Veterans Affairs Canada Privacy Action Plan 1.0

In fall 2010, the Office of the Privacy Commissioner of Canada completed an investigation of a complaint filed against Veterans Affairs Canada under the Privacy Act. Commissioner's Findings 2010-2011.

To respond to issues raised, a 10-point action plan was developed, which specifically outlines the steps the Department is taking. These steps exceed the report's four recommendations and balance the protection of personal information and the ability of staff to provide top quality service. The recommendations referenced below are attached as Annex A.

Action:

  1. Review system access in detail

    A detailed review of approximately 2,800 user accounts in the Client Service Delivery Network (CSDN) was completed in March 2011. (Addresses recommendation 2)
  2. Communicate discipline policy

    A strengthened discipline policy and guidelines with clear sanctions were developed and communicated to staff in October 2010. (Addresses recommendation 1)
  3. Introduce a privacy lens for briefing note processes

    New procedures were issued in October 2010 on the appropriate use of client information when preparing briefing notes and other documents prepared for use within the Department. (Addresses recommendations 3 and 4)
  4. Appoint external systems expert

    External experts in electronic information systems management reviewed and recommended changes to departmental systems. The review was positive and made a number of recommendations. This report is being actioned with the majority of activities to be completed by March 31, 2012. (Addresses recommendation 2)
  5. Appoint external privacy expert

    Information Management and Privacy experts reviewed and recommended changes to departmental processes to ensure information is protected and access is controlled. A number of recommended changes have been implemented and work is ongoing. (Addresses recommendation 1)
  6. Enhance monitoring of electronic systems

    A team now proactively monitors, reviews and investigates who is accessing client information. Where there is inappropriate access, disciplinary measures are taken. (Addresses recommendation 1)
  7. Provide mandatory privacy training

    A mandatory privacy awareness program was launched in October 2010. This program covers the "need to know" principle, the need for client consent when sharing information, and the range of disciplinary measures that will be taken if privacy is breached. Ste. Anne's Hospital, as an accredited hospital, has its own programs relating to privacy and confidentiality of client information. (Addresses recommendations 3 and 4)
  8. Provide in-depth training on Government policies and procedures on privacy

    In-depth training for staff on the new policies, guidelines and procedures began in January 2011. (Addresses recommendation 3)
  9. Conduct independent annual assessment

    The first annual independent assessment of VAC's compliance with the Privacy and Access to Information Acts was completed by Audit Services Canada in August 2011. (Addresses recommendation 1)
  10. Prepare for Privacy Commissioner's audit

    The Office of the Privacy Commissioner is conducting a privacy audit on the Department. Results of the audit are expected to be published in winter 2012.

Annex A
Privacy Commissioner's Findings and Recommendations

An investigation by the Privacy Commissioner's Office into a complaint filed against the Department under the Privacy Act raised significant concerns surrounding the use of personal information within VAC and apparent lack of controls to protect personal information from being widely disseminated and accessed within the Department.

The following four recommendations were made.

  1. Recommendation 1

    Veterans Affairs Canada should take immediate steps to support an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the Department.
  2. Recommendation 2

    Veterans Affairs Canada should review and revise its existing information management practices and policies to ensure that personal information is shared within the Department on a need to know basis only and is appropriately limited to what is necessary to fulfil the operational requirements of its programs. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
  3. Recommendation 3

    Veterans Affairs should disseminate its strengthened privacy policy framework to all of its employees, provide training and raise awareness amongst VAC employees about appropriate personal information handling practices.
  4. Recommendation 4

    Veterans Affairs Canada should also review and comply with its existing policies and procedures concerning referrals to Ste. Anne's Hospital to ensure that the consent of the individual to whom the information relates has been provided before personal information is shared with hospital personnel and that the information shared is limited to that which is demonstrably necessary to fulfil the relevant purpose.