War Veterans Allowance

War Veterans Allowance

This report presents the findings of the Privacy Impact Assessment (PIA) of the War Veterans Allowance (WVA) Program. On June 18, 2009, amendments to the War Veterans Allowance Act received Royal Assent expanding the WVA Program and associated benefits to Allied Veterans who served during the Second World War or the Korean War, their survivors and/or their dependents. The expansion of the program afforded the opportunity to conduct a Privacy Impact Assessment of the War Veterans Allowance Program, including the current expansion to Allied Veterans. This PIA reflects the status of the WVA Program as of October 30, 2009.

VAC's War Veterans Allowance Program provides financial assistance in the form of a monthly grant payment to low-income clients. Eligibility for WVA is determined by the wartime service of a Veteran or qualified civilian, his age or health, as well as his income and residency.

WVA is an income-tested benefit and most regular income must be considered to determine eligibility. VAC can only supplement a client’s income up to a maximum ceiling set by law. This income ceiling is adjusted quarterly in accordance with increases in the Consumer Price Index. VAC's method for assessing income is similar to that used by other federal income support programs, such as the Guaranteed Income Supplement. A similar definition of income is in place for both programs and is based on the Income Tax Act.

Once eligible for WVA, the recipient becomes eligible to access other VAC programs. In this way, WVA acts as a gateway to the Assistance Fund, Funeral and Burial assistance, Treatment Benefits, Veterans Independence Program (VIP) and Long Term Care (LTC). Some Veterans do not qualify for WVA support because their family income exceeds the maximum amount allowable. However, if this is due to income from Old Age Security, these individuals are designated as "near recipients" of WVA. As such, they can access VAC's medical benefits and the other programs associated with WVA.

About the Privacy Impact Assessment (PIA)

This Privacy Impact Assessment reflects an analysis of the WVA Program but does not include assessments of the programs for which the WVA Program provides a gateway for eligibility. These programs have been assessed in individual PIAs.

VAC is committed to protecting the personal information of all clients and has taken the appropriate measures to ensure that the WVA Program conforms to the principles of the Privacy Act, its associated regulations and the Treasury Board Secretariat (TBS) Policy on Privacy Protection that govern the collection, use, disclosure, correction, protection, retention and disposal of personal information.

The PIA reviews how personal information is being collected, used and disclosed throughout the life-cycle of the WVA Program. PIAs are based on the ten universal privacy principles and are derived from the requirements of the Privacy Act. The WVA PIA has identified six potential privacy risks.

Risk #1 - Disclosure of Information to Allied Countries (Risk Rating: Low)

Issue:

Allied Veteran applicants sign a consent form (VAC 794) to allow VAC to obtain service verification from Allied Country embassies (or similar organizations). VAC does not have a formal agreement with these various countries/organizations regarding the use, disclosure, custody, control and disposition of the applicant’s personal information on the consent form and cannot guarantee that the applicant’s personal information maintained outside of Canada is afforded the same protection as information held within Canada.

Management Plan:

VAC will ensure that the cover letter which accompanies the consent includes an outline of the privacy and information management requirements that apply to the personal information on the form. A notice will be added to the consent form to advise clients that VAC has no control over the use and disposition of the personal information contained on the consent form when it is sent to Allied Countries.

Risk #2 - Collection of the Provincial Health/Hospital Number (PHN) on the WVA Application (Risk Rating: Low)

Issue:

VAC has no demonstrable need to collect the applicant’s Provincial Health/Hospital Number with the WVA application.

Management Plan:

As the PHN is not needed for the administration of the War Veterans Allowance Program, the Application form (VAC form 1466) will be changed to remove the Provincial Hospital/Health Number. The WVA Personal Information Bank will be revised to remove the PHN from the list of personal information collected.

Risk #3 - Privacy Notice Statement (Risk Rating: Low)

Issue:

The privacy notice on the VAC 1319: Report by Medical Examiner is inadequate to inform clients and physicians of the privacy requirements of the personal information collected on the form.

Management Plan:

VAC will update the privacy notice statement on the VAC 1319: Report by Medical Examiner to comply with Treasury Board guidelines and VAC standards.

Risk #4 - Use of VAC 520 and VAC 520-5: Authority to Release Personal Information (Risk Rating: Low)

Issue:

An Authority to Release Personal Information form (VAC 520 or VAC 520-5) may be required if a client requests that a family member/friend obtain information on his behalf from VAC. Past experience has shown that clients do not fully understand when and how the Authority to Release Personal Information form should be used. The form requires further explanation to ensure clients understand the intended purpose of the form and when and how to properly complete it.

Management Plan:

A guide will be prepared to include clear instructions, both for VAC staff and clients, as to when the form should be used and how to properly complete the required elements. Communication to VAC staff members will be provided to ensure they fully understand the intended purpose of the form and are able to explain this to clients to obtain informed consent.

Risk #5 - VAC's Electronic Systems do not have Disposition Functionality (Risk Rating: Low)

Issue:

VAC's electronic systems, the Client Service Delivery Network (CSDN) and the Federal Health Claims Processing System (FHCPS), do not have the functionality to perform disposition, which leads to information not being managed completely through its life cycle in accordance with legislative and central agency requirements. While this issue poses no immediate security risk to client information, this practice is a clear violation of both privacy and information management laws and policies.

Management Plan:

This is a departmental risk that is not solely related to the WVA Program. At this time, an action plan has been developed that outlines the high level tasks that must be completed in order to address this problem. Progress against this action plan has been made that includes the establishment of retention periods for VAC client information and the development of a proposal for Information Technology prioritization. To ensure continued progress, VAC will develop a more detailed action plan, including cost estimates, for management consideration and business planning.

Risk #6 - Threat and Risk Assessment (TRA) for Safeguarding Personal Information (Risk Rating: Low)

Issue:

A Threat and Risk Assessment (TRA) has not been completed on the WVA Program, which may lead to sensitive information not being properly identified and protected.

Management Plan:

The use of existing physical office space, previously used processes and existing staff lowers the probability of a security incident/privacy breach. The WVA Program has been in operation for a significant period of time, ensuring that the practices and procedures are well established and understood and ensuring that the privacy of the client is respected. At this time, VAC will accept the risk and monitor the situation. If the situation changes (i.e., processes, systems, etc.), the approach will be re-evaluated.

Conclusion

Although this PIA has identified a number of privacy risks, management plans commensurate with the degree of risk have been developed.