HRSDC and VAC – Information Sharing Exchanges

Privacy Impact Assessment (PIA) Summary

Government Institution

Veterans Affairs Canada (VAC)

Human Resources and Skills Development Canada (HRSDC)

Government Official Responsible for the Privacy Impact Assessment

Maureen Sinnott
A/Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

HRSDC and VAC – Information Sharing Exchanges

Description of Program or Activity:

HRSDC and VAC have proposed a Memorandum of Understanding (MOU) to provide the necessary framework for the exchange of personal information relevant to the administration of VAC programs. A PIA has been conducted jointly between HRSDC and VAC to determine any privacy issues associated with the proposal and to recommend measures to mitigate or resolve them. The purpose of the Memorandum of Understanding (MoU) between Human Resources and Skills Development Canada (HRSDC) and Veterans Affairs Canada (VAC) is to enhance, and enable the seamless access to benefits available to veterans. Old Age Security (OAS) and Canada Pension Plan (CPP) applicants’ and beneficiaries’ information will be shared by HRSDC with VAC to administer the War Veterans Allowance (WVA), the Veterans Independence Program (VIP), Long Term Care Program (LTC), Earnings Loss Benefit (EL), and Canadian Forces Income Support Benefit (CFIS).

Description of the class of record and the Personal Information Bank

  • Class of Record and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.
  • War Veterans Allowance – Class of Record VAC MVA 680
  • War Veterans Allowance Personal Information Bank VAC PPU 040M
  • Intermediate and Long-Term Care - Class of Record VAC MVA 880
  • Non-departmental Institutions - Veterans Independence Program (VIP) - Personal Information Bank VAC PPU 618
  • Non-departmental Institutions – Long Term Care (LTC) - Personal Information Bank VAC PPU 619
  • Financial Benefits – Class of Record VAC MVA 845
  • Earnings Loss – Personal Information Bank VAC PPU 607
  • Canadian Forces Income Support – Personal Information Bank VAC PPU 608

Legal Authority for Program or Activity

  • Department of Veterans Affairs Act,
  • War Veterans Allowance Act,
  • Civilian War-Related Benefits Act,
  • Canadian Forces Members and Veterans Re-establishment and Compensation Act,
  • Canadian Forces Members and Veterans Re-establishment and Compensation Regulations,
  • Veterans Health Care Regulations,
  • Department of Human Resources and Skills Development Act, and the
  • Department of Human Resources and Skills Development Regulations

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services.

      Level of risk to privacy – 2

  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive.

      Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Within the Department and with other Federal institutions.

      Level of risk to privacy – 1&2

  4. Duration of the Program or Activity
    • Long-term program or activity.

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – Yes

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc…

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

  7. Personal Information Transmission
    • The personal information is used in a system that has connections to at least one other system.

      The personal information is transferred to a portable device or is printed.
      Information that is exchanged between HRSDC and VAC on a case by case basis is printed.

      Level of risk to privacy – 2&3

  8. Risk Impact to the Institution
    • Managerial harm
      Organizational harm
      Financial Harm
      Reputational harm, embarrassment, loss of credibility.

      Level of risk to privacy – 1, 2, 3 & 4

  9. Risk Impact to the Individual or Employee
    • Inconvenience
      Reputational harm, embarrassment
      Financial harm.

      Level of risk to privacy – 1, 2 & 3

Date modified: