINTRAC's Privacy Policy is an expression of its commitment to protect the information with which it is entrusted and to adhere not only to the legislative requirements of the Privacy Act and the PCMLTFA, but to the spirit of the Acts as well.

4. Policy statement


The objective of this policy is to ensure that FINTRAC effectively manages the personal information under its control by:

Expected results

The expected results of this policy are:

5. Roles and responsibilities

FINTRAC's Director and Chief Executive Officer is accountable for safeguarding personal information under the control of FINTRAC. The Director and Chief Executive Officer's powers as deputy head under the Privacy Act have been delegated to the Deputy Director, to the Communications Manager, and to the Access to Information and Privacy (ATIP) Coordinator of the Enterprise Policy, Research and Programs Sector.

FINTRAC's Chief Privacy Officer (CPO) provides strategic privacy leadership and oversees privacy related activities involving the functions of FINTRAC. The CPO provides updates to the Director and Chief Executive Officer and the Executive Committee in relation to FINTRAC's privacy program and activities.

The ATIP Coordinator is accountable for the administration of Privacy Act requirements and for maintaining a consistent, coherent and up-to-date Privacy Policy, which conforms to the Policy on Privacy Protection and related Directives of the Government of Canada.

The Deputy Directors and Assistant Directors are accountable for safeguarding all personal information within their area of responsibility and for implementing this policy.

All managers, staff and contractors are accountable for ensuring that personal information under their control is protected from unauthorized disclosure and used only for the purpose for which it was retained. Furthermore, all employees are responsible for adhering to the principles and requirements set out in this policy, FINTRAC's Code of Conduct and Ethics and any other of FINTRAC's policies that contain established rules for the treatment and handling of personal information.

6. Policy requirements

  1. Personal information shall be received, collected, used, disclosed and disposed of in compliance with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), the Privacy Act, and the Library and Archives of Canada Act.
  2. All personal information collected and used by FINTRAC must be accounted for and published either as Personal Information Banks (PIB) or Classes of Personal Information in FINTRAC's chapter of the Treasury Board Secretariat's Info Source publication Sources of Federal Government Information.
    • All personal information that is used for administrative purposes (i.e. to make decisions about the individual to whom the information relates) must be described in a PIB; and
    • All personal information that is used for non-administrative purposes (i.e. where no decisions are made that directly have an impact on an identifiable individual) is described as Classes of Personal Information.
  3. All projects and activities involving the collection and use of personal information, including modifications to its use in any program, activity or service, shall be evaluated to determine the level of impact they have on individual privacy. This includes any operational changes to processes involving the way personal information is assessed (in decision making), used and disclosed. (See Part 8 - Risk Management - to better understand this requirement and how it serves FINTRAC and its privacy management role).
  4. Personal information must be safeguarded at a proportionate level in relation to relevant statements of sensitivity and threat risk assessments in order to ensure that personal information is not at risk of being misused or mishandled. Also, personal information must be protected from improper access, loss, use, disclosure or destruction through the inclusion of specific confidentiality provisions in contracts or other arrangements with third parties.
  5. Access to personal information shall be limited to those who have a need-to-know in order to effectively perform their duties and functions.
  6. All security breaches as defined in FINTRAC's Policy on Security must be reported to FINTRAC's Departmental Security Officer (DSO). Upon recognition that a security breach involves the misuse or mishandling of personal information the DSO must inform the Chief Privacy Officer (CPO) as well as the ATIP Coordinator, who is responsible for coordinating and documenting FINTRAC's assessment and possible response in accordance with FINTRAC's Privacy Breach Incident Guidelines.

7. Consequences

Violation of this Policy, which constitutes the inappropriate or unauthorized collection, use or disclosure of personal information through intent or neglect, may result in disciplinary action up to and including termination of employment. The PCMLTFA contains its own consequences in relation to unauthorized disclosure of personal information (see Annex B).

8. Risk management

The Government's Directive on Privacy Impact Assessments requires FINTRAC to ensure that privacy principles are being taken into account when there are proposals for, and during the design, implementation and evolution of, programs and services that raise privacy issues. This can include the carrying out of a Privacy Impact Assessment (PIA). FINTRAC's PIA Development and Approval Procedures outlines the factors to consider for undertaking PIAs and to what extent they are necessary.

It is important that ATIP be included at an early stage in the evaluation of projects that involve new collections of personal information or significant changes to the way FINTRAC collects, uses and discloses personal information. To determine the level of assessment required, a Privacy Impact Checklist must be completed during the design phase of any project involving a new or substantial change to a program using personal data. Early review of such projects will determine if:

PIAs will determine if there are specific privacy risks to the activity and will result in recommendations about how to mitigate such risks. Assessing the impact that program modifications have on privacy serves to:

9. Management of employee personal information

FINTRAC as an employer is committed to fair information practices for its employees, which creates a legitimate and enforceable expectation of privacy.

Personally identifiable information exists in employee and job applicant records. The collection, use, disclosure, retention and disposal of this information must be managed in a way that takes into account the Privacy Act's principles of confidentiality, accuracy and relevance. The spirit and the letter of the Privacy Act, as it pertains to federal government employees, are expressed in this policy as well as the Government's Policy on Privacy Protection.

10. Fair information principles

The widely accepted Fair Information Principles must be considered when collecting, using and disclosing personal information. These principles serve as the basic foundation of the Privacy Act and Personal Information Protection and Electronic Documents Act (PIPEDA) and must be borne in mind by FINTRAC when assessing and constructing its programs which collect and use personal information. The following lists each principle and a brief description about how they are generally considered by FINTRAC.

Accountability Deputy Directors and Assistant Directors are accountable for personal information collected and used in their area of responsibilities and ensure that appropriate policies and procedures are set in place.

Identifying purposes — FINTRAC provides the rationale for any collections and uses of personal information and such purposes must be made public by way of privacy notices at points of collection, Info Source reporting, and through other means of communication.

Other than for the purpose of administration (i.e. human resources, corporate services, etc.), FINTRAC's collections of personal information are expressly authorized by the PCMLTFA and its regulations. In general, FINTRAC receives financial transaction reports and related information indirectly from individuals (i.e. third-party reporting), and therefore, in most cases, is unable to inform individuals of the purpose for which the information is collected.

Consent — FINTRAC's collection, use and disclosure of personal information is legally authorized under the PCMLTFA. In relation to collections of personal information for purposes other than compliance and analysis (i.e. for purposes of human resources, administration, etc.) consent is only relevant if and when FINTRAC wishes to use an individual's personal information beyond its original purpose.

Limiting collection — FINTRAC collects only necessary, relevant personal information required to accomplish its mandate and does so only by lawful, fair and transparent means. In keeping with this principle, FINTRAC makes efforts, on an ongoing basis, to validate the information that it receives in order to limit its holding to only that to which it is legally entitled.

Limiting use, disclosure, and retention — FINTRAC can only use personal information for those purposes for which it was originally collected or for purposes consistent with those purposes, for example, in relation to its mandate in the detection and deterrence of money laundering and terrorist activity financing.

The PCMLTFA states that the information received from reporting entities, law enforcement and the public along with information collected by FINTRAC can only be disclosed in very specific situations. In the furtherance of its analytical mandate, FINTRAC may disclose personal Information but only to the appropriate Canadian police force (federal, provincial, and/or municipal), to other specified federal institutions (Canadian Security Intelligence Service, Canada Border Services Agency, Canada Revenue Agency and the Communications Security Establishment Canada), or to a foreign financial intelligence unit with which there is a Memorandum of Understanding. In this context FINTRAC may only disclose personal information when, on the basis of its analysis, it has met one or more of the thresholds for disclosure set out in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

FINTRAC may also disclose to the appropriate law enforcement agencies, or to a foreign financial intelligence unit, with whom there is a memorandum of understanding, any information of which it becomes aware in exercising its compliance functions and that it suspects on reasonable grounds is evidence of a contravention of Part I of the PCMLTFA (which outlines the reporting, client identification and record keeping obligations of reporting entities).

The PCMLTFA states that FINTRAC must retain all reports received from reporting entities and all other information received or collected by FINTRAC for 10 years following the receipt of the report or the receipt or collection of the information. Fifteen years following the receipt of a report, FINTRAC must destroy any identifying information contained in that report if the report was not disclosed. 

The retention of all other personal information received or collected by FINTRAC pursuant to the PCMLTFA, or otherwise, is managed in accordance with FINTRAC's Information Management Policy.

Accuracy — Where possible, FINTRAC ensures that the personal information under its control is sufficiently accurate, complete, and up-to-date in order to minimize the possibility that inappropriate decisions may be made about an individual.

In relation to some of the personal information it receives and collects pursuant to its mandate, such as transaction reports, voluntary information and information collected from law enforcement and national security databases, FINTRAC relies on information provided by third parties and as such is unable to validate the accuracy of certain information.

Individual access — To the extent possible FINTRAC allows individuals to request copies and question the accuracy and completeness of their personal information.

Under s. 55 of the PCMLTFA, FINTRAC is prohibited from disclosing any information contained in the reports it receives or the information it receives or collects pursuant to its mandate or any of the analytical products that it prepares from such reports and information. Despite this prohibition, an individual has a right of access to his or her personal information subject to the exemptions set out in the Privacy Act.

In general, however, in order to not compromise its intelligence mandate or the effectiveness of the anti-money laundering and anti-terrorist financing regime, FINTRAC must neither confirm nor deny the existence of information when it receives requests for access, under the Privacy Act, to most financial transaction reports or any information that it has derived from those reports (i.e. intelligence products). As a consequence, the right to correct or challenge the accuracy of such information cannot be exercised.

Cross Border Currency Reports (CBCRs), which are signed by the individuals to whom they relate, may be accessible under the Privacy Act, where that individual provides FINTRAC with specific details regarding their declaration along with government issued identification. Requests to correct information contained in CBCRs, however, are directed to the Canada Border Services Agency (CBSA) which is the government agency responsible for the reception and the submission of CBCRs to FINTRAC. CBSA is responsible for the administration of PART II of the PCMLTFA, which relates specifically to the importation and exportation of currency and monetary instruments at Canada's borders and airports.

Safeguards — FINTRAC protects personal information by security safeguards appropriate to its sensitivity as identified in security assessments and in accordance with the FINTRAC Security Policy.

Openness — FINTRAC aims to be open about its privacy policies and practices by making information publicly available.

Challenging compliance — FINTRAC has a procedure for handling complaints lodged against it by individuals in relation to access requests made under the Privacy Act.

FINTRAC's compliance with the Privacy Act is also verified by the Office of the Privacy Commissioner (OPC). In addition the OPC, pursuant to the PCMLTFA, is required to conduct bi-annual reviews of FINTRAC's measures to protect the information it receives and collects. The review reports of the OPC must be submitted to Parliament.

11. References

Model Code for the Protection of Personal Information, CAN/CSA-Q830-96

Treasury Board Secretariat Privacy and Data Protection Policies

12. Legislation relevant to this policy

Canadian Charter of Rights and Freedoms

Library and Archives of Canada Act

Personal Information Protection and Electronic Documents Act (PIPEDA) 2000, c. 5

Privacy Act (R.S. 1985, c. P-21) and related Privacy Regulations

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), 2000, c.17

13. Companion policies, procedures, and guidelines

The FINTRAC Privacy Policy is consistent and complementary to other FINTRAC policies and related instruments such as:

14. Enquiries

Enquiries about this policy should be directed to ATIP.

Access to Information and Privacy Coordinator
Financial Transactions and Reports Analysis Centre of Canada
24th Floor, 234 Laurier Avenue West
Ottawa, ON K1P 1H7
Fax: 613-943-7931

15. Annex A

Definitions and Explanations


Personal Information: Personal information refers to any information about an identifiable individual that is recorded in any form. It includes information about race, ethnicity, education, criminal and employment history, financial transaction in which an individual has been involved, etc. (See Section 3 of the Privacy Act for more information).

Under the control: Personal information is considered to be under the control of FINTRAC when the Centre is authorized to collect and use, to grant or deny access, and to dispose of it. This includes information retained by its regional offices.

16. Annex B

Provisions in the PCMLTFA promoting the privacy of Canadians

To promote the privacy of Canadians, the Proceeds of Crime (Money Laundering) and Terrorist Act contains the following provisions. These provisions include:

Date Modified: