Privacy Act

Prepared by:
Audit Services Canada from Public Works and Government Services Canada

The criteria used to assess compliance with the Privacy Act and our related findings and recommendations are detailed below.

Criterion 2-1 — The Department collects, retains, and disposes of personal information in accordance with the Act.

As a result of our document review and interviews, we found that:

  1. The Department implemented a General Privacy Policy and Guidelines for the Collection, Creation, Management, and Handling of Personal Information on March 31, 2011. This document is available on the Department’s intranet site.
  2. The Department collects data for the various programs and services it delivers to its clients. The Department controls the types of information collected by using forms which specify the information to be gathered. The forms used to gather information are completed either by the client, staff or a third party. Some of these forms are completed in person at a district office, through client MyVac accounts, by nurses, and by individuals who have been given power of attorney on behalf of a client.
    • The Department is reviewing its forms to make certain they meet the need-to-know requirement of the Privacy Act and that the Department is not inadvertently collecting information it does not require for a specific client purpose. The Department now requires that any new forms used to gather information are first reviewed by IM advisors and approved by the IM Director to confirm they comply with legal and technical authorities.
    • Forms used by nurses require a more general approach to collecting information when they are performing a client assessment. Nurses are therefore provided with privacy training on what is considered acceptable information and what is considered to be excess information.
    • For the purposes of understanding and assessing the collection of information, we reviewed a sample of forms and noted they contained a statement identifying the reason for the collection of personal information and a statement that it is protected under the Privacy Act from unauthorized disclosure.
  3. Areas within the Department are responsible for ensuring the records retained are up-to-date. The Veterans Independence Program, for example, performs annual reviews and client screenings to confirm that records are correct. These reviews involve contacting clients and verifying information based on a questionnaire.
  4. Records may also be verified when clients contact the Department. Client screenings are conducted from a prepared list of questions.
  5. The Department has a Records Disposition Authority issued by Library and Archives Canada allowing it to dispose of records no longer required. This is currently being applied to paper documents. It cannot, however, be applied to electronic records until the Department implements an electronic documents and records management system.
  6. The complexity of CSDN’s design prevents the Department from removing electronic records in an efficient manner.

Criterion 2-2 — The Department protects its personal information.

As a result of our document review and interviews, we found that:

  1. In response to the recommendation from the Office of the Privacy Commissioner, the Department developed a Privacy Framework which was implemented on April 1, 2011. The Framework creates awareness and provides guidance with respect to information management and privacy practices. The framework comprises the:
    • General Privacy Policy and Guidelines for the Collection, Creation, Management, and Handling of Personal Information. This document is the main component of the Department’s Privacy Framework.
    • Veterans Affairs Canada Privacy Protection Infrastructure. This document outlines the responsibilities of the newly created position of Chief Privacy Officer (CPO) and the new Departmental Privacy Committee (DPC). The CPO’s responsibility is to provide strategic leadership and oversight on privacy issues. The DPC, chaired by the CPO, reviews risk management and privacy compliance, and establishes privacy priorities and measures.
    • Information Management Policy, Veterans Affairs Canada Information Management Best Practices, and IM & Privacy Directive on Email. This document provides guidance on effective information management.
    • Privacy Breach Policy and Privacy Breach Guidelines. These documents set out objectives and definitions, the roles and responsibilities of specific positions within the Department, and the actions to be taken if there is a privacy breach.
  2. The Department established a Matrix Review Committee to evaluate who should have access to CSDN. Questionnaires, developed by the Matrix Review Committee of the IT/IM Directorate, were sent to units within the Department to obtain information related to employees’ need to access the system. An Access Contact was responsible for working with managers or supervisors to document the rationale for each CSDN access level essential for the employee to carry out their required job functions. The Functional Authority for each level approved or denied the access, often only after clarifying and questioning the rationale provided. An example of a completed questionnaire including sample rationales was provided to CSDN Access Contacts and managers. These sample rationales included ‘Access level 3 required to view all client information with the exception of payment information and pension history’ and ‘Access level 67 not required because we do not have to see what a veteran has done online’. The head office review of positions was completed and changes are being implemented. The 2800–3000 system users were reduced by approximately 400. The regional reviews are not expected to be completed until September 2011.
  3. A preliminary review of the Department’s IM/IT environment undertaken in November 2010 by an expert from FINTRAC resulted in a number of recommendations. Considered highest in priority were those related to the reporting database (RDB), which contains information from the operational databases and is accessible by over 100 users within the Department. The recommendations were:
    • Reassess information gathering with a privacy lens. The Department determined that creating additional reports without identifiers in a parallel catalog would not be an effective solution. Instead, privacy training for the system’s frequent users will be implemented.
    • Review and ensure operational reports posted do not contain personal information. Since the resources needed to change the format of existing reports are not available, the operational reports will be reviewed as they come up for renewal.
    • Enhance RDB audit capabilities. An audit program was implemented capturing user activity.
    • Review user access and enhance for smaller subset reporting. The Department reviewed and verified RDB users but was unable to limit the extent of access because of the nature of the database. The Department is looking for another solution.
  4. FCHPS, a benefits payment system contracted to Medavie Blue Cross, is defined to be under the Department’s control. The Department has access control policies and procedures in place to manage access by its employees. For Medavie Blue Cross employees who have access to the system and related client information, data modifications and authentication events are logged and recorded for audit purposes. Read-only inquiries into client information are not reported for audit purposes. According to Medavie Blue Cross, access to the system is reviewed on an annual basis and ‘need to know’ is part of its overall access control process.
  5. In October 2010 the Department began monitoring access to CSDN to verify that employees have a need-to-know reason for accessing client files. The emphasis is on read-only accesses. Emails were originally sent to managers advising them of employee access, but there was slow or limited response. Emails are now sent directly to employees advising them that their access to a specific client notebook was detected and that they are required to provide a legitimate reason for accessing the file. If employees fail to respond, their supervisor is advised. Related to the CSDN monitoring initiative, we found:
    • There are 9 million CSDN accesses per year or 30,000 per day. IT Security staff indicated that even with the monitoring initiative, the number of accesses has remained the same since October.
    • Monitoring has raised employee awareness; however, employees are now apprehensive knowing that every file access is monitored.
    • There are limitations to the monitoring as CSDN does not track the time that an employee spends in a client file.
  6. The Department drafted a Protocol for the Use of Personal Information for Non-Administrative Purposes to be used for research, audit, and related activities.
  7. The VAC Discipline Policy and Disciplinary Guidelines state that because of the nature of the Department’s mandate and the highly personal information in its possession, inappropriate access to client files and inappropriate disclosure of client information are types of misconduct which could warrant disciplinary measures. The Discipline Policy and Disciplinary Guidelines are available on the Department’s intranet.
  8. The Department has corporate files that contain personal information but lacks systems to manage this information. The Department has developed an employee guidance document, Personal Information as Supporting Documentation on Departmental Subject Records. Its purpose is to provide direction on acceptable use of personal information as supporting documentation on departmental subject records.
  9. In addition to electronic client records, hard-copy records containing client information are maintained at head office as well as regional offices. At the Centralized Processing Centre hard-copy client files are kept in unlocked storage until the client file is no longer active. Operational practices require that portions of client files be copied and forwarded to the Finance Directorate (e.g., Earnings Loss Program files).
  10. During the collection of client data for program use, the Department ensures it obtains signed authority to release information and maintains this authority on file. The forms used contain the client name and file number as well as information on the party to whom information will be released and the nature of the information. This allows the Department to consult with community service providers and other health professionals in the managing of a client file.
  11. The Department developed Guidelines on Handling Personal Information in the Preparation of Briefing Materials. Despite the Privacy Awareness Training, a departmental review of briefing notes revealed that between November 1, 2010 and March 31, 2011, 30 percent of briefing notes and 28 percent of ministerial reports contained more than ‘need-to-know’ information.
  12. Privacy Impact Assessments (PIAs) assess privacy risks related to programs and activities. PIAs and threat and risk assessments, if required, are now completed before any changes to programs or new programs are implemented. There are a number of legacy programs for which PIAs have not been completed as they were in place before this requirement. The Access to Information and Privacy (ATIP) Coordinator for VAC has primary responsibility for the conduct of PIAs.
  13. The Department produced or is producing a number of guidance documents related to the disclosure of personal information in accordance with section 8 of the Act. These include guidelines for the disclosure of information to the Attorney General of Canada; Policing Services and Federal Investigative Bodies; Subpoena, Warrant, or Court Order; and to Ministers and Members of Parliament.

Criterion 2-3 — The Department verifies that its personal information banks are complete.

As a result of our document review and interviews, we found that:

  1. The Department submits new or revised personal information banks (PIBs) to the Information and Privacy Policy Division of the Treasury Board Secretariat where the content is reviewed for compliance with the Privacy Act. PIBs are then to be input to Info Source.

Criterion 2-4 — The Department annually confirms that its personal information bank index is accurate, complete, and up to date.

As a result of our document review and interviews, we found that:

  1. The Department submitted its most recent listing of PIBs to TBS to be included in the 2010 edition of Info Source which will update the 2009 edition currently available.
  2. The latest submission included a number of revised PIBs containing updated information approved by TBS. PIBs are reviewed and updated as often as possible in consultation with the program areas to ensure new collections, uses, and disclosures are reflected in the PIBs. Each time changes are made, TBS approval is required.
  3. The Department’s 2009 PIB Index includes all of the information required by TBS and the Privacy Act.

Criterion 2-5 — The Department responds to requests for access to personal information as required and within the stipulated timelines.

As a result of our document review and interviews, we found that:

  1. The Privacy Act requires that the Department provide notice to the requester within 30 days that the documents will be provided and access will be given.
  2. For purposes of understanding and assessing the process, we selected three requests submitted under the Privacy Act and found:
    • The Department answered one request in three days.
    • The Department completed one request in 30 days.
    • The Department completed one request in 121 days. This request contained 1,286 pages of documents and 2 cassette tapes. We could not confirm the requester was notified that the response would exceed 30 days, as required by the Act, section 15.
  3. The draft of the 2010–2011 Annual Report on the Administration of the Privacy Act indicated the Department responded to 69 percent of requests within 30 days of receipt and, when extensions were taken, 70 percent of requests were completed on time.
  4. There were 96 formal privacy requests outstanding in 2010-11 that were carried forward to 2011-12.

Criterion 2-6 — The Department applies exemptions to the disclosure of personal information in accordance with the Act.

As a result of our document review and interviews, we found that:

  1. For purposes of understanding and assessing the process, we reviewed three requests submitted under the Privacy Act and found the Department applied exemptions in each case. Each referenced section 26 of the Privacy Act, which requires that personal information about an individual other than the requester be removed from the records. When the Department completes a request, it sends a letter to the requester along with the records requested and cites the sections of the Act applied. As well, for any portion of the records that was redacted, the section of the Act applied is noted next to the redacted area.
  2. The draft 2010-2011 Annual Report on the Administration of the Privacy Act identified 170 cases where exemptions were applied for formal requests. These included the sections mentioned above and sections 22, 27 and 28 of the Privacy Act.
  3. The Policy and Procedures for the Processing of Requests for Access to Records and Personal Information under the Access to Information Act and the Privacy Act provides guidelines on applying exemptions in the Privacy Act. The authority to apply the exemptions has been delegated to the ATIP officer. However, the institution providing the records is required to review the records and highlight the information it believes requires exemptions to be applied. The ATIP officer reviews the records and decides whether the highlighted information qualifies for exemption or whether other parts of the records require exemptions.

Criterion 2-7 — The Department prepares an annual report on the administration of the Act to be tabled in Parliament within three months of year end.

As a result of our document review and interviews, we found that:

  1. The Department prepared its 2010–11 Annual Report on the Administration of the Privacy Act in May 2011. The Report must be submitted to each House of Parliament within three months from the financial year end or, if Parliament is not sitting, within 15 days of the next session. At the time of our report completion, the deadline had not passed and the Report had not been submitted.
  2. The 2009–10 Annual Report was deposited with the Clerk of the House on October 19, 2010. The House was not sitting at the end of June when the Report was due, and it resumed its session on September 20, 2010. The Report was submitted 29 days after the House returned for the third session of the 40th Parliament.