Privacy Impact Assessment (PIA) Summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Maureen Sinnott
A/DG Service Delivery and Program Management
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
Director, Access to Information and Privacy
Name of Program or Activity of the Government Institution
Departmental Printing and Mailing
Description of Program or Activity
The objective of this project is to offer a substitute to VAC staff for the manual printing and mailing of client-facing forms and their accompanying inserts. These forms and their attachments will be available for printing and mailing externally with the addition of an automated solution which will have Canada Post performing both the printing and mailing functions. Canada Post has contracted the printing services to CGI. There are no changes to the processes associated with the new printing and mailing option from the current state up to the point of selecting the print option. Once the forms and their accompanying inserts are ready to be printed and mailed, the analyst will have the ability to select from the system the option to send to external printing and mailing, or another distribution option such as 'Finalize without Print' or 'Locally Print & Mail' if necessary. The goal is to have all client-facing forms and accompanying inserts sent to external printing and mailing. Automating the printing and mailing process will create efficiencies in the processes as a result of large-volume printing, standardized envelopes and improved address accuracy and processes.
An Addendum to this PIA was completed in October 2015 to address a change to the third party service provider for the Departmental Printing and Mailing. As of September 1, 2015, these services are now being delivered by Shared Services Canada. No additional risks were identified during this assessment.
Description of the class of records and Personal Information Banks associated with the program or activity
Class of Records and Personal Information Banks can be reviewed at: VAC’s Info Source Chapter
Legal Authority for Program or Activity
Programs and services at Veterans Affairs Canada (VAC) are governed by legal authorities. These authorities include but are not limited to the Pension Act, the Canadian Forces Members and Veterans Re-establishment and Compensation Act and Regulations, the War Veterans Allowance Act, the Royal Canadian Mounted Police Superannuation Act and/or the Royal Canadian Mounted Police Pension Continuation Act, and the Veterans Health Care Regulations.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to "Appendix C" of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Program or activity that does NOT involve a decision about an identifiable individual
Level of risk to privacy – 1
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual. For example: the personal information by association indirectly reveals information on the health, financial situation, religious or lifestyle choices of the individual.
Level of risk to privacy – 3
- Program or Activity Partners and Private Sector Involvement
- With other federal institutions
Level of risk to privacy – 2
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
Level of risk to privacy – 3
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
Risk to privacy – No
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services?
Risk to privacy – Yes
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
Risk to privacy – Yes
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
Risk to privacy – Yes
- Personal Information Transmission
- The personal information is used in a system that has connections to at least one other system.
Risk to privacy – 2
- Risk Impact to the Institution
- Managerial harm - Processes must be reviewed, tools must be changed, change in provider / partner.
Level of risk to privacy – 1
- Organizational harm - Changes to the organizational structure, changes to the organization's decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.
Level of risk to privacy – 2
- Risk Impact to the Individual or Employee
- Inconvenience
Level of risk to privacy – 1
- Financial harm
Level of risk to privacy – 3