Disclosure

Privacy Impact Assessment (PIA) summary

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Faith McIntyre
Director, Ste. Anne’s Hospital Transfer Project

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

Human Resources Planning

Description of Program or Activity

Ste. Anne’s Hospital is recognized around the world for its expertise in geriatrics and mental health. With the potential Ste. Anne’s Hospital transfer from VAC to the Government of Quebec, Veterans will continue to receive exceptional care in this centre of excellence on the leading edge of clinical innovation. The transfer of Ste. Anne’s Hospital will provide long-term benefits to Veterans, Hospital staff and Quebec residents alike. There is a declining demand for long-term care beds for traditional Veterans at the Hospital. Transferring Ste. Anne’s Hospital to the Government of Quebec will help to maintain and maximize the Hospital’s expertise in geriatrics and psychogeriatrics, and provide bed availability for others.

The PIA completed in 2012–2013 assessed the privacy impacts of sharing Human Resources information with the Government of Quebec. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC). An additional PIA on the entire scope of the transfer is to be completed in the 2013–2014 fiscal year.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Human Resources Planning: Class of Record
Human Resources Planning: Personal Information Bank

Legal Authority for Program or Activity

Financial Administration Act (FAA) – sections 11 to 13 and Department of Veterans Affairs Act – sections 4 and 5.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services
    • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
    • Level of risk to privacy – 2
  2. Type of Personal Information Involved and Context
    • Only personal information provided by the individual – at the time of collection – relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities.
    • The context in which the personal information is collected is not particularly sensitive.
    • Level of risk to privacy – 1
  3. Duration of the Program or Activity
    • One time program or activity
      Note: While information may be shared periodically during the transfer process, this is considered a “one-time” activity as the need for future sharing will be eliminated once the transfer occurs.
    • Typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism.
    • Level of risk to privacy – 1
  4. Program Population
    • The program affects all individuals for external administrative purposes.
    • Level of risk to privacy – 4
  5. Training and Understanding of Privacy and Personal Information Protection
    • A systematic privacy training and/or awareness plan is in place and sessions are provided and/or made available to employees and sectors or the government institution.
    • Level of risk to privacy – 2
  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
      Risk to privacy – No
    2. Is the new or modified program or activity a modification of IT legacy systems and / or services?
      Risk to privacy – No
    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
      Risk to privacy – No
    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
      Risk to privacy – No
    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
      Risk to privacy – No
  7. Personal Information Transmission
    • The personal information is transferred to a portable device or is printed. USB key, diskette, laptop computer, any transfer of the personal information to a different medium.
    • Level of risk to privacy – 3
  8. Risk Impact to the Institution
    • Organizational harm - Changes to the organizational structure, changes to the organization's decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.
    • Level of risk to privacy – 2
  9. Risk Impact to the Individual or Employee
    • Inconvenience
    • Level of risk to privacy – 1
 

Privacy Impact Assessment (PIA) summary

Government Institution

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Elizabeth Douglas
Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
A/Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Priority Hiring

Description of Program or Activity

The Government of Canada (GoC) proposed amendments to the Public Service Employment Act (PSEA) enhancing hiring opportunities for certain serving and former members of the Canadian Armed Forces (CAF) through the introduction of Bill C-27 (Veterans Hiring Act). The amendments establish a right of appointment, in priority to all other persons, for certain members of the CAF who are medically released for reasons that the Minister of Veterans Affairs determines are attributable to service. Amendments received Royal Assent on March 31, 2015.

To implement these amendments, Veterans Affairs Canada (VAC) has partnered with the Public Service Commission (PSC) and the Department of National Defence (DND) to ensure efficient program delivery. As part of this initiative, CAF members will be able to apply to VAC to seek determination regarding whether their medical release is attributable to military service. All other aspects of delivery for this initiative will be completed by DND or the PSC. There is no information sharing from VAC to either of the other two federal organizations – the medical determination letter is provided to the applicant and they retain control over whether or not to proceed with their participation in the program.

Description of the Class of Record and Personal Information Bank associated with the program or activity

Veterans Hiring Act Initiative (VAC PPU 704)

Legal Authority for Program or Activity

Personal information is collected under the authority of subsection 39(1) of the Public Service Employment Act.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs/Activity and Services - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).

      Level of risk to privacy – 2

  2. Type of Personal Information Involved and Context
    • Personal information, with no contextual sensitivities after the time of collection, provided by the individual with consent to also use personal information held by another source.

      Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

      Level of risk to privacy – 2,3

  3. Program or Activity Partners and Private Sector Involvement
    • With other federal institutions.

      Level of risk to privacy – 2

  4. Duration of the Program or Activity
    • Long-term program - Existing program that has been modified or is established with no clear “sunset”.

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - No

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

  7. Personal Information Transmission
    • The personal information is used in a system that has connections to at least one other system.

      Level of risk to privacy – 2

  8. Risk Impact to the Institution
    • Reputation harm, embarrassment, loss of credibility. Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.

      Level of risk to privacy – 4

  9. Risk Impact to the Individual or Employee
    • Reputation harm, embarrassment

      Level of risk to privacy – 2

 

This Privacy Impact Assessment (PIA) evaluates whether the Human Resources Management System (GC HRMS PeopleSoft v.8.9) as it has been implemented by Veterans Affairs Canada (VA) complies with privacy requirements.

The scope of this PIA is limited to the GC HRMS v.8.9 upgrade and reflects the status of PeopleSoft as of March 2007. It focuses on VA employees' personal Human Resources information collected, used, disclosed, and retained in the PeopleSoft system.

The PIA review, conducted by Government Consulting Services, identifies three (3) areas of concern regarding privacy requirements. To resolve these identified privacy issues, mitigation measures have been recommended as follows:

Safeguarding personal information

  • Conduct a Threat and Risk Assessment (TRA), develop a contingency plan to ensure that security measures are equal to the sensitivity of personal information collected, and thoroughly address any risks identified in the TRA.

Accountability and performance measurement

  • For the program custodian of personal information, ensure that accountability is documented and performance requirements are developed.
  • Arrange with VA's Audit and Evaluation Branch for regular Audits of Compliance against privacy requirements.

Procedures and documentation

  • Review person-to-person procedures and electronic processes for collection of personal information and ensure that documentation of purpose, authority, and consent are consistent across all collection processes.
  • Continue discussions with Canada Public Service Agency (CPSA) regarding retention and disposition of personal information.

The above mitigation strategies, when implemented, will bring VA into agreement with privacy requirements.

 

About Government On-Line (GOL)

An initiative of the Government of Canada, the goal of GOL is to use information and communication technology to provide Canadians with increased access to citizen-centred, integrated services - anytime, anywhere - in the language of their choice. This initiative allows Canadians and organizations to access general information about Government of Canada programs and services, to apply for services on-line, and, in some cases, allows individuals to access personal information about themselves collected and used by various government institutions.

The VA Benefits and Health Services On-Line Project (B&HSOL):

  • permits clients with an ePass digital certificate to apply on-line for disability pension benefits;
  • allows clients with an ePass digital certificate to make an on-line request for a review of existing pension entitlements;
  • provides for the electronic transmission of health information required to support the disability pension application; and
  • provides clients with an on-line process to track their pension transactions.

This Privacy Impact Assessment (PIA) describes the On-Line Disability Pension Submissions system component of the B&HSOL Project and demonstrates the considerations and steps taken to protect the client's personal information when it is being transferred electronically. The On-Line Disability Pension Submissions system allows VA clients to submit disability pension applications on-line for new entitlements or to request a review of existing benefits. Both electronic requests provide clients with on-line receipt acknowledgements and appropriate linkages to the Client Service Delivery Network (CSDN), an integrated system that supports the delivery of benefits and services associated with the Disability Pension, Economic Support and Health Care programs of the Department.

VA is committed to protecting the personal information of its clients and has taken measures to ensure that this system conforms to the principles of the Privacy Act and Regulations and the Treasury Board policy on Privacy and Data Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The Outstanding Issues portion of this PIA identifies three privacy-related issues to be resolved. These issues relate mostly to documented processes within VA and are considered to be low risk.

  • Electronic Document Management: VA does not currently have an electronic document management system; however, the Information Technology Division's Information Management component is examining the possibility of implementing electronic document management in the future. Until implementation of an electronic document management system, disability pension applications submitted on-line will reside on the electronic system.
  • Documented Procedures: Documented procedures for protecting personal information and reporting security and privacy breaches will be reviewed to ensure that they are complete and up to date.
  • Personal Information Bank entries in Info Source publication: A review of existing VA Personal Information Banks will be completed to ensure that relevant entries reflect changes resulting from the availability of the On-Line Disability Pension Submissions system.
 

About Government On-Line (GOL)

An initiative of the Government of Canada, the goal of the GOL initiative is to use information and communication technology to provide Canadians with increased access to citizen-centred, integrated services – anytime, anywhere – in the language of their choice. This initiative allows Canadians and organizations to access general information about Government of Canada programs and services, to apply for services on-line, and, in some cases, allows individuals to access personal information about themselves collected and used by various government institutions.

This Privacy Impact Assessment (PIA) describes the Benefits and Health Services On-Line (B&HSOL) system and demonstrates the considerations and steps taken to protect the client's personal information when it is being transferred electronically.

About the B&HSOL system

Veterans Affairs (VA) has developed a system for on-line submissions of electronic health assessment forms using the B&HSOL system. The B&HSOL system will allow VA District Office Nurses (DON) to select specific forms for clients and forward them to a contracted health professional for completion. The System will allow VA's contracted health professionals to digitally receive, sign and submit standard nursing assessment reports (or forms) on-line once the health professional has registered for a Public Key Infrastructure (PKI) certificate and enrolled in the B&HSOL system.

Once the appropriate DON closes a form, it will be available for viewing only through the Client Inquiry functionality in B&HSOL and the Client Service Delivery Network (CSDN), an integrated system that supports the delivery of benefits and services associated with the Disability Pension, Economic Support and Health Care programs of the Department. Only VA employees will have access to view completed client assessment forms; contracted health professionals will not have access to the Client Inquiry functionality. A VA employee's access to view completed forms will be based on restricted system access profile grids for B&HSOL and CSDN. Clients will not have on-line access to their completed forms, but this information will be accessible to clients through a formal request under the Privacy Act.

To support the on-line system, VA will subscribe to the service provided by Public Works and Government Services Canada's (PWGSC) Secure Applications and Key Management Service (SAKMS) to enable electronic program delivery via the Internet in a secure environment. This information is protected by Secure Sockets Layer (SSL), Entrust TruePass technology and based on guidelines from the Communications Security Establishment (CSE). VA will use major elements of Secure Channel's service capabilities to support communication and interaction between VA and its contracted health professionals including SCNet, a government-wide telecommunications network for connecting departmental systems.

About the PIA

Veterans Affairs is committed to protecting the personal information of its clients and has taken measures to ensure that this system conforms to the principles of the Privacy Act and Regulations and the Treasury Board policy on Privacy and Data Protection that govern the collection, use, correction, protection, retention and disposal of personal information.

The Outstanding Issues portion of this PIA identifies two privacy-related issues. Both issues relate to processes within VA and are considered to be low risk.

  • Control and Custody of Records: Third-party health professionals need to be made aware that their obligations with respect to record retention and client information, currently written into standard contracts, carry over into the electronic domain. A formal notification process for third-party users will mitigate this risk.
  • Electronic Document Management: As VA does not currently have an electronic document management system, all forms will have to be printed and sent to VA's Records section. This issue will continue to be explored by the Strategic Information Management Group as it has been addressed in the recent Information Management Capacity Check (IMCC).
 

Various technologies have been identified to aid in meeting the Service Delivery Branch’s commitment to modernize and improve the delivery of services to Veterans and other individuals, partnerships and opportunities. Utilizing modern digital imaging technology, service health records are now being transferred to an electronic format by the Public Works and Government Services Canada (PWGSC) digital imaging centre in Matane, Québec. This allows Veterans Affairs Canada (VAC) employees immediate access to records, regardless of physical location, in order to begin processing applications for benefits and services to meet the needs of the Veteran or other individual served by VAC.

Digital Imaging will lead to:

  • Reduced disability program wait times;
  • Decreased number of recalled records from Library and Archives Canada (LAC);
  • Simultaneous access by all authorized users for multiple purposes, e.g., processing, status update, reporting; and
  • Partnerships with PWGSC and LAC.

The Privacy Impact Assessment (PIA) identified a number of risks for which mitigating measures were recommended and implemented. The PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Addendum to the PIA on Service Health Records Digital Imaging Initiative (SHRDII) – Transition of Outside Documents Preparation to Public Services and Procurement Canada (PSPC)

The initial PIA on the Service Health Records Digital Imaging Initiative (SHRDII) was completed in 2011. Since that time, changes related to VAC’s transformation resulted in the closure of its Outside Documents Unit (OSD) and the transfer of these responsibilities to PWGSC (now known as Public Services and Procurement Canada (PSPC)) in Matane, Quebec, on June 28, 2013. The services now provided by PSPC for Service Health Records (SHRs) retrieved from LAC and/or the Royal Canadian Mounted Police (RCMP) in response to VAC applications for programs/benefits/services were examined.

The assessment focussed on the transition of the provision of the services of the OSD to PSPC and included documenting the process for the retrieval of SHRs, the use and internal disclosure of these records and the final disposition.

Risks identified within the Addendum have either been mitigated or addressed through mitigation plans. Risks identified in the SHRDII PIA in 2011 were previously addressed and completed through mitigation strategies that were shared with the OPC.

VAC is committed to continue monitoring and providing ongoing communications, training and awareness to management and staff concerning the protection of personal information.

Legal Authority for Activity

The authority for VAC to collect and use the personal information that is contained in the Service Health Records of applicants for benefits is established under Section 6.6 of the Department of Veterans Affairs Act, Subsection 109(1) and Section 109.1 of the Pension Act, Part II of the RCMP Superannuation Act, Section 80 of the Canadian Forces Members and Veterans Re-establishment Act, and Section 30(1.1) of the War Veterans Allowance Act.

 

This report presents the findings of the Privacy Impact Assessment (PIA) of the Long Term Care (LTC) Program. On June 18, 2009, amendments to the Veterans Health Care Regulations and the War Veterans Allowance Act received Royal Assent expanding the WVA Program and associated benefits, including those that fall under the LTC Program, to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Long Term Care Program, including the current expansion to Allied Veterans. This PIA reflects the status of the LTC Program as of December 1, 2009.

The LTC Program dates back to 1915 when departmental health care facilities were first established to care for injured and disabled Veterans. Over the years, the clients' needs have changed and demand for acute and rehabilitative care has declined. Today the LTC Program works in cooperation with the provinces, territories, regional health authorities and long-term care facilities to financially support eligible Veterans in an appropriate long-term care setting where their assessed health care needs can be met.

About the Privacy Impact Assessment (PIA)

This Privacy Impact Assessment reflects an analysis of the Long Term Care Program but does not include the assessment of the gateway for eligibility to the LTC Program, which is provided through the War Veterans Allowance (WVA) Program. A separate assessment of the WVA Program has been conducted.

VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Long Term Care Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The PIA reviews how personal information is being collected, used and disclosed throughout the life cycle of the LTC Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The LTC Program PIA has identified six potential privacy risks.

Risk #1 - Inadvertent collection of the Social Insurance Number (Risk Rating: Medium)

Issue:

There is an almost certain likelihood that non-essential personal information, including the Social Insurance Number (SIN), will be inadvertently provided to VAC on documentation that will demonstrate eligibility. As proof of eligibility for Allied Veterans, VAC requests documentation such as an Old Age Security (OAS) cheque stub, which does contain the SIN. As the SIN is a highly sensitive piece of information, the use of which is governed by TBS policy, it has been determined that since the sensitivity of the information is high, there are increased risks in the unlikely event of a breach.

Management Plan:

Upon receipt of proof of the OAS for Allied Veteran eligibility, staff will ensure the SIN, which has been inadvertently provided on proof documentation, is removed by blacking out the SIN on information that is retained on file. A directive will be issued to staff to advise of the protocol to follow once in receipt of a SIN.

Risk #2 - Use of VAC 520 and VAC 520-5: Authority to Release Personal Information (Risk Rating: Low)

Issue:

An Authority to Release Personal Information form (VAC 520 or 520-5) may be required if a client requests that a family member/friend obtain information on his behalf from VAC. Past experience has shown that clients do not fully understand when and how the Authority to Release Personal Information form should be used. The form requires further explanation to ensure clients understand the intended purpose of the form and when and how to properly complete it.

Management Plan:

A guide will be prepared to include clear instructions, both for VAC staff and clients, as to when the form should be used and how to properly complete the required elements. Communication to VAC staff members will be provided to ensure they fully understand the intended purpose of the form and are able to explain this to clients to obtain informed consent.

Risk #3 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)

Issue:

VAC's electronic systems, the Client Service Delivery Network (CSDN) and the Residential Care Support System (RCSS), do not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.

Management Plan:

This is a departmental risk that is not solely related to the Long Term Care Program. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.

Risk #4 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)

Issue:

A Threat and Risk Assessment (TRA) has not been completed on the Long Term Care Program, which may lead to sensitive information not being properly identified and protected.

Management Plan:

The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Long Term Care Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.

Risk #5 - Lack of National Business Processes (Risk Rating: Low)

Issue:

While there is a renewed National Long-Term Care Strategy to help provide Veterans with more options for the care they need in the location they prefer, the LTC Program lacks written business processes and procedures that would provide consistency through the Department, and the District and Regional Offices. Service delivery, training and understanding by all staff of the LTC Program can be affected by the lack of consistent written business processes.

Management Plan:

Program policies, directives and processes are currently under development. Privacy specialists will be available for consultation to ensure that the information collected and disclosed is appropriate. Upon completion of the writing of the business processes and procedures, training, if required, will be provided to staff.

Risk #6 - Privacy Notice Statements (Risk Rating: Low)

Issue:

Several forms used in the Long Term Care Program either lack privacy notice statements or have notice statements which do not comply with Treasury Board requirements and VAC standards.

Management Plan:

The VAC 549: Allied Service - Eligibility for Long Term Care, the VAC 1415: Nursing Assessment and the Residential Care Decision Form will be updated to include an appropriate privacy notice statement.

Conclusion

Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.

 

This report presents the findings of the Privacy Impact Assessment (PIA) of the Health Care Benefits Program. On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance (WVA) Program and associated benefits, including those that fall under the Health Care Benefits Program, to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Health Care Benefits Program, including the current expansion to Allied Veterans. This PIA reflects the status of the Health Care Benefits Program as of October 31, 2009.

Health care benefits and services have been extended to Veterans in one form or another since the end of the First World War (1914-1918). Following the Second World War (1939-1945), the Department of Veterans Affairs, newly formed in 1944, recognized the need to provide large scale sustained rehabilitation programs to meet the needs of Veterans who returned home wounded, or had served, and were finding the return to civilian life challenging for various reasons. What resulted was the development of a comprehensive set of programs to address the challenges faced by Veterans, including medical treatments.

About the Privacy Impact Assessment (PIA)

This Privacy Impact Assessment reflects an analysis of the Health Care Benefits Program activities that are delivered by VAC but does not include the claims administration which is handled under contract by a third-party administrator. The scope of this PIA is limited to the Health Care Benefits Program from the point at which a positive eligibility decision under certain programs establishes a client’s eligibility for Health Care Benefits.

Veterans Affairs Canada is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Health Care Benefits Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the Health Care Benefits Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The Health Care Benefits Program PIA has identified five potential privacy risks.

Risk #1 - Guidance Required Relating to the Collection and Disclosure of Personal Information (Risk Rating: Low)

Issue:

The majority of personal information required to provide authorizations and approvals for benefits and services is collected indirectly from service providers and health care professionals. There is a lack of guidance relating to the collection and disclosure of personal information that could lead to the collection of unnecessary information and the unauthorized disclosure of information.

Management Plan:

This risk is deemed low as there is implied consent provided by the client that the required information may be exchanged to facilitate the delivery of services and benefits when he provides his health card number to a service provider. To minimize the risks associated with this activity and to ensure that the exchange of information is limited to that which is required to deliver services and benefits, information required for the purposes of providing authorizations and approvals will be identified and guidance on the collection, use and disclosure of personal information will be communicated to staff.

Risk #2 - Privacy Notice Statements (Risk Rating: Low)

Issue:

Some of the forms used for the collection of personal information in the Health Care Benefits Program do not have privacy notice statements. For many of the Programs of Choice (POC), forms are not the typical method of collection of personal information. There does not appear to be a documented consistent message to inform clients of their rights with respect to the collection, use and disclosure of information.

Management Plan:

Review and update the privacy notice statements on forms and establish/document notices related to eligibility for Health Care Benefits to conform with Treasury Board requirements and VAC standards.

Risk #3 - Use of the Agreement and Consent Form (Risk Rating: Medium)

Issue:

The Agreement and Consent Form is used to obtain consent from clients to collect information in relation to varying diagnoses, treatments and services rendered by service providers and health care professionals. The form contains only the date, the client signature and the witness signature, making it difficult to identify the client. There is a lack of clarity regarding how the form will be used, and for how long, and no information is provided about the consequences of a refusal to sign the form. As a result, the client may not be fully informed of his rights.

Management Plan:

The Agreement and Consent Form will be revised to include the necessary client identifiers to enable proper linkage to the correct client and to explain the length of validity. Clear information will be provided to the client that will explain when and how consent will be used.

Risk #4 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)

Issue:

VAC’s electronic systems, the Client Service Delivery Network (CSDN) and the Federal Health Claims Processing System (FHCPS), do not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.

Management Plan:

This is a departmental risk that is not solely related to the Health Care Benefits Program. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.

Risk #5 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)

Issue:

A Threat and Risk Assessment (TRA) has not been completed on the Health Care Benefits Program, which may lead to sensitive information not being properly identified and protected.

Management Plan:

The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Health Care Benefits Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.

Conclusion

Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.

 

This report presents the findings of the Privacy Impact Assessment (PIA) of the Funeral and Burial Program (FBP). On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance (WVA) Program and associated benefits, including those that fall under the Funeral and Burial Program, to add Allied Veterans and other individuals as eligible recipients. The expansion and the amendments to the program afforded the opportunity to perform a PIA of the Funeral and Burial Program. This PIA reflects the status of the Funeral and Burial Program as of November 23, 2009.

The Funeral and Burial Program allows Veterans Affairs Canada (VAC) to provide financial assistance so that eligible Veterans and other individuals receive a dignified funeral and burial. The Last Post Fund (LPF), a non profit corporation, administers funeral, burial and grave-marking services on behalf of VAC. The LPF is a registered charity that has been serving Canada’s Veterans since it was originally created in 1909. In 1921, the organization was federally incorporated as the Last Post Fund. With federal funding, it began to offer services from coast to coast providing assistance to eligible Veterans throughout Canada. In 1995, changes were made to existing funeral, burial and grave marking programs. The LPF was mandated to solely administer the Funeral and Burial Program on behalf of VAC.

About the Privacy Impact Assessment (PIA)

This Privacy Impact Assessment reflects an assessment of the entire Funeral and Burial Program.

VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Funeral and Burial Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the Funeral and Burial Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The Funeral and Burial Program PIA has identified five potential privacy risks.

Risk #1 - Privacy Notice Statement (Risk Rating: Low)

Issue:

There is no privacy notice statement on the Application for Funeral and Burial Benefits; therefore, the privacy requirements to provide clients with information about the collection, use and disclosure of their personal information are not being met.

Management Plan:

The Funeral and Burial Application will be enhanced with the addition of a Privacy Notice Statement.

Risk #2 - Email address is collected on the application form (Risk Rating: Low)

Issue:

The Application for Funeral and Burial Benefits collects an applicant’s (executor or survivor) Email address. VAC Security and Real Property Services Division has not authorized the use of Email to communicate with clients.

Management Plan:

VAC is committed to ensuring that adequate measures are in place to protect the privacy of clients in the delivery of the Funeral and Burial Program. At this time, VAC will accept the risk associated with collecting an applicant’s Email address and communicating via Email. However, options will be explored to minimize the risk associated with the Email collection and communication (e.g. informing clients about the risks of using Email) and the most appropriate option will be implemented by the program area.

Risk #3 - Secondary use identified that has not been noted in the Personal Information Bank (Risk Rating: Low)

Issue:

Upon a favourable decision for the Funeral and Burial Program, a copy of the client’s decision letter is forwarded to Honours and Awards to be reviewed for possible medal implications. This secondary use of information is not currently listed within the new Funeral and Burial Personal Information Bank.

Management Plan:

An update to the Funeral and Burial Personal Information Bank will be actioned to include this secondary use.

Risk #4 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)

Issue:

VAC's electronic system, the Client Service Delivery Network (CSDN), does not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.

Management Plan:

This is a departmental risk that is not solely related to the Funeral and Burial Program. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.

Risk #5 - A Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)

Issue:

A Threat and Risk Assessment (TRA) has not been completed on the Funeral and Burial Program, which may lead to sensitive information not being properly identified and protected.

Management Plan:

The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Funeral and Burial Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.

Conclusion

Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.

 

This report presents the findings of the Privacy Impact Assessment (PIA) on the Assistance Fund (AF). On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance Program and associated benefits to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Assistance Fund including the current expansion to Allied Veterans. This PIA reflects the status of the Assistance Fund as of October 31, 2009.

The purpose of the Assistance Fund (AF) is to provide War Veterans Allowance (WVA) recipients, residing in Canada, with financial assistance to meet an emergency or unexpected contingency for which they do not have the resources.

The AF is delivered as a grant and cannot exceed $1,000 per calendar year per recipient. This grant complements the WVA by providing additional financial support for recipients of WVA, who are in an emergency situation or at risk of being in an emergency situation (e.g. the need to replace a furnace; depending on the time of year, this would be an emergency or a “near emergency”). These clients, already deemed to be low-income by virtue of receiving the WVA, do not have the financial resources to cover the costs of their emergency and without support their health or safety will be at risk.

About the Privacy Impact Assessment (PIA)

This Privacy Impact Assessment reflects an analysis of the Assistance Fund but does not include the assessment of the gateway for eligibility to the AF which is provided through the War Veterans Allowance (WVA) Program. A separate assessment of the WVA Program has been conducted.

VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Assistance Fund conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the AF. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The AF PIA has identified three potential privacy risks.

Risk #1 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)

Issue:

VAC's electronic system, the Client Service Delivery Network (CSDN), does not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.

Management Plan:

This is a departmental risk that is not solely related to the Assistance Fund. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.

Risk #2 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)

Issue:

A Threat and Risk Assessment (TRA) has not been completed on the AF, which may lead to sensitive information not being properly identified and protected.

Management Plan:

The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The AF has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.

Risk #3 - Privacy Notice Statements (Risk Rating: Low)

Issue:

The notice statement on the VAC 1128 Assistance Fund Application does not clearly state the purpose for the collection, the authority for the collection and the right of access to the information.

Management Plan:

The notice statement on the VAC 1128 Assistance Fund Application will be revised.

Conclusion

Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.

 