Privacy Impact Assessment (PIA) Summary
Government Institution
Veterans Affairs Canada (VAC)
Government Official Responsible for the Privacy Impact Assessment
Sandra Williamson
Director, Long Term Care and Disability Benefits
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garrett-Baird
A/Director, Access to Information and Privacy
Name of Program or Activity of the Government Institution
Long Term Care Program and Veterans Independence Program – Intermediate Care
Description of Program or Activity:
Every year on October 1, as stipulated in the Veterans Health Care Regulations (VHCRs), Veterans Affairs Canada (VAC) adjusts the monthly amount that Veterans in long term care facilities must contribute to their accommodation and meals (A&M) costs. Recipients of support through the Long Term Care (LTC) program and the Veterans Independence Program – Intermediate Care (VIP-IC) may be required to pay for the cost of A&M up to a maximum amount. The amount of A&M that an individual contributes is based on an analysis of their income. An income analysis will also determine if the individual is eligible for long term care as income-qualified. As a result, VAC has entered into an agreement with the Canada Revenue Agency (CRA) by way of a Memorandum of Understanding (MOU), which enables VAC to obtain income information directly from CRA. Obtaining the income data in this manner, with the individual’s consent, will ensure accurate income amounts are available, reduce the administrative burden on eligible Veterans and civilians, and result in significantly less processing time for VAC staff.
Description of the class of record and the Personal Information Bank
Class of Record: Intermediate and Long Term Care (VAC MVA 880). Personal Information Banks: Non-departmental Institutions – Long Term Care (VAC PPU 619) and Non-departmental Institutions – VIP (VAC PPU 618). These can be viewed at: VAC's Info Source Chapter.
Legal Authority for Program or Activity
Non-departmental Institutions – Long Term Care - VAC has authority to collect the information as it relates directly to and is required for the administration of VAC’s legislatively mandated program, the Long Term Care program. The information is specifically related to the determination of income-based eligibility for this program and the amount of Accommodation and Meals contributions under the VHCRs made under the Department of Veterans Affairs Act. Long Term Care (Non-departmental Institutions - LTC) is administered under Part III and IV of the VHCRs made under the Department of Veterans Affairs Act and is a VAC health care program which has income-based components.
Non-departmental institutions - VIP - VAC has authority to collect the information as it relates directly to and is required for the administration of VAC’s legislatively mandated program, the Veterans Independence Program. The information is specifically related to the determination of Accommodation and Meals contributions under the VHCRs made under the Department of Veterans Affairs Act. The Veterans Independence Program (Non-departmental Institutions - VIP) is administered under Part II and IV of the VHCRs made under the Department of Veterans Affairs Act and is a VAC health care program which has income-based components.
SIN Collection
Non-departmental Institutions – Long Term Care and Non-departmental Institutions – VIP - VAC has authority to collect information, including SINs, that relates directly to and is required for the administration of the LTC Program and VIP in accordance with the Department of Veterans Affairs Act and the VHCRs. SINs are required to obtain income information necessary for the administration of these programs. The LTC and VIP programs are Income and Health Care Programs of VAC which are authorized to collect SINs under the Treasury Board Directive on Social Insurance Numbers.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services.
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Program or Activity Partners and Private Sector Involvement
- Within the institution (amongst one or more programs within the same institution)
- With other federal institutions
Level of risk to privacy – 1&2
- Duration of the Program or Activity
- Long-term program.
Level of risk to privacy – 3
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy – Yes
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Personal Information Transmission
Level of risk to privacy – 2
- Risk Impact to the Institution
Potential for managerial harm (processes must be reviewed, tools must be changed, change in provider / partner); financial harm (lawsuit, additional moneys required, reallocation of financial resources); and reputational harm, embarrassment, loss of credibility (decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas).
Level of risk to privacy – 1, 2, 3 & 4
- Risk Impact to the Individual or Employee
Potential for inconvenience, reputational harm, embarrassment and financial harm.
Level of risk to privacy – 1, 2, & 3