Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Mark Roy
Director, Planning and Support Services
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garret-Baird
Director, Privacy and Information Management
Name of Program or Activity of the Government Institution
Disability Benefits Program
Description of Program or Activity
Canadian Armed Forces members and Veterans who have a service-related injury and/or illness will be provided with a monthly payment for life option; that is the Pain and Suffering Compensation (PSC). Those experiencing barriers to re-establishment in post-service life due to a service-related permanent and severe impairment will be provided with additional recognition and compensation through the Additional Pain and Suffering Compensation (APSC).
Traditionally, “Disability Benefits” refers to Disability Pensions (under the Pension Act), Disability Awards, and Death Benefit [the latter two being provided under the Veterans Well-being Act (VWA)]. For purposes of this PIA, the “Disability Benefits Program” includes the new non-economic benefits being added to the VWA (PSC, and APSC), VWA non-economic benefits (Death Benefit, Clothing Allowance, and Detention Benefit), and Pension Act benefits (Disability Pension, Clothing Allowance, Attendance Allowance, Exceptional Incapacity Allowance, and Prisoner of War Compensation).
Description of the class of record and the Personal Information Bank
Classes of Records (CORs) and Personal Information Banks (PIBs) can be reviewed at VAC's Information about Programs and Information Holdings.
Disability and Death Compensation: Pain and Suffering Compensation – Class of Record, Additional Pain and Suffering Compensation – Class of Record, Death Benefit – Class of Record, Disability Awards Program – Class of Record, and Disability Pension Program – Class of Record
Personal Information Banks: Pain and Suffering Compensation, Additional Pain and Suffering Compensation, Death Benefit, Disability Awards, Disability Pensions, Exceptional Incapacity Allowance, and Other Allowances
Legal Authority for Program or Activity
Veterans Well-being Act
For benefits being provided under the VWA, personal information is collected pursuant to Part 3:
- Non-application of this Part: section 42
- Pain and Suffering Compensation: sections 45 to 56.5
- No award — decision under Pension Act: section 56
- Additional Pain and Suffering Compensation: sections 56.6 to 56.8
- Death Benefit: sections 57 to 59
- Clothing Allowance: sections 60 to 62
- Detention Benefit: sections 64 to 65
- Additional Monthly Amount: section 131 and 132
Personal information may also be collected, used, and disclosed pursuant to Part 4 of the VWA:
- Transition to Civilian Life: sections 75.1 and 75.2
- Application to the Minister: subsection 76(1) and (2)
- Waiver: sections 78.1 and 78.2
- Inspection: section 79
- Sharing of Information: sections 80 and 81
- Review: sections 84 and 85
Pension Act
For benefits being provided under the Pension Act, personal information is collected pursuant to:
- Veterans Well-being Act - No award payable: section 3.1
- Disability Pensions: Part III, sections 21 to 36
- Attendance Allowance: Part III, subsections 38(1) and 38(2)
- Clothing Allowance: Part III, subsections 38(4) to 38(8)
- Pensions for Death: Part III, sections 45 to 57
- Prisoner of War: Part III.1, sections 71.1 to 71.5
- Exceptional Incapacity Allowance: Part IV, sections 72 and 73
Personal information may also be collected, used, and disclosed pursuant to Part VI of the Pension Act:
- Waiver: sections 80.1 and 80.2
- Review: sections 82 and 84
- Right to Inspect Records, etc.: section 109
- Information that shall be made available to Minister: section 109.1
- Information that Minister may disclose: section 109.2
For both the VWA and Pension Act, the associated regulations also apply, being the Veterans Well-being Regulations and Award Regulations, respectively.
Royal Canadian Mounted Police Superannuation Act
For benefits being provided under the Royal Canadian Mounted Police Superannuation Act, personal information is collected pursuant to:
- Benefits in Respect of Injury or Death on Service: Part II, sections 31.1 to 34
Royal Canadian Mounted Police Pension Continuation Act
For benefits being provided under the Royal Canadian Mounted Police Pension Continuation Act, personal information is collected pursuant to:
- Compensation for disability: section 5
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
Level of risk to privacy – 2
- Administration of Programs / Activity and Services
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- Within the institution (amongst one or more programs within the same institution)
- With other federal institutions
- With other or a combination of federal/ provincial and/or municipal government(s)
- Private sector organizations or international organizations or foreign governments
Level of risk to privacy – 1,2,3,4
- Duration of the Program or Activity
- Long-term program.
Level of risk to privacy – 3
- Long-term program.
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy - No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy - Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.
Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institution are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
The personal information is transferred to a portable device or is printed.
The personal information is transmitted using wireless technologies.Level of risk to privacy – 2, 3, 4
- The personal information is used in a system that has connections to at least one other system.
- Risk Impact to the Institution
- Managerial harm
- Organizational harm
- Financial harm
- Reputational harm, embarrassment, loss of credibility.
Level of risk to privacy – 1, 2, 3 and 4
- Risk Impact to the Individual or Employee
- Inconvenience
- Reputational harm, embarrassment
- Financial harm
Level of risk to privacy – 1, 2 and 3