Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Carlos Lourenso
Director, Health Care, Rehabilitation and Income Support Programs
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
Access to Information and Privacy Coordinator
Name of Program or Activity of the Government Institution
War Veterans Allowance
Description of Program or Activity
Veterans Affairs Canada’s (VAC’s) War Veterans Allowance (WVA) program provides financial assistance in the form of a monthly grant payment to low-income clients. Eligibility for WVA is determined by the wartime service of a Veteran or qualified civilian, their age or health, as well as their income and residency. Payment rates are based on income, domestic status and number of dependants.
Once eligible for WVA, the recipient becomes eligible to access other VAC programs. In this way, WVA acts as a gateway to the Assistance Fund, Funeral and Burial assistance, Treatment Benefits, Veterans Independence Program (VIP) and Long-Term Care (LTC). Some Veterans do not qualify for WVA support because their family income exceeds the maximum amount allowable. However, if this is due to income from Old Age Security, these individuals are designated as "income-qualified". As such, they can access VAC’s medical benefits and the other programs associated with WVA.
In the fall of 2013, the Disability benefits paid under the Pension Act was no longer deducted from WVA benefits. The changes to the WVA program did not result in changes to the handling of the personal information.
Description of the class of record and the Personal Information Bank
- War Veterans Allowance – Personal Information Bank VAC PPU 040
- War Veterans Allowance – Class of Record VAC MVA 680
Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter
Legal Authority for Program or Activity
The authority for VAC to collect and use the personal information for War Veterans Allowance is established under Section 4 of the War Veterans Allowance Act, and Sections 3 and 4 of the Veterans Allowance Regulations, and Sections 9, 9.1 and 12 of the Civilian War-Related Benefits Act, and is used to administer the War Veterans Allowance. Section 5 of the Department of Veterans Affairs Act, provides the Minister with the authority to create regulations in support of the Department of Veterans Affairs. The SIN is collected pursuant to Section 30(3) of the War Veterans Allowance Act and by virtue of Section 57(1) of the Civilian War-Related Benefits Act.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to Appendix C of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Administration of Programs / Activity and Services
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- With other federal institutions
Level of risk to privacy – 2
- With other federal institutions
- Duration of the Program or Activity
- Long-term program
Level of risk to privacy – 3
- Long-term program
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
The personal information is used in a system that has connections to at least one other system.Level of risk to privacy – 2
- Risk Impact to the Institution
Managerial harm, Organizational harm and Reputational harm, embarrassment, loss of credibility.Level of risk to privacy – 1, 2 and 4
- Risk Impact to the Individual or Employee
Inconvenience, Reputational harm, embarrassment and Financial harm.Level of risk to privacy – 1, 2 and 3