2024–25 annual report on the administration of the Privacy Act
On this page
- Introduction
- About FINTRAC
- The Access to Information and Privacy Office
- Delegation of authority
- Statistical overview and accomplishments
- Performance of privacy request case activity
- Disposition of completed privacy requests
- Completion times and extensions of privacy requests
- Consultations under the Act
- Corrections and notations
- Complaints and investigations
- Material privacy breaches
- Privacy Impact Assessments (PIA)
- Disclosures of personal information under subsection 8(2)(m) of the Act
- Training and education
- New privacy-related policies, guidelines, procedures, or initiatives
- Privacy request program performance and compliance monitoring
- Closing
- Annex A – Director and Chief Executive Officer’s delegation order
Introduction
This Report to Parliament, which is prepared and tabled in accordance with Section 72 of the Privacy Act (hereafter the “Act”), describes the activities of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) in administering the Act during fiscal year 2024–25. This report should be considered along with FINTRAC’s 2024–25 Annual Report on the Administration of the Access to Information Act, which is tabled separately.
The purpose of the Act is to protect the privacy of individuals with respect to personal information about themselves held by government institutions and to provide individuals with a right of access to that information.
About FINTRAC
FINTRAC is Canada’s financial intelligence unit and anti-money laundering and anti-terrorist financing supervisor and plays a critical role in combatting money laundering, terrorist activity financing, sanctions evasion and threats to the security of Canada. The Centre has two core responsibilities framed around a duty to protect the personal information with which it is entrusted.
First, FINTRAC is responsible for ensuring compliance with Part 1 and 1.1 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its associated Regulations. This legal framework establishes obligations for specified businesses to develop a compliance regime in order to identify clients, monitor business relationships, keep records and report certain types of financial transactions to FINTRAC. These obligations allow for certain economic activities to be more transparent, which helps prevent and deter nefarious individuals and organizations from using Canada’s legitimate economy to launder the proceeds of their crimes, finance terrorist activities and/or evade sanctions. FINTRAC is committed to working with businesses to help them understand and comply with their obligations. The Centre also takes firm action when it is required to ensure that businesses take their responsibilities seriously. This includes undertaking compliance enforcement action such as follow-up examinations, the development and monitoring of action plans imposed on businesses, the levying of administrative monetary penalties, and the provision of non-compliance disclosures to law enforcement. The Centre also maintains a registry of Canadian-based money services businesses and foreign money services businesses that direct and provide services to persons and entities in Canada.
Second, FINTRAC generates actionable financial intelligence that assists Canada's law enforcement, national security agencies and international partners in combatting money laundering, terrorist activity financing, sanctions evasion and threats to the security of Canada. In addition, the Centre produces strategic financial intelligence for federal policy and decision-makers, the security and intelligence community, businesses across the country, international partners and other stakeholders. FINTRAC's strategic intelligence provides a wide analytic perspective on the nature, scope and threat posed by money laundering, terrorism financing and sanctions evasion.
The Access to Information and Privacy Office
FINTRAC’s Access to Information and Privacy (ATIP) Office is responsible for leading, coordinating and undertaking the Centre’s access to information and privacy responsibilities. The ATIP Office is part of FINTRAC’s Communications Group and led by the Centre’s Executive Communications Lead, who reports directly to FINTRAC’s Director and Chief Executive Officer. The Executive Communications Lead, who is also the Centre’s Chief Privacy Officer, is responsible for the overall management of all access to information and privacy matters within FINTRAC.
FINTRAC’s ATIP Office consists of an ATIP Coordinator and two Senior ATIP Advisors. Key responsibilities of the ATIP Office include:
- developing and implementing policies, procedures, and guidelines to ensure FINTRAC’s compliance with the Act and the Access to Information Act;
- ensuring the timely processing of privacy and access to information requests, and meeting proactive disclosure obligations;
- providing advice, guidance, and awareness activities to FINTRAC employees, contractors, and students on ATIP-related matters;
- representing FINTRAC in its discussions and negotiations with external stakeholders, including other government departments, third parties, the Treasury Board of Canada Secretariat, the Office of the Privacy Commissioner, the Office of the Information Commissioner and the general public;
- maintaining Personal Information Banks and conducting privacy impact assessments; and
- preparing annual reports on the administration of the Act and the Access to Information Act to Parliament and publishing FINTRAC’s Info Source Chapter.
To support the ATIP Office in meeting its legislative obligations, FINTRAC has established a collaborative network comprised of representatives from all sectors and relevant units within the Centre. These representatives are responsible for coordinating requests, providing guidance on the Act within their work units, and liaising with the ATIP Office on all ATIP-related matters.
FINTRAC is not party to any service agreements under section 73.1 of the Act.
Delegation of authority
Order in Council P.C. 2000-1066 designates the Director and Chief Executive Officer of the Centre as head of FINTRAC for the purposes of administering the Act and FINTRAC’s privacy program. Pursuant to Section 73 of the Act, FINTRAC’s Director and Chief Executive Officer delegated the authority to exercise the powers, functions, and duties under the Act to FINTRAC’s Executive Communications Lead and its ATIP Coordinator. These functions have full-delegated authority under the Act and the Access Information Act, in accordance with the delegation of authority instrument approved by the Director and Chief Executive Officer in March 2023.
A copy of the Director and Chief Executive Officer’s Delegation Order is available at Annex A.
Statistical overview and accomplishments
Performance of privacy request case activity
During the reporting period of April 1, 2024 to March 31, 2025, there was a 17% decrease in the number of requests received (35) by FINTRAC under the Act compared to the previous reporting year (42). With 5 outstanding requests from the previous fiscal year, FINTRAC had a total caseload of 40 requests in 2024–25, of which 36 were closed, as follows:
- 4 requests were completed in 1-15 days
- 26 requests were completed in 16-30 days
- 6 requests were completed in 31-60 days
View the text equivalent Number of requests received and completed over the past five years
| Year | Requests received | Requests outstanding | Requests completed | Requests carried over |
|---|---|---|---|---|
| 2020–21 | 17 | 2 | 19 | 0 |
| 2021–22 | 29 | 0 | 27 | 2 |
| 2022–23 | 31 | 2 | 29 | 4 |
| 2023–24 | 42 | 4 | 41 | 5 |
| 2024–25 | 35 | 5 | 36 | 4 |
Four remaining requests were carried over to 2025–26.
FINTRAC maintained an on-time response rate of 100% for all privacy requests in 2024–25, well above the Government of Canada's overall average response rate of 80% in 2023–24.
Disposition of completed privacy requests
FINTRAC completed 36 requests in 2024–25:
- In 1 case, representing 2.5% of the overall cases, the applicant received full disclosure of the information.
- In 7 cases, representing 20% of the overall cases, the applicants received partial disclosure of the information.
- In 18 cases, representing 50% of the overall cases, FINTRAC responded that it was unable to acknowledge the existence of information.
- In 9 cases, representing 25% of the overall cases, it was determined that no records existed within FINTRAC’s information holdings.
- In 1 case, representing 2.5% of the overall cases, the applicant abandoned their request.
Completion times and extensions of privacy requests
The Act allows an additional 30-day extension beyond the 30-day statutory period for specific reasons. During the reporting period, FINTRAC completed 28 requests within the 30-day statutory deadline, and 6 were completed with an additional 30 day extension as follows:
- 5 requests required an extension to process a large volume of pages (as per section 15(a)(i)).
- 1 request required an extension to complete a consultation (as per section 15(a)(ii) and to process a large volume of pages (as per section 15(a)(i)).
Consultations under the Act
Consultations undertaken between institutions are an essential part of processing requests under the Act. They provide institutions that have an interest in the records proposed for disclosure with an opportunity to make recommendations to the processing institution. For this reporting period, FINTRAC received one consultation request from another government institution to which it responded in 16-30 days.
Corrections and notations
For this reporting period, FINTRAC did not receive any requests for corrections of personal information.
Complaints and investigations
Subsection 29(1) of the Act describes how the Office of the Privacy Commissioner receives and investigates complaints from individuals regarding the processing of requests under the Act.
During the reporting year, FINTRAC received four complaints under the Act. FINTRAC worked closely with the Office of the Privacy Commissioner and provided representations in a timely manner. All of the complaints were resolved within the reporting period and in FINTRAC’s favour.
At the close of 2024–25, FINTRAC had no active complaints.
Material privacy breaches
A privacy breach involves improper or unauthorized collection, use, disclosure, retention, or disposal of personal information. As required by the Treasury Board of Canada Secretariat’s Directive on Privacy Practices, institutions and their delegated authorities are required to establish plans and procedures for addressing privacy breaches. During the reporting period, no material privacy breaches occurred.
Privacy Impact Assessments (PIA)
The Government’s Directive on Privacy Impact Assessments (PIAs) requires that FINTRAC ensure privacy principles are taken into account when there are proposals for, and during the design, implementation and evolution of, programs and services that raise privacy issues. FINTRAC currently has core PIA reports in place for its main programs and services. The Centre did not complete any new core PIAs in the reporting year.
In accordance with its Privacy Policy, FINTRAC routinely conducts privacy impact checklists that must be completed during the design phase of projects involving an addition or a change to a program using personal data. The Centre completed three privacy impact checklist in 2024–25. Along with these checklists, FINTRAC’s Security, Information Management and ATIP experts are engaged in projects involving personal information. The ATIP Office provides regular advice and guidance to FINTRAC employees to further ensure that the Centre manages its personal information holdings effectively and in accordance with the Act.
Disclosures of personal information under subsection 8(2)(m) of the Act
In accordance with subsection 8(2)(m) of the Act, a government institution may disclose personal information under its control without the consent of the individual to whom the information relates if the disclosure is in the public interest or would clearly benefit the individual.
In 2024–25, FINTRAC did not report any 8(2)(m) disclosures.
Training and education
Information protection is integral to FINTRAC’s mandate. As such, the Centre requires its employees (including students and contractors) to have a heightened awareness of security, privacy, information management and access to information. The FINTRAC Code of Conduct, Values and Ethics specifically describes employees’ legal obligations to protect information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and makes reference to the Privacy Act, the Canadian Charter of Rights and Freedoms, the Access to Information Act, and the Centre’s privacy, security and information management policies. Adherence to the Code of Conduct, Values and Ethics is a condition of employment for every FINTRAC employee.
The following training and awareness activities took place during the reporting period:
- The ATIP Office published monthly information notices regarding access to information and privacy protection on FINTRAC’s intranet site.
- The ATIP Office raised awareness by providing day-to-day coaching and targeted information sessions to ATIP representatives across the Centre. In 2024–25, 6 one-on-one training sessions were delivered. This focused training fosters a spirit of collaboration and has been essential to the success of FINTRAC’s broader ATIP program.
- The ATIP Office provides training and awareness sessions to employees tailored to the needs of specific operational groups. The ATIP Office delivered an awareness session to 10 employees during the 2024–25 period.
- FINTRAC employees completed the following online learning courses at the Canada School of Public Service:
- Access to Information and Privacy Fundamentals (106 employees)
- Access to Information in the Government of Canada (2 employees)
- Privacy in the Government of Canada (1 employee)
Access to information and privacy protection messaging is incorporated in mandatory Information Management awareness sessions and in New Employee Orientation Training.
FINTRAC’s Legal Services unit provides privacy awareness in its training of new employees, Legal Framework of FINTRAC, which outlines the various provisions of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act that promote the protection of Canadians’ privacy. The sessions reinforce employees’ obligations with respect to receiving, collecting, using, disclosing and safeguarding personal information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
Given the sensitive information and environment in which FINTRAC operates, a heightened understanding of information security is required of all employees. In addition to the requirement to complete the Canada School of Public Service Security Awareness Course (A230), new and returning employees must also undertake an in-house mandatory security awareness session. These sessions cover the importance of security at FINTRAC by:
- providing an understanding of the potential security risks (e.g., cyber, personal, operational, and insider threats) in relation to FINTRAC’s environment;
- highlighting the roles and responsibilities of all employees;
- discussing classification, transmission, and storage of information;
- covering the need to know/need to share principle; and
- emphasizing the consequences of unauthorized disclosure and inappropriate use of information.
As well as mandatory security training, all FINTRAC employees are made aware of the consequences of unauthorized disclosure and inappropriate use of personal information, which is covered in FINTRAC’s Policy on Security. All new employees are required to acknowledge that they have read and understood this policy.
New privacy-related policies, guidelines, procedures, or initiatives
None to report.
Privacy request program performance and compliance monitoring
FINTRAC’s automated case management system facilitates timely responses to requests, documents important actions and decisions, and monitors performance. The system also includes an audit log, has extensive search capabilities to enable analysis of previously processed information, and generates progress and statistical reports. FINTRAC uses the centralized platform ATIP Online Management Tool to receive requests under the Act and communicate with applicants.
Privacy is a key consideration in all FINTRAC programs and activities. As per its Privacy Policy, FINTRAC’s ATIP Office is engaged and assesses all new projects and programs, including contracts and agreements that involve the use of personal information to ensure that privacy and information safeguards are at the forefront of these activities.
The ATIP Office provides updates to senior management within FINTRAC’s corporate governance, as well as providing briefings on ATIP files to FINTRAC’s Executive Committee.
Closing
Through its robust privacy management framework, FINTRAC continues to safeguard the personal information under its control as it focuses on protecting Canadians and the integrity of Canada’s financial system through the detection and deterrence of money laundering, terrorist activity financing and sanctions evasion.
ANNEX A – Director and Chief Executive Officer’s delegation order
Access to Information Act and Regulations
Pursuant to Section 95 of the Access to Information Act, the Financial Transactions and Reports Analysis Centre of Canada’s Director and Chief Executive Officer delegates the full authority to exercise the powers, functions and duties under the Access to Information Act to the Manager of Communications and Chief Privacy Officer, and to the Access to Information and Privacy Coordinator. This delegation order also applies to persons occupying any of these positions on an acting basis.
This designation takes effect as of March 31, 2023
Sarah Paquet
Director and Chief Executive Officer
Financial Transactions and Reports Analysis Centre of Canada
234 Laurier Avenue West
Ottawa, Ontario K1P 1H7 Canada
Telephone: 1-866-346-8722
fintrac-canafe.canada.ca
© His Majesty the King in Right of Canada, 2025
ISSN 2563-7339
Cat. No. FD2-6/2E-PDF
- Date Modified: