Privacy Commissioner Jennifer Stoddart says FINTRAC has received and retains information beyond its legislative authority. (Tom Hanson/Canadian Press)

The government agency responsible for investigating suspected terrorist financing and money laundering is storing personal information beyond its legal mandate, according to an audit by Canada's privacy commissioner.

Jennifer Stoddart also expressed concerns about Transport Canada's no-fly list — a passenger screening tool to prevent people named on a "specified persons list" from boarding domestic and international flights from or to Canadian airports.

The audit of the Financial Transactions and Reports Analysis Centre of Canada notes it found no evidence to suggest FINTRAC is collecting information beyond what is authorized.

But it did find it "has received and retains information beyond the centre's legislative authority."

For example, cash transactions of $10,000 or more must be reported. But the audit found there have been instances in which transactions under that amount were reported.

The audit also found that, of the files sampled, a number did not demonstrate "reasonable ground to suspect" money laundering or terrorist financing.

"It is clear that such reports, containing not a shred of evidence of money laundering and terrorist financing, should not be making their way into the FINTRAC database," Stoddart said in a news release.

As well, the audit found, FINTRAC is collecting "extraneous information" including social insurance numbers and health card numbers, "where prohibited by provincial legislation."

Delete data outside mandate, FINTRAC urged

Stoddart recommended that FINTRAC work with the agencies that report allegedly suspicious cases to ensure the centre does not get personal information it has no legislative authority to receive "and that it does not need or use."

She also urged FINTRAC to permanently delete all personal data that falls outside its legal mandate.

With regard to the no-fly list, Stoddart looked into whether the program has adequate controls and safeguards in place to protect personal information.

She found officials did not always provide the deputy minister – who is ultimately responsible for adding to or removing people’s names from the "specified persons" list – all the information needed.

The report also found a small number of carriers have relied on paper copies of the list, heightening the risk that information could inadvertently become public.

But Stoddart said the department has made changes to bolster information for the deputy minister and keep a closer eye on airlines handling the no-fly list.

With files from The Canadian Press