This report presents the findings of the Privacy Impact Assessment (PIA) of the Funeral and Burial Program (FBP). On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the War Veterans Allowance (WVA) Program and associated benefits, including those that fall under the Funeral and Burial Program, to add Allied Veterans and other individuals as eligible recipients. The expansion and the amendments to the program afforded the opportunity to perform a PIA of the Funeral and Burial Program. This PIA reflects the status of the Funeral and Burial Program as of November 23, 2009.
The Funeral and Burial Program allows Veterans Affairs Canada (VAC) to provide financial assistance so that eligible Veterans and other individuals receive a dignified funeral and burial. The Last Post Fund (LPF), a non-profit corporation, administers funeral, burial and grave-marking services on behalf of VAC. The LPF is a registered charity that has been serving Canada’s Veterans since it was originally created in 1909. In 1921, the organization was federally incorporated as the Last Post Fund. With federal funding, it began to offer services from coast to coast providing assistance to eligible Veterans throughout Canada. In 1995, changes were made to existing funeral, burial and grave-marking programs. The LPF was mandated to solely administer the Funeral and Burial Program on behalf of VAC.
About the Privacy Impact Assessment (PIA)
This Privacy Impact Assessment reflects an assessment of the entire Funeral and Burial Program.
VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the Funeral and Burial Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection to govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.
The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the Funeral and Burial Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The Funeral and Burial Program PIA has identified five potential privacy risks.
Risk #1 - Privacy Notice Statement (Risk Rating: Low)
Issue:
There is no privacy notice statement on the Application for Funeral and Burial Benefits; therefore, the privacy requirements to provide clients with information about the collection, use and disclosure of their personal information are not being met.
Management Plan:
The Funeral and Burial Application will be enhanced with the addition of a Privacy Notice Statement.
Risk #2 - Email address is collected on the application form (Risk Rating: Low)
Issue:
The Application for Funeral and Burial Benefits collects an applicant’s (executor or survivor) Email address. VAC Security and Real Property Services Division has not authorized the use of Email to communicate with clients.
Management Plan:
VAC is committed to ensuring that adequate measures are in place to protect the privacy of clients in the delivery of the Funeral and Burial Program. At this time, VAC will accept the risk associated with collecting an applicant’s Email address and communicating via Email. However, options will be explored to minimize the risk associated with the Email collection and communication (e.g. informing clients about the risks of using Email) and the most appropriate option will be implemented by the program area.
Risk #3 - Secondary use identified that has not been noted in the Personal Information Bank (Risk Rating: Low)
Issue:
Upon a favourable decision for the Funeral and Burial Program, a copy of the client’s decision letter is forwarded to Honours and Awards to be reviewed for possible medal implications. This secondary use of information is not currently listed within the new Funeral and Burial Personal Information Bank.
Management Plan:
An update to the Funeral and Burial Personal Information Bank will be actioned to include this secondary use.
Risk #4 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)
Issue:
VAC's electronic system, the Client Service Delivery Network (CSDN), does not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.
Management Plan:
This is a departmental risk that is not solely related to the Funeral and Burial Program. At this time an action plan has been developed that outlines the high-level tasks that must be completed in order to address this problem. Progress has been made against this action plan, including the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.
Risk #5 - A Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)
Issue:
A Threat and Risk Assessment (TRA) has not been completed on the Funeral and Burial Program, which may lead to sensitive information not being properly identified and protected.
Management Plan:
The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The Funeral and Burial Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.
Conclusion
Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.