My VAC Account

Privacy Impact Assessment (PIA) Addendum Summary (2017)

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Kim Andrews
A/Director General, Program Management and Service Delivery

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

My VAC Account – Interoperability for Benefit Applications

Description of Program or Activity:

The initial 2011 Privacy Impact Assessment (PIA) documented the risks and mitigation measures of implementing the My VAC Account (MVA). In 2013, the PIA was updated to assess the privacy impacts of the evolution of the portal.

Recently enhanced MVA functionality now allows for an electronic exchange of information between VAC and the Department of National Defense (DND). The electronic extraction of specified DND data elements will provide VAC with up-to-date, real-time service history and personal information about still-serving and recently released CAF members that is needed for the adjudication of benefits and services at VAC. The collection of service history and personal information from DND by VAC is not new but the electronic exchange of information between DND and VAC is a more efficient means of collecting only specific required data elements.

The focus of the 2017 PIA addendum is the automated exchange of information between VAC and the Department of National Defense (DND) through the MVA portal. The exchange is designed to enable two things:

  • Data Matching

    An identity authentication process will confirm the service information of Veterans and still-serving members of the Canadian Armed Forces (CAF) who are applying for VAC benefits and services. This will be achieved through a data linkage and will verify a serving member’s or recently released Veteran’s service with the CAF.

  • Data Extraction for Benefit Claims

    Electronic extraction of specified data elements (e.g. release date, release type, etc.) from DND will support a streamlined application process for members and Veterans who apply for VAC benefits and services.

    Risks identified though the Addendum have either been mitigated or addressed through mitigation plans.

Privacy Impact Assessment (PIA) Summary (2013)

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

John Walker
Director General
Service Delivery and Program Management Division

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director
ATIP Coordinator

Name of Program or Activity of the Government Institution

My VAC Account

Description of Program or Activity:

In 2011, as a commitment to client service, VAC introduced an online portal available to VAC Veterans. This portal, entitled, My VAC Account enabled individuals to view and update basic personal information (such as name and address), communicate with the department via secure messaging, complete certain applications online, access the status of some of their services and change their direct deposit information. This was only one additional point of access as individuals could still request information and make changes to their information in person or by calling the National Call Centre Network (NCCN).

In 2011, a Privacy Impact Assessment was completed that documented risks and mitigation measures. Since that point, there have been changes to My VAC Account and an updated PIA is required in order to ensure the risks identified in 2011 have been addressed, document the evolution of the portal and identify any risks that may have arisen due to the modifications.

In addition, this PIA will document the relationship and use of the My VAC Account technology by the Veterans Review and Appeal Board (VRAB) and representatives from the Royal Canadian Legion (RCL).

By December 31, 2015 VAC officials are anticipating that there will be 18,000 individuals accessing their information through their My VAC Account.

Description of the class of records and Personal Information Banks associated with the program or activity

Class of Records and Personal Information banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

It is important to note that My VAC Account is linked to multiple programs/services within VAC, each of which operates under their own legal authorities.

The legal authority derives from the Department of Veterans Affairs Act and from Section 4 of the Communications Policy of the Government of Canada.

Risk Area Identification & Categorization

The following section contains risks identified in the 2013 PIA. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

Where risks associated with the enhancements assessed in the 2017 addendum differ from the 2013 PIA, this difference is noted.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
    • Level of risk to privacy – 2

  2. Type of Personal Information Involved and Context
    • Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. For example: the personal information by association indirectly reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and other individuals, such as relatives.
    • Level of risk to privacy – 41

  3. Program or Activity Partners and Private Sector Involvement
    • Private sector organizations or international organizations or foreign governments
    • Level of risk to privacy – 12

  4. Duration of the Program or Activity
    • Long-term program - Existing program that has been modified or is established with no clear “sunset”.
    • Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.
    • Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No3

  7. Personal Information Transmission
    • The personal information is used in system that has connections to at least one other system.
    • Level of risk to privacy – 24

  8. Risk Impact to the Institution
    • Reputation harm, embarrassment, loss of credibility. Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.
    • Level of risk to privacy – 4

  9. Risk Impact to the Individual or Employee
    • Reputations harm, embarrassment
    • Level of risk to privacy – 25

Date modified: