Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Carlos Lourenso
Director, Health Care, Rehabilitation and Income Support Programs
Head of the government institution / Delegate for section 10 of the Privacy Act
Amy Meunier
Director, Access to Information and Privacy
Name of Program or Activity of the Government Institution
Health Care Benefits and Services (HCBS)
Description of Program or Activity
In order to recognize their service to Canada, the Health Care Benefits and Services (HCBS) program provides clients who meet the eligibility requirements with access to appropriate treatment benefits related to their health needs. The HCBS program provides financial support for a wide range of health-related products and services to treat both physical and mental health conditions. Financial support is available for specific benefits and services through the fourteen Programs of Choice (POC): Aids for Daily Living, Ambulance/Medical Travel Services, Audio (Hearing) Services, Dental Services, Hospital Services, Medical Services, Medical Supplies, Nursing Services, Oxygen Therapy, Prescription Drugs, Prosthetics and Orthotics, Related Health Services, Special Equipment and Vision (Eye) Care.
The program is offered, in part, through a third-party service provider, Medavie Blue Cross (MBC). MBC processes payments for approved benefits and services through the Federal Health Claims Processing System (FHCPS). Payments are issued to either the service provider or the client, depending on who submitted the claim. In certain programs, such as Dental and Pharmacy, claims and payments are issued online in real time to service providers. The majority of the benefits and services available under the HCBS are listed on a benefit grid which offers guidance on benefits and services available, dollar limits, frequency limits, quantity limits, and approval requirements. Most VAC benefits and services have limits on the number of times a benefit can be covered in a specified period of time or how much VAC can pay toward a benefit or service. For many HCBS, a prescription from a qualified health care professional and pre-authorization from VAC are required.
Description of the class of records and Personal Information Banks associated with the program or activity
- Health Care Benefits Program – Class of Record VAC MVA 860
- Health Care Benefits and Services – Personal Information Bank VAC PPU 295
Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.
Legal Authority for Program or Activity
Part 1 of the Veterans Health Care Regulations and Sections 4 and 5 of the Department of Veterans Affairs Act.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Program or Activity Partners and Private Sector Involvement
- Private sector organizations or international organizations or foreign governments
Level of risk to privacy – 4
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear “sunset”
Level of risk to privacy – 3
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc…
Risk to privacy – Yes
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Personal Information Transmission
- The personal information is transmitted using wireless technologies.
Level of risk to privacy – 2, 3
- Risk Impact to the Institution
- Managerial harm, Organizational harm, Financial harm, Reputational harm, embarrassment, loss of credibility.
Level of risk to privacy – 1, 2, 3 and 4
- Risk Impact to the Individual or Employee
- Inconvenience, Reputational harm, embarrassment and Financial harm.
Level of risk to privacy – 1, 2 and 3