This report presents the findings of the Privacy Impact Assessment (PIA) of the Long Term Care (LTC) Program. On June 18, 2009, amendments to the Veterans Health Care Regulations and the War Veterans Allowance Act received Royal Assent, expanding the WVA Program and associated benefits, including those that fall under the LTC Program, to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Long Term Care Program, including the current expansion to Allied Veterans. This PIA reflects the status of the LTC Program as of December 1, 2009.
The LTC Program dates back to 1915 when departmental health care facilities were first established to care for injured and disabled Veterans. Over the years, the clients' needs have changed and demand for acute and rehabilitative care has declined. Today the LTC Program works in cooperation with the provinces, territories, regional health authorities and long-term care facilities to financially support eligible Veterans in an appropriate long-term care setting where their assessed health care needs can be met.
About the Privacy Impact Assessment (PIA)
This Privacy Impact Assessment reflects an analysis of the Long Term Care Program but does not include the assessment of the gateway for eligibility to the LTC Program, which is provided through the War Veterans Allowance (WVA) Program. A separate assessment of the WVA Program has been conducted.
VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Long Term Care Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.
The PIA reviews how personal information is being collected, used and disclosed throughout the life cycle of the LTC Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The LTC Program PIA has identified six potential privacy risks.
Risk #1 - Inadvertent collection of the Social Insurance Number (Risk Rating: Medium)
Issue:
There is an almost certain likelihood that non-essential personal information, including the Social Insurance Number (SIN), will be inadvertently provided to VAC on documentation that will demonstrate eligibility. As proof of eligibility for Allied Veterans, VAC requests documentation such as an Old Age Security (OAS) cheque stub, which does contain the SIN. The SIN is a highly sensitive piece of information, the use of which is governed by TBS policy; because the sensitivity of the information is high, it has been determined that there are increased risks in the unlikely event of a breach.
Management Plan:
Upon receipt of proof of the OAS for Allied Veteran eligibility, staff will ensure that the SIN, which has been inadvertently provided on proof documentation, is removed by blacking it out on information that is retained on file. A directive will be issued to staff to advise of the protocol to follow once in receipt of a SIN.
Risk #2 - Use of VAC 520 and VAC 520-5: Authority to Release Personal Information (Risk Rating: Low)
Issue:
An Authority to Release Personal Information form (VAC 520 or 520-5) may be required if a client requests that a family member/friend obtain information on his behalf from VAC. Past experience has shown that clients do not fully understand when and how the Authority to Release Personal Information form should be used. The form requires further explanation to ensure clients understand the intended purpose of the form and when and how to properly complete it.
Management Plan:
A guide will be prepared to include clear instructions, both for VAC staff and clients, as to when the form should be used and how to properly complete the required elements. Communication to VAC staff members will be provided to ensure they fully understand the intended purpose of the form and are able to explain this to clients to obtain informed consent.
Risk #3 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)
Issue:
VAC's electronic systems, the Client Service Delivery Network (CSDN) and the Residential Care Support System (RCSS), do not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.
Management Plan:
This is a departmental risk that is not solely related to the Long Term Care Program. At this time, an action plan has been developed that outlines the high-level tasks that must be completed in order to address this problem. Progress made against this action plan includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.
Risk #4 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)
Issue:
A Threat and Risk Assessment (TRA) has not been completed on the Long Term Care Program, which may lead to sensitive information not being properly identified and protected.
Management Plan:
The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Long Term Care Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.
Risk #5 - Lack of National Business Processes (Risk Rating: Low)
Issue:
While there is a renewed National Long-Term Care Strategy to help provide Veterans with more options for the care they need in the location they prefer, the LTC Program lacks written business processes and procedures that would provide consistency through the Department, and the District and Regional Offices. Service delivery, training and understanding by all staff of the LTC Program can be affected by the lack of consistent written business processes.
Management Plan:
Program policies, directives and processes are currently under development. Privacy specialists will be available for consultation to ensure that the information collected and disclosed is appropriate. Upon completion of the writing of the business processes and procedures, training, if required, will be provided to staff.
Risk #6 - Privacy Notice Statements (Risk Rating: Low)
Issue:
Several forms used in the Long Term Care Program either lack privacy notice statements or have notice statements which do not comply with Treasury Board requirements and VAC standards.
Management Plan:
The VAC 549: Allied Service - Eligibility for Long Term Care, the VAC 1415: Nursing Assessment and the Residential Care Decision Form will be updated to include an appropriate privacy notice statement.
Conclusion
Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.