Ste. Anne’s Hospital Transfer Project

Ste. Anne’s Hospital Transfer Project

Government Institution

Veterans Affairs Canada

Government Official Responsible for the Privacy Impact Assessment

Faith McIntyre

Director General responsible for the Ste. Anne’s Hospital Transfer Project

Head of the government institution / Delegate for section 10 of the Privacy Act

Crystal Garrett-Baird

Director, Privacy and Information Management

Name of Program or Activity of the Government Institution

Ste. Anne’s Hospital Transfer Project

Description of Program or Activity:

Following the First World War, with the influx of returning soldiers, the Government of Canada owned and operated hospitals because of the special needs of Veteran patients and the variations in the care that was publicly available from one province to another. Since its establishment in 1917, Ste. Anne’s Hospital’s “raison d'être” has been to serve Veterans, to provide them with the highest standards of care, and to be a symbol of remembrance for the community and the country.

Since the introduction of the Canada Health Act and Medicare in the 1960s, the federal government began a process to transfer its 18 Veterans’ hospitals to provinces, thereby respecting provincial jurisdiction in matters of heath care. Ste. Anne’s Hospital (SAH) was the last remaining federally owned Veterans hospital and officially transferred to the Government of Quebec on April 1, 2016, becoming part of the new Centre intégré universitaire de santé et services sociaux (CIUSSS) de l’Ouest-de-l’Île-de-Montréal. The Ste. Anne’s Hospital transfer agreement negotiated positions agreed upon between both levels of government in the transfer of the Hospital.

Following the transfer, the distinct expertise in long-term care offered at Ste. Anne’s Hospital to Veterans will also benefit the local community. Post transfer, in addition to eligible war Veterans, all Veterans and other civilians who need long-term care could be admitted. As is the case in other long-term care facilities across the country, Veterans Affairs Canada will provide financial support and priority access to eligible war Veterans for contract beds at the Hospital. Veterans not eligible for contract beds but who are eligible due to a service related disability may have access to the provincial community beds at Ste. Anne’s Hospital. Ste. Anne’s Hospital will undergo the same provincial monitoring as other Quebec provincial long-term care facilities and will be subject to an accreditation process recognized by the province.

Description of the Class of Record and Personal Information Bank associated with the program or activity:

Class of Record: Ste. Anne’s Hospital (VAC MVA 715)

Personal Information Bank: Ste. Anne’s Hospital (VAC PPU 280)

Legal Authority for Program or Activity - VAC

Order in Council P.C. 2015-0432 (Ste. Anne’s Hospital Transfer)

Department of Veterans Affairs Act – sections 4 and 5

Financial Administration Act (FAA) – sections 11 to 13

Privacy Act

The legal authorities for Government of Quebec programs or activities:

An Act Respecting Health Services and Social Services

Organization and Management of Institutions Regulation (chapter S-5, r.5)

An Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information

Bill 59

Risk Area Identification & Categorization

The following section contains risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.

1) Type of Program or Activity

Administration of Programs / Activity and Services

Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).

Level of risk to privacy – 2

2) Type of Personal Information Involved and Context

Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.

Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive.

Level of risk to privacy – 3 & 4

3) Program or Activity Partners and Private Sector Involvement

With other institutions or a combination of federal, provincial, and/or municipal governments.

Level of risk to privacy – 3

4) Duration of the Program or Activity

Long-term program.

Level of risk to privacy – 3

5) Program Population

The program affects certain employees for internal administrative purposes.

The program affects certain individuals for external administrative purposes.

Level of risk to privacy – 1 & 3

6) Technology & Privacy

a) Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?

Risk to privacy –No

b) Is the new or modified program or activity a modification of an IT legacy systems and / or services?

Risk to privacy –Yes

c) Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic).

Risk to privacy –No

d) Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc.

Risk to privacy –No

e) Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior.

Risk to privacy –No

7) Personal Information Transmission

The personal information is used within a closed system. (No connections to Internet, Intranet or any other system. Circulation of hardcopy documents is controlled.)

The personal information is used in a system that has connections to at least one other system. (The program or activity involves one or more connections to the Internet, Intranet or any other system. Circulation of hardcopy documents is not controlled.)

The personal information is transferred to a portable device or is printed. (USB key, diskette, laptop computer, any transfer of the personal information to a different medium.)

Level of risk to privacy – 1, 2 & 3

8) Risk Impact to the Institution

Organizational harm

Reputational harm, embarrassment, loss of credibility

Level of risk to privacy – 2 & 4

9) Risk Impact to the Individual or Employee

Inconvenience

Reputational harm, embarrassment

Physical harm

Level of risk to privacy – 1, 2 & 4