The assertion, made in the annual report to Parliament on the Privacy Act, relates specifically to an eight-year-old financial security system that has been audited for the first time.
The Canadian Privacy Commissioner had audited the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), which collects and analyzes financial transactions to help spot money laundering and terrorist financing.
"Our audit found that FINTRAC is acquiring and retaining more personal information than what the Proceeds of Crime (Money Laundering) and Terrorist Financing Act allows", said the report.
FINTRAC potentially requires up to 300 000 entities - including banks, credit unions, life insurance companies, and foreign exchange dealers - to report personal information about clients' financial transactions, without the clients' consent, the report said.
Privacy transgressions in FINTRAC included a number of reports made on the basis of unsubstantiated suspicion. At least one report was made on the basis of an individual's ethnic origin in spite of the fact that the individual had provided legitimate reasons for the source of funds.
FINTRAC's privacy accountability guidelines are not clearly defined, and its privacy risk management process has not been formalized, the report added. Staff are not given privacy-specific training, either.
"The centre should enhance its front-end screening of reports, and develop stronger ongoing monitoring and review to ensure that its information holdings are both relevant and not excessive", the report recommended.
The report also highlighted several information security breaches in Canadian organizations throughout the year. Agriculture and Agri-Food Canada was hacked by a script kiddie using an unsophisticated attack in September 2008, for example, exposing 60 000 personal data records of farmers using a federal loan guarantee program.