Privacy Impact Assessment (PIA)

Privacy Impact Assessments (PIAs) are used to identify potential privacy issues of new or redesigned federal government operations. PIAs examine how government departments protect personal information through its lifecycle of collection, use, disclosure, storage, and disposition.

About the Office of the Veterans Ombudsman

The Office of the Veterans Ombudsman was established in 2007 under the authority of Order in Council P.C. 2007-530. The Office of the Veterans Ombudsman works to ensure that Veterans, serving members of the Canadian Forces and the Royal Canadian Mounted Police, and their families are treated respectfully, in accordance with the Veterans Bill of Rights, and receive the services and benefits that they require in a fair, timely and efficient manner. The Office provides information and referrals, and addresses complaints, emerging and systemic issues related to programs and services provided or administered by Veterans Affairs Canada. The Office also addresses systemic issues related to the Veterans Review and Appeal Board.

In April 2012, the Minister of Veterans Affairs Canada fully delegated administration of the Privacy Act to the Veterans Ombudsman and three senior management positions within the Office of the Veterans Ombudsman.

About the Privacy Impact Assessment

In March 2012, the Office of the Veterans Ombudsman completed a privacy impact assessment as a pro-active measure to assess the Office’s privacy practices with respect to its core mandate to ensure that privacy is appropriately considered and designed into business processes.

The scope of this privacy impact assessment was to identify privacy risks and recommend mitigation measures associated with the main business lines.

The overall risk rating for each risk identified was determined based on two factors:

  1. the probability that an adverse event could occur; and

  2. the impact on the Office of the Veterans Ombudsman should an adverse event occur.

It is important to note that a few areas of risk identified are for activities that the Office of the Veterans Ombudsman is contemplating rather than currently engaging in. Given this is the first formal privacy impact assessment conducted for a relatively new organization, it is common to have several areas of risk identified.

About the Risks Identified and Mitigation Measures

Risk # 1 – High

The Office of the Veterans Ombudsman has not formalized organization-specific policies and procedures related to privacy and the management of personal information.

Mitigation: Complete

The Office of the Veterans Ombudsman has provided introductory, refresher, and detailed privacy training to all staff and developed internal processes to support access to information and privacy administration.

The Office of the Veterans Ombudsman also developed a Protection of Personal Information, Policy and Procedures Manual in 2014.

Risk # 2 – High

The Office of the Veterans Ombudsman has contemplated the recording and / or live monitoring of client calls for quality assurance purposes.

Mitigation: Complete

The Office of the Veterans Ombudsman will not be recording or live monitoring client calls for quality assurance purposes at this time and no further action is required.

Risk # 3 – High

Threat and risk assessments have not been conducted on the Office’s case management and online complaint submission systems, and related processes.

Mitigation: Complete

The Office of the Veterans Ombudsman has completed threat and risk assessments on the Office’s case management and online complaint submission systems, and related processes.

The Office of the Veterans Ombudsman has implemented password standards within the case management system and is working with VAC-IT to determine the feasibility of other recommended system changes.

Risk # 4 – Moderate

A memorandum of understanding between the Office of the Veterans Ombudsman and Veterans Affairs Canada that outlines roles and responsibilities related to the administration of the Privacy Act is not formalized.

Mitigation: Complete

A memorandum of understanding between the Office of the Veterans Ombudsman and Veterans Affairs Canada for the administration of the Privacy Act has been negotiated and signed.

Risk # 5 – Moderate

The Office of the Veterans Ombudsman’s privacy governance structure, and roles and responsibilities documents have not been formalized.

Mitigation: Complete

The Office of the Veterans Ombudsman formalized a privacy governance structure, and revised a terms of reference for management committees that includes privacy-related roles and responsibilities.

Risk # 6 – Moderate

Appropriate controls related to the extraction of data from the Office’s case management system have not been developed.

Mitigation: In-Progress

The Office of the Veterans Ombudsman has implemented appropriate controls related to the extraction of data from the Office's case management system.

The Office of the Veterans Ombudsman has to develop a policy on the use of personal information for non-administrative purposes. The Office plans to complete this policy during fiscal year 2015/2016.

Risk # 7 – Moderate

For those complaints initiated over the phone, a specific Privacy Act notice similar in nature to notice provided via other intake channels is not provided.

Mitigation: Complete

The Office of the Veterans Ombudsman updated the Privacy Act notice for complaints initiated over the phone to ensure it is similar in nature to notice provided via other intake channels.

Risk # 8 – Moderate

The Office of the Veterans Ombudsman has several areas where personal information is collected on the Web site without an appropriate Privacy Act notice.

Mitigation: Complete

The Office of the Veterans Ombudsman has added Privacy Act notices where personal information is collected on the Office’s Web site.

Risk # 9 – Moderate

The Office of the Veterans Ombudsman is utilizing the contact information it has collected on clients to notify clients when a town hall or outreach event will be held near the client without identifying this as a consistent use of this information. The Office of the Veterans Ombudsman may also wish to use client contact information to contact clients to ask about their willingness to participate in a survey related to their satisfaction with the service provided by the Office.

Mitigation: Complete

The Office updated the personal information bank used by the Office (VAC PPU 210) in 2012 to include other consistent uses of personal information.

The Office updated collection processes to specifically seek consent from clients for consistent uses of personal information.

Risk # 10 – Moderate

Based on current business processes, personal information related to cases may be retained in email and network drives, as well as in the online complaint submission system.

Mitigation: Complete

The Office of the Veterans Ombudsman has developed an annual process to reconcile and purge personal information retained in systems.

The Office of the Veterans Ombudsman has also updated processes to ensure electronic copies of information uploaded to the Office's case management system are purged on a regular basis.

Risk # 11 – Moderate

A retention and disposition authority from Library and Archives Canada has not been obtained for the Office. Without a disposition authority, the Office has retained all case files in both electronic and paper format since the Office started to receive and process complaints in 2007.

Mitigation: In-Progress

The Office of the Veterans Ombudsman is currently implementing projects to support Recordkeeping Directive compliance, including identifying information resources of business value and implementing an enterprise document and record management system. The Office of the Veterans Ombudsman plans to seek a disposition authority from Library and Archives Canada as part of this work; however, this is an in-progress action for the Office.

Risk # 12 – Moderate

Roles and responsibilities related to some aspects of the management of personal information have not been formally defined between the Office of the Veterans Ombudsman and Veterans Affairs Canada.

Mitigation: Complete

A memorandum of understanding between the Office of the Veterans Ombudsman and Veterans Affairs Canada for information sharing between both organizations has been negotiated and signed.

Questions?

For further information on this privacy impact assessment, contact us:

E-mail:

OVOATIP-BOVAIPRP@ombudsman-veterans.gc.ca

Telephone:

Toll free calls within Canada: 1-877-330-4343

Mail:

Access to Information and Privacy Coordinator
Office of the Veterans Ombudsman
P.O. Box 66
Charlottetown, P.E.I.  C1A 7K2