Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Mary Nicholson
Director, Health Care and Rehabilitation Programs
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garret-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
Education and Training Benefit
Description of Program or Activity
The Education and Training Benefit (ETB) program provides funding that allows eligible Veterans to pursue further training and education. The funding is intended to cover tuition, fees, materials and some incidental and living expenses while eligible Veterans are engaged in formalized educational programs. Veterans may also use funding toward fees and other costs associated with short courses aimed at certification, professional designation, small business/entrepreneurship or personal development in support of a Veteran’s meaningful activity and purpose. The amount of ETB available to Veterans is dependent on their number of years of service. Compensation is provided in the form of a lump sum payment directly to the Veteran. This program is delivered through grants.
ETB clients, who are also participants VAC’s Career Transition Services (CTS) Program, may receive assistance from the CTS National Service Provider in making informed decisions in regards to their education and training program.
Description of the class of record and the Personal Information Bank
- Education and Training Benefit – Class of Record VAC TBD
- Education and Training Benefit – Personal Information Bank VAC PPU TBD
- Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter
Legal Authority for Program or Activity
The legal authority for the Education and Training Benefit is provided under Part 1.1, sections 5.2 to 5.93 of the Veterans Well-being Act. Section 78.1 of the Veterans Well-being Act provides that the Minister may waive the requirement for an application. As well, sections 80 and 81 of the Veterans Well-being Act authorize the sharing of personal information in support of program development.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
- Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- Private sector organizations or international organizations or foreign governments.
Level of risk to privacy – 4
- Private sector organizations or international organizations or foreign governments.
- Duration of the Program or Activity
- Long-term program.
Level of risk to privacy – 3
- Long-term program.
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy - Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – Yes
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
The personal information is transferred to a portable device or is printed.Level of risk to privacy – 2, 3
- The personal information is used in a system that has connections to at least one other system.
- Risk Impact to the Individual or Employee
- Inconvenience,
- Reputational harm,
- embarrassment,
- Financial harm.
- Level of risk to privacy – 1, 2 and 3
- Risk Impact to the Institution
- Managerial harm,
- Organizational harm,
- Financial harm,
- Reputational harm,
- embarrassment,
- loss of credibility.
- Level of risk to privacy – 1, 2, 3 and 4