Privacy Impact Assessment (PIA) summary
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Faith McIntyre
Director, Ste. Anne’s Hospital Transfer Project
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
ATIP Coordinator
Name of Program or Activity of the Government Institution
Human Resources Planning
Description of Program or Activity
Ste. Anne’s Hospital is recognized around the world for its expertise in geriatrics and mental health. With the potential Ste. Anne’s Hospital transfer from VAC to the Government of Quebec, Veterans will continue to receive exceptional care in this centre of excellence on the leading edge of clinical innovation. The transfer of Ste. Anne’s Hospital will provide long-term benefits to Veterans, Hospital staff and Quebec residents alike. There is a declining demand for long-term care beds for traditional Veterans at the Hospital. Transferring Ste. Anne’s Hospital to the Government of Quebec will help to maintain and maximize the Hospital’s expertise in geriatrics and psychogeriatrics, and provide bed availability for others.
The PIA completed in 2012–2013 assessed the privacy impacts of sharing Human Resources information with the Government of Quebec. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC). An additional PIA on the entire scope of the transfer is to be completed in the 2013–2014 fiscal year.
Description of the Class of Record and Personal Information Bank associated with the program or activity:
Human Resources Planning: Class of Record
Human Resources Planning: Personal Information Bank
Legal Authority for Program or Activity
Financial Administration Act (FAA) – sections 11 to 13 and Department of Veterans Affairs Act – sections 4 and 5.
Risk Area Identification & Categorization
The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Administration of Programs / Activity and Services
- Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
- Level of risk to privacy – 2
- Type of Personal Information Involved and Context
- Only personal information provided by the individual – at the time of collection – relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities.
- The context in which the personal information is collected is not particularly sensitive.
- Level of risk to privacy – 1
- Duration of the Program or Activity
- One time program or activity
Note: While information may be shared periodically during the transfer process, this is considered a “one-time” activity as the need for future sharing will be eliminated once the transfer occurs.
- Typically involves offering a one-time support measure in the form of a grant payment as a social support mechanism.
- Level of risk to privacy – 1
- Program Population
- The program affects all individuals for external administrative purposes.
- Level of risk to privacy – 4
- Training and Understanding of Privacy and Personal Information Protection
- A systematic privacy training and/or awareness plan is in place and sessions are provided and/or made available to employees and sectors of the government institution.
- Level of risk to privacy – 2
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?
- Risk to privacy – No
- Is the new or modified program or activity a modification of IT legacy systems and/or services?
- Risk to privacy – No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc.) as well as easy pass technology, new identification cards including magnetic stripe cards, "smart cards" (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).
- Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance, etc.
- Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.
- Risk to privacy – No
- Personal Information Transmission
- The personal information is transferred to a portable device or is printed. USB key, diskette, laptop computer, any transfer of the personal information to a different medium.
- Level of risk to privacy – 3
- Risk Impact to the Institution
- Organizational harm - Changes to the organizational structure, changes to the organization's decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.
- Level of risk to privacy – 2
- Risk Impact to the Individual or Employee
- Inconvenience
- Level of risk to privacy – 1