Privacy Impact Assessment (PIA) summary
Government Institution
Veteran Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Michael Zinck
Senior Director, Communications Division
Head of the government institution / Delegate for section 10 of the Privacy Act
Crystal Garret-Baird
A/Director
Name of Program or Activity of the Government Institution
Social Media Platform
Description of Program or Activity
As part of the commitment to better connect with citizens and businesses, the Government of Canada (GC) is improving access to government services and information, and examining opportunities to streamline its web presence (Economic Action Plan 2013). In this context, the GC’s Web Renewal strategy aims to modernize online communication capabilities, in particular its use of websites and social media. The Web Renewal strategy also supports Canada's commitment to open government and enables greater information sharing, public dialogue and collaboration.
Social media provides VAC with additional ways to target, reach, engage and build a relationship with Veterans, their families, other stakeholders and Canadians. It is also providing the Department with a greater understanding of the perspectives of Veterans, citizens, stakeholders and experts. Using social media will help develop better, more informed and more effective policies and programs for Veterans and their families. VAC has been successfully using social media tools (Facebook, YouTube and Twitter) to communicate Remembrance messaging.
This PIA assesses the privacy impacts of VAC establishing a presence on the social media platform, Facebook. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Description of the Class of Record and Personal Information Bank associated with the program or activity
Operational information that is collected via the VAC Facebook presence is not limited to any one specific program or activity for VAC and would be more closely compared to the department’s receipt of correspondence from the general public. As such, VAC will rely on two standard Classes of Records to reflect the operational information that this initiative is likely to generate:
In the event that an individual chooses to provide specific program related information using the Facebook platform, other Classes of Records may be relevant; however, that will only be determined by the nature of information that users post.
VAC will rely on two standard Personal Information Banks to reflect the personal information:
Legal Authority for Program or Activity
Department of Veterans Affairs Act, section 4
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
- Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).
Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
Level of risk to privacy – 3
- Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.
- Program or Activity Partners and Private Sector Involvement
- Private sector organizations or international organizations or foreign governments
Level of risk to privacy – 4
- Private sector organizations or international organizations or foreign governments
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
Level of risk to privacy – 3
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
- Program Population
- The program affects certain individuals for external administrative purposes.
Level of risk to privacy – 3
- The program affects certain individuals for external administrative purposes.
- Technology & Privacy
- Personal information posted by individuals to official social media accounts may be subject to data matching or mining, record linkage, transaction monitoring, personal information comparisons, knowledge discovery, or other information filtering and analysis by the platform owner, third parties, and/or members of the public.
Risk to privacy – 2
- Personal information posted by individuals to official social media accounts may be subject to data matching or mining, record linkage, transaction monitoring, personal information comparisons, knowledge discovery, or other information filtering and analysis by the platform owner, third parties, and/or members of the public.
- Personal Information Transmission
- The personal information is transmitted using wireless technologies.
Level of risk to privacy – 4
- The personal information is transmitted using wireless technologies.
- Risk Impact to the Institution
- Organizational harm
Reputation harm, embarrassment, lost of credibility. Decrease confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.Level of risk to privacy – 2, 4
- Organizational harm
- Risk Impact to the Individual or Employee
- Reputation harm, embarrassment
- Level of risk to privacy – 2