Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
André Levesque
A/DG Commemoration
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
ATIP Coordinator
Name of Program or Activity of the Government Institution
Bomber Command Web Portal
Description of Program or Activity
A new Bomber Command honour has been created. The honour is in the form of a bar to be worn on the ribbon of the Canadian Volunteer Service Medal (CVSM). With this bar, Canada is honouring those Canadians who fought for peace, freedom and democracy through their service in Bomber Command, and in particular the approximately 10,000 who made the ultimate sacrifice.
The existing Order-in-Council governing the Canadian Volunteer Service Medal has been amended to include the eligibility criteria and the description of the new Bomber Command honour. All Canadian Veterans who were awarded the CVSM and served a minimum of one day with Bomber Command, regardless of rank or role, are eligible for this new bar. Loved ones of a deceased Canadian Bomber Command Veteran who hold the Veteran’s CVSM may also apply to receive this bar.
For more information on Canada’s role in Bomber Command, to apply online for the honour, or to download a hardcopy of the application form, please visit Veterans Affairs Canada.
VAC’s Privacy Impact Assessment explored the initiative to assess the privacy impacts. The PIA for this initiative has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Description of the Class of Record and Personal Information Bank associated with the program or activity
Ceremonies and Events: Class of Record
Honours and Awards: Personal Information Bank
Legal Authority for Program or Activity
Personal information is collected in accordance with Order in Council (OIC) 1965-688. The Canadian Volunteer Service Medal Order governs the administration of the Bomber Command bar, including the eligibility criteria.
Award Regulations
An applicant for an award shall provide the Minister with (a) any documentation necessary to substantiate the applicant's claim; (b) information on the applicant's domestic status; (c) any other relevant information; and (d) an affidavit or statutory declaration attesting to the truth of the information provided.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
- Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Only personal information provided by the individual – at the time of collection – relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities. The context in which the personal information is collected is not particularly sensitive.
Level of risk to privacy – 1
- Only personal information provided by the individual – at the time of collection – relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities. The context in which the personal information is collected is not particularly sensitive.
- Program or Activity Partners and Private Sector Involvement
- Within the institution (amongst one or more programs within the same institution)
Level of risk to privacy – 1
- Within the institution (amongst one or more programs within the same institution)
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
Level of risk to privacy – 3
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
- Program Population
- The program affects certain employees for internal administrative purposes.
Level of risk to privacy – 1
- The program affects certain employees for internal administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy - Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
- The personal information is used in system that has connections to at least one other system.
Level of risk to privacy – 2
- The personal information is used in system that has connections to at least one other system.
- Risk Impact to the Institution
- Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.
Level of risk to privacy – 1
- Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.
- Risk Impact to the Individual or Employee
- Inconvenience
- Level of risk to privacy – 1