Disclosure

Privacy Impact Assessment (PIA) Summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Maureen Sinnott
A/DG Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Departmental Printing and Mailing

Description of Program or Activity

The objective of this project is to offer a substitute to VAC staff for the manual printing and mailing of client-facing forms and their accompanying inserts. These forms and their attachments will be available for printing and mailing externally with the addition of an automated solution which will have Canada Post performing both the printing and mailing functions. Canada Post has contracted the printing services to CGI. There are no changes to the processes associated with the new printing and mailing option from the current state up to the point of selecting the print option. Once the forms, and their accompanying inserts, are ready to be printed and mailed, the analyst will have the ability to select from the system the option to send to external printing and mailing, or another distribution option such as 'Finalize without Print' or 'Locally Print & Mail' if necessary. The goal is to have all client facing forms and accompanying inserts sent to external printing and mailing. Automating the printing and mailing process will create efficiencies in the processes as a result of large volume printing, standardized envelopes and improved address accuracy and processes.

An Addendum to this PIA was completed in October 2015 to address a change to the third party service provider for the Departmental Printing and Mailing. As of September 1, 2015, these services are now being delivered by Shared Services Canada. No additional risks were identified during this assessment.

Description of the class of records and Personal Information Banks associated with the program or activity

Class of Records and Personal Information Banks can be reviewed at: VAC’s Info Source Chapter

Legal Authority for Program or Activity

Program and services at Veterans Affairs Canada (VAC) are governed by legal authorities. These authorities include but are not limited to the Pension Act, the Canadian Forces Members and Veterans Re-establishment and Compensation Act and Regulations, the War Veterans Allowance Act, the Royal Canadian Mounted Police Superannuation Act and/or the Royal Canadian Mounted Police Pension Continuation Act, and the Veterans Health Care Regulations.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Program or activity that does NOT involve a decision about an identifiable individual

     Level of risk to privacy – 1

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. For example: the personal information by association indirectly reveals information on the health, financial situation, religious or lifestyle choices of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • With other federal institutions

     Level of risk to privacy – 2

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission
   • The personal information is used in system that has connections to at least one other system.

     Risk to privacy – 2

8. Risk Impact to the Institution
   • Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.

     Level of risk to privacy – 1

   • Organizational harm - Changes to the organizational structure, changes to the organizations decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.

     Level of risk to privacy – 2

9. Risk Impact to the Individual or Employee
   • Inconvenience

     Level of risk to privacy – 1

   • Financial harm

     Level of risk to privacy – 3

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Charlotte Stewart
Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

• Document Imaging and Data Capture Services
• Centralized Client Mail Centre

Description of Program or Activity

With a streamlined centralized mail process, Veterans will no longer have to worry about where to send their mail. Most incoming mail to the Department will be sent to Matane, Quebec by 2014, making it easier for Veterans to send their mail where it needs to be. The consolidation of departmental addresses will happen in phases.

VAC is partnering with Public Works Government Services Canada (PWGSC) to help centralize the mail process. PWGSC’s Document Imaging Services in Matane, Quebec allows departments to modernize and green their operations by replacing paper copies with digital information and to improve their client service by having electronic access to information.

Because of this modernization, VAC employees are now able to process the same information simultaneously. Veterans will not be required to resubmit documentation and this centralization will contribute to faster decision-making and turnaround times for Veterans and their families.

The PIA identified the need to update program specific Personal Information Banks which are available to assist individuals exercise their rights under the Privacy Act. The PIA for this initiative has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Description of the class of record and the Personal Information Bank associated with the program or activity:

Class of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

There is an over-arching authority that permits PWGSC to offer document imaging services to line departments, such as VAC. TBS' Common Services Policy, issued under the authority of section 7 of the Financial Administration Act, provides the direction for PWGSC to deliver these services on behalf of organizations such as VAC.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Program or activity that does NOT involve a decision about an identifiable individual
   • Personal information is used strictly for statistical / research or evaluations including mailing list where no decisions are made that directly have an impact on an identifiable individual.

     Level of risk to privacy - 1

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • With other federal institutions

     Level of risk to privacy – 2

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy - 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

      While VAC's implementation of the PWGSC document imaging solution is new, this is not a new system or process for PWGSC.

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is transmitted using wireless technologies.

     Level of risk to privacy – 1

8. Risk Impact to the Institution
   • Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.

     Level of risk to privacy – 1

9. Risk Impact to the Individual or Employee

   The level of individual harm would depend on the program. As some VAC programs require financial information, this risk has been assessed at the highest appropriate level. In some cases, the risk would be inconvenience.

   • Financial harm
   • Lawsuit, additional moneys required reallocation of financial resources.

     Level of risk to privacy – 3

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

André Levesque
A/DG Commemoration

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
ATIP Coordinator

Name of Program or Activity of the Government Institution

Bomber Command Web Portal

Description of Program or Activity

A new Bomber Command honour has been created. The honour is in the form of a bar to be worn on the ribbon of the Canadian Volunteer Service Medal (CVSM). With this bar, Canada is honouring those Canadians who fought for peace, freedom and democracy through their service in Bomber Command, and in particular the approximately 10,000 who made the ultimate sacrifice.

The existing Order-in-Council governing the Canadian Volunteer Service Medal has been amended to include the eligibility criteria and the description of the new Bomber Command honour. All Canadian Veterans who were awarded the CVSM and served a minimum of one day with Bomber Command, regardless of rank or role, are eligible for this new bar. Loved ones of a deceased Canadian Bomber Command Veteran who hold the Veteran’s CVSM may also apply to receive this bar.

For more information on Canada’s role in Bomber Command, to apply online for the honour, or to download a hardcopy of the application form, please visit Veterans Affairs Canada.

VAC’s Privacy Impact Assessment explored the initiative to assess the privacy impacts. The PIA for this initiative has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).

Description of the Class of Record and Personal Information Bank associated with the program or activity

Ceremonies and Events: Class of Record

Honours and Awards: Personal Information Bank

Legal Authority for Program or Activity

Personal information is collected in accordance with Order in Council (OIC) 1965-688. The Canadian Volunteer Service Medal Order governs the administration of the Bomber Command bar, including the eligibility criteria.

Award Regulations

An applicant for an award shall provide the Minister with (a) any documentation necessary to substantiate the applicant's claim; (b) information on the applicant's domestic status; (c) any other relevant information; and (d) an affidavit or statutory declaration attesting to the truth of the information provided.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Only personal information provided by the individual – at the time of collection – relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities. The context in which the personal information is collected is not particularly sensitive.

     Level of risk to privacy – 1

3. Program or Activity Partners and Private Sector Involvement
   • Within the institution (amongst one or more programs within the same institution)

     Level of risk to privacy – 1

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain employees for internal administrative purposes.

     Level of risk to privacy – 1

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - Yes

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used in system that has connections to at least one other system.

     Level of risk to privacy – 2

8. Risk Impact to the Institution
   • Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.

     Level of risk to privacy – 1

9. Risk Impact to the Individual or Employee
   • Inconvenience
   • Level of risk to privacy – 1

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Carlos Lourenso
Director, Health Care, Rehabilitation and Income Support Programs

Head of the government institution / Delegate for section 10 of the Privacy Act

Shawn MacDougall
Access to Information and Privacy Coordinator

Name of Program or Activity of the Government Institution

War Veterans Allowance

Description of Program or Activity

Veterans Affairs Canada’s (VAC’s) War Veterans Allowance (WVA) program provides financial assistance in the form of a monthly grant payment to low-income clients. Eligibility for WVA is determined by the wartime service of a Veteran or qualified civilian, their age or health, as well as their income and residency. Payment rates are based on income, domestic status and number of dependants.

Once eligible for WVA, the recipient becomes eligible to access other VAC programs. In this way, WVA acts as a gateway to the Assistance Fund, Funeral and Burial assistance, Treatment Benefits, Veterans Independence Program (VIP) and Long-Term Care (LTC). Some Veterans do not qualify for WVA support because their family income exceeds the maximum amount allowable. However, if this is due to income from Old Age Security, these individuals are designated as "income-qualified". As such, they can access VAC’s medical benefits and the other programs associated with WVA.

In the fall of 2013, the Disability benefits paid under the Pension Act was no longer deducted from WVA benefits. The changes to the WVA program did not result in changes to the handling of the personal information.

Description of the class of record and the Personal Information Bank

• War Veterans Allowance – Personal Information Bank VAC PPU 040
• War Veterans Allowance – Class of Record VAC MVA 680

Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

The authority for VAC to collect and use the personal information for War Veterans Allowance is established under Section 4 of the War Veterans Allowance Act, and Sections 3 and 4 of the Veterans Allowance Regulations, and Sections 9, 9.1 and 12 of the Civilian War-Related Benefits Act, and is used to administer the War Veterans Allowance. Section 5 of the Department of Veterans Affairs Act, provides the Minister with the authority to create regulations in support of the Department of Veterans Affairs. The SIN is collected pursuant to Section 30(3) of the War Veterans Allowance Act and by virtue of Section 57(1) of the Civilian War-Related Benefits Act.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to Appendix C of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • With other federal institutions

     Level of risk to privacy – 2

4. Duration of the Program or Activity
   • Long-term program

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission
   The personal information is used in a system that has connections to at least one other system.

   Level of risk to privacy – 2

8. Risk Impact to the Institution
   Managerial harm, Organizational harm and Reputational harm, embarrassment, loss of credibility.

   Level of risk to privacy – 1, 2 and 4

9. Risk Impact to the Individual or Employee
   Inconvenience, Reputational harm, embarrassment and Financial harm.

   Level of risk to privacy – 1, 2 and 3

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Health Care and Rehabilitation Programs

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Veterans Emergency Fund

Description of Program or Activity

The Veterans Emergency Fund (VEF) provides funding to assist Veterans and their families when facing emergency financial situations that threaten their health and well-being. Expenses in the event of an emergency that may be approved for funding could include (but are not limited to) food, clothing, shelter, medical care and expenses required to maintain safety and shelter. Information related to the administration of the VEF, which provides prompt monetary assistance to eligible Veterans and their family members who are facing financial crisis/emergency with the intent of resolving the immediate need. The VEF assists VAC in meeting its mandated commitments of assisting Veterans with the care, treatment and re-establishment in civilian life, as well as repaying the nation's debt of gratitude toward those who have sacrificed for our country. VEF payments will be paid as a grant.

Description of the class of record and the Personal Information Bank

• Veterans Emergency Fund – Class of Record VAC TBD
• Veterans Emergency Fund – Personal Information Bank VAC TBD
• Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

Personal information is collected pursuant to Order-in-Council # 2017-1696.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Level of risk to privacy – 2
2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Private sector organizations or international organizations or foreign governments.

     Level of risk to privacy – 1 and 2

4. Duration of the Program or Activity
   • Long-term program.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system.
     The personal information is transferred to a portable device or is printed.

     Level of risk to privacy – 2, 3, 4

8. Risk Impact to the Individual or Employee
   • Inconvenience,
   • Reputational harm,
   • embarrassment,
   • Financial harm.
   • Level of risk to privacy – 1, 2, 3 and 4
9. Risk Impact to the Institution
   • Managerial harm,
   • Organizational harm,
   • Financial harm,
   • Reputational harm,
   • embarrassment,
   • loss of credibility.
   • Level of risk to privacy – 1, 2, 3 and 4

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Health Care, Rehabilitation and Income Support Programs Directorate

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Veterans Independence Program

Description of Program or Activity

The Veterans Independence Program (VIP) is a home care program that was created in 1981 to help eligible Veterans, civilians, as well as their survivors or primary caregivers remain independent and self-sufficient in their homes and communities through financial support towards the costs of services. VIP benefits do not replace other federal, provincial or municipal programs. Instead, the program complements existing programs or private insurance to help meet individual needs.

This assessment is an update to the 2010 VIP Privacy Impact Assessment (PIA) to support changes to the program, namely: the implementation of grants as the payment mechanism for housekeeping and grounds maintenance benefits; and the additional tasks performed by a third-party contractor, Medavie Blue Cross (MBC). In addition to its role as a payment processor for VAC, MBC now administers the annual renewal process that is required for VIP recipients. The annual renewal process includes a follow-up phone call to those whom VAC has identified as not having recent contact with the Department, and processing the annual renewal form submitted by those receiving benefits via the “Survivor” eligibility gateway.

It is important to note that eligibility for the program has not changed. There are three payment processes for the VIP which MBC administers on VAC’s behalf.^{Footnote 1} For the Housekeeping and Grounds Maintenance elements, eligible recipients receive two upfront payments per year based on their needs and the going rate for services in their communities. For all other VIP elements, the payment process is “reimbursement”. Reimbursements are paid based on submitted receipts to either the recipient or a registered service provider. In exceptional circumstances, such as financial hardship, advance payment may be used for elements other than Housekeeping and Grounds Maintenance.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Class of Record:
Veterans Independence Program (VAC MVA 855)

Personal Information Banks:
Veterans Independence Program – Home Care Benefits and Services (VAC PPU 616) Veterans Independence Program – Other Services (VAC PPU 617)

Legal Authority for Program or Activity

The activities of the Veterans Independence Program are conducted under the authority of the Veterans Health Care Regulations (VHCRs) (Part II, sections 15-20) made pursuant to section 5 of the Department of Veterans Affairs Act. In accordance with sections 18 and 31.2, and subsection 33.1(5) of the VHCRs, VAC has the authority to collect income information to determine eligibility for Exceptional Health Needs.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • WPrivate sector organizations or international organizations or foreign governments

     Level of risk to privacy – 4

4. Duration of the Program or Activity
   • Long-term program

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – Yes

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system.

     Level of risk to privacy – 2

8. Risk Impact to the Institution
   • Managerial harm; financial harm; and reputational harm, embarrassment, loss of credibility

     Level of risk to privacy – 1, 3, & 4

9. Risk Impact to the Individual or Employee
   • Inconvenience; reputational harm, embarrassment; and financial harm
   • Level of risk to privacy – 1, 2 & 3

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Elizabeth Douglas
Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Amy Meunier
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Transition Services and Casualty Management

Description of Program or Activity

Transition Services

To ensure a seamless transition to civilian life, Transition Services has been designed to assist CF members, serving and retiring/releasing RCMP members, Veterans, including homeless Veterans and those clients serving a Federal sentence under the Criminal Code of Canada, and their families.

Casualty Management

In partnership with DND and the RCMP, casualty management ensures that members and their families receive immediate help when serious illnesses/injuries or deaths occur. Early interventions by VAC is necessary to provide benefits and/or services and ensure that clients and/or their families understand the support available when making future financial, health care, and career decisions.

Description of the Class of Record and Personal Information Bank associated with the program or activity

Class of Records and Personal Information banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

Canadian Forces Members and Veterans Re-establishment and Compensation Act, Department of Veterans Affairs Act, and/or the Pension Act.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services
   • Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • With other federal institutions.
     
     Private sector organizations or international organizations or foreign governments.

     Level of risk to privacy – 2, 4

4. Duration of the Program or Activity
   • Long-term program - Existing program that has been modified or is established with no clear "sunset".

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - No

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used in system that has connections to at least one other system.
     Mbr />The personal information is transferred to a portable device or is printed.
     
     The personal information is transmitted using wireless technologies.

     Level of risk to privacy – 2, 3, 4

8. Risk Impact to the Institution
   • Managerial harm
     
     Organizational harm
     
     Financial harm
     
     Reputation harm, embarrassment, loss of credibility. Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.

     Level of risk to privacy – 1, 2, 3, 4

9. Risk Impact to the Individual or Employee
   • Reputation harm, embarrassment
   • Level of risk to privacy – 2

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Re-establishment, Financial Well-being and Business Intelligence Directorate

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Rehabilitation Services and Vocational Assistance Program

Description of Program or Activity

The Veterans Affairs Canada (VAC) Rehabilitation Services and Vocational Assistance Program (Rehabilitation Program) is one of a suite of wellness programs designed to help modern-day Veterans and their families make and maintain the transition to civilian life. The Program offers comprehensive services, as part of an individualized rehabilitation plan, that can help restore their ability to function at home, and in their community and workplace. Eligible clients include Canadian Armed Forces (CAF) Veterans and, in certain cases, their spouses, common-law partners or survivors. The VAC Rehabilitation Program offers: medical rehabilitation services; psycho-social rehabilitation services; vocational rehabilitation services; and vocational assistance services.

The Rehabilitation Program is accessed through one of VAC's case managers located in local field offices across the country, or from VAC staff located on major CAF bases and wings. Rehabilitation services are usually provided through a network of local experts and based on the Veteran’s or other program participant’s provider of choice.

After the completion of the 2007 PIA for Rehabilitation Services, the business process was changed to include a third party contractor in the delivery model. While the decisions regarding eligibility are always made by VAC, some assessments and the delivery of vocational rehabilitation services is delivered, in part, by an external service provider under contract with VAC.

In 2015, two addendums to the Rehabilitation and Vocational Assistance PIA were completed. In April 2015, an addendum was completed to reflect a change to the Canadian Forces Members and Veterans Re-establishment Regulations (CFMVRCR), now Veterans Well-being Regulations, effective April 1, 2015. In May 2015, an addendum was completed to assess the awarding of a contract to a new external service provider for rehabilitation and vocational assistance services, effective June 5, 2015.

In March 2019 an addendum was completed to assess changes in the program eligibility, which will be phased in over time beginning April 1, 2019.

Description of the class of record and the Personal Information Bank

Rehabilitation – Class of Record VAC MVA 830

Rehabilitation Services and Vocational Assistance Program – Personal Information Bank VAC PPU 300

Classes of Records and Personal Information Banks can be reviewed at: Information about Programs and Information Holdings.

Legal Authority for Program or Activity

The authority for VAC to collect and use the personal information for the Rehabilitation Services and Vocational Assistance Program is established under the Canadian Forces Members and Veterans Re-establishment Act and related Regulations. Specifically, sections eight, nine, eleven and twelve of the legislation.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Private sector organizations or international organizations or foreign governments.

     Level of risk to privacy – 4

4. Duration of the Program or Activity
   • Long-term program.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – No

   3. Enhanced identification methods – This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance – This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques – For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system.

     Level of risk to privacy – 2

8. Risk Impact to the Institution
   • Managerial harm
   • Financial harm
   • Reputational harm, embarrassment, loss of credibility.

     Level of risk to privacy – 1, 3 and 4

9. Risk Impact to the Individual or Employee
   • Inconvenience
   • Reputational harm, embarrassment
   • Financial harm

     Level of risk to privacy – 1, 2 and 3

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Re-establishment, Financial Well-being and Business Intelligence Directorate

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Income Replacement Benefit

Description of Program or Activity

The program provides economic support to eligible Canadian Armed Forces Veterans, members’ or Veterans’ surviving spouse/common-law partner, or orphans for the economic impact that a career ending and/or service-related injury or death can have on a Veteran’s ability to earn income, advance in a career or save for retirement. Support is provided to Veterans who have health problems, resulting from service that are causing a barrier to re-establishment and who are participating in the Rehabilitation Program; and those who were eligible for the program, but are unable to participate due to a diminished earnings capacity; Compensation is provided in the form of monthly income support payments. A lump sum benefit may be paid to the surviving spouse/common-law partner or orphans for non-service related death before the Veteran’s age of 65, if the Veteran was entitled to the Income Replacement Benefit at the time of his/her death. This lump sum payment equates to 24 times the amount of the Income Replacement Benefit amount that the Veteran would have been entitled to, for the month in which s/he died, before offsets.

Description of the class of record and the Personal Information Bank

Classes of Records (CORs) and Personal Information Banks (PIBs) can be reviewed at VAC's Information about Programs and Information Holdings.

Financial Benefits – Class of Record

Income Replacement Benefit – Personal Information Bank

Legal Authority for Program or Activity

Personal information is collected pursuant to Part 2, sections 18-26 and section 78.1 of the Veterans Well-being Act (VWA) [formerly known as the Canadian Forces Members and Veterans Re-establishment and Compensation Act (CFMVRCA)], as well as the associated Regulations. Sections 80 and 81 of the VWA provides information sharing authority upon which government institutions and agencies can rely. Social Insurance Numbers are collected pursuant to Section 82 of the VWA.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1. Type of Program or Activity
   • Administration of Programs / Activity and Services

     Level of risk to privacy – 2

2. Type of Personal Information Involved and Context
   • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

     Level of risk to privacy – 3

3. Program or Activity Partners and Private Sector Involvement
   • Within the institution (amongst one or more programs within the same institution)
   • With other federal institutions

     Level of risk to privacy – 1 and 2

4. Duration of the Program or Activity
   • Long-term program.

     Level of risk to privacy – 3

5. Program Population
   • The program affects certain individuals for external administrative purposes.

     Level of risk to privacy – 3

6. Technology & Privacy
   1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

   2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

   3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

   4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – No

   5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

7. Personal Information Transmission
   • The personal information is used in a system that has connections to at least one other system.
   • The personal information is transferred to a portable device or is printed.
   • The personal information is transmitted using wireless technologies.

     Level of risk to privacy – 2, 3, 4

8. Risk Impact to the Institution
   • Managerial harm
   • Organizational harm
   • Financial harm
   • Reputational harm, embarrassment, loss of credibility.

     Level of risk to privacy – 1, 2, 3 and 4

9. Risk Impact to the Individual or Employee
   • Inconvenience
   • Reputational harm, embarrassment
   • Financial harm

     Level of risk to privacy – 1, 2 and 3

May 11, 2007

About the New Veterans Charter

On May 13, 2005, Bill C-45, the Canadian Forces Members and Veterans Re-establishment and Compensation Act (The New Veterans Charter), received Royal Assent. The New Veterans Charter represents the most sweeping change to Veterans' benefits and services in the past 60 years and keeps pace with the needs of releasing Canadian Forces (CF) members and their families, while still providing services and benefits to help traditional war-service Veterans live with dignity and independence.

This Privacy Impact Assessment (PIA) describes the Health Benefits program under the New Veterans Charter. The Health Benefits Program helps eligible CF Veterans and their families who would not otherwise qualify for the Public Service Health Care Plan (PSHCP) after military discharge and release. This program fills this gap, offering them the group health insurance they need through PSHCP at an affordable cost.

There are two kinds of coverage:

• Supplementary coverage helps those who are covered by a health insurance plan through their province or territory.
• Comprehensive coverage helps those who live outside Canada and are not covered by a provincial/territorial health insurance plan.

Under the New Veterans Charter, CF Veterans and their families will be able to qualify for such things as:

• drug benefits
• vision care benefits
• miscellaneous expenses such as medical supplies; and
• medical practitioners benefits.

Participation in PSHCP is voluntary. With application for health benefits/services under this program, the client is required to submit an application package which may include the following information: member's name, service number, birth date, gender, language of preference, civil status, address, service dates, whether the client is in receipt of Service Income Security Insurance Plan Long Term Disability (SISIP LTD), service-related rehabilitation needs, member or spouse's PSHCP Certificate Number (if applicable), dependant(s)' name, gender, date of birth, financial institution account information, and for Québec residents only, a Social Insurance Number (SIN).

About the PIA

A Privacy Impact Assessment (PIA) provides a framework to ensure that privacy is considered throughout the design or redesign of programs or services and identifies the extent to which proposals comply with all appropriate statutes.

The scope of this PIA is limited to only the particulars of the Health Benefits program under the New Veterans Charter.

The PIA reflects the program status as it existed December 21, 2006 and identifies six privacy-related issues, all deemed to be low risk. To resolve these low-risk concerns, mitigation measures have been brought forward which include:

• Additional awareness and training
• Development of Information Management Accountability Framework
• Addition of Information Management responsibilities into work descriptions of Regional Directors General and Director General of the National Operations Division of Veterans Affairs
• Development of evaluation and performance measurement criteria
• Addition of Information Management components to the responsibilities of the Quality Management Program
• Update of program forms and the Treasury Board Secretariat Info Source publication to include the registered Personal Information Bank number
• Compliance with the Comprehensive Risk Analysis for the USA Patriot Act of the Treasury Board Secretariat
• Provision of warnings to clients on inherent privacy risks involved with personal information maintained outside of Canada
• Potential for new Records and Disposition Authorities for client records
• Consistent management of information through its lifecycle in accordance with legislative and central agency requirements
• Updated Threat and Risk Assessment following modifications of electronic records system
• Access to Information and Privacy (ATIP) Division involvement in contract preparation, input into framing of Statements of Requirements, and bid review

Mitigation strategies for all privacy-related issues are appropriate and in accordance with program management procedures.