Canada's privacy watchdog is blasting a federal agency that is supposed to be gathering financial intelligence on suspected terrorists and money launderers, but has also collected personal banking records of thousands of ordinary Canadians not suspected of anything.

By law, Canadian banks, casinos and thousands of other businesses are required to report all financial transactions over $10,000, and any movement of money they suspect may be linked to terrorism or laundering the proceeds of crime.

But in a special report to Parliament today, Privacy Commissioner Jennifer Stoddart complains that an investigation of the Financial Transactions Reports Analysis Centre, known as FINTRAC, found far too many files that have nothing to do with terrorism or money laundering.

Instead, Stoddart's investigators found everyday financial transactions of ordinary Canadians — things such as down payments for homes and cars, and wire transfers from families overseas to their children studying here.

Stoddart's report points out that FINTRAC has amassed over 165 million reports containing personal information about financial transactions.

Civil liberties advocates say that likely means that thousands of innocent Canadians have been put under a cloud of suspicion, lumped in with suspected money launderers and terrorist financiers.

Stoddart's investigators found one case in which a Canadian bank filed a suspicious transaction report when a local shopkeeper deposited $570 in small bills.

The bank gave no indication in its report what it thought was suspicious about a shopkeeper making that kind of deposit.

The privacy investigation also found FINTRAC's files often contained more personal information than just details of a financial transaction.

Those details included medical records and tax returns as well as copies of drivers' licences, passports, social insurance cards, credit reports and even employee training records.

Officials say Canadians have no way of knowing if they have erroneously landed in this database of suspected terrorists and money launderers — and, by law, files cannot be erased for at least 10 years.

In an interview with CBC News, Chantal Bernier, deputy privacy commissioner, said the current situation is unacceptable.

"Essentially, FINTRAC receives and keeps information about innocent transactions, about Canadians who have absolutely no guilt, no reason to be in a database that is characterized by … suspicion of illegal activities," she said.

"The mere inclusion in the database without justification is a violation of the right to privacy."

Michael Vonn of the B.C. Civil Liberties Association said it is impossible to know what the implications might be for individuals flagged in a government database as "suspicious."

"When individuals suddenly find themselves of interest to say Canada Border Services, or the Canada Revenue Agency … we don't know how much of this leads back to FINTRAC."

This is not the first time the federal privacy watchdog has taken a bite out of FINTRAC.

Stoddart conducted a similar investigation of the agency in 2009, and came up with similar findings.

Clearly, not much has changed.

"I think that doing two audits and seeing the same issues come up leads us to conclude that actually these are systemic issues beyond FINTRAC," says Bernier.

The deputy privacy commissioner says the root problem is that the laws on terrorist financing and money laundering, drafted in the period following the 9/11 terror attacks, were a recipe for FINTRAC being swamped with excessive reporting of financial transactions of no relevance to law enforcement, and which the government has no business collecting.

In a nutshell, she says, with no definition of what constitutes a suspicious transaction, banks and other institutions are reporting far too many of them, and FINTRAC is screening out far too few before they get into the database.

Bernier points out that the law imposes fines up to $500,000 for a bank or other business not reporting a suspicious transaction, but no penalties at all for reporting something completely harmless.

"We believe that now there have to be legislative changes to address the bias towards over-reporting, and to clarify…the duties of FINTRAC," she says.

FINTRAC spokesperson Peter Lamey says the agency has about 350 employees and receives more than 20 million reports a year, and can't effectively screen them all.

He admits "in that number, there are going to be transactions that don't meet the legislative threshold."

But the solution, he says, is for the banks and others to be more selective about which transactions they flag to FINTRAC in the first place.

Lamey said that regardless of what ends up in FINTRAC's database, the agency is careful about what it passes along to law enforcement and intelligence agencies.

Vonn of the B.C. Civil Liberties Union says the more relevant point is that the vast amount of data being poured into FINTRAC's computers may be too much to analyse to find the real terrorist threats.

"We have no evidence here that this system is actually working to catch terrorism financing and money laundering. The best that they can come up with is that they hope it creates a chill on those entities."