Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Elizabeth Douglas
Director General, Service Delivery and Program Management
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garret-Baird
A/Director, Access to Information and Privacy
Name of Program or Activity of the Government Institution
Priority Hiring
Description of Program or Activity
The Government of Canada (GoC) proposed amendments to the Public Service Employment Act (PSEA) enhancing hiring opportunities for certain serving and former members of the Canadian Armed Forces (CAF) through the introduction of Bill C-27 (Veterans Hiring Act). The amendments establish a right of appointment, in priority to all other persons, for certain members of the CAF who are medically released for reasons that the Minister of Veterans Affairs determines are attributable to service. Amendments received Royal Assent on March 31, 2015.
To implement these amendments, Veterans Affairs Canada (VAC) has partnered with the Public Service Commission (PSC) and the Department of National Defence (DND) to ensure efficient program delivery. As part of this initiative, CAF members will be able to apply to VAC to seek determination regarding whether their medical release is attributable to military service. All other aspects of delivery for this initiative will be completed by DND or the PSC. There is no information sharing from VAC to either of the other two federal organizations – the medical determination letter is provided to the applicant and they retain control over whether or not to proceed with their participation in the program.
Description of the Class of Record and Personal Information Bank associated with the program or activity
Veterans Hiring Act Initiative (VAC PPU 704)
Legal Authority for Program or Activity
Personal information is collected under the authority of subsection 39(1) of the Public Service Employment Act.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs/Activity and Services - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 2, 3
- Program or Activity Partners and Private Sector Involvement
- With other federal institutions.
Level of risk to privacy – 2
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear “sunset”.
Level of risk to privacy – 3
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy – 2
- Risk Impact to the Institution
- Reputation harm, embarrassment, loss of credibility. Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.
Level of risk to privacy – 4
- Risk Impact to the Individual or Employee
- Reputation harm, embarrassment
Level of risk to privacy – 2