Audits of major national security programs raise concerns for privacy

Excessive reporting of personal information to FINTRAC and potential information technology risks with Canada’s “no-fly list” are among concerns identified in audits highlighted in the Privacy Commissioner’s annual report on public sector issues.

OTTAWA, November 17, 2009 — The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has more personal information in its database than it needs, uses or has the legislative authority to receive.

This was one of the key findings of the Privacy Commissioner of Canada’s in-depth audit of the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.

A separate audit, also published today, examined the Passenger Protect Program – better-known to Canadians as the no-fly list.  It identified several concerns, such as the fact that the Deputy Minister ultimately in charge of who is on the list was not provided with complete information to allow for informed decision-making.

“Since the terrorist attacks of 9/11, we’ve seen a proliferation of new national security programs.  We fully appreciate the underlying aim of many security programs – protecting Canadians.  However, it is critical – a point reinforced by our new audits – for government officials to integrate privacy protections into all of these programs at the outset,” says Privacy Commissioner Jennifer Stoddart.

The findings of the two audits are highlighted in the Commissioner’s 2008-2009 report to Parliament on Canada’s federal public-sector privacy legislation, the Privacy Act.

FINTRAC Audit

Legislative changes passed in 2006 expanded the types of transactions that must be reported to FINTRAC, as well as the number of professionals and organizations that are required to collect information about clients and to report it to FINTRAC. Examples of entities required to report to FINTRAC include financial institutions, life insurance companies, accountants and casinos.

The audit found that FINTRAC needs to do more to ensure that the amount of personal information it acquires is kept to an absolute minimum. A random sample of files examined in the audit turned up several reports that did not clearly demonstrate reasonable grounds to suspect money laundering or terrorist financing.  For example:  

• A reporting entity filed several reports stating it was “taking a conservative approach in reporting this … because there are no grounds for suspecting that this transaction is related to the commission of a money laundering offence, but there is a lack of evidence to prove that the transaction is legitimate.” 
• An individual deposited a government cheque for an amount less than $300 and then withdrew the entire amount. The financial institution filed a suspicious-transaction report, but did not indicate why the transaction was deemed suspicious.
• A financial institution filed a report about an individual who had deposited a cheque from a law firm.  The institution was satisfied that the individual had provided legitimate reasons for the source of funds, but decided to notify FINTRAC anyway because of the individual’s ethnic origin and the fact that this person had visited a particular country. 

“It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database,” says Commissioner Stoddart.

“It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose,” she says. “The federal government needs to have a justifiable need to collect someone’s personal information. Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.”

The audit recommended enhanced front-end screening of reports; stronger ongoing monitoring and review to ensure that information holdings are relevant and not excessive, and the permanent deletion of information that FINTRAC did not have the statutory authority to receive.

Under amendments passed in 2006, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act requires the Privacy Commissioner to review FINTRAC every two years and report the results to Parliament.

Passenger Protect Program Audit

The “no-fly list” is a passenger screening tool introduced in 2007 to prevent people named on a “specified persons list” from boarding domestic and international flights from or to Canadian airports.

The program has sparked privacy concerns, in part because it is secretive in that it uses personal information without the knowledge of the individuals concerned. Moreover, the repercussions for a person named on the list being denied boarding on an aircraft can be profound in terms of privacy and other human rights, such as freedom of association and expression and the right to mobility.

The focus of the audit, however, was to determine whether the program has adequate controls and safeguards in place to protect personal information. 

“We were concerned to learn that officials did not always provide the Deputy Minister – who is ultimately responsible for adding to or removing people’s names from the ‘specified persons’ list – all the information needed to make these sorts of decisions,” says Assistant Privacy Commissioner Chantal Bernier.

Other concerns identified during the audit included:

• Transport Canada has not verified that airlines are complying with federal regulations related to the handling and safeguarding of the “specified persons list.”  The risk of this information being inappropriately disclosed is particularly high for the small number of air carriers that rely on paper copies of the list. 
• There were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.
• Transport Canada did not demonstrate that the application used to transmit information to air carriers met government security standards.

The Passenger Protect Program and the FINTRAC audits, as well as the latest Privacy Act annual report, are available at www.priv.gc.ca. 

The annual report also includes details of privacy-related complaints against federal departments and agencies investigated during the 2008-2009 fiscal year.  The Office received 748 formal complaints in 2008-2009, down slightly from the previous year.  The most common complaints related to access to personal information and to the length of time government departments and agencies were taking to respond to access requests. 

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

To view the reports:

• Annual Report to Parliament 2008-2009 – Report on the Privacy Act
• Audit of the Financial Transactions and Reports Analysis Centre of Canada
• Audit of the Passenger Protect Program of Transport Canada
• Audit of Federal Annual Privacy Reports

For more information, contact:

Anne-Marie Hayden
Office of the Privacy Commissioner of Canada
Tel: (613) 995-0103
E-mail: ahayden@privcom.gc.ca