Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Charlotte Stewart
Director General, Service Delivery and Program Management
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
ATIP Coordinator
Name of Program or Activity of the Government Institution
- Document Imaging and Data Capture Services
- Centralized Client Mail Centre
Description of Program or Activity
With a streamlined centralized mail process, Veterans will no longer have to worry about where to send their mail. Most incoming mail to the Department will be sent to Matane, Quebec by 2014, making it easier for Veterans to send their mail where it needs to be. The consolidation of departmental addresses will happen in phases.
VAC is partnering with Public Works and Government Services Canada (PWGSC) to help centralize the mail process. PWGSC’s Document Imaging Services in Matane, Quebec allows departments to modernize and green their operations by replacing paper copies with digital information and to improve their client service by having electronic access to information.
Because of this modernization, VAC employees are now able to process the same information simultaneously. Veterans will not be required to resubmit documentation and this centralization will contribute to faster decision-making and turnaround times for Veterans and their families.
The PIA identified the need to update program-specific Personal Information Banks, which are available to assist individuals in exercising their rights under the Privacy Act. The PIA for this initiative has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Description of the class of record and the Personal Information Bank associated with the program or activity:
Class of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter
Legal Authority for Program or Activity
There is an over-arching authority that permits PWGSC to offer document imaging services to line departments, such as VAC. TBS' Common Services Policy, issued under the authority of section 7 of the Financial Administration Act, provides the direction for PWGSC to deliver these services on behalf of organizations such as VAC.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
- Program or activity that does NOT involve a decision about an identifiable individual
- Personal information is used strictly for statistical / research or evaluations including mailing list where no decisions are made that directly have an impact on an identifiable individual.
Level of risk to privacy – 1
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual
Level of risk to privacy – 3
- Program or Activity Partners and Private Sector Involvement
- With other federal institutions
Level of risk to privacy – 2
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
Level of risk to privacy – 3
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
While VAC's implementation of the PWGSC document imaging solution is new, this is not a new system or process for PWGSC.
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Personal Information Transmission
- The personal information is transmitted using wireless technologies.
Level of risk to privacy – 1
- Risk Impact to the Institution
- Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.
Level of risk to privacy – 1
- Risk Impact to the Individual or Employee
The level of individual harm would depend on the program. As some VAC programs require financial information, this risk has been assessed at the highest appropriate level. In some cases, the risk would be inconvenience.
- Financial harm
- Lawsuit, additional moneys required, reallocation of financial resources.
Level of risk to privacy – 3