OTTAWA - The colour of your skin or the countries you visit could mean details of your financial dealings end up at the national agency that fights terror funding, a review by the federal privacy watchdog has found.
Privacy Commissioner Jennifer Stoddart says the little-known Financial Transactions and Reports Analysis Centre is collecting too much personal information about Canadians.
In her annual report tabled Tuesday, Stoddart also says a deputy minister essentially rubber-stamped names that security agencies recommended for Canada's controversial no-fly list of banned air passengers.
The government's drive to secure public safety since the 9-11 terrorist attacks "has led to a seemingly insatiable appetite" for personal details, the report says.
"The unprecedented scope of government data collection that we are witnessing today heightens the risk of misuses and unauthorized disclosure. The consequences for individuals can be grave."
Stoddart says FinTRAC, the federal financial investigative agency, must scale back its data gathering.
The centre zeros in on cash linked to money laundering, terrorism and other crimes by sifting through information from banks, insurance companies, securities dealers, money service businesses, real estate brokers, casinos and others.
"While the centre has put in place elements of checks and controls, there are gaps that need to be addressed," Stoddart's report says.
She found that, although reports about allegedly dubious transactions are reviewed and prioritized, they are not assessed for reasonable suspicion of money laundering or terrorist financing.
In one case, a financial institution filed a report about a woman who deposited a cheque from a law firm. The institution was satisfied the person had provided legitimate reasons for the source of funds, but decided to tell FinTRAC anyway because of the woman's ethnic origin and the fact she had visited a particular country.
In another case, someone deposited a government cheque for less than $300 and then withdrew the entire amount. The financial institution filed a suspicious transaction report, but did not indicate why the dealing was being flagged.
Stoddart says it is clear that such reports should not make their way into the FinTRAC database, as they lack even a shred of evidence of wrongdoing. "It is a bedrock privacy principle that you collect only the personal information you need for a specific purpose," she told a news conference.
The commissioner also found instances where the centre kept "extraneous information" such as social insurance and health card numbers.
Stoddart recommended FinTRAC work with the agencies that report allegedly suspicious cases to ensure the centre does not get personal information it has no legislative authority to receive "and that it does not need or use."
She also urged the centre to permanently delete all personal data that falls outside its legal mandate.
FinTRAC agreed to numerous changes, including creation of a chief privacy officer position and development of new guidelines.
FinTRAC director Jeanne Flemming said Tuesday her agency receives 1.5 million records a month, making it difficult to purge unnecessary data.
"So once it gets through, how do you find it, without stopping the system to find it? And then even when you do find it, the next issue is, how do you delete it?"
New Democrat MP Bill Siksay said sheer volume is no excuse.
"If that's their mandate, and if they are collecting that information, they need to make sure that these safeguards are in place and act accordingly."
The no-fly list, which came into effect in June 2007, is intended to prevent people considered a threat to aviation security from boarding airplanes originating in or headed to Canada.
Overall, Stoddart found the Transport Department has operating procedures and agreements to ensure it collects only the personal information needed to administer the program.
However, the report indicates the deputy minister at Transport Canada, who is responsible for the names on the no-fly list, had almost nothing to go on when approving additions and deletions recommended by his department, the Canadian Security Intelligence Service and the RCMP.
"The deputy minister was provided with a recommendation to sign, with little to no supporting evidence to explain why someone should be placed on or removed from the list."
A small number of carriers have relied on paper copies of the list, heightening the risk that information could inadvertently become public, Stoddart added.
There were also no requirements that air carriers report security breaches involving personal information to the Transport Department.
Stoddart says Transport has made changes to bolster information for the deputy minister and keep a closer eye on airlines handling the no-fly list. "The department has committed to improve its practices to better protect Canadians' sensitive personal information."
However, Stoddart said she expected more regulation and parliamentary oversight of the no-fly list. "Its impact on the lives of Canadians remains opaque, and that's a concern."
Transport Canada officials had no immediate comment.
Technology creates new privacy challenges of an unprecedented scope and magnitude, the report notes.
A hacker using readily available software, for example, broke into a computer at Agriculture Canada, exposing about 60,000 personal files of farmers using a federal loan-guarantee program.
And more than 1,200 employees at the Foreign Affairs Department had access to a database containing confidential information about a citizen jailed abroad.
