This report presents the findings of the Privacy Impact Assessment (PIA) on the Assistance Fund (AF). On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance Program and associated benefits to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to perform a Privacy Impact Assessment of the Assistance Fund including the current expansion to Allied Veterans. This PIA reflects the status of the Assistance Fund as of October 31, 2009.
The purpose of the Assistance Fund (AF) is to provide War Veterans Allowance (WVA) recipients, residing in Canada, with financial assistance to meet an emergency or unexpected contingency for which they do not have the resources.
The AF is delivered as a grant and cannot exceed $1,000 per calendar year per recipient. This grant complements the WVA by providing additional financial support for recipients of WVA, who are in an emergency situation or at risk of being in an emergency situation (e.g. the need to replace a furnace-depending on the time of year, this would be an emergency or a “near emergency”). These clients, already deemed to be low-income by virtue of receiving the WVA, do not have the financial resources to cover the costs of their emergency and without support their health or safety will be at risk.
About the Privacy Impact Assessment (PIA)
This Privacy Impact Assessment reflects an analysis of the Assistance Fund but does not include the assessment of the gateway for eligibility to the AF which is provided through the War Veterans Allowance (WVA) Program. A separate assessment of the WVA Program has been conducted.
VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Assistance Fund conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.
The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the AF. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The AF PIA has identified three potential privacy risks.
Risk #1 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)
Issue:
VAC's electronic system, the Client Service Delivery Network (CSDN), does not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.
Management Plan:
This is a departmental risk that is not solely related to the Assistance Fund. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.
Risk #2 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)
Issue:
A Threat and Risk Assessment (TRA) has not been completed on the AF, which may lead to sensitive information not being properly identified and protected.
Management Plan:
The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The AF has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.
Risk #3 - Privacy Notice Statements (Risk Rating: Low)
Issue:
The notice statement on the VAC 1128 Assistance Fund Application does not clearly state the purpose for the collection, the authority for the collection and the right of access to the information.
Management Plan:
The notice statement on the VAC 1128 Assistance Fund Application will be revised.
Conclusion
Although this PIA has has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.