Disclosure

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Carlos Lourenso
Director, Health Care, Rehabilitation and Income Support Programs

Head of the government institution / Delegate for section 10 of the Privacy Act

Amy Meunier
Director, Access to Information and Privacy

Name of Program or Activity of the Government Institution

Health Care Benefits and Services (HCBS)

Description of Program or Activity

In order to recognize their service to Canada, the Health Care Benefits and Services (HCBS) program provides clients, who meet the eligibility requirements, with access to appropriate treatment benefits related to their health needs. The HCBS provide financial support for a wide range of health-related products and services to treat both physical and mental health conditions. Financial support is available for specific benefits and services through the fourteen Programs of Choice (POC) - Aids for Daily Living, Ambulance/Medical Travel Services, Audio (Hearing) Services, Dental Services, Hospital Services, Medical Services, Medical Supplies, Nursing Services, Oxygen Therapy, Prescription Drugs, Prosthetics and Orthotics, Related Health Services, Special Equipment and Vision (Eye) Care.

The program is offered, in part, through a third party service provider Medavie Blue Cross (MBC). MBC processes payments for approved benefits and services through the Federal Health Claims Processing System (FHCPS). Payments are issued to either the service provider or the client, depending who submitted the claim. In certain programs, such as Dental and Pharmacy, claims and payments are issued on-line in real-time to service providers. The majority of the benefits and services available under the HCBS are listed on a benefit grid which offers guidance on benefits and services available, dollar limits, frequency limits, quantity limits, and approval requirements. Most VAC benefits and services have limits on the number of times a benefit can be covered in a specified period of time or how much VAC can pay toward a benefit or service. For many HCBS, a prescription from a qualified health care professional and pre-authorization from VAC is required.

Description of the class of records and Personal Information Banks associated with the program or activity

  • Health Care Benefits Program – Class of Record VAC MVA 860
  • Health Care Benefits and Services – Personal Information Bank VAC PPU 295

Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter.

Legal Authority for Program or Activity

Part 1 of the Veterans Health Care Regulations and Section 4 and 5 of the Department of Veterans Affairs Act.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services - Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).

      Level of risk to privacy – 2

  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

      Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Private sector organizations or international organizations or foreign governments

      Level of risk to privacy – 4

  4. Duration of the Program or Activity
    • Long-term program - Existing program that has been modified or is established with no clear “sunset”

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy – No

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy – Yes

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc…

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

  7. Personal Information Transmission
    • The personal information is transmitted using wireless technologies.

      Level of risk to privacy – 2, 3

  8. Risk Impact to the Institution
    • Managerial harm, Organizational harm, Financial harm, Reputational harm, embarrassment, loss of credibility.

      Level of risk to privacy – 1, 2, 3 and 4

  9. Risk Impact to the Individual or Employee
    • Inconvenience, Reputational harm, embarrassment and Financial harm.

      Level of risk to privacy – 1, 2 and 3

 
Report Category
Disclosure
Report Year
2023
Start year
2019-01
Searchable
On

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Hélène Robichaud
A/Director General, Commemoration Division

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Funeral and Burial Program

Description of Program or Activity

This program provides financial assistance toward funeral, burial and grave marking expenses of eligible Veterans to recognize their service to Canada. Under the Veterans Burial Regulations, assistance is available for deceased service qualified Veterans whose deaths are a result of their service or whose estates do not have sufficient funds for a dignified funeral, burial and grave marking. The Funeral and Burial Program is administered by the Last Post Fund, an independent, non-profit organization, on behalf of Veterans Affairs Canada. This program is delivered through operating funds and grants.

Description of the Class of Record and Personal Information Bank associated with the program or activity

Class of Record: Funeral and Burial Program (VAC MVA 745)

Personal Information Bank: National and International Memorials – Funeral and Burial Program (VAC PPU 260)

Legal Authority for Program or Activity

Department of Veterans Affairs Act
Veterans Burial Regulations
Privy Council Order 1965-688

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services

      Personal information is collected to assist in making a determination whether a Veteran’s estate is eligible for funeral and burial assistance.

      Level of risk to privacy – 2

  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

      Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Within the institution (amongst one or more programs within the same institution)

      With other federal institutions

      Private sector organizations or international organizations or foreign governments

      Level of risk to privacy – 1,2 and 4

  4. Duration of the Program or Activity
    • Long-term program

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - No

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - No

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – No

  7. Personal Information Transmission
    • The personal information is used in a system that has connections to at least one other system.

      The personal information is transferred to a portable device or is printed.

      Level of risk to privacy – 2 and 3

  8. Risk Impact to the Institution
    • Managerial harm

      Organizational harm

      Reputation harm, embarrassment, loss of credibility.

      Level of risk to privacy – 1, 2 and 4

  9. Risk Impact to the Individual or Employee
    • Inconvenience

      Reputation harm, embarrassment

      Financial harm
    • Level of risk to privacy – 1, 2 and 3
 
Report Category
Disclosure
Report Year
2023
Start year
2019-01
Searchable
On

Government Institution

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Kim Andrews

A/Director General, Service Delivery and Program Management

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird

Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Federal Health Claims Processing Service (FHCPS)

Description of Program or Activity:

Veterans Affairs Canada (VAC), the Canadian Armed Forces (CAF) and the Royal Canadian Mounted Police (RCMP) provide a wide range of health benefits and services to eligible members/clients, Veterans and other persons, as specified under their respective legislation. VAC, RCMP and CAF have partnered to manage the claims processing and related services for these health benefits and services by using the Federal Health Claims Processing Service (FHCPS). This service is provided through a third party contract with Medavie Blue Cross (MBC) that was awarded in January 2014, followed by an 18 month development period. The operation phase began on August 1, 2015 and will run for an initial 7 year period. VAC is the project authority for the three partner Departments.

FHCPS includes services and systems used to:

  • Process VAC, CAF and RCMP health claims;
  • Support clients and providers with the processing and settlement of their claims; and
  • Ensure compliance with VAC, RCMP and CAF policies and processes, including audit, reporting and financial control practices.

The determination of a client’s eligibility is the responsibility of the each partner Department. The FHCPS enables the management, monitoring, reporting and electronic processing of claims based on client eligibility and is accessible by authorized MBC, VAC, CAF and RCMP personnel. Service providers and members/clients can also access specific information to which they are entitled on a self-service on-line portal. Claims payments are made to health care providers, or through reimbursement to clients and authorized third parties. Providers who register with the Contractor meet the applicable registration criteria.

VAC has four programs that use FHCPS as part of its program delivery: Treatment Benefits, Veterans Independence Program, Intermediate and Long-Term Care and Rehabilitation Services and Vocational Assistance Program. Services provided by MBC using the FHCPS include the following:

  • Medical, surgical, psychological and dental examinations and treatment provided by health professionals;
  • Surgical or prosthetic devices and aids, and their maintenance;
  • Home adaptations to accommodate the use of the foregoing devices and aids;
  • Preventive health care and supplies;
  • Prescribed drugs;
  • Medical and Psychosocial services and associated travel expenses;
  • Health-related travel and rehabilitation related expenses;
  • Veterans Independence Program; and
  • Long Term Care.

Description of the Class of Record and Personal Information Bank

Classes of Records:

  • Federal Health Claims Processing System Administration (VAC MVA 690)
  • Health Care Benefits (VAC MVA 860)
  • Intermediate and Long-Term Care Program (VAC MVA 880)
  • Rehabilitation (VAC MVA 830)
  • Veterans Independence Program (VAC MVA 855)

The following Classes of Records are also affected, as eligibility for these programs provides a gateway for eligibility to other benefits and services including Health Care Benefits and Services:

  • Disability Awards Program (VAC MVA 875)
  • Disability Pension Program (VAC MVA 820)
  • War Veterans Allowance (VAC MVA 680)

Personal Information Banks:

  • Health Care Benefits and Services (VAC PPU 295)
  • Rehabilitation Services and Vocational Assistance (VAC PPU 300)
  • Veterans Independence Program - Home Care Benefits and Services (VAC PPU 616)
  • Veterans Independence Program - Other Services (VAC PPU 617)
  • Non-departmental Institutions - Veterans Independence Program (VIP) (VAC PPU 618)
  • Non-departmental Institutions - Long Term Care (LTC) (VAC PPU 619)
  • Disability Pensions (VAC PPU 601)
  • Disability Awards (VAC PPU 603)
  • War Veterans Allowance (VAC PPU 040)

This information can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity - VAC

As this initiative affects multiple VAC programs and services, there are multiple legal authorities:

  • Department of Veterans Affairs Act (Section 4)
  • Canadian Forces Members and Veterans Re-establishment and Compensation Act
  • Canadian Forces Members and Veterans Re-establishment and Compensation Regulations
  • Veterans Health Care Regulations
  • Royal Canadian Mounted Police Superannuation Act
  • Royal Canadian Mounted Police Pension Continuation Act
  • Pension Act
  • War Veterans Allowance Act

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1) Type of Program or Activity

Administration of Programs / Activity and Services

Level of risk to privacy – 2

2) Type of Personal Information Involved and Context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Level of risk to privacy – 3

3) Program or Activity Partners and Private Sector Involvement

Private sector organizations or international organizations or foreign governments

Level of risk to privacy – 4

4) Duration of the Program or Activity

Long-term program.

Level of risk to privacy – 3

5) Program Population

The program affects certain individuals for external administrative purposes.

Level of risk to privacy – 3

6) Technology & Privacy

a) Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy –No

b) Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

Risk to privacy –Yes

c) Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy –No

d) Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy –No

e) Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy –Yes

7) Personal Information Transmission

The personal information is used in a system that has connections to at least one other system.

The personal information is transferred to a portable device or is printed.

The personal information is transmitted using wireless technologies.

Level of risk to privacy – 2, 3 & 4

8) Risk Impact to the Institution

Managerial harm; organizational harm; financial harm; and reputational harm, embarrassment, loss of credibility.

Level of risk to privacy – 1, 2, 3 & 4

9) Risk Impact to the Individual or Employee

Inconvenience; reputational harm, embarrassment; and financial harm.

Level of risk to privacy – 1, 2 & 3

 
Report Category
Disclosure
Report Year
2023
Start year
2019-01
Searchable
On

Privacy Impact Assessment (PIA) summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Health Care and Rehabilitation Programs

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Education and Training Benefit

Description of Program or Activity

The Education and Training Benefit (ETB) program provides funding that allows eligible Veterans to pursue further training and education. The funding is intended to cover tuition, fees, materials and some incidental and living expenses while eligible Veterans are engaged in formalized educational programs. Veterans may also use funding toward fees and other costs associated with short courses aimed at certification, professional designation, small business/entrepreneurship or personal development in support of a Veteran’s meaningful activity and purpose. The amount of ETB available to Veterans is dependent on their number of years of service. Compensation is provided in the form of a lump sum payment directly to the Veteran. This program is delivered through grants.

ETB clients, who are also participants VAC’s Career Transition Services (CTS) Program, may receive assistance from the CTS National Service Provider in making informed decisions in regards to their education and training program.

Description of the class of record and the Personal Information Bank

  • Education and Training Benefit – Class of Record VAC TBD
  • Education and Training Benefit – Personal Information Bank VAC PPU TBD
  • Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

The legal authority for the Education and Training Benefit is provided under Part 1.1, sections 5.2 to 5.93 of the Veterans Well-being Act. Section 78.1 of the Veterans Well-being Act provides that the Minister may waive the requirement for an application. As well, sections 80 and 81 of the Veterans Well-being Act authorize the sharing of personal information in support of program development.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services
    • Level of risk to privacy – 2
  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

      Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Private sector organizations or international organizations or foreign governments.

      Level of risk to privacy – 4

  4. Duration of the Program or Activity
    • Long-term program.

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - Yes

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

  7. Personal Information Transmission
    • The personal information is used in a system that has connections to at least one other system.
      The personal information is transferred to a portable device or is printed.

      Level of risk to privacy – 2, 3

  8. Risk Impact to the Individual or Employee
    • Inconvenience,
    • Reputational harm,
    • embarrassment,
    • Financial harm.
    • Level of risk to privacy – 1, 2 and 3
  9. Risk Impact to the Institution
    • Managerial harm,
    • Organizational harm,
    • Financial harm,
    • Reputational harm,
    • embarrassment,
    • loss of credibility.
    • Level of risk to privacy – 1, 2, 3 and 4
 
Report Category
Disclosure
Report Year
2023
Start year
2019-01
Searchable
On

Privacy Impact Assessment (PIA) Summary

Government Institution

Veteran Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Mary Nicholson
Director, Health Care and Rehabilitation Programs

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garret-Baird
Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Career Transition Services

Description of Program or Activity

Career Transition Services supports the transition to civilian life of eligible Canadian Armed Forces Members, Veterans and their spouse/common-law partner, and survivors by providing access to services that will assist them in having the knowledge, skills and plan necessary to prepare for and obtain suitable civilian employment. The provision of support is based on need for the services and is contingent on the participant’s ongoing involvement in developing and completing his or her career transition activities/plan. There are three components: career/vocational counselling, job search training/participation, and job-finding/job placement assistance.

A national contract with a third-party service provider will deliver these services on behalf of VAC. The direct service delivery of CTS will provide eligible participants with a tiered access to services depending on their eligibility.

Description of the class of record and the Personal Information Bank

  • Career Transition Services – Class of Record VAC MVA 825
  • Career Transition Services – Personal Information Bank VAC PPU 530
  • Classes of Records and Personal Information Banks can be reviewed at: VAC's Info Source Chapter

Legal Authority for Program or Activity

Personal information is collected pursuant to Part 1, sections 3, 4, 5 and section 78.1of the Veterans Well-being Act (VWA) [formerly known as the Canadian Forces Members and Veterans Re-establishment and Compensation Act (CFMVRCA)], as well as the associated Regulations. Sections 80 and 81 of the VWA provides information sharing authority upon which government institutions and agencies can rely.

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

  1. Type of Program or Activity
    • Administration of Programs / Activity and Services
    • Level of risk to privacy – 2
  2. Type of Personal Information Involved and Context
    • Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

      Level of risk to privacy – 3

  3. Program or Activity Partners and Private Sector Involvement
    • Private sector organizations or international organizations or foreign governments.

      Level of risk to privacy – 4

  4. Duration of the Program or Activity
    • Long-term program.

      Level of risk to privacy – 3

  5. Program Population
    • The program affects certain individuals for external administrative purposes.

      Level of risk to privacy – 3

  6. Technology & Privacy
    1. Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

      Risk to privacy - Yes

    2. Does the new or modified program or activity require any modifications to IT legacy systems and / or services?

      Risk to privacy - Yes

    3. Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

      Risk to privacy – No

    4. Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

      Risk to privacy – Yes

    5. Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

      Risk to privacy – Yes

  7. Personal Information Transmission
    • The personal information is used in a system that has connections to at least one other system.
      The personal information is transferred to a portable device or is printed.

      Level of risk to privacy – 2, 3

  8. Risk Impact to the Individual or Employee
    • Inconvenience,
    • Reputational harm,
    • embarrassment,
    • Financial harm.
    • Level of risk to privacy – 1, 2 and 3
  9. Risk Impact to the Institution
    • Managerial harm,
    • Organizational harm,
    • Financial harm,
    • Reputational harm,
    • embarrassment,
    • loss of credibility.
    • Level of risk to privacy – 1, 2, 3 and 4
 
Report Category
Disclosure
Report Year
2023
Start year
2019-01
Searchable
On

About the Agent Orange ex Gratia Payment

The Government of Canada, through the Minister of Veterans Affairs, announced on September 12, 2007, a one-time, tax-free ex gratia payment of $20,000 related to the testing of unregistered U.S. military herbicides, including Agent Orange, at Canadian Forces Base (CFB) Gagetown in New Brunswick during the summers of 1966 and 1967. Through an Order in Council, Veterans Affairs Canada (VAC) has been assigned the authority to administer the ex gratia payments. Initiated in September 2007, eligible individuals will have until April 1, 2009 to submit a claim for an ex gratia payment.

To qualify for the ex gratia payment, individuals must have an illness associated with exposure to contaminants in Agent Orange, as determined by the U.S. National Academy of Sciences' Institute of Medicine (IOM), and must have worked at, trained at, been posted to, or lived within five kilometres of CFB Gagetown, when Agent Orange was tested in 1966 and 1967.

About the Privacy Impact Assessment (PIA)

The scope of this Privacy Impact Assessment (PIA) is limited to the particulars of the Agent Orange ex gratia payment, through the Order in Council. It focuses on the collection, use and disclosure of clients and care givers personal information. To apply for the ex gratia payment, individuals are required to submit personal information, which may include personal identification data, medical information and proof of residency documentation.

The PIA review, conducted by Information Management Services Division (IMSD), identified two (2) risks regarding privacy requirements. One (1) specific risk was associated with the administration of the ex gratia payment, while the other was identified as a pre-existing risk which falls outside the immediate scope of this initiative. IMSD has identified and deemed the two privacy issues to be low risk. The following mitigation measures have been brought forward to resolve these low risk concerns:

Collection of Non Personal Information

  • As per the Order in Council, the Government of Canada requires valid proof of residency as an eligibility criterion for the ex gratia payment. A variety of documentation is anticipated to be submitted to substantiate this residency requirement, and with this submission, it is possible that documentation will include both required residential information and other non-essential personal information. Such records include, Church records, vehicle registration, water or utility records, land registry records, Census data and income tax returns. Therefore, for the purpose of obtaining a valid proof of residency, the collection of non-essential personal information is inevitable. Every effort will be made to mitigate this risk by protecting the case files from unauthorized access and ensuring original documentation is returned to clients and non essential information is removed from the copies.
  • The case files will be maintained in a secure area and will not be accessible by employees who do not have a "need-to-know."
  • It is anticipated that the hard copy file will be managed in accordance with the Case File Multi-Institutional Disposition Authority (MIDA) No. 2005/006.

Retention and Disposition of Personal Information

  • The lack of capacity to fully manage electronic client records has been identified as the second low risk. Although this previously identified risk at VAC falls outside the immediate scope of the Agent Orange ex gratia payment, it currently remains unresolved.
  • Veterans Affairs uses a work flow application that manages the Department's electronic records. This system does not have the functionality to perform retention and disposition. Research is currently underway to identify a solution aimed at updating VAC's electronic records systems to include the functionality to perform retention and disposition. Once a solution is identified and resource estimates are developed, a proposal will be presented to senior management.

Mitigation strategies for the privacy related issues are appropriate and in accordance with program management procedures.

 
Report Category
Disclosure
Report Year
2023
Start year
2015-01
Searchable
On
Summary of incidents & actions
Date Event Description & Action
21 July 2022
Veteran #1		 A Veteran contacted the Veterans Affairs Canada (VAC) call centre to file a complaint alleging that a VAC employee had inappropriately raised Medical Assistance in Dying (MAiD) with the Veteran during a phone conversation earlier that day. The Veteran indicated the employee also referred to having provided information on MAiD to another Veteran. The call centre analyst apologized to the Veteran for the incident and assured them that it would be escalated to management immediately.
July 22

An internal fact-finding process was initiated.

The manager reviewed the Veteran’s file and contacted the Veteran to apologize on behalf of the Department. The manager assured the Veteran that discussing MAiD with Veterans, and proposing it as an option, is not part of VAC’s practice, nor is it acceptable. The manager advised the Veteran that the Department would look into the incident and stay in touch with the Veteran.

The Veteran’s file was reassigned to the manager.
July 27 The manager and employee met to discuss the call with the Veteran. The notes in the Veteran’s file validated the subject of MAiD had been raised to the Veteran and that MAiD was repeated a second time as an option during their conversation. The notes also confirmed that information on MAiD had been provided to another Veteran.
July 28 The manager again contacted the Veteran to apologize and advise that the Department was taking the situation very seriously and would be taking action. The Veteran asked for details on what actions would be taken but the manager was unable to share this information due to privacy concerns. The Veteran requested a formal written apology.
August 1 The Veteran sent a secure message through MyVAC Account to ask what actions had been taken to address the issue with the employee. The Veteran was told, due to privacy issues, no information could be shared.
August 9 A comprehensive review and analysis was started on the files of the other Veterans for whom the employee was actively providing guided support services to look for indications of conversations about MAiD.
August 11 A formal, written apology was sent to the Veteran from VAC’s Assistant Deputy Minister, Service Delivery.
August 17

The National Contact Centre Network (NCCN) began tracking calls where MAiD is referenced.

The Director General (DG) of Field Operations surveyed all Area Directors across Canada and instructed them to have conversations with frontline employees about MAiD.
August 19 The Minister of Veterans Affairs instructed the Department to conduct a full and thorough investigation and take all measures to ensure this does not happen again to any Veteran.
August 23
Veteran #2

The analysis of the files for the other Veterans who the employee was actively supporting identified a second Veteran with whom MAiD was raised. Management was immediately made aware of this case.

Written guidance was sent to frontline employees to advise that employees shall not provide advice or suggestions to Veterans on the issue of MAiD. As well, if a Veteran was seeking advice on MAiD, they were to refer the Veteran to their primary care provider.
August 25 - September 14 Five question and answer sessions were held with 750 staff to give them an opportunity to ask questions about the written guidance and training materials they had received on MAiD. These conversations reinforced that staff understood they were not to raise MAiD with Veterans.
August - November VAC’s Deputy Minister and Assistant Deputy Minister Service Delivery proactively reached out to and met with Veterans’ organizations to discuss the issue and reiterate that the situation was unacceptable. They also spoke of the importance of ensuring that Veterans in need of support, continue to reach out in order to receive the help they require.
October 20 - November 24

The Minister of Veterans Affairs and senior Departmental officials appeared before the Standing Committee on Veterans Affairs on October 20 and November 24 to testify about allegations that MAiD was inappropriately raised to Veterans. The Minister appealed to Veterans to come forward if they had experienced a similar situation. The Department also widely promoted the services and supports available for Veterans with mental health conditions and Veterans in crisis through its website and social media platforms.

On November 24, the Minister proactively shared that the Department’s investigation had revealed a total of four incidents.
September - December

Throughout the fall months, some Veterans, family members and stakeholders contacted the Department to voice concerns or ask questions. Staff were provided information to ensure consistent responses were provided to reinforce that MAiD is not a VAC service and that MAiD discussions should be between a Veteran and their primary care provider.

Each time a new allegation was raised, it was thoroughly investigated. Management interviewed frontline staff and reviewed all of these Veterans’ files, but no information was found to validate any of the allegations brought forward.
November 3
Veteran #3		 At a meeting, management asked the employee about the phone conversation with the Veteran, as well as the second Veteran with whom MAiD had been raised. Through these discussions, management was made aware of a third Veteran with whom MAiD had been discussed.
November 10
Veteran #4		 Another VAC employee, who was authorized to work in a Veteran’s file, found inappropriate references to the employee having raised MAiD with a Veteran. Management was made immediately aware of the fourth Veteran with whom the employee had provided information on MAiD.
December 13 The internal fact-finding process related to the four incidents/Veterans concluded.
Mid-December Employee no longer works with Veterans Affairs Canada.
Ongoing Correspondence to the Department related to MAiD is responded to on a priority basis and any additional allegations brought forward continue to be thoroughly investigated.
 
Report Category
Disclosure
Report Year
2023
Searchable
Off
Date modified: