Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
John Walker
Director General, Service Delivery and Program Management
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
ATIP Coordinator
Name of Program or Activity of the Government Institution
Outreach and Visitation Initiative, Service Contract between Veterans Affairs Canada and the RCL
Description of Program or Activity:
The Long-Term Care and Veteran Independence Programs support eligible Veterans and other individuals who require facility-based care to meet their long-term care needs. The Outreach and Visitation Initiative will provide a mechanism by which Veterans Affairs Canada (VAC or the Department) can maintain contact with Veterans residing in provincial long-term care facilities.
Through a Contract for Service, VAC will use the Royal Canadian Legion (RCL) Dominion Command volunteer network to visit approximately 4,000 Veterans annually who are receiving financial assistance from VAC for long-term care. This initiative will facilitate face-to-face visits with Veterans, providing them with an opportunity to have a conversation and social visit with a volunteer and to raise concerns or identify needs that might be addressed by VAC. The service contract has a duration of one year with the possibility of a one-year renewal.
Description of the Class of Record and Personal Information Bank associated with the program or activity:
Class of Record and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.
- Intermediate and Long-Term Care - Class of Record VAC MVA 880
- Non-departmental Institutions – Long Term Care (LTC) - Personal Information Bank VAC PPU 619
- Non-departmental Institutions - Veterans Independence Program (VIP) - Personal Information Bank VAC PPU 618
Legal Authority for Program or Activity
Non-departmental Institutions – Long Term Care
VAC administers the Long Term Care program under Part III and Part IV of the Veterans Health Care Regulations.
Non-departmental institutions - VIP
VAC administers the Veterans Independence Program (Intermediate Care element) under Part II and Part IV of the Veterans Health Care Regulations.
The general authority to enter into a contract is reflected in section 4 of the Department of Veterans Affairs Act and the exercise of such implicit authority is essential to enable the Minister to fulfill his mandate and obligation described therein.
Risk Area Identification and Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
Level of risk to privacy – 1
- Program or Activity Partners and Private Sector Involvement
- Private sector organizations or international organizations or foreign governments.
Level of risk to privacy – 4
- Duration of the Program or Activity
- Short-term program
Level of risk to privacy – 2
- Program Population
- The program affects certain employees for internal administrative purposes.
Level of risk to privacy – 1
- Technology and Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - No
- Does the new or modified program or activity require any modifications to IT legacy systems and/or services?
Risk to privacy - No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer-aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques. For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system. The personal information is transferred to a portable device or is printed.
Level of risk to privacy – 2 and 3
- Risk Impact to the Institution
- Inconvenience
- Reputational harm, embarrassment
Level of risk to privacy – 1 and 2
- Risk Impact to the Individual or Employee
- Managerial harm
- Reputational harm, embarrassment, loss of credibility.
Level of risk to privacy – 1 and 4