Private Storage of Records

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Michael Johnson
Director, IM and IT Operations

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Private Storage of Records

Description of Program or Activity:

VAC has established a contract with Iron Mountain Canada, a private storage company, for the storage of all VAC records. Iron Mountain Canada will provide document storage, information retrieval and document destruction services in secure facilities across Canada. These facilities are monitored 24 hours a day, seven days a week for fire, floods and unauthorized entry.

The contract with Iron Mountain Canada includes clauses required by VAC’s Security and ATIP Divisions to meet privacy and security requirements for the transfer, storage, retrieval and secure destruction of personal information.

Description of the class of record and the Personal Information Bank

As Private Storage is available to every VAC program, every class of record where a program may use Private Storage will be relevant, with limited exception. All applicable VAC Personal Information Banks will be updated to ensure clients/employees are informed of the potential storage of their records within a private facility. Class of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

Information contained in the files that may be located in private storage is created and captured for the purposes of documenting all activities related to the operations of mandated programs delivered by Veterans Affairs Canada and the Veterans Review and Appeal Board as well as the administrative activities that support the operations of the Department.

The legal authority for these programs and activities stems from Departmental enabling legislation and regulations as well as Government of Canada legislation regarding the administrative functions of government. A comprehensive list of this legislation can be made available.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Program or activity that does not involve a decision about an identifiable individual
    • Level of risk to privacy – 1

  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
    • Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Private sector organizations or international organizations or foreign governments
    • Level of risk to privacy – 4

  4. Duration of the Program or Activity
    • Long-term program
    • Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.
    • Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – Yes

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – No

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – Yes

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc…

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

  7. Personal Information Transmission
    • The personal information is transmitted using wireless technologies.
    • Level of risk to privacy – 4

  8. Risk Impact to the Institution
    • Reputational harm, embarrassment, loss of credibility (Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.)
    • Level of risk to privacy – 4

  9. Risk Impact to the Individual or Employee
    • Potential for reputational harm, embarrassment; and financial harm.
    • Level of risk to privacy – 2 & 3

Date modified: