Disclosure

Government Institution

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Faith McIntyre

Director General responsible for the Ste. Anne’s Hospital Transfer Project

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird

Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Ste. Anne’s Hospital Transfer Project

Description of Program or Activity:

Following the First World War, with the influx of returning soldiers, the Government of Canada owned and operated hospitals because of the special needs of Veteran patients and the variations in the care that was publicly available from one province to another. Since its establishment in 1917, Ste. Anne’s Hospital’s “raison d'être” has been to serve Veterans, to provide them with the highest standards of care, and to be a symbol of remembrance for the community and the country.

Since the introduction of the Canada Health Act and Medicare in the 1960s, the federal government began a process to transfer its 18 Veterans’ hospitals to provinces, thereby respecting provincial jurisdiction in matters of heath care. Ste. Anne’s Hospital (SAH) was the last remaining federally owned Veterans hospital and officially transferred to the Government of Quebec on April 1, 2016, becoming part of the new Centre intégré universitaire de santé et services sociaux (CIUSSS) de l’Ouest-de-l’Île-de-Montréal. The Ste. Anne’s Hospital transfer agreement negotiated positions agreed upon between both levels of government in the transfer of the Hospital.

Following the transfer, the distinct expertise in long-term care offered at Ste. Anne’s Hospital to Veterans will also benefit the local community. Post transfer, in addition to eligible war Veterans, all Veterans and other civilians who need long-term care could be admitted. As is the case in other long-term care facilities across the country, Veterans Affairs Canada will provide financial support and priority access to eligible war Veterans for contract beds at the Hospital. Veterans not eligible for contract beds but who are eligible due to a service related disability may have access to the provincial community beds at Ste. Anne’s Hospital. Ste. Anne’s Hospital will undergo the same provincial monitoring as other Quebec provincial long-term care facilities and will be subject to an accreditation process recognized by the province.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Class of Record: Ste. Anne’s Hospital (VAC MVA 715)

Personal Information Bank: Ste. Anne’s Hospital (VAC PPU 280)

Legal Authority for Program or Activity - VAC

Order in Council P.C. 2015-0432 (Ste. Anne’s Hospital Transfer)

Department of Veterans Affairs Act – sections 4 and 5

Financial Administration Act (FAA) – sections 11 to 13

Privacy Act

The legal authorities for Government of Quebec programs or activities:

An Act Respecting Health Services and Social Services

Organization and Management of Institutions Regulation (chapter S-5, r.5)

An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information

Bill 59

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Michael Zinck
Senior Director, Communications Division

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
A/Director

Name of Program or Activity of the Government Institution

Social Media Platform

Description of Program or Activity

As part of the commitment to better connect with citizens and businesses, the Government of Canada (GC) is improving access to government services and information, and examining opportunities to streamline its web presence (Economic Action Plan 2013). In this context, the GC’s Web Renewal strategy aims to modernize online communication capabilities, in particular its use of websites and social media. The Web Renewal strategy also supports Canada's commitment to open government and enables greater information sharing, public dialogue and collaboration.

Social media provides VAC with additional ways to target, reach, engage and build a relationship with Veterans, their families, other stakeholders and Canadians. It is also providing the Department with a greater understanding of the perspectives of Veterans, citizens, stakeholders and experts. Using social media will help develop better, more informed and more effective policies and programs for Veterans and their families. VAC has been successfully using social media tools (Facebook, YouTube and Twitter) to communicate Remembrance messaging.

This PIA assesses the privacy impacts of VAC establishing a presence on the social media platform, Facebook. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Description of the Class of Record and Personal Information Bank associated with the program or activity

Operational information that is collected via the VAC Facebook presence is not limited to any one specific program or activity for VAC and would be more closely compared to the department’s receipt of correspondence from the general public. As such, VAC will rely on two standard Classes of Records to reflect the operational information that this initiative is likely to generate:

• PRN 939 Communications
• PRN 904 Cooperation and Liaison

In the event that an individual chooses to provide specific program related information using the Facebook platform, other Classes of Records may be relevant; however, that will only be determined by the nature of information that users post.

VAC will rely on two standard Personal Information Banks to reflect the personal information:

• PSU 914 Public Communications
• PSU 938 Outreach Activities

Legal Authority for Program or Activity

Department of Veterans Affairs Act, section 4

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Private sector organizations or international organizations or foreign governments

     Level of risk to privacy – 4

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Personal information posted by individuals to official social media accounts may be subject to data matching or mining, record linkage, transaction monitoring, personal information comparisons, knowledge discovery, or other information filtering and analysis by the platform owner, third parties, and/or members of the public.

      Risk to privacy – 2

7. Personal Information Transmission
   • The personal information is transmitted using wireless technologies.

     Level of risk to privacy – 4

8. Risk Impact to the Institution
   • Organizational harm
     
     Reputation harm, embarrassment, lost of credibility. Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.

     Level of risk to privacy – 2, 4

9. Risk Impact to the Individual or Employee
   • Reputation harm, embarrassment
   • Level of risk to privacy – 2

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Michael Johnson
Director, IM and IT Operations

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Private Storage of Records

Description of Program or Activity:

VAC has established a contract with Iron Mountain Canada, a private storage company, for the storage of all VAC records. Iron Mountain Canada will provide document storage, information retrieval and document destruction services in secure facilities across Canada. These facilities are monitored 24 hours a day, seven days a week for fire, floods and unauthorized entry.

The contract with Iron Mountain Canada includes clauses required by VAC’s Security and ATIP Divisions to meet privacy and security requirements for the transfer, storage, retrieval and secure destruction of personal information.

Description of the class of record and the Personal Information Bank

As Private Storage is available to every VAC program, every class of record where a program may use Private Storage will be relevant, with limited exception. All applicable VAC Personal Information Banks will be updated to ensure clients/employees are informed of the potential storage of their records within a private facility. Class of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

Information contained in the files that may be located in private storage is created and captured for the purposes of documenting all activities related to the operations of mandated programs delivered by Veterans Affairs Canada and the Veterans Review and Appeal Board as well as the administrative activities that support the operations of the Department.

The legal authority for these programs and activities stems from Departmental enabling legislation and regulations as well as Government of Canada legislation regarding the administrative functions of government. A comprehensive list of this legislation can be made available.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Program or activity that does not involve a decision about an identifiable individual
   • Level of risk to privacy – 1
      
2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
   • Level of risk to privacy – 3
      
3. Program or Activity Partners and Private Sector Involvement
   • Private sector organizations or international organizations or foreign governments
   • Level of risk to privacy – 4
      
4. Duration of the Program or Activity
   • Long-term program
   • Level of risk to privacy – 3
      
5. Program Population
   • The program affects certain individuals for external administrative purposes.
   • Level of risk to privacy – 3
      
6. Technology & Privacy

   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – Yes

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – Yes

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc…

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is transmitted using wireless technologies.
   • Level of risk to privacy – 4
      
8. Risk Impact to the Institution
   • Reputational harm, embarrassment, loss of credibility (Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.)
   • Level of risk to privacy – 4
      
9. Risk Impact to the Individual or Employee
   • Potential for reputational harm, embarrassment; and financial harm.
   • Level of risk to privacy – 2 & 3
      

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Charlotte Stewart
Director General, Service Delivery & Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

Veterans Affairs Canada (VAC) and Service Canada (SC) Partnership

Description of Program or Activity

Canada’s Veterans can access services in more locations through a new partnership between VAC and Service Canada. The objective of the partnership is to provide increased access for Canadians, including Veterans and their families, to general information on VAC's programs and services through Service Canada’s in-person network of offices and Scheduled Outreach sites. This partnership with Service Canada provides Veterans with approximately 600 points of service across the country. In addition to obtaining services through Service Canada, Canadians can continue to access information about VAC programs and services online at veterans.gc.ca or in person at VAC offices and Canadian Forces Bases across Canada.

The PIA assessed the initiative to identify risks to personal information and implement changes to remove or mitigate the risks. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Description of the class of records and Personal Information Bank associated with the program or activity

Class of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

VAC – Service Canada Order in Council # 2011-1348, signed by the Deputy Governor General on November 21, 2011.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • With other federal institutions.

     Level of risk to privacy – 2

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear “sunset”.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used within a closed system.

     Level of risk to privacy – 1

8. Risk Impact to the Institution
   • Organizational harm - Changes to the organizational structure, changes to the organizations decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.

     Level of risk to privacy – 2

9. Risk Impact to the Individual or Employee
   • Inconvenience

     Level of risk to privacy – 1

Privacy Impact Assessment (PIA) summary

Government Institution

Veterans Affairs Canada (VAC)

Government Official Responsible for the Privacy Impact Assessment

Dr. Cyd Courchesne
Director General, Health Professionals

Head of the government institution / Delegate for section 10 of the Privacy Act

Amy Meunier
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Operational Stress Injury (OSI) Clinic Network

Description of Program or Activity

The initial Privacy Impact Assessment on the Operational Stress Injury (OSI) Clinic Network was completed in 2015. All OSI clinics are established through Memoranda of Understandings (MOUs) with provincial health organizations. Veterans Affairs Canada (VAC) purchases mental health care services from these provincial organizations to ensure exclusive access for eligible OSI clients. It is noted that these provincial clinics are subject to their own legislative requirements.

In 2016, an addendum was completed to address changes since the original PIA was written. A new OSI clinic opened in June of 2015, and the former VAC-run clinics at Ste. Anne’s Hospital were officially transferred from the Government of Canada to the Government of Quebec on April 1, 2016. The addendum assessed the risks associated with the transfer of personal information between VAC and the OSI Clinic Network. As well, an examination of the MOUs between VAC and the provincial health clinics was undertaken to assess privacy protection clauses to ensure privacy best practices are addressed and followed in support of the cross-jurisdictional transfer of personal information.

Veterans Affairs Canada (VAC) defines an Operational Stress Injury (OSI) as any persistent psychological difficulty resulting from operational duties performed while serving in the Canadian Armed Forces (CAF) or as a member of the Royal Canadian Mounted Police (RCMP). Operational Stress Injuries are usually associated with a traumatic event but can become heightened when there is a lack of support or resources. They can include post-traumatic stress disorder, anxiety, mood disorders, addictions, sleep disturbances, anger, chronic pain, and relationship problems.

The OSI Clinic network provides specialized mental health care services for eligible Veterans and family members. In 2006 access was extended to still-serving members of the CAF and RCMP.

Description of the class of records associated with the program or activity

Class of Record: Mental Health Services and Supports (VAC MVA 720)
Personal Information Bank: Mental Health (VAC PPU 320)

Legal Authority for Program or Activity

Canadian Forces Members and Veterans Re-establishment and Compensation Act (sections 7 to 10); Pension Act (defintions section a to h); and Veterans Health Care Regulations (sections 3 to 5).

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to Appendix C of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity

   Administration of Programs / Activity and Services

   Level of risk to privacy – 2

2. Type of Personal Information Involved and Context

   Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

   Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

   Level of risk to privacy – 3 & 4

3. Program or Activity Partners and Private Sector Involvement

   With other institutions or a combination of federal, provincial or territorial, and municipal governments.

   Level of risk to privacy – 3

4. Duration of the Program or Activity

   Long-term program

   Level of risk to privacy – 3

5. Program Population

   The program affects all individuals for external administrative purposes.

   Level of risk to privacy – 4

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

      Risk to privacy - No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission

   The personal information is used in a system that has connections to at least one other system.

   The personal information is transferred to a portable device or is printed.

   Level of risk to privacy – 2 & 3

8. Risk Impact to the Institution

   Reputation harm, embarrassment, loss of credibility.

   Level of risk to privacy – 4

9. Risk Impact to the Individual or Employee

   Reputation harm, embarrassment.

   Level of risk to privacy – 2

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

John Walker
Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

Outreach and Visitation Initiative, Service Contract between Veterans Affairs Canada and the RCL

Description of Program or Activity:

The Long-Term Care and Veteran Independence Programs support eligible Veterans and other individuals who require facility-based care to meet their long-term care needs. The Outreach and Visitation Initiative will provide a mechanism by which the Veterans Affairs Canada (VAC or the Department) can maintain contact with Veterans residing in provincial long-term care facilities.

Through a Contract for Service, VAC will use the Royal Canadian Legion (RCL) Dominion Command volunteer network to visit approximately 4,000 Veterans annually who are receiving financial assistance from VAC for long-term care. This initiative will facilitate face-to-face visits with Veterans, providing them with an opportunity to have a conversation and social visit with a volunteer and to raise concerns or identify needs that might be addressed by VAC. The service contract has a duration of one year with the possibility of a one-year renewal.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Class of Record and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.

• Intermediate and Long-Term Care - Class of Record VAC MVA 880
• Non-departmental Institutions – Long Term Care (LTC) - Personal Information Bank VAC PPU 619
• Non-departmental Institutions - Veterans Independence Program (VIP) - Personal Information Bank VAC PPU 618

Legal Authority for Program or Activity

Non-departmental Institutions – Long Term Care

VAC administers the Long Term Care program under Part III and Part IV of the Veterans Health Care Regulations.

Non-departmental institutions - VIP

VAC administers the Veterans Independence Program (Intermediate Care element) under Part II and Part IV of the Veterans Health Care Regulations.

The general authority to enter into a contract is reflected in section 4 of the Department of Veterans Affairs Act and the exercise of such implicit authority is essential to enable the Minister to fulfill his mandate and obligation described therein.

Risk Area Identification and Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.

     Level of risk to privacy – 1

3. Program or Activity Partners and Private Sector Involvement
   • Private sector organizations or international organizations or foreign governments.

     Level of risk to privacy – 4

4. Duration of the Program or Activity
   • Short-term program

     Level of risk to privacy – 2

5. Program Population
   • The program affects certain employees for internal administrative purposes.

     Level of risk to privacy – 1

6. Technology and Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and/or services?

      Risk to privacy - No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer-aided monitoring including audit trails, satellite surveillance, etc. chip with non-programmable logic).

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques. For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system. The personal information is transferred to a portable device or is printed.

     Level of risk to privacy – 2 and 3

   • Risk Impact to the Institution
     • Inconvenience
     • Reputational harm, embarrassment

     Level of risk to privacy – 1 and 2

   • Risk Impact to the Individual or Employee
     • Managerial harm
     • Reputational harm, embarrassment, loss of credibility.

     Level of risk to privacy – 1 and 4

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Raymond Lalonde
Director, National Center for Operational Stress Injuries (NCOSI)

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

VAC-NCOSI Client-Reported Outcomes Monitoring Information System (CROMIS) Initiative

Description of Program or Activity:

CROMIS is a national, web-based software suite that supports ongoing, session-by-session client-reported mental health outcomes tracking. Although the client reports the outcomes, the data base does not have information that can be used to identify the Veteran or other individual served by VAC. The approach is to monitor important mental indicators to prevent deterioration and/or premature drop-out, by accurately identifying those at risk and providing actionable, “just-in-time” evidence-informed recommendations to client and clinician alike. The software (OQ-Analyst) has been demonstrated in randomized controlled trials not only to facilitate clinical performance monitoring in mental health care systems, but also to actually improve clinical outcomes.

The National Centre for Operational Injuries at VAC is using this client-reported outcome monitoring system to better evaluate the effectiveness of the Operational Stress Injury Clinic (OSIC) Network.

The PIA assessed the initiative to identify risks to personal information and implement changes to remove or mitigate the risks. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Mental Health Services and Supports: Class of Record
Mental Health: Personal Information Bank

Legal Authority for Program or Activity

The information collected and held by VAC in relation to the CROMIS initiative is done so under various legislated programs under the responsibility of the Department.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIA s to learn more about the risk scale.

1. Type of Program or Activity
   • Program or activity that does NOT involve a decision about an identifiable individual
   • Personal information is used strictly for statistical / research or evaluations (including mailing lists) where no decisions are made that directly have an impact on an identifiable individual. The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection requires that government institutions establish an institutional Privacy Protocol for addressing non-administrative uses of personal information.
   • Level of risk to privacy – 1 – NCOSI
   • Administration of Programmes / Activity and Services
   • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programmesprograms including authentication for accessing programmesprograms/services, administering programmeprogram payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.
   • Level of risk to privacy – 2 – OSIC
2. Type of Personal Information Involved and Context
   • Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and / or the context surrounding the personal information is particularly sensitive.
   • Level of risk to privacy – 4
3. Program or Activity Partners and Private Sector Involvement
   • With other or a combination of federal/ provincial and/or municipal government(s) ( Private Sector hosting).
   • Level of risk to privacy – 3
4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".
   • Level of risk to privacy – 3
5. Program Population
   • The program affects all individuals for external administrative purposes.
   • Level of risk to privacy – 3
6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
      Risk to privacy – Yes
   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services? Risk to privacy – No
   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic). Risk to privacy – No
   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc… Risk to privacy – No
   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA , government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior. Risk to privacy – Yes The clinicians of the OSIC will utilize the software’s automated personal information analysis, personal information matching and knowledge discovery capabilities.
7. Personal Information Transmission
   • The personal information is transferred to a portable device or is printed. USB key, diskette, laptop computer, any transfer of the personal information to a different medium.
   • Level of risk to privacy – 3
8. Risk Impact to the Institution
   • Reputation harm, embarrassment, loss of credibility.
   • Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.
   • Level of risk to privacy – 4
9. Risk Impact to the Individual or Employee
   • Reputation harm, embarrassment.
   • Level of risk to privacy - 2

Privacy Impact Assessment (PIA) Summary

Government Institution

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Hélène Robichaud
A/Director General, Commemoration Division

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

International Commemorative Activities

Description of Program or Activity:

The Government of Canada, led by Veterans Affairs Canada, is commemorating significant milestones from the First and Second World Wars. Beginning in 2016, the commemoration activities include the 100^th anniversary of the Battles of the Somme and Beaumont-Hamel in July 2016, the 100^th anniversary of the Battle of Vimy Ridge in April 2017, the 75^th anniversary of the Dieppe Raid in August 2017, and the 100^th anniversary of the Battle of Passchendaele in November 2017. In response to changing security environments, certain governments are seeking more identifying personal information than in the past, which led to the need to assess the privacy risks of such a request.

The Privacy Impact Assessment is comprised of two parts: a) privacy risks associated with the Beaumont-Hamel commemorative event in July 2016; and b) an addendum that includes a post-event analysis applicable to future international commemorative activities. At the conclusion of the July 2016 Beaumont-Hamel commemorative event, the approach towards the collection, disclosure and retention of the personal information was modified to reduce risks that were identified during the event for the continually evolving program delivery in a manner that balances security and the privacy rights of individuals. The additional risks and mitigation measures that were implemented are documented in a post-event analysis that forms an addendum to this Privacy Impact Assessment.

In December 2018, an addendum to Privacy Impact Assessment (PIA) was completed to better reflect all International Commemorative Activities as opposed to only 2016 events. With an increased terror level across the globe, this addendum focused on necessary security safeguards, for both attendees and their personal information. No new risks were identified in the addendum process and all previous risks identified in the 2016 PIA have been mitigated.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Class of Record: Ceremonies and Events (VAC MVA 755)

Personal Information Bank: Ceremonies and Events (VAC PPU 621)

Legal Authority for Program or Activity:

Order in Council P.C. 1965-688

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1) Type of Program or Activity

Administration of Programs / Activity and Services

Criminal investigation and enforcement / National Security

Level of risk to privacy – 2 and 4

2) Type of Personal Information Involved and Context

Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy – 2, 3 and 4

3) Program or Activity Partners and Private Sector Involvement

With other federal institutions

Private sector organizations or international organizations or foreign governments

Level of risk to privacy – 2 and 4

4) Duration of the Program or Activity

Long-term program

Level of risk to privacy – 3

5) Program Population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy – 3

6) Technology & Privacy

a) Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy – No

b) Is the new or modified program or activity a modification of IT legacy systems and/or services?

Risk to privacy – No

c) Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy – No

d) Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance/interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy – No

e) Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behaviour.

Risk to privacy – No

7) Personal Information Transmission

The personal information is used in a system that has connections to at least one other system.

The personal information is transferred to a portable device or is printed.

Level of risk to privacy – 2 and 3

8) Risk Impact to the Institution

Managerial harm

Reputational harm, embarrassment, loss of credibility

Level of risk to privacy – 1 and 4

9) Risk Impact to the Individual or Employee

Physical harm

Level of risk to privacy – 4

Privacy Impact Assessment (PIA) Summary

Government Institution

Veterans Affairs Canada (VAC)

Government Official Responsible for the Privacy Impact Assessment

Sandra Williamson
Director, Long Term Care and Disability Benefits

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird
A/Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Long Term Care Program and Veterans Independence Program – Intermediate Care

Description of Program or Activity:

Every year on October 1, as stipulated in the Veterans Health Care Regulations (VHCRs), Veterans Affairs Canada (VAC) adjusts the monthly amount that Veterans in long term care facilities must contribute to their accommodation and meals (A&M) costs. Recipients of support through the Long Term Care (LTC) program and the Veterans Independence Program – Intermediate Care (VIP-IC) may be required to pay for the cost of accommodation and meals (A&M) up to a maximum amount. The amount of A&M that an individual contributes is based on an analysis of their income. An income analysis will also determine if the individual is eligible for long term care as income-qualified. As a result, VAC has entered into an agreement with Canada Revenue Agency (CRA) by way of a Memorandum of Understanding (MOU) which enables VAC to obtain income information directly from CRA. Obtaining the income data in this manner, with the individual’s consent, will ensure accurate income amounts are available and will result in a reduction of administrative burden on eligible Veterans and civilians and will result in significantly less processing time for VAC staff.

Description of the class of record and the Personal Information Bank

The Class of Record: Intermediate and Long Term Care (VAC MVA 880) Personal Information Banks: Non-departmental Institutions – Long Term Care (VAC PPU 619) and Non-departmental institutions - VIP (VAC PPU 618). These can be viewed at: VAC's Info Source Chapter.

Legal Authority for Program or Activity

Non-departmental Institutions – Long Term Care - VAC has authority to collect the information as it relates directly to and is required for the administration of VAC’s legislatively mandated program, the Long Term Care program. The information is specifically related to the determination of income-based eligibility for this program and the amount of Accommodation and Meals contributions under the VHCRs made under the Department of Veterans Affairs Act. Long Term Care (Non-departmental Institutions - LTC) is administered under Part III and IV of the VHCRs made under the Department of Veterans Affairs Act and is a VAC health care program which has income-based components.

Non-departmental institutions - VIP - VAC has authority to collect the information as it relates directly to and is required for the administration of VAC’s legislatively mandated program, the Veterans Independence Program. The information is specifically related to the determination of Accommodation and Meals contributions under the VHCRs made under the Department of Veterans Affairs Act. The Veterans Independence Program (Non-departmental Institutions - VIP) is administered under Part II and IV of the VHCRs made under the Department of Veterans Affairs Act and is a VAC health care program which has income-based components.

SIN Collection
Non-departmental Institutions -Long Term Care and Non-departmental Institutions – VIP VAC has authority to collect information, including SINs, that relates directly to and is required for the administration of the LTC Program and VIP in accordance with the Department of Veterans Affairs Act and the VHCRs. SIN's are required to obtain income information necessary for the administration of these programs. The LTC and VIP programs are Income and Health Care Programs of VAC which are authorized to collect SINs under the Treasury Board Directive on Social Insurance Numbers.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services.

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Within the institution (amongst one or more programs within the same institution)

     With other federal institutions

     Level of risk to privacy – 1&2

4. Duration of the Program or Activity
   • Long-term program.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission

   Level of risk to privacy – 2

8. Risk Impact to the Institution

   Potential for managerial harm (processes must be reviewed, tools must be changed, change in provider / partner); financial harm (lawsuit, additional moneys required, reallocation of financial resources); and reputational harm, embarrassment, loss of credibility (decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.)

   Level of risk to privacy – 1, 2, 3 & 4

9. Risk Impact to the Individual or Employee

   Potential for inconvenience, reputational harm, embarrassment and financial harm.

   Level of risk to privacy – 1, 2, & 3

Privacy Impact Assessment (PIA) Summary

Government Institution

Veterans Affairs Canada (VAC)

Human Resources and Skills Development Canada (HRSDC)

Government Official Responsible for the Privacy Impact Assessment

Maureen Sinnott
A/Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

HRSDC and VAC – Information Sharing Exchanges

Description of Program or Activity:

HRSDC and VAC have proposed a Memorandum of Understanding (MOU) to provide the necessary framework for the exchange of personal information relevant to the administration of VAC programs. A PIA has been conducted jointly between HRSDC and VAC to determine any privacy issues associated with the proposal and to recommend measures to mitigate or resolve them. The purpose of the Memorandum of Understanding (MoU) between Human Resources and Skills Development Canada (HRSDC) and Veterans Affairs Canada (VAC) is to enhance, and enable the seamless access to benefits available to veterans. Old Age Security (OAS) and Canada Pension Plan (CPP) applicants’ and beneficiaries’ information will be shared by HRSDC with VAC to administer the War Veterans Allowance (WVA), the Veterans Independence Program (VIP), Long Term Care Program (LTC), Earnings Loss Benefit (EL), and Canadian Forces Income Support Benefit (CFIS).

Description of the class of record and the Personal Information Bank

Class of Record and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.

• War Veterans Allowance – Class of Record VAC MVA 680
• War Veterans Allowance Personal Information Bank VAC PPU 040M
• Intermediate and Long-Term Care - Class of Record VAC MVA 880
• Non-departmental Institutions - Veterans Independence Program (VIP) - Personal Information Bank VAC PPU 618
• Non-departmental Institutions – Long Term Care (LTC) - Personal Information Bank VAC PPU 619
• Financial Benefits – Class of Record VAC MVA 845
• Earnings Loss – Personal Information Bank VAC PPU 607
• Canadian Forces Income Support – Personal Information Bank VAC PPU 608

Legal Authority for Program or Activity

• Department of Veterans Affairs Act,
• War Veterans Allowance Act,
• Civilian War-Related Benefits Act,
• Canadian Forces Members and Veterans Re-establishment and Compensation Act,
• Canadian Forces Members and Veterans Re-establishment and Compensation Regulations,
• Veterans Health Care Regulations,
• Department of Human Resources and Skills Development Act, and the
• Department of Human Resources and Skills Development Regulations

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services.

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Within the Department and with other Federal institutions.

     Level of risk to privacy – 1&2

4. Duration of the Program or Activity
   • Long-term program or activity.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – Yes

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system.
   • The personal information is transferred to a portable device or is printed.
   • Information that is exchanged between HRSDC and VAC on a case by case basis is printed.

     Level of risk to privacy – 2&3

8. Risk Impact to the Institution
   • Managerial harm
   • Organizational harm
   • Financial Harm
   • Reputational harm, embarrassment, loss of credibility.

     Level of risk to privacy – 1, 2, 3 & 4

9. Risk Impact to the Individual or Employee
   • Inconvenience
   • Reputational harm, embarrassment
   • Financial harm

     Level of risk to privacy – 1, 2 & 3