Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada (VAC)
Government Official Responsible for the Privacy Impact Assessment
Dr. Cyd Courchesne
Director General, Health Professionals
Head of the government institution / Delegate for section 10 of the Privacy Act
Amy Meunier
Director, Access to Information and Privacy
Name of Program or Activity of the Government Institution
Operational Stress Injury (OSI) Clinic Network
Description of Program or Activity
The initial Privacy Impact Assessment on the Operational Stress Injury (OSI) Clinic Network was completed in 2015. All OSI clinics are established through Memoranda of Understandings (MOUs) with provincial health organizations. Veterans Affairs Canada (VAC) purchases mental health care services from these provincial organizations to ensure exclusive access for eligible OSI clients. It is noted that these provincial clinics are subject to their own legislative requirements.
In 2016, an addendum was completed to address changes since the original PIA was written. A new OSI clinic opened in June of 2015, and the former VAC-run clinics at Ste. Anne’s Hospital were officially transferred from the Government of Canada to the Government of Quebec on April 1, 2016. The addendum assessed the risks associated with the transfer of personal information between VAC and the OSI Clinic Network. As well, an examination of the MOUs between VAC and the provincial health clinics was undertaken to assess privacy protection clauses to ensure privacy best practices are addressed and followed in support of the cross-jurisdictional transfer of personal information.
Veterans Affairs Canada (VAC) defines an Operational Stress Injury (OSI) as any persistent psychological difficulty resulting from operational duties performed while serving in the Canadian Armed Forces (CAF) or as a member of the Royal Canadian Mounted Police (RCMP). Operational Stress Injuries are usually associated with a traumatic event but can become heightened when there is a lack of support or resources. They can include post-traumatic stress disorder, anxiety, mood disorders, addictions, sleep disturbances, anger, chronic pain, and relationship problems.
The OSI Clinic network provides specialized mental health care services for eligible Veterans and family members. In 2006 access was extended to still-serving members of the CAF and RCMP.
Description of the class of records associated with the program or activity
Class of Record: Mental Health Services and Supports (VAC MVA 720)
Personal Information Bank: Mental Health (VAC PPU 320)
Legal Authority for Program or Activity
Canadian Forces Members and Veterans Re-establishment and Compensation Act (sections 7 to 10); Pension Act (defintions section a to h); and Veterans Health Care Regulations (sections 3 to 5).
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to Appendix C of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.
Level of risk to privacy – 3 & 4
- Program or Activity Partners and Private Sector Involvement
With other institutions or a combination of federal, provincial or territorial, and municipal governments.
Level of risk to privacy – 3
- Duration of the Program or Activity
Long-term program
Level of risk to privacy – 3
- Program Population
The program affects all individuals for external administrative purposes.
Level of risk to privacy – 4
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy - No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
The personal information is used in a system that has connections to at least one other system.
The personal information is transferred to a portable device or is printed.
Level of risk to privacy – 2 & 3
- Risk Impact to the Institution
Reputation harm, embarrassment, loss of credibility.
Level of risk to privacy – 4
- Risk Impact to the Individual or Employee
Reputation harm, embarrassment.
Level of risk to privacy – 2