Tabling of the 2008-2009 Annual Report to Parliament on the Privacy Act

Remarks at a media briefing

November 17, 2009
Ottawa, Ontario

Address by Jennifer Stoddart, Privacy Commissioner of Canada and
Chantal Bernier, Assistant Privacy Commissioner of Canada

(Check against delivery)

---

Commissioner Stoddart:

Good afternoon and thank you for coming.  Our latest annual report on the Privacy Act was tabled in Parliament this morning. It highlights the findings of recent audits of two major national security initiatives – the Passenger Protect Program, better known to Canadians as the “no-fly list,” and of FINTRAC, the Financial Transactions and Reports Analysis Centre of Canada.

I’ll briefly summarize what we found in the FINTRAC audit, Assistant Commissioner Chantal Bernier will describe the findings of our Passenger Protect audit, and then we will open the floor to any questions.

By way of background, FINTRAC is the independent agency mandated to analyze financial transactions and identify suspected money laundering and terrorist financing in Canada.  A large number of professionals and organizations – banks, accountants and casinos, for example – are required to collect information about their clients and report it to FINTRAC.

Our audit found that, overall, FINTRAC has a robust and comprehensive approach to securing the personal information of Canadians.

However, we looked at a sample of files in FINTRAC’s database and found that some of them contained personal information that the Centre does not need, use or have the legislative authority to receive.

For example, there was a report from a financial institution about a customer who had deposited a cheque.  Although the financial institution was satisfied with her explanation about the source of the money, it notified FINTRAC anyway – simply because of the woman’s ethnic origin and the fact she had visited a particular country. 

It is clear that such reports – containing not a shred of evidence of money laundering and terrorist financing – should not be making their way into the FINTRAC database.  It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose.  The federal government must have a justifiable need to collect someone’s personal information.

Clearly, FINTRAC needs to do more work with organizations to ensure it does not acquire personal information that it has no legislative authority to receive – and that it does not need or use.

We were pleased that FINTRAC accepted 10 of our 11 recommendations.  We had recommended that FINTRAC enhance its information-sharing agreements with foreign partners by including mandatory breach notification and audit provisions. However, the agency says the work it conducts in this area is sufficient. 

Assistant Commissioner Bernier:

As the Commissioner mentioned, we also conducted an audit of Transport Canada’s Passenger Protect Program. 

Generally speaking, we found that Transport Canada collects, uses and discloses personal information related to the program in a way that safeguards privacy.  But we did identify a few issues that need to be addressed.

We were concerned to learn that the process through which the Deputy Minister approves the addition or the removal of people’s names from the no-fly or “specified persons” list did not involve providing all the information needed to make these sorts of decisions. This constitutes a flaw in the oversight of the process to include persons in the list.

This is a significant concern given the serious repercussions for people named on the list.  They are denied the right to board flights and may face other sanctions or consequences. It must be said, though, that Transport Canada has accepted our recommendation in this regard and amended its process accordingly.

We also discovered Transport Canada had not verified that airlines are complying with federal regulations related to the handling of the “specified persons list.”  The risk of a breach is particularly high for the small number of air carriers that rely on paper copies of the list. 

Meanwhile, there were no requirements that air carriers report to Transport Canada security breaches involving personal information related to the no-fly list.

The audit also found that the computer application used to give air carriers information on the no-fly list was not subjected to the formal certification and accreditation process designed to ensure the security of sensitive personal information.

We’re pleased that Transport Canada has responded positively to all of our recommendations.

Commissioner Stoddart:

Since the terrorist attacks of 9/11, Canada has seen a rapid growth of national security programs and initiatives – many of them involving the collection, analysis and storage of personal information.

Our latest audits reinforce what our Office has been saying for some time – it is absolutely critical for government officials to integrate privacy protections into all of these initiatives at the outset.

Thank you.  We would be pleased to take any questions.  If you have technical questions, we have some members of our audit team here and they’ll be available after the briefing.