Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Mary Nicholson
Director, Health Care, Rehabilitation and Income Support Programs Directorate
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garrett-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
Veterans Independence Program
Description of Program or Activity
The Veterans Independence Program (VIP) is a home care program that was created in 1981 to help eligible Veterans, civilians, as well as their survivors or primary caregivers remain independent and self-sufficient in their homes and communities through financial support towards the costs of services. VIP benefits do not replace other federal, provincial or municipal programs. Instead, the program complements existing programs or private insurance to help meet individual needs.
This assessment is an update to the 2010 VIP Privacy Impact Assessment (PIA) to support changes to the program, namely: the implementation of grants as the payment mechanism for housekeeping and grounds maintenance benefits; and the additional tasks performed by a third-party contractor, Medavie Blue Cross (MBC). In addition to its role as a payment processor for VAC, MBC now administers the annual renewal process that is required for VIP recipients. The annual renewal process includes a follow-up phone call to those whom VAC has identified as not having recent contact with the Department, and processing the annual renewal form submitted by those receiving benefits via the “Survivor” eligibility gateway.
It is important to note that eligibility for the program has not changed. There are three payment processes for the VIP which MBC administers on VAC’s behalf.Footnote 1 For the Housekeeping and Grounds Maintenance elements, eligible recipients receive two upfront payments per year based on their needs and the going rate for services in their communities. For all other VIP elements, the payment process is “reimbursement”. Reimbursements are paid based on submitted receipts to either the recipient or a registered service provider. In exceptional circumstances, such as financial hardship, advance payment may be used for elements other than Housekeeping and Grounds Maintenance.
Description of the Class of Record and Personal Information Bank associated with the program or activity:
Class of Record:
Veterans Independence Program (VAC MVA 855)
Personal Information Banks:
Veterans Independence Program – Home Care Benefits and Services (VAC PPU 616) Veterans Independence Program – Other Services (VAC PPU 617)
Legal Authority for Program or Activity
The activities of the Veterans Independence Program are conducted under the authority of the Veterans Health Care Regulations (VHCRs) (Part II, sections 15-20) made pursuant to section 5 of the Department of Veterans Affairs Act. In accordance with sections 18 and 31.2, and subsection 33.1(5) of the VHCRs, VAC has the authority to collect income information to determine eligibility for Exceptional Health Needs.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Administration of Programs / Activity and Services
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- WPrivate sector organizations or international organizations or foreign governments
Level of risk to privacy – 4
- WPrivate sector organizations or international organizations or foreign governments
- Duration of the Program or Activity
- Long-term program
Level of risk to privacy – 3
- Long-term program
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy - Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – Yes
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – No
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
Level of risk to privacy – 2
- The personal information is used in a system that has connections to at least one other system.
- Risk Impact to the Institution
- Managerial harm; financial harm; and reputational harm, embarrassment, loss of credibility
Level of risk to privacy – 1, 3, & 4
- Managerial harm; financial harm; and reputational harm, embarrassment, loss of credibility
- Risk Impact to the Individual or Employee
- Inconvenience; reputational harm, embarrassment; and financial harm
- Level of risk to privacy – 1, 2 & 3