Privacy Impact Assessment (PIA) Summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Hélène Robichaud
A/Director General, Commemoration Division
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garrett-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
International Commemorative Activities
Description of Program or Activity:
The Government of Canada, led by Veterans Affairs Canada, is commemorating significant milestones from the First and Second World Wars. Beginning in 2016, the commemoration activities include the 100th anniversary of the Battles of the Somme and Beaumont-Hamel in July 2016, the 100th anniversary of the Battle of Vimy Ridge in April 2017, the 75th anniversary of the Dieppe Raid in August 2017, and the 100th anniversary of the Battle of Passchendaele in November 2017. In response to changing security environments, certain governments are seeking more identifying personal information than in the past, which led to the need to assess the privacy risks of such a request.
The Privacy Impact Assessment comprises two parts: a) privacy risks associated with the Beaumont-Hamel commemorative event in July 2016; and b) an addendum that includes a post-event analysis applicable to future international commemorative activities. At the conclusion of the July 2016 Beaumont-Hamel commemorative event, the approach to the collection, disclosure and retention of personal information was modified to reduce risks identified during the event, so that the continually evolving program is delivered in a manner that balances security and the privacy rights of individuals. The additional risks and the mitigation measures that were implemented are documented in a post-event analysis that forms an addendum to this Privacy Impact Assessment.
In December 2018, an addendum to the Privacy Impact Assessment (PIA) was completed to better reflect all International Commemorative Activities, as opposed to only the 2016 events. With an increased terror level across the globe, this addendum focused on necessary security safeguards, for both attendees and their personal information. No new risks were identified in the addendum process and all previous risks identified in the 2016 PIA have been mitigated.
Description of the Class of Record and Personal Information Bank associated with the program or activity:
Class of Record: Ceremonies and Events (VAC MVA 755)
Personal Information Bank: Ceremonies and Events (VAC PPU 621)
Legal Authority for Program or Activity:
Order in Council P.C. 1965-688
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the given risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
1) Type of Program or Activity
Administration of Programs / Activity and Services
Criminal investigation and enforcement / National Security
Level of risk to privacy – 2 and 4
2) Type of Personal Information Involved and Context
Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.
Level of risk to privacy – 2, 3 and 4
3) Program or Activity Partners and Private Sector Involvement
With other federal institutions
Private sector organizations or international organizations or foreign governments
Level of risk to privacy – 2 and 4
4) Duration of the Program or Activity
Long-term program
Level of risk to privacy – 3
5) Program Population
The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
6) Technology & Privacy
a) Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
b) Is the new or modified program or activity a modification of IT legacy systems and/or services?
Risk to privacy – No
c) Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
d) Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
e) Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behaviour.
Risk to privacy – No
7) Personal Information Transmission
The personal information is used in a system that has connections to at least one other system.
The personal information is transferred to a portable device or is printed.
Level of risk to privacy – 2 and 3
8) Risk Impact to the Institution
Managerial harm
Reputational harm, embarrassment, loss of credibility
Level of risk to privacy – 1 and 4
9) Risk Impact to the Individual or Employee
Physical harm
Level of risk to privacy – 4