Veterans Affairs Canada’s Privacy Action Plan 2.0

Executive Summary

• In fall 2010, the Office of the Privacy Commissioner of Canada completed an investigation of a complaint filed against Veterans Affairs Canada (VAC) under the Privacy Act that raised issues with the way personal information was handled in the Department.
• VAC took immediate action to respond to these issues and developed a 10-Point Action Plan that addressed immediate risks by putting in place key governance structures, establishing mandatory training, and developing key policies for the Department. In addition, the Action Plan instituted proactive monitoring and refined access controls to VAC’s electronic information systems.
• While the main points of the 10-Point Privacy Action Plan were completed by March 2011, VAC recognizes that privacy management requires ongoing vigilance and a firm commitment to maintaining the strong culture of privacy that is at the core of the work the Department does.
• To accomplish this and maintain the momentum of the 10-Point Plan, VAC is launching the Privacy Action Plan 2.0. This Plan will build on the success of deliverables that were implemented in the original plan and will work to fully integrate privacy protection as part of the Department’s overall management framework. This means looking at privacy in the context of five key management areas and activities:

Training and Awareness

• Deliver renewed privacy principles training to VAC employees and targeted training to promote a dialogue on privacy practices.
• Launch outreach activities with VAC clients and the Veteran community to promote an understanding of their rights and the Department’s obligations related to the Privacy Act.

Governance

• Continue to hold regular Departmental Privacy Committee meetings to review and advise on departmental priorities and privacy risks.
• Focus on developing proactive privacy guidance to address privacy risks at the planning phase.

Administration and Practices

• Streamline consent forms and clarify privacy notification statements to increase transparency with respect to VAC’s privacy management practices.
• Conduct privacy reviews and assessments related to key transformation initiatives (i.e. My VAC Account) and other VAC programs and activites.

Monitoring and Evaluation

• Monitor and evaluate whether privacy goals are being met with respect to privacy compliance and the management of personal information.
• Action findings and recommendations resulting from the Office of the Privacy Commissioner’s audit of VAC’s privacy practices.

Reporting and Priority Identification

• Report regularly on the results of monitoring and evaluations to senior management within the Department and to the public through VAC’s Annual Report on the administration of the Privacy Act.
• The Privacy Action Plan 2.0 will advance a deeper understanding of privacy and the need to protect personal information at all levels throughout the Department. The Phase II Privacy Performance Management Plan identifies strategic outcomes, key priorities as well as ongoing activities for each management area. Performance indicators are also identified to ensure that quantitative measures are available to assess achievement of desired outcomes.
• The Privacy Action Plan 2.0 will be rolled out over the fiscal year 2012-2013.

The following table summarizes the priority activities and timeframe for implementation on the plan.

Overview of priority activities and deliverables for 2012-2013

Priority Activities	Q1	Q2	Q3	Q4
1) Training and Awareness
Develop privacy principles training material	x
Develop privacy video presentation for departmental training.	x
Develop outreach activities with VAC clients and Veteran community	x	x	x
Delivery of renewed training modules concurrent with ongoing training	x	x	x	x
2) Governance
Hold regular meetings of the Departmental Privacy Committee (DPC)	x	x	x	x
Provide strategic privacy advice on departmental priorities and risk areas such as those relating to VAC Transformation.	x	x	x	x
3) Administration and Practices - Consent Forms Review
Streamlining consent forms – clarification on use of consent versus proper notification.	x
Implementation and follow up activities		x
3) Administration and Practices - Privacy lens review
Complete revisions to personal information bank descriptions.	x
Support and coordinate privacy reviews and assessments related to key transformation initiatives (i.e. My VAC Account) and other VAC programs and activities.	x	x	x	x
4) Monitoring and Evaluation - Annual review of personal information banks (PIBs)
Comprehensive assessment on the current state of PIBs including related sharing agreements to identify required revisions.	x	x
Implement required changes.			x	x
4) Monitoring and Evaluation - Privacy review
Action findings and recommendations resulting from the Office of the Privacy Commissioner’s audit of VAC’s privacy practices		x	x
Implement required changes.		x	x	x
5) Reporting and Priority Identification
Complete all legislative and policy reporting (privacy request statistics, Info Source, PIBs, Annual Reports to Parliament).	x	x
Strengthen and ensure regular reporting to DPC and Senior Management Committee with respect to the Privacy Management Dashboard.	x	x	x	x

Background

• The Office of the Privacy Commissioner’s (OPC) investigation into a complaint filed against Veterans Affairs Canada (VAC) under the Privacy Act identified areas of concern surrounding the management of personal information within VAC. The investigation also identified the need to strengthen controls to protect personal information.
• In response to the privacy issues identified, VAC developed and implemented a 10-point Privacy Action Plan to address immediate risks and put in place key governance structures and policies for the Department. In addition, the Department’s Privacy Action Plan:
  • Instituted proactive monitoring of VAC’s electronic information systems;
  • Obtained the services of a privacy expert as well as a technical expert to assist with refining access controls to the Client Services Delivery Network (CSDN).
  • Reviewed 2,800 user accounts resulting in a detailed CSDN access matrix of fewer users;
  • Provided mandatory training on new procedures and policies for handling personal information;
  • Completed an independent assessment; and
  • Cooperated with the Office of the Privacy Commissioner in the recent audit. Work is ongoing to ensure VAC is well positioned for this activity.
• Although significant progress has been made since the publication of the Privacy Action Plan in 2011 (Appendix A), the Department has focused its efforts on continuing to strengthen existing initiatives while exploring areas to further enhance the privacy management framework within the Department. This work has culminated in the release and implementation of the Privacy Action Plan 2.0.

Current Context

• The 2010 10-Point Privacy Action Plan is subsumed and overtaken by this new plan. Privacy Action Plan 2.0 builds on deliverables to date and works to further develop five (5) key areas as part of the overall and ongoing departmental privacy management strategy:
  1. Training and Awareness: Increase targeted training and awareness activities that promote a dialogue on privacy practices
  2. Governance: Strengthen governance and strategic planning related to privacy management
  3. Administration and Practices: Continue to improve sound privacy practices while ensuring that fundamental work related to compliance with the Privacy Act and related Treasury Board Secretariat policy and directives is completed
  4. Monitoring and Evaluation: Actively monitor and evaluate whether desired outcomes are being met in terms of privacy compliance and improved management of personal information
  5. Reporting and Priority Identification: Ensure that the results of monitoring and evaluation are integrated into regular reporting structures with the Department’s overall governance structure
• Privacy Action Plan 2.0 continues to advance an understanding of privacy and the need to protect personal information throughout the Department. It will address all aspects of administration of the Privacy Act within this management approach.

Appendix A

Veterans Affairs Canada 2010 Ten Point Privacy Action Plan

Point	Status
1) Review system access in detail Detailed review of approximately 2,800 user accounts in the Client Service Delivery Network (CSDN).	Completed March 2011
2) Communicate discipline policy Strengthened discipline policy and guidelines with clear sanctions were developed and communicated to staff.	Completed October 2010
3) Introduce a privacy lens for briefing note processes New procedures were issued on the appropriate use of client information when preparing briefing notes and other documents prepared for use within the Department.	Completed October 2010
4) Appoint external systems expert External experts in electronic information systems management reviewed and recommended changes to departmental systems. NOTE: The majority of activities related to the recommendations have been completed.	Completed November 2010
5) Appoint external privacy expert Information Management and Privacy experts reviewed and recommended changes to departmental processes to ensure information is protected and access is controlled.	Completed January 2011
6) Enhance monitoring of electronic systems A team proactively monitors, reviews and investigates who is accessing client information. Where there is inappropriate access, disciplinary measures are taken.	Completed (Ongoing)
7) Provide mandatory privacy training A mandatory privacy awareness program was launched in October 2010. This program covers the "need to know" principle, the need for client consent when sharing information, and the range of disciplinary measures that will be taken if privacy is breached. NOTE: Ste. Anne's Hospital, as an accredited hospital, has a comprehensive training program relating to privacy and confidentiality of client information (approximately 1200 employees work at Ste-Anne’s Hospital).	Completed November 2010
8) Provide in-depth training on Government policies and procedures on privacy In-depth training for staff on the new policies, guidelines and procedures began in January 2011.	Completed July 2011
9) Conduct independent annual assessment The first annual independent assessment of VAC's compliance with the Privacy and Access to Information Acts was completed by Audit Services Canada in August 2011.	Completed August 2011
10) Prepare for Privacy Commissioner's audit The Office of the Privacy Commissioner is conducting a privacy audit on the Department.	Completed April 2012 (Ongoing)