2024 to 2025 Annual Report on the Privacy Act
Information contained in this publication or product may be reproduced, in part or in whole and by any means, for personal or public non-commercial purposes, without charge or further permission, unless otherwise specified. Commercial reproduction and distribution are prohibited except with written permission from the Financial Consumer Agency of Canada.
For more information, contact:
Financial Consumer Agency of Canada
427 Laurier Ave. West
Ottawa, ON K1R 7Y2
www.canada.ca/en/financial-consumer-agency
ISSN 2816-9832
©His Majesty the King in Right of Canada, as represented by the Minister of Finance Canada, October, 2025.
Aussi disponible en français sous le titre : 2024 à 2025 Rapport annuel sur la Loi sur la protection des renseignements personnels
Introduction
The Financial Consumer Agency of Canada (FCAC or the Agency) is pleased to present its annual report to Parliament on how it administered the Privacy Act (The Act) during the period from April 1, 2024, to March 31, 2025. This report was prepared and tabled in accordance with section 72 of the Act. The Privacy Act, which came into force on July 1, 1983, gives Canadian citizens, permanent residents, and individuals present in Canada—including those who are not citizens or permanent residents as defined by the Immigration and Refugee Protection Act—as well as corporations in Canada, the right to access personal information held by the government, with some limited exceptions. It also protects individuals’ privacy rights. During this reporting period, FCAC did not have any non-operational (“paper”) subsidiaries.
Organizational structure
FCAC is a federal government agency established under the Financial Consumer Agency of Canada Act (FCAC Act). The FCAC Act defines the Agency’s mandate, powers, duties, and functions, and identifies the federal laws and regulations under its supervision. Under Canadian legislation, the Commissioner of FCAC is designated as the head of the Agency. To support the administration of the Act and to ensure compliance, the Commissioner has delegated specific authorities to the following positions:
- Assistant Commissioner, Corporate Services: Supports the Commissioner by overseeing corporate services and ensuring that the Agency’s operations comply with the requirements of the Act.
- ATIP Coordinator (Manager, Security and Administration, Corporate Services): Responsible for developing, coordinating, and implementing effective policies, guidelines, systems, and procedures to ensure the Agency meets its obligations under the Act. The Coordinator also approves the release of records in accordance with delegated authorities.
- Senior ATIP Advisor: Provides expert advice and support to assist in the administration of the Act and ensure legislative compliance.
During this reporting period, the Agency was not party to any service agreement under section 73.1 of the Privacy Act.
Delegation order
The Delegation Order outlines the powers, duties, and functions under the Privacy Act that have been delegated by the Commissioner of the Agency, as the designated head of the institution. The Delegation Order is provided in Appendix A.
Performance 2024–2025
The Agency responded to 100% of the requests received within the legislative timeline. No requests were carried over from the previous reporting period, and 6 new requests were received. Of these:
- 3 were completed within 15 days and
- 3 were completed within between 16 and 30 days.
The Agency did not carry over any active requests and did not require any extensions. Of the 6 new requests received in 2024–2025, 33% were abandoned, 33% resulted in no records found, and the remaining 33% were disclosed in part.
The Agency did not receive any complaints during this reporting period. Additionally, the Agency did not receive any consultation requests from other government institutions or organizations.
Training and awareness
ATIP training was included in FCAC’s onboarding for new employees. Staff involved in access to information and privacy were coached on their responsibilities, how to retrieve records, and how the process works. The Agency also continued to require Office of Primary Interest staff to complete mandatory privacy training through the Canada School of Public Service. To raise awareness, FCAC shared information on its internal website during Access to Information and Privacy Week.
Policies, guidelines and procedures
The Agency followed the Privacy Act and Treasury Board Secretariat policies, procedures, and guidelines when processing requests. It also implemented updated internal procedures for handling privacy requests. In addition, the Agency developed and introduced a new tool to better meet privacy breach reporting requirements.
Initiatives and projects to improve privacy
To modernize service delivery and improve information management and request processing, the Agency used ATIP Online ATIP Online Management Tools V4 as part of its procedures. In addition, the Agency has acquired a request processing software solution, which is currently being implemented.
Summary of key issues and actions taken on complaints
The Agency did not have any active complaints during this reporting period.
Material privacy breaches
The Agency reported 1 material privacy breach to both the Office of the Privacy Commissioner and the Treasury Board of Canada Secretariat. The breach involved personal information extracted from a database and sent to an external personal email address. An internal investigation was conducted with the involvement of the Security, IT, and ATIP teams. A report detailing the findings was submitted to both oversight bodies, and the Agency is currently awaiting a response.
Privacy impact assessments
The Agency didn’t complete any privacy impact assessments during this reporting period.
Public interest disclosures
The Agency did not make any disclosures of personal information pursuant to paragraph 8(2)(m) of the Privacy Act.
Monitoring compliance
FCAC tracks processing times by recording all actions and activities in an electronic database. Timelines are set based on the legislated timeframes, and workflows are reviewed and adjusted when extensions are needed. Reports are generated and shared with the ATIP Coordinator as required. To protect privacy, all information is stored in a secure electronic database, with access restricted to those who need it.
Appendix A: Delegation Order
Privacy Act Delegation Order
The Commissioner of the Financial Consumer Agency of Canada, pursuant to section 73 of the Privacy Act, hereby designates the following persons to exercise or perform the powers, duties or functions of the head of the institution set out in the sections of the act indicated beside each position.
Original signed by
Werner Liedtke
Chief Financial Officer and Assistant Commissioner, Financial Consumer Agency of Canada
Date: July 18, 2024
| Section of the Privacy Act | Powers, duties or functions | Position |
|---|---|---|
| 8 | Disclosure for research purposed, Disclosure in the public interest or in the interest of the individual, Copies of requests under 8(2)(e) to be retained and Notice of disclosure under 8(2)(m) | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 9 | Record of disclosures to be retained and Consistent uses | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 14 | Notice where access requested | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 15 | Extension of time limits | Assistant Commissioner, Corporate Services ATIP Coordinator Senior ATIP Advisor |
| 17 | Language of access and Access to personal information in alternative format | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 18 | Exemption (exempt bank) – disclosure may be refused. | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 19 | Exemption – Personal information obtained in confidence and Where authorized to disclose | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 20 | Exemption – Federal-provincial affairs | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 21 | Exemption – International affairs and defence | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 22 | Exemption – Law enforcement and investigation and Public Servants Disclosure Protection Act | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 23 | Exemption – Security clearances | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 24 | Exemption – Individuals sentenced for an offence | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 25 | Exemption – Safety of individuals | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 26 | Exemption – Information about another individual | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 27 | Exemption – Solicitor-client privilege | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 28 | Exemption – Medical record | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 31 | Notice of intention to investigate of the Privacy Commissioner | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 33 | Right to make representation | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 35 | Notice of actions to implement recommendations of the Privacy Commissioner and Access to be given | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 36 | Notice of actions to implement recommendations of Commissioner concerning exempt banks | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 37 | Notice of actions to implement recommendations of Commissioner concerning compliance with sections 4 to 8 | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 51 | Special rules for hearings and Ex parte representations | Assistant Commissioner, Corporate Services ATIP Coordinator |
| 72 | Report to Parliament | Assistant Commissioner, Corporate Services ATIP Coordinator |