Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Mary Nicholson
Director, Re-establishment, Financial Well-being and Business Intelligence Directorate
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garret-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
Rehabilitation Services and Vocational Assistance Program
Description of Program or Activity
The Veterans Affairs Canada (VAC) Rehabilitation Services and Vocational Assistance Program (Rehabilitation Program) is one of a suite of wellness programs designed to help modern-day Veterans and their families make and maintain the transition to civilian life. The Program offers comprehensive services, as part of an individualized rehabilitation plan, that can help restore their ability to function at home, and in their community and workplace. Eligible clients include Canadian Armed Forces (CAF) Veterans and, in certain cases, their spouses, common-law partners or survivors. The VAC Rehabilitation Program offers: medical rehabilitation services; psycho-social rehabilitation services; vocational rehabilitation services; and vocational assistance services.
The Rehabilitation Program is accessed through one of VAC's case managers located in local field offices across the country, or from VAC staff located on major CAF bases and wings. Rehabilitation services are usually provided through a network of local experts and based on the Veteran’s or other program participant’s provider of choice.
After the completion of the 2007 PIA for Rehabilitation Services, the business process was changed to include a third party contractor in the delivery model. While the decisions regarding eligibility are always made by VAC, some assessments and the delivery of vocational rehabilitation services is delivered, in part, by an external service provider under contract with VAC.
In 2015, two addendums to the Rehabilitation and Vocational Assistance PIA were completed. In April 2015, an addendum was completed to reflect a change to the Canadian Forces Members and Veterans Re-establishment Regulations (CFMVRCR), now Veterans Well-being Regulations, effective April 1, 2015. In May 2015, an addendum was completed to assess the awarding of a contract to a new external service provider for rehabilitation and vocational assistance services, effective June 5, 2015.
In March 2019 an addendum was completed to assess changes in the program eligibility, which will be phased in over time beginning April 1, 2019.
Description of the class of record and the Personal Information Bank
Rehabilitation – Class of Record VAC MVA 830
Rehabilitation Services and Vocational Assistance Program – Personal Information Bank VAC PPU 300
Classes of Records and Personal Information Banks can be reviewed at: Information about Programs and Information Holdings.
Legal Authority for Program or Activity
The authority for VAC to collect and use the personal information for the Rehabilitation Services and Vocational Assistance Program is established under the Canadian Forces Members and Veterans Re-establishment Act and related Regulations. Specifically, sections eight, nine, eleven and twelve of the legislation.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Administration of Programs / Activity and Services
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- Private sector organizations or international organizations or foreign governments.
Level of risk to privacy – 4
- Private sector organizations or international organizations or foreign governments.
- Duration of the Program or Activity
- Long-term program.
Level of risk to privacy – 3
- Long-term program.
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – No
- Enhanced identification methods – This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance – This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques – For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy – 2
- The personal information is used in a system that has connections to at least one other system.
- Risk Impact to the Institution
- Managerial harm
- Financial harm
- Reputational harm, embarrassment, loss of credibility.
Level of risk to privacy – 1, 3 and 4
- Risk Impact to the Individual or Employee
- Inconvenience
- Reputational harm, embarrassment
- Financial harm
Level of risk to privacy – 1, 2 and 3