Topic: Veterans Affairs Canada (VAC) Privacy Action Plan


PTE_Molgat

« on: April 02, 2012, 07:08:35 PM »
Veterans Affairs Canada (VAC) Privacy Action Plan

The Office of the Privacy Commissioner of Canada recently completed an investigation of a complaint filed against Veterans Affairs Canada under the Privacy Act. The Commissioner's report can be found here.

At Minister Blackburn's request, a 10-point action plan was developed, which specifically outlines the steps the Department is taking. These steps exceed the report's four recommendations and balance the protection of personal information and the ability of staff to provide top quality service. The recommendations referenced below are attached as Annex A.
Action:
1) Review system access in detail

Detailed review of approximately 2,800 user accounts in the Client Service Delivery Network (CSDN). (Addresses recommendation 2)
Date: March 31, 2011
2) Communicate discipline policy

A strengthened discipline policy and guidelines with clear sanctions have been developed and communicated to staff. (Addresses recommendation 1)
Date: October 31, 2010
3) Introduce a privacy lens for briefing note processes

New procedures have been issued on the appropriate use of client information when preparing briefing notes and other documents prepared for use within the Department. (Addresses recommendations 3 and 4)
Date: October 31, 2010
4) Appoint external systems expert

External experts in electronic information systems management will review and recommend changes to departmental systems. (Addresses recommendation 2)
Date: October 31, 2010 - March 31, 2011
5) Appoint external privacy expert

A team of experts in government Information Management and Privacy is working with the Department. These experts will review and recommend changes to departmental processes that will ensure information is protected and access is controlled. (Addresses recommendation 1)
Date: October 19, 2010 - March 31, 2011
6) Enhance monitoring of electronic systems

A team began to proactively monitor, review and investigate who is accessing client information. Where there is inappropriate access, disciplinary measures will be taken. (Addresses recommendation 1)
Date: Implemented October 18, 2010
7) Provide mandatory privacy training

A mandatory privacy awareness program for all staff was launched on October 19, 2010. This program covers the "need to know," the need for client consent when sharing information, and the range of disciplinary measures that will be taken if privacy is breached. Ste. Anne's Hospital, as an accredited hospital, has its own programs relating to privacy and confidentiality of client information. (Addresses recommendations 3 and 4)
Date: October 19, 2010 - November 19, 2010
8) Provide in-depth training on Government policies and procedures on privacy

In-depth training for all staff on the new policies, guidelines and procedures. (Addresses recommendation 3)
Date: January - March 31, 2011
9) Conduct independent annual assessment

An annual independent assessment of VAC's compliance with the Privacy and Access to Information Acts. (Addresses recommendation 1)
Date: Annually starting June 2011
10) Prepare for Privacy Commissioner's audit

The Department has already started preparations for a comprehensive audit by the Privacy Commissioner which is expected to start immediately.
Date: Immediately

As the findings of the Privacy Commissioner's report relate to activity in 2006, Veterans Affairs Canada has since made ongoing improvements to information management practices. For example, training on access, privacy and information management was delivered to 500 staff over 18 months in 2009-2010. At the same time, specialized training was provided to Access to Information and Privacy staff and departmental coordinators.

In May 2009, the Department developed and approved a three-year Information Management Strategy with the goal of strengthening information management practices and raising the level of awareness among all staff. This included the addition of new leadership and ongoing communication with staff.

Four investigations of inappropriate access to computer systems were conducted in 2009. These investigations resulted in 41 individuals being disciplined.
Annex A
Privacy Commissioner's Findings and Recommendations

An investigation by the Privacy Commissioner's Office into a complaint filed against the Department under the Privacy Act raised significant concerns surrounding the use of personal information within VAC and apparent lack of controls to protect personal information from being widely disseminated and accessed within the Department.

The following four recommendations were made.
Recommendation 1

Veterans Affairs Canada should take immediate steps to support an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the Department.
Recommendation 2

Veterans Affairs Canada should review and revise its existing information management practices and policies to ensure that personal information is shared within the Department on a need to know basis only and is appropriately limited to what is necessary to fulfil the operational requirements of its programs. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
Recommendation 3

Veterans Affairs should disseminate its strengthened privacy policy framework to all of its employees, provide training and raise awareness amongst VAC employees about appropriate personal information handling practices.
Recommendation 4

Veterans Affairs Canada should also review and comply with its existing policies and procedures concerning referrals to Ste. Anne's Hospital to ensure that the consent of the individual to whom the information relates has been provided before personal information is shared with hospital personnel and that the information shared is limited to that which is demonstrably necessary to fulfil the relevant purpose.


Privacy Act: Collection of personal information

4. No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.

1980-81-82-83, c. 111, Sch. II “4”.