Privacy Impact Assessment (PIA) summary
Government Institution
Veterans Affairs Canada
Government Official Responsible for the Privacy Impact Assessment
Raymond Lalonde
Director, National Centre for Operational Stress Injuries (NCOSI)
Head of the government institution / Delegate for section 10 of the Privacy Act
Shawn MacDougall
ATIP Coordinator
Name of Program or Activity of the Government Institution
VAC-NCOSI Client-Reported Outcomes Monitoring Information System (CROMIS) Initiative
Description of Program or Activity:
CROMIS is a national, web-based software suite that supports ongoing, session-by-session client-reported mental health outcomes tracking. Although the client reports the outcomes, the database does not hold information that can be used to identify the Veteran or other individual served by VAC. The approach is to monitor key mental health indicators to prevent deterioration and/or premature drop-out, by accurately identifying those at risk and providing actionable, “just-in-time” evidence-informed recommendations to client and clinician alike. The software (OQ-Analyst) has been demonstrated in randomized controlled trials not only to facilitate clinical performance monitoring in mental health care systems, but also to actually improve clinical outcomes.
The National Centre for Operational Stress Injuries (NCOSI) at VAC is using this client-reported outcome monitoring system to better evaluate the effectiveness of the Operational Stress Injury Clinic (OSIC) Network.
The PIA assessed the initiative to identify risks to personal information and implement changes to remove or mitigate the risks. This PIA has been submitted to Treasury Board Secretariat (TBS) and the Office of the Privacy Commissioner (OPC).
Description of the Class of Record and Personal Information Bank associated with the program or activity:
Mental Health Services and Supports: Class of Record
Mental Health: Personal Information Bank
Legal Authority for Program or Activity
The information collected and held by VAC in relation to the CROMIS initiative is collected and held under various legislated programs that are the responsibility of the Department.
Risk Area Identification & Categorization
The following section contains the risks identified in the PIA for the new or modified program. A risk scale has been included. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. Please refer to “Appendix C” of the TBS Directive on PIAs to learn more about the risk scale.
- Type of Program or Activity
- Program or activity that does NOT involve a decision about an identifiable individual
- Personal information is used strictly for statistical / research or evaluations (including mailing lists) where no decisions are made that directly have an impact on an identifiable individual. The Directive on PIA applies to administrative use of personal information. The Policy on Privacy Protection requires that government institutions establish an institutional Privacy Protocol for addressing non-administrative uses of personal information.
- Level of risk to privacy – 1 – NCOSI
- Administration of Programs / Activity and Services
- Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs, including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.).
- Level of risk to privacy – 2 – OSIC
- Type of Personal Information Involved and Context
- Sensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and / or the context surrounding the personal information is particularly sensitive.
- Level of risk to privacy – 4
- Program or Activity Partners and Private Sector Involvement
- With other or a combination of federal / provincial and/or municipal government(s) (Private Sector hosting).
- Level of risk to privacy – 3
- Duration of the Program or Activity
- Long-term program - Existing program that has been modified or is established with no clear "sunset".
- Level of risk to privacy – 3
- Program Population
- The program affects all individuals for external administrative purposes.
- Level of risk to privacy – 3
- Technology & Privacy
- Does the new or modified program or activity involve the implementation of a new electronic system, software or application program, including collaborative software (or groupware), that is implemented to support the program or activity in terms of the creation, collection or handling of personal information? Risk to privacy – Yes
- Does the new or modified program or activity require any modifications to IT legacy systems and / or services? Risk to privacy – No
- Enhanced identification methods - This includes biometric technology (i.e. facial recognition, gait analysis, iris scan, fingerprint analysis, voice print, radio frequency identification (RFID), etc…) as well as easy pass technology, new identification cards including magnetic stripe cards, “smart cards” (i.e. identification cards that are embedded with either an antenna or a contact pad that is connected to a microprocessor and a memory chip or only a memory chip with non-programmable logic). Risk to privacy – No
- Use of Surveillance - This includes surveillance technologies such as audio/video recording devices, thermal imaging, recognition devices, RFID, surreptitious surveillance / interception, computer aided monitoring including audit trails, satellite surveillance etc… Risk to privacy – No
- Use of automated personal information analysis, personal information matching and knowledge discovery techniques - For the purposes of the Directive on PIA, government institutions are to identify those activities that involve the use of automated technology to analyze, create, compare, cull, identify or extract personal information elements. Such activities would include personal information matching, record linkage, personal information mining, personal information comparison, knowledge discovery, information filtering or analysis. Such activities involve some form of artificial intelligence and/or machine learning to uncover knowledge (intelligence), trends/patterns or to predict behavior. Risk to privacy – Yes. The clinicians of the OSIC will utilize the software’s automated personal information analysis, personal information matching and knowledge discovery capabilities.
- Personal Information Transmission
- The personal information is transferred to a portable device or is printed (USB key, diskette, laptop computer, or any transfer of the personal information to a different medium).
- Level of risk to privacy – 3
- Risk Impact to the Institution
- Reputation harm, embarrassment, loss of credibility.
- Decreased confidence by the public, elected officials under the spotlight, institution strategic outcome compromised, government priority compromised, impact on the Government of Canada Outcome areas.
- Level of risk to privacy – 4
- Risk Impact to the Individual or Employee
- Reputation harm, embarrassment.
- Level of risk to privacy – 2