Author Topic: Privacy complaints, data breaches jump: Watchdog Jennifer Stoddart  (Read 13843 times)

0 Members and 4 Guests are viewing this topic.

Canadian_Vet

  • Administrator
  • Hero Member
  • **********
  • Posts: 1546
    • View Profile
    • Canadian Veterans Advocacy
Privacy complaints, data breaches jump: Watchdog Jennifer Stoddart

Published on Thursday October 04, 2012

http://i.thestar.com/images/0a/32/e821f5ad43948e4bcf0e73997b61.jpg

Record delays in accessing personal information held by Ottawa, along with more than six dozen breaches of sensitive data last year alone, show Canada’s privacy laws are in dire need of updating, a federal watchdog says.

In her annual report tabled Thursday, Canada’s privacy commissioner Jennifer Stoddart paints a troubling picture of a bureaucracy governed by obsolete legislation that provides few incentives to report when data has been compromised and offers little recourse to citizens if their personal information is misused.

Stoddart’s office received 986 complaints about the government’s handling of private information last year — a 39 per cent increase over the previous year — most of them targeting the Correctional Service Canada, the RCMP, National Defence and the Canada Revenue Agency. The majority of complaints centered on problems citizens encountered while trying to access information about themselves held by government departments and the amount of time it took to get a response.

Meanwhile, data breaches involving government-controlled personal information were at their highest level in recent years, with 80 reported cases in 2011-12 — a 25 per cent increase over the previous year.

But because the reporting of data breaches is voluntary, the commissioner’s office was unable to determine if the number of breaches actually increased or whether departments took more initiative in reporting them.

“We have no idea what part of the actual data breaches going on we see or know about,” Stoddart told the Toronto Star. “It could be the tip of the iceberg and many may be simply shoved to the background.”

Her report also highlights problems at a number of government departments, including the Canada Revenue Agency, which saw an 23 per cent increase in complaints last year.

In one instance, a woman lodged a complaint with the CRA after she learned that her tax information had been accessed by a government employee now living with her ex-husband. The CRA took 13 months to investigate and failed to inform the woman about the results of the investigation.

“Year after year, people come to us with complaints that somebody has been looking into their tax files, somebody they know personally or someone who is part of their community,” Stoddart said. “This has to be stopped.

“It’s not acceptable for Canadians to give their personal information under law to the government and then not have really strong safeguards about who’s using it and who’s misusing it, and not to have any real remedy if it’s misused.”

Compounding the problem is Canada’s 30-year-old Privacy Act — legislation Stoddart calls “almost totally obsolete” — created before the widespread use of personal computers and the Internet. She laments the lack of government action to despite numerous calls by her office to revamp the law.

Also tabled Thursday was Stoddart’s follow-up audit of Veterans Affairs Canada, which was heavily criticized in 2010 for widely sharing a veteran’s medical information with employees who had no legitimate reason to see it. The personal data even made it into ministerial briefing notes.

Stoddart said the department now has a comprehensive privacy management program and appears to be taking its obligation to protect veterans’ private information seriously.

Avner Levin, director of Ryerson University’s Privacy and Cyber Crime Institute, says the commissioner’s concerns will do little to encourage government departments and institutions to part with information or diligently report data breaches.

“There is a tendency in any organization to say, ‘We’re not going to share that.’ I think all organizations are guilty of this, not just the public sector,” said Levin, noting that government departments tend to take a very rigid interpretation of privacy law.
Canadian Veterans Advocacy - One Veteran One Standard

Web Site: http://www.canadianveteransadvocacy.com/index.html

Main FaceBook Group: https://www.facebook.com/groups/CdnVetsAdvocacy/

Main FaceBook Page: https://www.facebook.com/CanadianVeteransAdvocacy


Canadian_Vet

  • Administrator
  • Hero Member
  • **********
  • Posts: 1546
    • View Profile
    • Canadian Veterans Advocacy
Veterans Affairs Canada - Audit Report of the Privacy Commissioner of Canada
« Reply #1 on: October 05, 2012, 07:41:44 AM »
Veterans Affairs Canada

Audit Report of the Privacy Commissioner of Canada

FULL Report in PDF: http://www.priv.gc.ca/information/pub/ar-vr/ar-vr_vac_2012_e.pdf

Section 37 of the Privacy Act
Final Report
2012
PDF Version

Office of the Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

(613) 947-1698, 1-800-282-1376
Fax (613) 947-6850
TDD (613) 992-9190
Follow us on Twitter: @privacyprivee

© Minister of Public Works and Government Services Canada 2012
Cat. No. IP54-44/2012
ISBN 978-1-100-52495-5
Table of Contents

    * Main Points
         1. What we examined
         2. Why this issue is important
         3. What we found
    * Introduction
         1. Background
         2. About the audit entity
         3. Focus of the audit
    * Observations and Recommendations
         1. Compliance with the Code of Fair Information Practices
               1. Collection practices do not extend beyond legislative mandate
               2. Policies and practices related to the use of Veterans’ information respect privacy
               3. Guidelines to limit personal information in ministerial briefing notes have had a positive impact
               4. System modified to require employees to indicate reason for accessing client database
               5. Management of Veterans’ consent needs to be strengthened
               6. Files have been kept longer than necessary
         2. Safeguarding Veterans’ Personal Information
               1. Risks associated with the primary client database have not been fully assessed
               2. Employee access rights to electronic data have been modified to respect the “need to know” principle
               3. Enhanced activity logging is required to monitor access to client health care claims
               4. There is no record of actions taken to address security risks identified during site inspections
               5. Particularly sensitive personal information is sent by fax
               6. Inspection of telework sites would ensure privacy risks are addressed
               7. Informal arrangements provide little assurance that records are disposed of securely
         3. Privacy Management and Accountability
               1. Accountability for compliance with the Privacy Act is well established
               2. Privacy risk assessment process has been formalized
               3. Mechanisms for reporting on and investigating privacy breaches are in place
               4. New process is designed to ensure contracts include adequate privacy provisions
               5. Maintaining client confidentiality is the cornerstone of employee awareness initiatives
    * Conclusion
    * About the Audit
    * Appendix A: List of Recommendations

Top of Page Table of Contents Main Points
Top of Page Table of ContentsWhat we examined

In October 2010, the Privacy Commissioner of Canada released the results of an investigation into a complaint alleging Veterans Affairs Canada (the Department) mishandled an individual’s personal information. The Commissioner concluded that the Department was not compliant with the Privacy Act and lacked adequate controls to safeguard Veterans’ personal information.

The Department offers a wide range of programs and services to Veterans, their dependents and survivors. This requires the collection and use of sensitive personal information. We looked at how this information is managed.

We reviewed the Department’s personal information management policies, procedures and processes, program records, guidelines, privacy impact assessments, security reviews, training materials, information sharing agreements and contracts with third party service providers. We also examined the controls in place to protect the personal information stored in electronic and hard copy format. In addition, we looked at a sampling of Veterans’ files.

Finally, we examined the way in which Veterans Affairs Canada assigns privacy responsibilities, manages privacy risks and ensures compliance with its obligations under the Privacy Act.
Top of Page Table of ContentsWhy this issue is important

Veterans Affairs Canada provides programs and services to over 200,000 clients. It maintains a large repository of personal information. The data holdings are not only voluminous, they are also highly sensitive. In addition to biographical data (names, dates of birth, marital status, etc.), Veterans’ files may contain military service records, employment and educational histories, and financial and medical information.

The unauthorized use and disclosure of personal information could have a significant impact on Veterans, their dependents and survivors. This could include financial loss resulting from identity theft or fraud, humiliation or damage to reputations, or risk to personal safety.

Veterans Affairs Canada has a legal obligation to ensure that policies, procedures and controls are in place to protect the personal information collected under its mandate. This is essential in order for the Department to maintain Veterans’ confidence in its ability to preserve the confidentiality of information that has been entrusted to it.
Top of Page Table of ContentsWhat we found

Veterans Affairs Canada takes its obligation to protect Veterans’ privacy seriously. Senior management is committed to ensuring departmental practices for the handling of personal information comply with sections 4 through 8 of the Privacy Act, and has been actively involved in monitoring the efforts made to address the deficiencies highlighted by the Privacy Commissioner in October 2010.

Key elements of a comprehensive privacy management program are in place. An internal governance structure has been formalized to foster a culture of privacy throughout the organization, and to provide a coordinated and consistent approach to managing privacy in day-to-day operations. Information management and privacy experts have been engaged to examine and identify opportunities for improving the Department’s personal information management practices. Investments have also been made in monitoring access to Veterans’ files, refining system access controls, increasing employee awareness, and developing new policies, procedures, processes and guidelines to respect Veterans’ privacy.

The principle that personal information should only be collected if there is a legitimate and authorized need is fundamental to privacy protection. Under the Privacy Act, the collection of personal information must be directly related to an operating program or activity. Veterans Affairs Canada collects personal information to administer the various benefits, programs and services under its legislative mandate. We found that the Department’s collection activities are relevant and not excessive, and that Veterans’ personal information is used for authorized purposes.

Although we found no evidence of systemic non-compliance with the disclosure provisions of the Privacy Act, there is room for improvement in terms of how Veterans’ consent is managed. As a general rule, the Department obtains consent prior to releasing a Veteran’s personal information to a third party (e.g., external service provider, family member, etc.); however, we observed consent forms that did not specify the third party or the information the Department was authorized to release. Further, we noted that disclosures had been made but the corresponding consent was not included in the file. Similarly, we found that details surrounding consent were not always entered in the Client Service Delivery Network, the primary electronic repository for Veterans’ records. A concerted effort is needed to ensure consent is consistently and sufficiently recorded on file. Otherwise, there is a risk the Department may mistakenly disclose Veterans’ personal information.

With respect to retention, the Department has schedules that set out how long personal information may be retained before it is destroyed. We found that an extremely large number of hard copy (paper) files have been kept beyond their established retention period—primarily because, in 2008, Library and Archives Canada changed the designation of the files to non-archival. This has had a significant impact on the Department; over 100,000 boxes of files must be reviewed to determine which records can be destroyed. Work is underway in this regard. We also found that the Client Service Delivery Network does not have the technical capability to dispose of records. As a result, information residing in the database is kept indefinitely.

Ensuring that access to personal information is restricted to those with a legitimate need is a key privacy safeguard. The results of the Privacy Commissioner’s investigation in 2010 prompted Veterans Affairs Canada to undertake a review of employee access rights for the Client Service Delivery Network. All positions were examined as part of the exercise. Managers were required to submit the rationale for each access level deemed essential for employees to perform their duties. The submissions were reviewed by a departmental committee and either accepted or rejected, often after questioning the rationale provided. As a result of this review, system access privileges were removed for many employees and access levels were reduced for 95 percent of the remaining positions.

Veterans Affairs Canada has identified areas for improvement in its overall information technology (IT) environment and progress has been made in addressing them; however, the Department’s IT systems have not been subjected to a formal certification and accreditation process, as required under Treasury Board policy. This exposes the Department to a risk that systems may have undetected security weaknesses, which may affect the integrity of the personal information residing in them.

The Department has contracted a third party, Medavie Blue Cross (MBC), to manage the processing of Veterans’ health care claims and certain services. As part of the arrangement, MBC implemented the Federal Health Claims Processing System (FHCPS). Although processes and procedures are in place to manage employees’ access to the FHCPS, the Department has not conducted a review to ensure access privileges are in keeping with the “need to know” principle. Our review of 26 user accounts of departmental staff found that over one-third had access to information that was not required for their defined roles. Moreover, we found that certain user activities are not recorded. While changes to a Veteran’s file are captured in system audit logs, read-only access is not. Logging user activity is crucial to determining whether access rights have been appropriately exercised. Without full activity logging, data residing in the FHCPS may be accessed with no means of detection.

With the exception of two regional offices and one district office, the Department has outsourced the disposal of Veterans’ records to private shredding companies. Approximately one-third of the arrangements are not governed by written contracts, with terms and conditions that satisfy Government of Canada security requirements. There is also an absence of systematic monitoring to verify that records are destroyed in a secure manner.

In October 2010, Veterans Affairs Canada launched a mandatory privacy awareness program for all employees. The program is supplemented by privacy-related bulletins and other resources that are accessible on the Department’s intranet site. While the various training initiatives have been successful in underscoring the importance of maintaining client confidentiality, employees would benefit from an enhanced awareness of core privacy principles.

Veterans Affairs Canada has sent a clear signal that privacy is vital to its operations. With committed leadership, structures and control mechanisms in place, the Department is moving from reacting to privacy issues to proactively addressing them.

Veterans Affairs Canada has responded to our findings. The Department’s responses follow each recommendation throughout the report.
Top of Page Table of Contents Introduction
Top of Page Table of ContentsBackground

1. In October 2010, the Privacy Commissioner released the results of an investigation into a complaint filed by an individual who alleged that Veterans Affairs Canada had mishandled his personal information.

2. The investigation confirmed that two ministerial briefing notes about the complainant contained personal information that exceeded what was necessary for the stated purpose of the briefings. Inquiries also revealed that information was inappropriately shared with departmental officials, indicating a lack of controls to protect personal information from being disseminated to those with no legitimate need to view it. The Commissioner recommended that Veterans Affairs Canada:

    * develop an enhanced privacy policy framework to regulate access to personal information within the Department;
    * revise information management practices and policies to ensure that personal information is shared within the Department on a need-to-know basis;
    * ensure that the consent for the transfer of personal information has been obtained and that the information shared is limited to that which is necessary; and
    * provide training to employees on how to handle personal information.

3. In response to the Commissioner’s report, and at the request of the former Minister of Veterans Affairs, the Department developed its Ten-point Privacy Action Plan to address the above recommendations. As part of this Plan, the Department: implemented a privacy governance structure; developed policies, procedures, processes and guidelines for managing Veterans’ personal information; established mandatory privacy training for employees; and instituted proactive monitoring of the Client Service Delivery Network, the primary electronic repository for Veterans’ personal information.
Top of Page Table of ContentsAbout the audit entity

4. The Veterans Affairs portfolio consists of the Department, the Veterans Review and Appeal Board, and the Office of the Veterans Ombudsman. The Department’s mandate is derived from laws—such as the Department of Veterans Affairs Act—and regulations.

5. Veterans Affairs Canada offers a wide range of programs and services to support its clients. These clients include traditional war service Veterans from the Second World War and the Korean War, and former and serving members of the Canadian Forces and eligible family members. The Department also administers disability pensions and health care benefits for certain serving and former members of the Royal Canadian Mounted Police.

6. In 2006, the Government of Canada enacted the Canadian Forces Members and Veterans Re-establishment and Compensation Act, commonly referred to as the New Veterans Charter. The Charter introduced a new suite of programs and services for modern (post-Korean War) Veterans and their families. The Charter has two key elements. The first is an integrated case management process to address Veterans’ needs. The second is a dual award approach that separates compensation payments for the non-economic effects of a disability attributable to military service, from financial support to compensate for the impact that a service-related or career-ending disability has on a Veteran’s ability to earn income.

7. Veterans Affairs Canada has approximately 3,900 employees. It operates out of three regional offices, 35 service points across Canada and Ste. Anne’s Hospital in Sainte-Anne-de-Bellevue. The Department has also established 24 Integrated Personnel Support Centres with the Department of National Defence. These centres are designed to provide individuals with support throughout the transition from military service to civilian life. More information about the Department is available on its website at www.veterans.gc.ca
Top of Page Table of ContentsFocus of the audit

8. The audit focused on the management of personal information about Veterans.1 The objective was to assess whether the Department has implemented adequate controls to protect Veterans’ personal information, and whether its policies, procedures and processes for managing such information comply with the fair information practices embodied in sections 4 through 8 of the Privacy Act.

9. The audit did not include a review of the Department’s management of personal information about its employees or contract personnel. Moreover, we did not examine the personal information handling practices of the Veterans Review and Appeal Board, the Office of the Veterans Ombudsman, the Bureau of Pension Advocates, Ste. Anne’s Hospital or the Department’s third party service providers.

10. As reported above, Veterans Affairs Canada administers disability pensions and health care benefits for certain members of the Royal Canadian Mounted Police. The personal information management practices related to these programs and services were not reviewed.

11. Although the review included an assessment of the IT safeguards surrounding the primary client database, the audit did not examine the Department’s overarching IT security infrastructure. Information on the scope, criteria and approach can be found in the About the Audit section of this report.
Top of Page Table of ContentsObservations and Recommendations
Top of Page Table of ContentsCompliance with the Code of Fair Information Practices

12. The Privacy Act sets out the rules governing the management of personal information held by federal government institutions. Sections 4 through 8, commonly referred to as the Code of Fair Information Practices, restrict the collection of personal information and limit how that information, once collected, can be used and disclosed. The Actalso addresses the retention and disposal of personal information. It balances the legitimate collection and use requirements essential to government programs with an individual’s right to a reasonable expectation of privacy.

13. To assess the extent to which the Department is meeting its obligations under the Privacy Act, we looked at how Veterans’ personal information is managed. We expected to find that:

    * the collection of Veterans’ personal information is limited to what is necessary to administer programs and services;
    * the information is used and disclosed for authorized purposes; and
    * ensure that the consent for the transfer of personal information has been obtained and that the information shared is limited to that which is necessary; and
    * records are retained and disposed of in accordance with established schedules.

Top of Page Table of ContentsCollection practices do not extend beyond legislative mandate

14. The life cycle management of personal information begins with its collection. Within the federal context, section 4 of the Privacy Act establishes criteria for the collection of personal information. Specifically, the collection must relate directly to an operating program or activity of the government institution. The institution must also have controls in place to ensure it does not collect more personal information than necessary. We expected to find that the Department’s collection activities were both relevant and not excessive.

15. Veterans Affairs Canada collects the personal information required to administer the various benefits, programs and services under its mandate. In addition to biographical data (e.g., names, addresses, dates of birth, marital status, military service numbers), financial, medical, education, employment and military service information is often obtained.

16. Personal information may be collected directly from the Veteran or indirectly from external sources such as the Department of National Defence, community health care professionals, provincial health authorities, third party service providers and family members. Standardized applications, medical referrals, assessment templates and consent forms—authorizing the Department to collect information2—are routinely used for this purpose.

17. Employees who assist Veterans must exercise discretion when determining what information should be collected to address a Veteran’s needs and manage the individual’s case. The Department’s privacy policy instructs staff not to accept personal information about or from a Veteran solely because it is offered or the information may be required at a later date.

18. We reviewed the various forms used to collect personal information, interviewed staff and examined a sampling of Veterans’ files. We found the information collected on application forms and assessment templates is limited to that which is required for the purpose of assessing Veterans’ entitlements. Similarly, we found no evidence during our examination of Veterans’ hard copy and electronic files to suggest the Department is collecting personal information that it does not need to deliver its programs and services.

19. We did note however, that information relating to one financial benefit is routinely collected prior to being required. The Earnings Loss (EL) benefit is payable to a Veteran in recognition of the economic impact of a military career-ending or service-related disability on the individual’s ability to earn income. The EL benefit is intended as an income replacement provided to the Veteran during his or her participation in the Rehabilitation Program.3 The EL benefit is also provided to a Veteran if, following the approval of a rehabilitation or vocational assistance plan, it is determined the individual is unable to work due to a permanent disability.

Financial Benefits

"Rehabilitation Program clients may also be eligible for income support through VAC's Financial Benefits Program. The Earnings Loss Benefit guarantees you will have a monthly income equivalent to 75% of your monthly military salary. It is important [emphasis added] for you to make an application for the Earnings Loss Benefit when you apply for the Rehabilitation Program."

Exhibit 1: Excerpt from the Rehabilitation Program Client Information Guide

20. We found that a completed EL benefit application and supporting documentation are collected before eligibility for the Rehabilitation Program has been determined. In essence, the information is collected with the presumption that the Veteran’s eligibility will be confirmed.

21. The Rehabilitation Program Client Information Guide provided to Veterans encourages them to submit an application for the EL benefit when they apply for the Rehabilitation Program (see Exhibit 1). The Department explained that, if the personal information required for the EL benefit was collected after eligibility for rehabilitation or vocational assistance was determined, the Veteran would face an extended delay in receiving financial assistance. While the current process may have merit from a practical perspective (i.e., reducing the turn-around-time to process the EL application), it is not in keeping with section 4 of the Privacy Act. Should the Veteran’s application be denied, the Department has, in effect, collected personal information prior to having the authority to do so.

22. It is important that Veterans be fully informed of the Department’s rationale for collecting the EL benefit application before their eligibility for the Rehabilitation Program has been established. This will enable Veterans to apply for the benefit in advance—should they choose to do so—while ensuring the Department’s collection practices satisfy the requirements of the Privacy Act.

23. Recommendation

Veterans Affairs Canada should ensure that Veterans understand they are under no obligation to submit the Earnings Loss benefit application before their eligibility for the Rehabilitation Program has been confirmed.

Department’s response:

Agreed. In an effort to make program accessibility seamless for Veterans, the Department currently includes an application for Earnings Loss with each Rehabilitation application package. To address this recommendation, the Department is now advising all applicants that they are under no obligation to apply for Earnings Loss when they apply for the Rehabilitation Program. Applicants are also advised of the benefits of applying for both programs at the same time.
Top of Page Table of ContentsPolicies and practices related to the use of Veterans’ information respect privacy

24. Section 7 of the Privacy Act governs the use of personal information. Generally, a government institution may use personal information only for the purpose for which the information was obtained or compiled, or for a use consistent with that purpose. With respect to consistent uses, the Treasury Board Secretariat has provided the following guidance:

    For a use to be consistent, it must have a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled.

    A test of whether a proposed use is “consistent” may be whether it would be reasonable for the individual who provided the information to expect that it would be used in the proposed manner. This means that the original purpose and the proposed purpose are so closely related that the individual would expect the information would be used for the consistent purpose—even if the use is not spelled out.

25. We expected to find that the Department is using Veterans’ personal information for authorized purposes. We examined policies, procedures and processes, interviewed staff and examined a sample of Veterans’ electronic and paper files.

26. The Department requires personal information to determine eligibility and entitlements, disburse benefits, and provide services under the Department’s various programs. We found no evidence of Veterans’ personal information having been used for a purpose other than that for which it was obtained, or for a use inconsistent with that purpose.
Top of Page Table of ContentsGuidelines to limit personal information in ministerial briefing notes have had a positive impact

27. The Minister of Veterans Affairs is routinely briefed on departmental matters. The types of briefings vary and will depend on the purpose of the communication. Some briefing notes are for information purposes only, while others seek a decision on a proposed course of action.

28. The Minister also receives correspondence from Veterans and individuals acting on their behalf. These are referred to as ministerial inquiries. In addition to a draft reply, the Minister is provided with a background report containing information deemed relevant to the issue(s) raised in the correspondence.

29. In response to our 2010 investigation, Veterans Affairs Canada acknowledged that the inclusion of excessive personal information in ministerial briefing material was an issue. As part of its Ten-point Privacy Action Plan to address this and other issues, the Department established new procedures for preparing briefing notes and other documents for internal use. These procedures (guidelines) were implemented in October 2010. They are comprehensive, setting out the requirements for the inclusion, handling and sharing of personal information in briefing documents. The guidelines emphasize that briefing material should contain only personal information that is absolutely necessary [emphasis added] to meet the objective of the briefing. Employees are also instructed to consider whether this objective can be achieved without including personal identifiers, such as Veterans’ names.

30. In the fall of 2011, the Department established centralized work units to process ministerial briefing documents, and the employees involved in drafting client-specific briefing notes and background reports have received training on the new guidelines. We verified that a quality assurance process is in place to ensure the content of ministerial briefings is limited to the information the Minister needs to respond to Veterans’ concerns.

31. We reviewed a sampling of 88 client-specific ministerial briefing documents that were prepared between April 1, 2011 and March 1, 2012. We found that approximately 98 percent of them adhered to the “need to know” principle—that is, the personal information contained in the records was limited to what was necessary to fulfill the purpose of the briefing. While two briefing documents contained information that extended beyond what was strictly required, it should be noted that the briefing documents were prepared prior to the establishment of the quality assurance process.
Top of Page Table of ContentsSystem modified to require employees to indicate reason for accessing client database

32. Generally, an individual’s right to privacy includes control over the use of his or her personal information. In the context of this audit, this refers to a Veteran’s right to know how his or her information is used and for what purpose(s).

33. The Client Service Delivery Network (CSDN) is an integrated system that supports the delivery of disability pensions and awards, economic support, and health care benefits and services.

34. When Veterans contact the Department with questions, concerns or requests, the information is logged in the CSDN. We were informed that in 2011-12, the Department received 800,000 inquiries from Veterans and the CSDN processed over eight million interactions. An interaction may require staff in various geographical locations and different parts of the organization to access a Veteran’s file for the purpose of responding to the inquiry or facilitating the provision of a service or benefit. Moreover, a Veteran may have complex issues that require support from a number of departmental officials. Consequently, a Veteran’s CSDN file may be accessed on multiple occasions by different employees, each with a legitimate reason for doing so.

35. Although the CSDN creates a record when a Veteran’s file is opened and the information it contains is updated, staff did not consistently record the reason the account was accessed. In April 2012, a new drop-down “Access Reason” menu was introduced to capture this information and enhance the records that support the rationale for accessing a file (see below).

Exhibit 2: Client Service Delivery Network Access Reason window
Exhibit 2: Client Service Delivery Network Access Reason window

36. Once the user inputs a client identifier (e.g., Veteran’s name or service number), the Access Reason window appears. The drop-down menu contains nine categories (reasons) for accessing a file. If the “Inquiry” category is selected, the user must add details about the specific nature of the inquiry. If no selection is made, or the user does not provide the additional information required, an error message appears and the user is denied access to the file.

37. This enhancement is important from a privacy perspective; it allows the Department to readily identify when a Veteran’s file has been accessed, by whom and for what reason. And, by extension, it provides valuable data in terms of monitoring system access and analyzing whether Veterans’ personal information is being used for authorized purposes.
Top of Page Table of ContentsManagement of Veterans’ consent needs to be strengthened

38. As previously reported, government institutions can use personal information for the purpose for which it is collected, or for a use consistent with that purpose. They may also disclose the information for the same purposes. There are other circumstances in which personal information may be disclosed (released) without the individual’s consent. These exceptions are set out in subsection 8(2) of the Privacy Act. Such disclosures are discretionary, meaning that even if the disclosure is permissible under the Act, an institution exercises its discretion and decides whether or not to release the information.

39. We expected to find that the Department’s disclosure practices complied with the Privacy Act. We examined its policies, procedures and processes, interviewed staff and examined Veterans’ files. Although we found no evidence of systemic non-compliance, we did observe weaknesses in how consent is managed.

40. As a general practice, the Department obtains the Veteran’s consent prior to releasing his or her personal information to a third party (e.g., external health care professional, community service provider). Consent may be obtained at the time the Department collects the Veteran’s information for program use, or subsequently when the requirement for disclosure arises. The consent form contains the Veteran’s name and service number, the third party to whom the Veteran authorizes the release of the information, and the nature of the information that may be shared.

41. During our review of Veterans’ files, we found signed consent forms that did not specify the name of the third party or the nature of the information the Department was authorized to release. Moreover, we noted numerous instances of disclosure where the corresponding consent was not captured on file. It is important that consent be consistently and sufficiently recorded on file. In the absence of such sound record keeping practices, the Department cannot be assured that all disclosures are appropriate.

42. Veterans Affairs Canada receives thousands of telephone inquiries monthly. In 2004, the Department centralized its phone service, introduced a toll-free line, and established client contact centres. With operations in Kirkland Lake, Halifax, Montreal and Winnipeg, the National Contact Centre Network (NCCN) usually serves as the first point of contact for the Department. NCCN analysts receive inquiries from various sources, including Veterans and third parties acting on their behalf, community health care providers, elected officials and the public. An inquiry may be general in nature (e.g., information regarding a program or service) or it may relate to a specific Veteran.

43. Procedures are in place to guide NCCN analysts in responding to requests for personal information. If a call is received from a Veteran about his or her file, the analyst must authenticate the individual’s identity. A series of security questions are used for this purpose. When identity is confirmed, the analyst will access the Veteran’s electronic records in the CSDN and respond to the inquiry or refer it elsewhere within the Department. If the Veteran is unable to answer all of the authentication questions, the analyst is prohibited from disclosing personal information from the file.

44. The Department also receives inquiries from third parties acting on Veterans’ behalf, including family members, neighbours and representatives of the Royal Canadian Legion. We were informed that NCCN analysts will only release information if the third party holds an official power of attorney for the Veteran, or if the Veteran has identified the third party as an authorized contact—and thereby has consented to the disclosure.

45. NCCN analysts consult the Contacts screen in the CSDN to make this determination. The screen has data fields for the authorized contact’s name, the duration of consent (start and end dates), and the information the Veteran has authorized the Department to release (recorded in the Comments field).

Exhibit 3: Client Service Delivery Network Contacts screen
Exhibit 3: Client Service Delivery Network Contacts screen

46. Although not a standard practice, a Veteran’s verbal consent may be accepted to facilitate certain disclosures to third parties. For example, a family member may contact the Department regarding a specific issue. Prior to responding, the NCCN analyst will ask to speak to the Veteran, authenticate his or her identity and obtain their authorization to release the information to the family member. We were told that a verbal authorization is considered a one-time consent for a specific issue, and the circumstances of the disclosure are documented on the Veteran’s file. A written consent must be submitted if the Veteran wishes the Department to provide personal information to a family member on an ongoing basis.

47. The CSDN Contacts screen is a tool designed to mitigate the risk of an unauthorized disclosure of Veterans’ personal information. To be effective, the data it contains must be current and complete. We found a number of deficiencies in this regard: authorization end (expiry) dates were not recorded in approximately 60 percent of the electronic files examined, and the nature of the consent was absent in over one-third of the cases. While few in number, we also observed files that did not specify whether the power of attorney was for financial matters, health care or both, or whether it had been invoked.

48. Veterans have the right to withdraw or revoke their consent at any time. While the Department’s consent policy instructs staff to enter a note in the CSDN when a Veteran exercises this right, the policy is silent in terms of ensuring the Contacts screen is updated accordingly. Moreover, the employees we interviewed were generally unaware of the process for withdrawing consent, or who was responsible for ensuring such withdrawal was recorded in the Contacts screen. The current practice records a revocation of consent in a client note where it may be buried among numerous other notes; this increases the likelihood that it will be overlooked by employees unless they specifically search for it.

49. In the absence of complete and current data appearing in the CSDN Contacts screen, there is a risk that employees will disclose Veterans’ personal information inappropriately on the basis of inaccurate or outdated information.

50. Recommendation

Veterans Affairs Canada should ensure that Veterans’ consent is consistently recorded on file and easily accessible for verification.

The Department should also establish mechanisms to provide assurance that consent is accurately reflected in the Client Service Delivery Network.

Department’s response:

Agreed. Veterans Affairs Canada has recently introduced a new departmental policy on the use of privacy notices and consent. This new policy will help ensure that Veterans’ consent is consistently recorded on file.

The Department will further support its new policy through a number of changes to the Client Service Delivery Network, which will ensure consent is accurately and consistently reflected. An interim system change has been implemented on the Client Service Delivery Network, while the full system change will be complete by September 2013.
Top of Page Table of ContentsFiles have been kept longer than necessary

51. Federal institutions develop retention and disposal schedules to manage their records. These schedules establish how long records will be kept before they are destroyed or transferred to the control of Library and Archives Canada. The Librarian and Archivist of Canada issues Records Disposition Authorities (RDAs) for this purpose.4

52. We expected to find that Veterans Affairs Canada had established retention and disposal schedules for Veterans’ files, with complementary processes and procedures. Although an RDA had been issued to allow for the disposal of records that the Department no longer requires, we found that it had not been applied to a large number of eligible files.

53. Prior to 2008, all Veterans’ files in regional offices were deemed to have archival value. Consequently, the records were retained indefinitely. In 2008, Library and Archives Canada re-evaluated the Department’s information holdings and changed the designation of over 100,000 boxes of files to “non-archival” with a retention period of seven years after the death of the Veteran (or last known dependent) or, if the date of death is unknown, 100 years after the Veteran’s date of birth. This change in designation has had a significant impact on the Department as each box must be reviewed to determine which records can be destroyed. Work is underway in this regard; we were informed that 10,000 boxes of files have been processed in the last two years. The Department is exploring options to expedite the processing of the remaining files.

54. We also verified that the Client Service Delivery Network does not have the technical capability to dispose of information. Therefore, information is kept indefinitely in the database, which departmental officials acknowledge as being non-compliant with information and privacy requirements. We were told that extensive analysis is required before data can be safely deleted.

55. A records retention and disposal schedule is important from a privacy perspective. It provides a mechanism for ensuring that personal information is destroyed when it is no longer required. Any further retention exposes the information to potential misuse.

56. Recommendation

In addition to the work underway, Veterans Affairs Canada should implement processes to ensure electronic and paper records are disposed of upon the expiration of their established retention periods.

Department’s response:

Agreed. The Department has revised its retention and disposition practices for key departmental information. This involves the review of more than two million paper files. The disposal work is underway and will be fully completed by March 2015.

Due to the complexity of the Department’s primary electronic system (Client Service Delivery Network), extensive analysis will be required to assess and determine appropriate disposition of electronic data. This initial analysis and assessment will be completed by April 2013.
Top of Page Table of ContentsSafeguarding Veterans’ Personal Information

57. Sound security practices are an essential component for meeting the protection requirements established under the Privacy Act. Appropriate measures and controls must be present to ensure personal information is not subject to unauthorized access, use, disclosure, alteration or destruction.

58. Treasury Board policy establishes baseline (mandatory) security requirements to protect and preserve the confidentiality and integrity of government assets, including personal information. Federal departments and agencies are responsible for conducting their own assessments to determine whether safeguards above baseline levels are necessary.

59. We expected to find appropriate safeguards in place to protect Veterans’ personal information. We examined departmental procedures, processes, system access controls and contracts with third party service providers. We also conducted physical inspections during our visits to regional and district offices.
Top of Page Table of ContentsRisks associated with the primary client database have not been fully assessed

60. Information technology (IT) security is the process of preventing and detecting unauthorized use of computer systems. Evolving technology presents threats that may affect the confidentiality and integrity of personal information. To prevent unauthorized access to any part of a computer system, institutions must protect data through the use of appropriate safeguards. IT systems should also be subject to ongoing monitoring, as well as routine vulnerability assessments and testing.

61. Although the audit was not designed to examine the Department’s overarching IT security infrastructure, we did look at the measures in place to protect its operational systems. We found that the Department has implemented administrative, physical and technical safeguards that adhere to standard industry practices. These include firewalls, intrusion detection systems, network zoning and effective change management. The IT systems are housed in secure areas with restricted access.

62. Veterans Affairs Canada has identified areas for improvement in its overall IT environment and progress has been made to address them. A more rigorous threat and risk assessment (TRA) process has been implemented and vulnerability assessments have been performed on public-facing applications. While threat and risk assessments are prepared for new systems, they have not been conducted on all existing systems. The Department was in the process of conducting a TRA on the Client Service Delivery Network (CSDN) at the time we completed our audit.

63. Treasury Board Secretariat’s Operational Security Standard: Management of Information Technology Security requires federal organizations to certify and accredit an IT system prior to approving it for operation. Certification verifies that mandatory security requirements for an IT system have been applied. It also verifies that controls and safeguards to protect data are functioning as intended. Accreditation signifies that management has authorized operation of the system and has accepted any residual risk.

64. The Department’s IT systems, including the CSDN, have not been subjected to a formal certification and accreditation process, as required by Treasury Board’s security standard. This exposes the Department to a risk that systems may have undetected security weaknesses that could affect the integrity of the personal information residing in them.

65. Recommendation

Veterans Affairs Canada should establish a formal certification and accreditation process and ensure that all IT systems that retain personal information are subjected to it.

Department’s response:

Agreed. In consultation with the Chief Information Officer Branch of the Treasury Board Secretariat, Veterans Affairs Canada will establish a process for Certification and Accreditation of all its IT systems that retain personal information. This process will be in place by December 2012. The Department’s largest and most critical electronic system, the Client Service Delivery Network, will be the first system subjected to this process.
Top of Page Table of ContentsEmployee access rights to electronic data have been modified to respect the “need to know” principle

66. Controlled access to an IT system represents a key safeguard because it restricts the use of personal information to those who have a legitimate need. An effective method of mitigating the risk of data being compromised is to limit access rights to the system. We looked at:

    * how the Department determines who needs access to the CSDN and to what information within the system; and
    * the administrative processes and procedures in place for ongoing management of this access.

67. Approximately 70 percent of the Department’s employees provide direct service to Veterans. Access to information within the CSDN is based on an employee’s position and the requirements of that position. Many employees may have the same position; for example, the Department employs 246 case managers.5 The CSDN has several access levels; each level establishes the type (subset) of information that an employee can view and the functions the employee can perform within the system.

68. In November 2010, the Department established a committee to review access to the CSDN. All positions were examined as part of this exercise. Questionnaires to validate access requirements were developed and sent to all units. Managers and supervisors were required to submit the rationale for the CSDN access levels deemed essential for employees to fulfill their job functions. The submissions were reviewed and either accepted or rejected, often after questioning the rationale provided. Once CSDN access levels for a position were approved, the access levels of all employees occupying that position were revised accordingly. This process was completed in February 2012.

69. We confirmed that CSDN access has been removed for 45 positions (499 employees). Moreover, access levels were reduced for 95 percent of the remaining positions. This is a positive development from a privacy protection perspective; the Department has exercised due diligence in reassessing who should have access to the system, as well as the level of such access.

70. We also found that the Department has processes and procedures to grant, remove and manage access to the system. To obtain access, a request is submitted to a central unit. This unit verifies that the employee requires access and then grants the level assigned to the employee’s position. Should the employee change positions, the access level is modified to reflect the requirements of the new position. If an individual leaves the Department or is absent on extended leave, access rights are removed.

71. We did note that the Department uses a manual process to establish and maintain access levels. Access rights are assigned to each individual rather than assigning the employee to a pre-defined role within the system that contains the necessary access levels. Since manual procedures are more prone to error, there is a risk that users may be granted inappropriate levels of access.

72. Automated role-based access within a system facilitates the ongoing management of access rights. It grants access permissions to roles and assigns employees to those roles. Changes made to the access levels of a role are automatically assigned to all employees with that role. In other words, access levels can be verified by confirming employees have the correct role rather than examining the validity of each specific access level assigned to an employee.

73. Recommendation

To mitigate the risk of employees having access to Veterans’ information that they do not need, the Department should automate role-based access for the Client Service Delivery Network.

Department’s response:

Agreed. As part of the Department’s original Ten-point Privacy Action Plan, issued in November 2010, a significant review of access rights to the Client Service Delivery Network was completed in February 2012. As a result of this review, the Department will automate role-based access for the Client Service Delivery Network by April 2013.
Top of Page Table of ContentsEnhanced activity logging is required to monitor access to client health care claims

74. Veterans Affairs Canada provides a wide range of health care benefits and services to clients, including medical, surgical and dental treatment; aids for daily living; special equipment; and prescription drugs. The Department has contracted a third party, Medavie Blue Cross (MBC), to manage the processing of Veterans’ health care claims. As part of this arrangement, MBC developed the Federal Health Claims Processing System (FHCPS), which it owns and operates. The FHCPS provides automated claims adjudication, issues payments to medical service providers and processes reimbursements to Veterans for eligible expenses. MBC issues client health identification cards to facilitate the provision of many services and benefits.

Exhibit 4: Medavie Blue Cross client health identification card
Exhibit 4: Medavie Blue Cross client health identification card

75. We expected to find adequate safeguards in place to protect personal information transmitted to, and stored within, the FHCPS. We also expected to find that access to the data is restricted to those with a legitimate need. We examined policies and procedures, IT security controls and the processes for managing access to the system.

76. The Department commenced outsourcing the management of client health care claims in 1989. The current agreement with MBC was established in 2003. It contains key security and privacy provisions, including:

    * all work and services must be performed in Canada by Canadian citizens;
    * security and physical measures to protect Veterans’ information must be in accordance with Government of Canada security standards;
    * the information collected must be directly required for the purpose of providing the services stipulated under the contract;
    * the information cannot be used for secondary purposes;
    * MBC must obtain client consent forms to support program administration; and
    * employees with access to Veterans’ information must have Enhanced Reliability security clearance.

77. Although not required under the contract, the Department and MBC have established a protocol for reporting a privacy breach. In addition to identifying the individual(s) impacted by a breach, MBC provides the Department with a summary of the incident, the results of its investigation, and any corrective action taken to prevent a recurrence.

78. As reported above, the FHCPS is owned and operated by MBC. While the company’s overall IT security infrastructure was not examined as part of the audit, we did confirm that a secure, dedicated link is used to transfer data electronically between Veterans Affairs Canada and MBC. The Department works with MBC to ensure appropriate IT security controls are in place. These controls are tested regularly and reviewed annually by an external auditor. The external review assesses the effectiveness of the controls surrounding system access management, as well as physical, network and application controls. A copy of the external audit report—and MBC’s management action plan to address any reported deficiencies—is provided to the Department.

79. Veterans Affairs Canada and MBC share responsibility for managing access to the FHCPS, with each entity retaining control over granting, modifying and removing access rights for their respective employees. MBC has established procedures for this purpose; they include confirming employees are Canadian citizens, have been security cleared, and require access to the system to perform their duties. Processes are also in place to remove or modify FHCPS access if an employee transfers to a new position, departs or is absent on extended leave. The controls established by MBC to manage system access rights are examined annually as part of the external audit.

80. In terms of the Department, the processes and procedures for managing access to the FHCPS mirror those used for the CSDN. This includes the use of a manual process to establish and maintain access levels, as well as assigning FHCPS access rights to individuals rather than assigning them a role within the system.

81. However, unlike the CSDN, Veterans Affairs Canada has not completed a review of FHCPS user privileges to ensure access is in keeping with the “need to know” principle. Our testing indicates there are weaknesses in this regard. We reviewed a sampling of 26 users (departmental employees) and found that over one-third had access to information that was not required for their defined roles.

82. Moreover, we found that certain user activities are not recorded. Although changes to a Veteran’s file are captured in FHCPS audit logs, read-only access is not. Logging user activity is crucial to determining whether access rights have been appropriately exercised. Without full activity logging, a Veteran’s file may be accessed with no means of detection.

83. Recommendation

Veterans Affairs Canada should review employees’ access to the Federal Health Claims Processing System to ensure user privileges are in keeping with the “need to know” principle. The Department would benefit from automating role-based access within the system.

Veterans Affairs Canada should also ensure that all user activities, including read-only access to files, are logged for monitoring and audit purposes.

Department’s response:

Agreed. Veterans Affairs Canada has engaged the current Federal Health Claims Processing System contractor to ensure user privileges are in keeping with the “need to know” principle. Additionally, the Statement of Requirements for the new contract addresses both issues raised in the recommendation. A Request for Proposal (RFP) will be posted to MERX in 2012. The present contract expires in 2015.
Top of Page Table of ContentsThere is no record of actions taken to address security risks identified during site inspections

84. Treasury Board Secretariat’s Operational Security Standard on Physical Security provides mandatory requirements to counter threats and risks to government assets, including personal information. We expected to find that physical safeguards to protect Veterans’ personal information were commensurate with the sensitivity of the information.

85. The Department’s head office, regional and district offices are controlled by various security measures. Intrusion detection alarm systems, electronic access control cards and secure storage facilities are commonly used to restrict access to operational areas and records. These safeguards are complemented by the presence of security guards and closed-circuit television cameras at some locations.

86. The Security and Real Property Division conducts site inspections at each regional and district office on a three-year rotational basis. The inspections identify security risks and recommend strategies to minimize them, and thereby improve the Department’s physical security environment. The assessments address various issues, including perimeter security, physical access controls, and the security of sensitive assets and information.

87. We reviewed a sampling of 20 site inspection files6 and found they were silent on whether the security risks highlighted in the reports had been addressed with the implementation of appropriate mitigation measures. The files also lacked confirmation of senior management’s review and acceptance of the findings and recommendations. Departmental security officials confirmed that regional and district managers are not required to formally respond to the findings or provide records highlighting the actions taken to address noted deficiencies. In the absence of formal sign-off by senior management, there is no assurance that security risks that may impact Veterans’ privacy have been fully considered.

88. Recommendation

Veterans Affairs Canada should ensure all actions taken to address observations noted during physical security site inspections are appended to the assessment reports. In addition, management should, through sign-off, formally acknowledge and accept the risks identified in these assessments, as well as the mitigation measures—either taken or planned.

Department’s response:

Agreed. Veterans Affairs Canada has already revised its site review process to require that management action plans be appended to the assessment reports and address any identified risks, including a follow-up mechanism.
Top of Page Table of ContentsParticularly sensitive personal information is sent by fax

89. The use of facsimile (fax) technology to transmit personal information poses certain risks. If sent by unsecure means, the information may be intercepted or exploited. It could also be inadvertently sent to the wrong individual, or a fax machine may be accessible to many employees in an office environment, thereby increasing the risk that the contents of the message may be exposed. Consequently, faxing should be used judiciously and measures should be adopted to mitigate the risk of an inappropriate disclosure.

This facsimile service is a non-secure facility. Information that is classified as top secret, confidential or medically-related client/personal information shall not be transmitted on the facsimile network.

Protected information, including particularly sensitive information (except for medically-related client/personal information), may be sent over the facsimile network if authorized by the responsible manager.

Exhibit 5: Notice on facsimile cover sheet

90. Departmental policy provides direction to staff on the use of fax technology to transmit client information. While the policy outlines additional precautions—such as contacting the recipient prior to sending a message, verifying the fax number and confirming receipt of the transmission—it places limited restrictions on the type of Veterans’ information that may be faxed. The only guidance in this regard is found on the Department’s standard fax cover sheet, which contains a notice stating that, “medically-related client/personal information must not be sent over the facsimile network.”

91. We found that Veterans’ information is often faxed, both within the Department and to external recipients. Although referrals to medical service providers and consent forms account for many of the transmissions, our interviews with staff and examination of files confirmed that faxes may include information about a Veteran’s general health or psychiatric conditions, as well as pension-related information. The practice of transmitting such information by fax contravenes the instructions provided on the fax cover sheet.

92. The standard fax cover sheet is also deficient. It does not include a warning that the information is intended for the named recipient only, or that any unauthorized use, disclosure or distribution is prohibited. Moreover, it does not provide explicit instructions for the recipient to follow if a fax is received in error.

93. The Treasury Board Secretariat’s Guidelines for Privacy Breaches outline a number of measures to prevent the unauthorized disclosure of personal information. They advise against sending personal information by fax unless absolutely necessary. Our inquiries suggest that faxes are often used by Veterans Affairs Canada for reasons of expediency (convenience), rendering privacy a secondary consideration.

94. Recommendation

To mitigate the risk of inappropriate disclosure, Veterans Affairs Canada should ensure that the use of fax technology to transmit sensitive personal information is restricted to such cases where it is required by time constraints.

The Department should also ensure that its standard fax cover sheet includes a statement regarding the confidentiality of the message, and provides instructions for notifying the Department in the event that a fax is received in error.

Department’s response:

Agreed. The Department has revised its standard fax cover sheet with a statement regarding the confidentiality of the message, as well as instructions for notifying the Department in the event a fax is received in error. In addition, communication has been issued to staff regarding the appropriate use of fax.
Top of Page Table of ContentsInspection of telework sites would ensure privacy risks are addressed

95. The Treasury Board Secretariat issued its Telework Policy in 1999, the objective of which is “to allow employees to work at al
Canadian Veterans Advocacy - One Veteran One Standard

Web Site: http://www.canadianveteransadvocacy.com/index.html

Main FaceBook Group: https://www.facebook.com/groups/CdnVetsAdvocacy/

Main FaceBook Page: https://www.facebook.com/CanadianVeteransAdvocacy


Canadian_Vet

  • Administrator
  • Hero Member
  • **********
  • Posts: 1546
    • View Profile
    • Canadian Veterans Advocacy
House of Commons - NPD, CON on Privacy Report
« Reply #2 on: October 06, 2012, 06:41:57 PM »
Sylvain Chicoine Châteauguay—Saint-Constant, QC

Mr. Speaker, yesterday the Privacy Commissioner confirmed that the Conservatives have made many, many mistakes when it comes to protecting veterans' personal information.

According to the report, the Department of Veterans Affairs is outsourcing the disposal of veterans' files.

The report also reveals a lack of monitoring to ensure the secure destruction of files containing personal information on veterans.

When will the Conservative government take privacy protection seriously?

----------

Eve Adams Parliamentary Secretary to the Minister of Veterans Affairs

Mr. Speaker, we welcome the recommendations brought forward by the independent Privacy Commissioner.

We are taking steps to ensure our processes meet the highest possible standards.

Our department is implementing all 13 of her recommendations.

Our Conservative government treats the privacy of our nation's heroes as paramount. We will always act to ensure that their privacy is respected.

---------------

Djaouida Sellah Saint-Bruno—Saint-Hubert, QC

Mr. Speaker, the Conservatives are once again on the defensive regarding their treatment of veterans. They are the ones who ignored the advice of the Surgeon General by making irresponsible cuts affecting the treatment of soldiers suffering from post-traumatic stress disorder. Yet, the ombudsman is clear: only 0.2% of the total defence budget is spent on mental health.

Why did the Conservatives not listen to the NDP and spare veterans from their irresponsible cuts?
Canadian Veterans Advocacy - One Veteran One Standard

Web Site: http://www.canadianveteransadvocacy.com/index.html

Main FaceBook Group: https://www.facebook.com/groups/CdnVetsAdvocacy/

Main FaceBook Page: https://www.facebook.com/CanadianVeteransAdvocacy


Canadian_Vet

  • Administrator
  • Hero Member
  • **********
  • Posts: 1546
    • View Profile
    • Canadian Veterans Advocacy
Veterans Affairs needs more improvements, privacy watchdog says
« Reply #3 on: October 07, 2012, 05:33:28 PM »
Veterans Affairs needs more improvements, privacy watchdog says

October 5, 2012 - 4:00am By PAUL McLEOD Ottawa Bureau

http://thechronicleherald.ca/wires/143975-veterans-affairs-needs-more-improvements-privacy-watchdog-says

OTTAWA — An audit of Veterans Affairs Canada by the nation’s privacy watchdog contains pro-Veterans Affairs talking points from the department itself.

The audit from privacy commissioner of Canada Jennifer Stoddart follows up on a 2010 report revealing personal health information of critics of the department was included in briefings to the minister.

The new report outlines a slew of changes at the department in the past two years. The findings section begins by saying, “Veterans Affairs Canada takes its obligation to protect veterans’ privacy seriously.”

This is almost identical to a talking point found on the department’s website that reads, “Veterans Affairs Canada takes its responsibility to protect the privacy and rights of all veterans very seriously.”

A few other sections of the audit’s findings also resemble department mottos, from saying senior management is “committed to ensuring” practices comply with rules to the fostering of a “culture of privacy” throughout the organization.

This is a sign that the office is not as independent as it should be, says Sean Bruyea, the veteran whose medical information was initially leaked.

“Basically, the investigators followed hook, line and sinker everything the department said,” said Bruyea, a highly vocal critic of the department.

Bruyea said he believes the report downplays massive problems in Veterans Affairs because auditors did not want to rock the boat.

“Most of the (privacy office) employees are career bureaucrats that work in the public service, so they’re unlikely to offend their future bosses if they transfer out of that office,” said Bruyea.

Commissioner Stoddart called Bruyea’s comments “very serious allegations” and insisted her office is fully independent.

She said it’s not surprising for some of the department’s language to bleed into her report because that is what they would have told auditors. She said findings would only be included if auditors found them to be true at the end of the audit.

“We adhere to the highest standards of independence. We will repeat, if we find it credible, the messaging coming from the department,” Stoddart said in an interview.

“If they say they adhere to the highest standards and we have found in our audit that they have made this commitment and are going to carry it out, then we can pass on that message.”

Stoddart was noticeably harsher on Veterans Affairs in the interview than she was in the audit.

The audit repeatedly said the office found “no evidence of systemic non-compliance with the disclosure provisions of the Privacy Act,” though it does say there is room for improvement.

In her interview, Stoddart said, “There were major systemic problems at the Veterans Affairs Department” and there still are “systemic information handling issues.”

Among the findings of the report were that some disclosures of personal information were made without the needed consent forms included in the file, and details surrounding consent were not always entered in the electronic records.

Furthermore, the electronic system records when there is activity on a personal file but does not record if someone logs on just to read a file. As a result of limited technical capabilities, many documents that were forced to be purged after a time limit are being kept in the database indefinitely.

While the audit makes several recommendations, overall it lauds the department for significant improvement in its privacy systems over the past two years.

(pmcleod@herald.ca)
Canadian Veterans Advocacy - One Veteran One Standard

Web Site: http://www.canadianveteransadvocacy.com/index.html

Main FaceBook Group: https://www.facebook.com/groups/CdnVetsAdvocacy/

Main FaceBook Page: https://www.facebook.com/CanadianVeteransAdvocacy


CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Vets minister halts ombudsman privacy probe
« Reply #4 on: November 10, 2012, 01:57:58 PM »
Vets minister halts ombudsman privacy probe

9 November 2012

http://www.tonightnewspaper.com/2012/11/09/vets-minister-halts-ombudsman-privacy-probe/

Murray Brewster, The Canadian Press | Last Updated:Fri, 09 Nov 2012 21:48:15 GMT

OTTAWA - An investigation by Canada's veterans ombudsman into a controversial breach of privacy was quietly shut down last year on the instructions of Veterans Affairs Minister Steven Blaney, newly released documents reveal.

Blaney asked the ombudsman to discontinue a probe that his predecessor had ordered in January 2011, after the confidential medical information of veterans advocate Sean Bruyea was spread around the department in an alleged smear campaign.

Information from a psychiatrist's letter was stitched into a ministerial briefing note at the same time Bruyea, an outspoken critic, was publicly criticizing a controversial overhaul of veterans benefits in 2006.

Former veterans minister Jean-Pierre Blackburn asked the ombudsman to investigate Bruyea's privacy breach, even though the office of the privacy commissioner was already looking in to what happened.

The hope was the ombudsman would get to the bottom of why the personal information of Bruyea and others was rifled through by bureaucrats — motives that were not the focus of the overarching privacy audit by commissioner Jennifer Stoddart.

But in July 2011, just two months after Blackburn went down to electoral defeat, Blaney — Blackburn's replacement at the cabinet table — wrote to ombudsman Guy Parent to ask that the probe be halted.

"I have since been able to carefully review this case with my officials," Blaney wrote in the letter, obtained by The Canadian Press.

"We have determined that the best course of action is a review by the office of the privacy commissioner. In this way, the commissioner can complete an assessment of the department's actions and conclude on its compliance with the requirements of the Privacy Act."

Lisa Monette, a spokeswoman for the ombudsman, said Parent agreed the privacy commissioner was best positioned to review the matter, but that the ombudsman "stood willing to assist as needed."

A spokesman for Blaney, Niklaus Schwenker, said the minister acted swiftly to refer the matter to Stoddart, and reiterated that the Harper government has "brought forward sweeping privacy improvements within the department."

The federal government settled a lawsuit with Bruyea out of court and has implemented a series of measures meant to tighten up the handling of personal information within the department.

Veterans Affairs is in the unusual position of holding a vast amount of personal data — including medical files — on ex-soldiers, some of whom turn into outspoken critics.

A number of advocates other than Bruyea have claimed their files were used to discredit them within the department and political circles.

One of the country's most decorated veterans of the Bosnia war, retired sergeant Tom Hoppe, is one of those who says officials were snooping in his records in 2006.

Hoppe, who plans to protest by not wearing his medals on Remembrance Day, said no one has atoned for the violations of personal privacy.

In an audit released a few weeks ago, Stoddart gave the veterans department a thumbs-up, suggesting it had cleaned up its act.

Blaney's letter startled New Democrat veterans critic Peter Stoffer, who said it calls into question the independence of the ombudsman.

"When he gets a request to look into something, that office should have the independence and the staff to do so," Stoffer said. Precisely why the privacy breaches occurred remains an unresolved issue, he added.

"They had a change of heart — why? There's no question the government suddenly changed its mind and didn't want the ombudsman to look into it. Obviously they're trying to hide something."

Schwenker pointed out that Parent had the option of continuing with the investigation.

"The Office of Veterans Ombudsman does not follow our direction and is fully independent," he said late Friday. "The independent ombudsman is free to pursue any case he wishes and MP Stoffer knows this full well."

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Minister defends decision to halt vets privacy breach probe
« Reply #5 on: November 10, 2012, 04:34:22 PM »
Minister defends decision to halt vets privacy breach probe

Veterans advocate Sean Bruyea says minister 'interfered' in independent probe
CBC News
Posted: Nov 10, 2012 3:00 PM ET
Last Updated: Nov 10, 2012 3:27 PM ET

http://www.cbc.ca/news/canada/story/2012/11/10/pol-the-house-steven-blaney-sean-bruyea-veterans.html



Veterans Affairs Minister Steven Blaney is defending his decision to halt an investigation by Canada's veterans ombudsman into a controversial breach of privacy, saying that the Office of the Privacy Commissioner was best suited to handle the matter.

Blaney asked Guy Parent, the federal veterans ombudsman, in July 2011 to discontinue a probe his predecessor had ordered seven months earlier, according to documents obtained by The Canadian Press.

In an interview with CBC Radio's The House, Steven Blaney, the minister of Veterans Affairs, told host Evan Solomon "any privacy breach of a veterans file is totally unacceptable."

Blaney said as soon as he was informed there could be a potential breach of privacy he asked federal privacy commissioner Jennifer Stoddart to investigate and instructed officials in the Department of Veterans Affairs to "fully cooperate."

But in January 2011, Blaney's predecessor, former Veterans Affairs minister Jean-Pierre Blackburn, felt it necessary to order the veterans ombudsman to investigate the matter even though he knew the privacy commissioner was already looking into what had happened separately.

The focus of Stoddart's audit was different from that of the veterans ombudsman.

Blackburn ordered the probe after hundreds of senior bureaucrats accessed the confidential medical information of Gulf War veteran Sean Bruyea in an alleged smear campaign. The federal government later settled a lawsuit with Bruyea out of court but other veterans have since made similar complaints.

When asked why he cancelled an investigaton his predecessor thought was relevant, Blaney said, "for me, it's clear. In this country, the privacy commissioner is the best one to investigate in any potential breach of privacy.

"We as parliamentarians have dedicated a privacy commissioner and given her full power to do a thorough investigation, that's why this is the best person and the best office," the Veterans Affairs minister said.

In an audit released a few weeks ago, Stoddart gave the Veterans Department a thumbs-up, suggesting it had cleaned up its act.
Veterans' complaints mount

After settling with Bruyea, the federal government implemented a series of measures intended to ensure that the personal information of veterans is better handled within the department. But news that Blaney halted a controversial investigation did not sit well with the veterans advocate.

In an interview airing on The House, Bruyea told Solomon "the minister interfered in an independent investigation."

"If the minister and the department had nothing to fear from the ombudsman's investigation... why didn't the minister let it go forward?" Bruyea asked.

Blaney rejected the assertion by opposition critics that his decision to shut down the investigation called into question the independence of the veterans ombudsman.

The ombudsman "is free to study" what he feels is important, Blaney said.

Bruyea doesn't blame the veterans ombudsman. Instead, Bruyea said what this shows is the veterans ombudsman job should be legislated by Parliament, as is the case with independent officers of Parliament like the federal privacy commissioner or the auditor general.

Blaney was in Trenton on Saturday to attend the unveiling of a new Afghanistan Repatriation Memorial. He spent the better part of Veterans' Week defending the federal government's record and treatment of veterans — including news that soldiers' families are raising serious concerns over the care their loved ones are receiving at the largest veterans care facility in the country.

Retired sergeant Tom Hoppe, one of Canada's most decorated veterans of the Bosnia war, has said he will not be wearing his medals on Remembrance Day Sunday in protest of the federal government's treatment of vets. Hoppe has previously said publicly that his personal privacy was violated when federal officials snooped in his records in 2006.

Meanwhile Prime Minister Stephen Harper, who is on a trade mission in Manila, was asked by reporters why a federal burial fund for poor veterans was rejecting two-thirds of applicants.

"Let me just say that government of Canada puts, as you know, a very high priority on care for our veterans. This government has made enormous, billions of dollars worth of investments in programs, particularly for the most needy veterans," Harper told reporters at a news conference with the Philippine President Benigno Aquino.

"Obviously those programs are under constant review and we will continue to assess their suitability going forward," Harper said.

The federal government has ended its legal fight to maintain tax clawbacks on disability payments for soldiers. It has also put money into "helmets-to-hardhats" programs to help former servicemen and women enter the workforce.

Last week, a group of Afghanistan war veterans filed a class-action lawsuit against the federal government, saying the disability payment regime under the New Veterans Charter violates their human rights.

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
CITIZENS’ GROUP CALLS FOR PUBLIC INQUIRY INTO VETERANS AFFAIRS
« Reply #6 on: November 14, 2012, 12:30:39 PM »
*****FOR IMMEDIATE RELEASE****

CITIZENS’ GROUP CALLS FOR PUBLIC INQUIRY INTO VETERANS AFFAIRS

St. John’s - Privacy breeches at Veterans Affairs have not been properly investigated, according to citizens’ group Our Duty, and it is calling for a full public inquiry.

This comes days after it was revealed that Minister Steven Blaney ordered a halt to an investigation by the Office of the Veterans Ombudsman shortly after Blaney took office.

“The federal government has been playing a shell-game with the truth,” said Our Duty President Jeff Rose-Martland, “It is time for an independent public inquiry.”

The issue first came to light 2 years ago with the Sean Bruyea affair. A veteran and advocate, Bruyea had his medical files pried into by the Minister’s office after he spoke out against the New Veterans Charter. But Bruyea was not the only person targeted. It also emerged that Sgt Tom Hoppe, a decorated veteran, and former Ombudsman Pat Stogran were also victimized by the Ministry. Deputy Minister Tinning was briefed on the medical records of Retired Forces Nurse Louise Richard prior to a meeting. Private medical information was used to bully Harold LeDuc of the Veterans’ Review and Appeal Board. The veteran behind the SISIP class-action suit against Veterans Affairs, Dennis Manuge, had his medical and financial records used in a Ministerial briefing. Sylvain Chartrand, advocate for reservists, had his records passed from VAC to National Defence.

“Enough is enough,” said Rose-Martland, “The Privacy Commissioner investigated, but could only report on non-compliance. The Ombudsman’s investigation was ordered by Minister Blackburn to look into why these breeches took place. Then came the election, Blackburn was replaced by Blaney, and suddenly the Privacy Commissioner is the one supposed to handle it. This is nothing more than a cover-up.”

Our Duty has been made aware of dozens of cases. “It appears to be standard procedure for VAC officials. As soon as a veteran speaks out, senior bureaucrats in the Ministry go digging into Service Delivery files,” said the citizen advocate, “That’s absolutely forbidden by the Privacy Act and by VAC policy. The Ministry and Service Delivery are supposed to be separate entities. If a veteran has a problem with Service Delivery, they have to appeal to the Deputy Minister to request a Ministerial review - the Minster is not permitted to act on his own. So why, exactly, can the Ministry pull those same files when a veteran criticizes them?”

“It gets worse,” Rose-Martland continued, “We have learned that family members of advocates have also been targeted. Why? Why would the Minister need to know what someone’s brother’s file says? He wouldn’t, not legitimately. The public needs to know what sort of games the Ministry is playing with peoples lives.”

Our Duty notes that Minister Blackburn had promised departmental officials would face severe sanctions for these acts, yet those officials received bonuses last year.

“We have inquiries stifled and cut off. We have threats and intimidation by Veterans Affairs. We have people who broke the law being rewarded. All on the taxpayer dime.”

“We want a full public inquiry into these matters,” said the Our Duty President, “The public needs to know exactly what has been happening in that Ministry: who is doing these things, who ordered it, and most importantly, why? What has this information been used for? And is this still going on?”

“This inquiry needs to have teeth. It needs to be able to investigate and to lay criminal charges. Most importantly, it needs to report back to the taxpayers, because we are the ones who will be paying damages.”

###

MEDIA CONTACT:
Jeff Rose-Martland
exec@ourduty.org

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Veterans Affairs manager who probed privacy breach praised by superiors for minimizing impact on staff

Officials warned public would be unhappy with light punishments
 
By DAVID PUGLIESE, Ottawa Citizen November 13, 2012

Read more: http://www.ottawacitizen.com/news/Veterans+Affairs+manager+probed+privacy+breach+praised+superiors+minimizing+impact+staff/7542726/story.html#ixzz2CDlYXxlb


Sean Bruyea, a veterans advocate, had his personal and financial information violated thousands of times by Veterans Affairs officials.
Photograph by: Chris Mikula , Ottawa Citizen

A Veterans Affairs manager who investigated his colleagues during a probe into one of Canada’s largest privacy breaches was thanked by a senior bureaucrat for the way he ensured that the impact on staff was minimized, according to newly released documents.

That has prompted the Ottawa veteran at the centre of the scandal, former Canadian Forces officer Sean Bruyea, to label the 2010 in-house investigation a farce and to call on government to do more to ensure the personal information of retired military personnel is safeguarded.

The documents show the internal investigation only involved about 60 per cent of the 650 individuals who accessed Bruyea’s personal file, which was looked at almost 4,500 times over a 10-year period.

Most of the incidents took place during the last four years after Bruyea became an outspoken advocate for veterans and a critic of Veterans Affairs.

The file contained details about Bruyea’s medical and mental health, the type of prescription drugs he takes and his financial and pension information, among other data.

Privacy Commissioner Jennifer Stoddart found that Veterans Affairs broke the law when it came to handling the retired officer’s personal information but she only looked at a small number of incidents.

A more detailed examination was left to department officials. But from the beginning those investigators decided not to look into the actions of more than 250 employees who accessed Bruyea’s file because they had since left the department. Of the remaining 393 cases, Veterans Affairs managers were allowed in most cases to determine whether their employees were in the wrong.

In the end, 54 workers were found to have inappropriately accessed Bruyea’s file; 36 received an “administrative memo,” nine were given a written reprimand, and nine received one-day suspensions.

None lost their jobs, despite assurances from then-Veterans Affairs minister Jean-Pierre Blackburn that firings and 30-day suspensions would await those public servants who violated the law. Prime Minister Stephen Harper had also vowed “strong sanctions” against those who abused veterans’ personal information.

Veterans Affairs officials knew they could have a problem with how the public might view the punishments that were handed out. “External publics may not be pleased with the lack of severity of the designated corrective measures,” one of the documents points out.

The documents, released through the Access to Information law, also show Veterans Affairs managers were happy about the way fellow staff member Tim Rose conducted the investigation.

Stéphane Breau, director of client relations, wrote Rose: “Hi Tim, I didn’t thank you for each individual case, but I am very grateful for the great work you did in ensure (sic) we reduced the staff’s impact as much as we could.”

The 36 public servants who were given an “administrative memo” for accessing Bruyea’s personal information were thanked for their co-operation and told that “employee assistance” was available to them on a 24-hour basis.

“I remain confident this memorandum will serve its purpose and remind you of the importance of respecting at all times the confidentiality of all Veterans Affairs’ client information,” a form copy of the memo noted.

Asked why they accessed Bruyea’s file, some employees said they were “curious” while others pointed out they examined his personal information because the former airman had been critical of Veterans Affairs.

The Citizen requested an interview with Rose and other officials involved, but instead Veterans Affairs provided an email statement, noting the “Government of Canada will not tolerate any violation of Veterans’ privacy.”

Bruyea says such a statement by the department is ridiculous. “Nothing has changed inside and unfortunately I can see this type of thing happening again to other veterans,” he said.

Veterans Affairs Minister Steven Blaney’s press secretary issued a statement Tuesday night, noting that “Minister Blaney and our government take privacy matters extremely seriously.”

“That is why we have brought forward the most sweeping privacy improvements in the history of the department, including the 10-point Privacy Action Plan and Privacy Action Plan 2.0,” Jean-Christophe de le Rue stated in an email. “We will continue to take action to safeguard the privacy of veterans.”

Since Bruyea’s case has come to light, other veterans have come forward to complain their personal information in Veterans Affairs files has been compromised.

Department bureaucrats appeared fixated on Bruyea, producing some 28,000 pages of records on the veteran, as well as monitoring his media appearances and his advocacy activities before Parliament. Bruyea has called for a better deal for the country’s retired and injured military personnel.

But federal bureaucrats didn’t take kindly to Bruyea’s attempts to highlight what he saw as problems.

“Folks, it’s time to take the gloves off here ... it’s not that this person is spreading misinformation for his own purposes, it is that this must by now be creating grave doubts among soldiers who now need to know their government backs them ... snooze ya lose comes to mind let’s do something here,” Darragh Mogan, then an executive director at the department, wrote in early 2006 after Bruyea questioned veterans benefits.
© Copyright (c) The Ottawa Citizen

Read more: http://www.ottawacitizen.com/news/Veterans+Affairs+manager+probed+privacy+breach+praised+superiors+minimizing+impact+staff/7542726/story.html#ixzz2CDloIndo

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
***** POUR DIFFUSION IMMÉDIATE ****
 
GROUPE DES CITOYENS POUR APPELS ENQUÊTE PUBLIQUE SUR LES ANCIENS COMBATTANTS CANADA

St. John’s - Bris de confidentialité du ministère des Affaires des anciens combattants n'ont pas été l'objet d'enquêtes, selon le groupe de citoyens de Notre Devoir, et il appelle à une enquête publique complète.
 
Cette intervient quelques jours après qu'il a été révélé que le ministre Steven Blaney a ordonné l'arrêt d'une enquête par le Bureau de l'ombudsman des vétérans peu de temps après Blaney a pris ses fonctions.
 
«Le gouvernement fédéral a joué un shell-jeu avec la vérité» a déclaré le président de Notre Devoir Jeff Rose-Martland «Il est temps pour une enquête publique indépendante. »
 
Le premier problème est apparu il y a 2 ans avec l'affaire Sean Bruyea. Un ancien combattant et avocat, Bruyea avait ses dossiers médicaux fouillait dans le bureau du ministre, après qu'il s'est prononcé contre la nouvelle Charte des anciens combattants. Mais Bruyea n'était pas la seule personne ciblée. Il est également apparu que le sergent Tom Hoppe, un vétéran décoré, et ancien Médiateur Pat Stogran ont également été victimes par le ministère. Sous-ministre Tinning a été informé des dossiers médicaux des infirmières à la retraite des Forces, Louise Richard avant la réunion. Ces informations médicales privées ont été utilisées pour intimider Harold Leduc, de l'anciens combattants révision et appel. Le vétéran derrière le, RARM recours collectif contre le ministère des Anciens Combattants, Dennis Manuge, a eu ses dossiers médicaux et financiers utilisés dans une information ministérielle. Sylvain Chartrand, avocat pour les réservistes, avait passé ses dossiers d'ACC à la Défense nationale.
 
«Assez, c'est assez» dit Rose-Martland «Le Commissaire à la protection d'une enquête, mais ne pouvait rendre compte de la non-conformité. L'enquête du Médiateur a été ordonnée par le ministre Blackburn de se pencher sur pourquoi ces culottes ont eu lieu. Puis vint l'élection, Blackburn a été remplacé par Blaney, et soudain le commissaire est celui qui est censé y faire face. Ce n'est rien de plus qu'un cover-up.»
 
Notre travail a été mis au courant de plusieurs dizaines de cas. «Il semble que ce soit la procédure standard pour les fonctionnaires d'ACC. Dès qu'un vétéran s'exprime, les hauts fonctionnaires du Ministère vont fouiller dans les fichiers de prestation de services » a déclaré l'avocat des citoyens « C'est absolument interdit par la Loi sur la protection des renseignements personnels et de politique d'ACC.» Le ministère et la prestation des services sont censés être des entités séparées. Si un ancien combattant à un problème avec la prestation de services, ils doivent faire appel à la sous-ministre de demander une révision ministérielle - La ministre n'est pas autorisé à agir en son propre accord. Alors pourquoi, exactement, le ministère peut tirer ces mêmes fichiers lorsqu'un ancien combattant leur reproche quelques choses? »
 
«Il y a pire» Rose-Martland a poursuivi «Nous avons appris que des membres de la famille des défenseurs ont également été pris pour cible. Pourquoi?, Pourquoi le ministre a t-il besoin de savoir ce fichier du frère de quelqu'un qui a reprocher quelques choses au ministre? Il ne devrait pas être en mesure de savoir ses informations privées, en tout cas, pas légitimement. Le public a besoin de savoir quelle sorte de jeux du ministère est entrain de jouer avec la vie des gens. »
 
Notre Devoir, note que le ministre Blackburn avait promis que les fonctionnaires du ministère ferait face à des sanctions sévères pour ces actes, mais aux contraires, les fonctionnaires ont reçu des primes l'an dernier.
 
«Nous avons des enquêtes étouffées et coupé. Nous avons des menaces et des intimidations de la part des anciens combattants. Nous avons des gens qui enfreignent la loi, et qui en sont récompensés. Tout sur les sous des contribuables. »
 
«Nous voulons une enquête publique complète sur ces questions», a déclaré le président Notre Devoir «Le public a besoin de savoir exactement ce qui s'est passé dans ce ministère: qui fait ces choses, qui l'a commandé, et surtout, pourquoi? Ce qui a été utilisé cette information pour? Et est-ce encore? »
 
«Cette enquête doit avoir les dents. Il doit être en mesure d'enquêter et de porter des accusations criminelles. Plus important encore, il doit rendre compte aux contribuables, parce que nous sommes ceux qui devront payer des dommages-intérêts. »


--------------

Contact pour les médias

français
Sylvain Chartrand CD
13300 Rue de L'aquilon
Mirabel, PQ
J7J 1V9
450-939-1815
smchartrand@videotron.qc.ca
 
anglais
Jeff Rose-Martland
4 Neville Pl
St. John's, NL
A1E 2E7
(709) 739-1842
rosemartland@gmail.com
exec@ourduty.org

###

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Veterans call for inquiry into privacy violations
« Reply #9 on: November 14, 2012, 09:06:18 PM »
Veterans call for inquiry into privacy violations

MURRAY BREWSTER

OTTAWA — The Canadian Press

Published Wednesday, Nov. 14 2012, 8:08 PM EST

Last updated Wednesday, Nov. 14 2012, 8:12 PM EST

http://www.theglobeandmail.com/news/politics/veterans-call-for-inquiry-into-privacy-violations/article5318663/?utm_source=facebook.com&utm_medium=Referrer%3A+Social+Network+%2F+Media&utm_campaign=Shared+Web+Article+Links



The country’s veterans Ombudsman received nine privacy violation complaints over the past five years, seven of which were handed over to Canada’s Privacy Commissioner – a move questioned by a growing number of ex-soldiers.

A high-profile advocate who claims his medical files were raided wants the federal solicitor-general to investigate whether it was appropriate for Ombudsman Guy Parent to “take a back seat” on the issue.

He also asks whether the Veterans Minister overstepped his authority by shutting down a probe initiated by his predecessor.

Former warrant officer Harold Leduc, who was recently dropped from a federal agency that reviews benefits claims of ex-soldiers, says he believes his complaint about alleged privacy violations deserved to be investigated by both the Ombudsman and Privacy Commissioner Jennifer Stoddart.

A citizens’ group on the East Coast weighed into the issue on Wednesday, demanding a public inquiry into what it called a pattern of privacy violations at Veterans Affairs that targeted advocates.

A spokeswoman for Mr. Parent says each complaint was dealt with appropriately and denied the Ombudsman had been usurped. “As an independent body, the Office of the Veterans’ Ombudsman does not back down from investigations on request,” said Claude Rochon in an e-mail statement.

“The decision to halt the review of this specific potential privacy breach was made when it was confirmed that the relevant mandated federal authority, in this case the Office of the Privacy Commissioner, had been seized with the matter.

“Parallel investigations by our office and the Office of the Privacy Commissioner would not have been a sensible use of resources.”

Last week, it was revealed Veterans Affairs Minister Steven Blaney quietly ended one of the privacy probes by the Ombudsman, which his predecessor, Jean-Pierre Blackburn, had ordered.

Like Mr. Parent, Mr. Blaney said he believed that investigation was best handled by Ms. Stoddart. A few weeks ago, the Privacy Commissioner, in a comprehensive audit, gave the department a thumbs-up and said its procedures for handling information have been tightened.

But that hasn’t satisfied advocates, include a St. John’s-based organization active in supporting ex-soldiers.

“The federal government has been playing a shell-game with the truth,” said Our Duty president Jeff Rose-Martland, who has written extensively on veterans’ issues.

He claims his organization has been made aware of dozens of unreported allegations of privacy violations and called for a full inquiry.

In addition to Mr. Leduc, veteran Tom Hoppe, one of the country’s most decorated peacekeepers and a member of the Ombudsman’s advisory committee, had a complaint before Mr. Parent.

With no perceived action from the Ombudsman, both men wrote the minister on June 4, 2012, imploring to Mr. Blaney to take further steps to protect personal information within the department, and to resolve their complaints.

“We applaud your recent efforts within your ministry to limit the future misuse of veterans’ personal medical information within Veterans Affairs,” they wrote in a joint letter.

“However, these changes do not address the damage caused to us by the acquisition and subsequent misuse of our medical information by senior members of your ministry.”

Mr. Leduc wrote again on Sept. 27, 2012, but Mr. Blaney urged him to contact the Privacy Commissioner.

“As you are aware, the Veterans Review and Appeal Board is an independent tribunal and operates at arm’s length from the minister of Veterans Affairs to ensure a fair appeal process for veterans and their families,” said Mr. Blaney’s reply last week.

“Therefore with regard to your concerns about privacy, I would encourage you to contact the Office of the Privacy Commissioner, as previously recommended by my office.”

A spokesman for Mr. Blaney said the department has been given clear direction to handle privacy complaints.

“Our officials have been clearly instructed to notify the Privacy Commissioner when informed of any evidence of a privacy breach and we invite any veteran who believes their privacy has been breached to immediately contact the office of the privacy commissioner without delay,” said Niklaus Schwenker in an e-mail note.

“Officials at the Department of Veterans’ Affairs have been instructed to co-operate fully with the privacy commissioner in all cases.”

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Privacy: Release from Harold Leduc
« Reply #10 on: November 15, 2012, 09:24:00 AM »
Release from Harold Leduc

FOR IMMEDIATE RELEASE
13 November 2012



Victoria, BC - Growing up in the Canadian way is an aspect of life that I take very, very seriously. This very same way of living demonstrates kindness, caring, and compassion towards all, especially those who have been injured or killed while defending our beautiful Country. I served my country with dignity and respect. Taking care of my injured brothers and sisters by assisting them in their struggle to get some small amount of compensation was and will always remain an honor. It is therefore with sadness that I must say;
I’m disgusted that the Minister of Veterans Affairs Canada (VAC) shows no shame in covering up nefarious activities that target and seriously harm disabled veterans with illegally gained information from privacy breaches.

Therefore today I am asking the Attorney General of Canada to fully investigate all circumstances associated with these despicable attacks against our Country’s defenseless disabled veterans to determine if charges are warranted.

The Minister admitted stopping an ongoing investigation that would have implicated him and others. He knows that the Privacy Commissioner’s investigation would clear him because of their restricted mandate and because VAC had already cleaned up their act in May 2009 when my privacy breaches were investigated and apologized for. He’s shown that he can’t be trusted.

It’s no wonder my numerous pleas to the Prime Minister, Minister, the Privy Council Office and Veterans Ombudsman to stop the vile behaviour of the Veterans Review and Appeal Board (VRAB) officials that severely injured my military related PTSD fell on deaf ears. The Minister knew his official’s put my life was at risk and acted in contempt of the 2010 Canadian Human Rights Commission mediation but he let them increase their retaliation against me anyway.

The public record shows that these nefarious activities are wide spread and target more than a few disabled veterans who’s only crime is that they were disabled in our country’s service and are trying to improve their fellow veterans and families quality of life to the level this Government has promised.

It’s time to stop the Government’s abuse against defenseless disabled veterans and it’s time for the Attorney General to investigate the Minister’s covered up. Don’t let us down, Attorney General, we’ve suffered enough and veterans deserve nothing less that justice, truth, reconciliation and a Government that is honest and transparent.

It’s generally accepted that to abuse a disabled person is low; but to deliberately hurt defenseless disabled veterans who were injured standing up for democracy and their rights is the lowest of the low. I am certain the voting public will agree!

- 30 -
For more information or to schedule an interview please contact Harold Leduc

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Veterans demand inquiry into motivations behind privacy violations
« Reply #11 on: November 15, 2012, 11:46:08 AM »
Veterans demand inquiry into motivations behind privacy violations

Murray Brewster, Wednesday, November 14, 2012 5:16 PM

Read it on Global News: Global News | Veterans demand inquiry into motivations behind privacy violations

OTTAWA - The country's veterans ombudsman received nine privacy violation complaints over the last five years, seven of which were handed over to Canada's privacy commissioner — a move questioned by a growing number of ex-soldiers.

A high-profile advocate, who claims his medical files were raided, wants the federal solicitor general to investigate whether it was appropriate for ombudsman Guy Parent to "take a back seat" on the issue.

He also asks whether the veterans minister overstepped his authority by shutting down a probe initiated by his predecessor.

Former warrant officer Harold Leduc, who was recently dropped from a federal agency that reviews benefits claims of ex-soldiers, says he believes his complaint about alleged privacy violations deserved to be investigated by both the ombudsman and privacy commissioner Jennifer Stoddart.

And a citizens group on the East Coast weighed into the issue Wednesday, demanding a public inquiry into what they say is a pattern of privacy violations at Veterans Affairs that targeted advocates.

A spokeswoman for Parent says each complaint was dealt with appropriately and denied the ombudsman had been usurped.

"As an independent body, the Office of the Veterans' Ombudsman does not back down from investigations on request," said Claude Rochon in an email statement.

"The decision to halt the review of this specific potential privacy breach was made when it was confirmed that the relevant mandated federal authority, in this case the Office of the Privacy Commissioner, had been seized with the matter.

"Parallel investigations by our office and the Office of the Privacy Commissioner would not have been a sensible use of resources."

Last week, it was revealed Veteran Affairs Minister Steven Blaney quietly ended one of the privacy probes by the ombudsman, which had been ordered by his predecessor, Jean-Pierre Blackburn.

Like Parent, Blaney said he believed that investigation was best handled by Stoddart. A few weeks ago the privacy commissioner, in a comprehensive audit, gave the department a thumbs-up and said its procedures for handling information have been tightened.

But that hasn't satisfied advocates, include a St. John's, N.L.-based organization active in supporting ex-soldiers.

"The federal government has been playing a shell-game with the truth," said Our Duty president Jeff Rose-Martland, who has written extensively on veterans issues.

He claims his organization has been made aware of dozens of unreported, alleged privacy violations and called for a full inquiry.

In addition to Leduc, another veteran, Tom Hoppe, one of the country's most decorated peacekeepers and a member of the ombudsman's advisory committee, had a complaint before Parent.

With no perceived action from the ombudsman, both men wrote the minister on June 4, 2012, imploring to Blaney to take further steps to protect personal information within the department, and to resolve their complaints.

"We applaud your recent efforts within your ministry to limit the future misuse of veterans' personal medical information within Veterans Affairs," they wrote in a joint letter, obtained by The Canadian Press.

"However, these changes do not address the damage caused to us by the acquisition and subsequent misuse of our medical information by senior members of your ministry."

Leduc wrote again on Sept. 27, 2012, but Blaney urged the former senior warrant officer to contact the privacy commissioner.

"As you are aware, the Veterans Review and Appeal Board is an independent tribunal and operates at arm's length from the minister of Veterans Affairs to ensure a fair appeal process for veterans and their families," said Blaney's reply last week, also obtained by The Canadian Press.

"Therefore with regard to your concerns about privacy, I would encourage you to contact the Office of the Privacy Commissioner, as previously recommended by my office."

A spokesman for Blaney said the department has been given clear direction to handle privacy complaints.

"Our officials have been clearly instructed to notify the privacy commissioner when informed of any evidence of a privacy breach and we invite any veteran who believes their privacy has been breached to immediately contact the office of the privacy commissioner without delay," said Niklaus Schwenker in an email note.

"Officials at the Department of Veterans' Affairs have been instructed to co-operate fully with the privacy commissioner in all cases."

Read it on Global News: Global News | Veterans demand inquiry into motivations behind privacy violations

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Privacy Violation as a Weapon Against Veterans
« Reply #12 on: November 16, 2012, 09:39:47 PM »
Privacy Violation as a Weapon Against Veterans

Jeff Rose-Martland

Author, Playwright, Citizen Advocate

http://www.huffingtonpost.ca/jeff-rosemartland/veterans-canada_b_2143716.html



The term privacy violation has been in the news so much that most of us tune it out. Really, who cares that some employee looked at someone's file somewhere? Even if it's wrong, isn't that simply human nature, to be curious? Even if it was malicious, why should everyone care? And aren't media reports just making the violation worse, anyway?

Privacy Violation -- Snooping in files one has no legitimate need to see

Which is the problem with the phrase; it only applies to the act of looking and doesn't adequately describe the crime. Privacy violation applies to a bored employee who browsed files looking for friends and relatives as a way to fill time between coffee breaks. But the term equally applies to digging up dirt for malicious purposes. In both cases, the crime is the same: illegally accessing information. But the intentions are very different. And yet, media uses the same phrase, over and over, and we have stopped paying attention.

Compare privacy violation with excessive speed. We hear about speeding on our roads all the time. Some times, excessive speed means driving a little over the limit because it is rush hour. Other times, excessive speed means driving a souped-up street machine at 250kmph through residential streets. We mostly ignore the first reports, but we are outraged at the second.

Which is how we should be with privacy violations in federal departments.

Two years ago, Sean Bruyea came forward with proof that staff at the Minister of Veterans Affairs had violated his privacy. This wasn't any minor bored-clerk stuff. His medical and financial details had been circulated after he criticized the New Veterans Charter. In the minutes of a VAC conference call, an had said "it's time to take the gloves off here" a senior veterans official said -- like a statement from a mob-movie. And they did: Bruyea's benefits were modified and cancelled. VAC even tried to get him committed to a mental hospital.

Privacy Violation -- Bureaucrats using your private information to attack you.

Then there's Harold Leduc. Leduc was a member of the Veterans Review and Appeal Board, which reviews benefits claims. Leduc is also a veteran. Fellow board members decided they didn't like the way Leduc was doing his job. So they pulled his VAC file and passed it around. Leduc got a regular barrage of snide comments about his service and injuries. He was told that everyone was waiting for his nervous breakdown. He was reminded of the events that gave him PTSD. Leduc is now asking the Attorney General to investigate.

Privacy Violation -- Co-workers using your private records to bully you.

There are many, many more cases at Veterans Affairs. Those that have gone public have two things in common: they have all spoken out about VAC policy and they are all veterans. Some can prove the Minister was given their information. Some can only prove that Ministerial staff was reading their files. Some allege their benefits were affected after they spoke out; some claim their medical histories were used to discredit them. Some can show they were personally attacked; some can prove their families were also targeted.

Privacy Violation - The use of private information to intimidate or threaten individuals.

When Bruyea came forward, the Privacy Commissioner investigated...sort of. Ms Stoddart was only able to report on the facts of the violations and not on the reasons behind them. Had senior bureaucrats breeched his privacy? Yes. Why? She couldn't tell us. What was the information used for? She couldn't tell us. What action should be taken against the offenders? It wasn't her decision to make.

The same would be true for Harold Leduc.

Amid much fanfare and hyperbole, then-Minister Jean-Pierre Blackburn announced that the Office of the Veterans Ombudsman would get to the bottom of things, that heads would roll, that charges would be laid if warranted.

A few months later, the new Minister, Steven Blaney, quietly ordered the inquiry halted. And a few months after that, some of the people implicated received big, fat, performance bonuses. Heads rolled, alright. They rolled all the way to the bank, still attached to their bodies.

Privacy Violation - A great way to advance your career.

Should we be concerned? You bet. Look at the victims. These are people who swore to defend Canada. We trusted them with our country and our lives. They were trained to dedication and determination. They were awarded medals for their service to us -- they have honours. And honour. And irreproachable reputations to carry them past these attacks.

We don't know what happened at Veterans Affairs. We also don't know if this is just Veterans Affairs. If a government department was willing to attack decorated veterans for expressing their opinion, then what chance would you or I have?

Privacy Violation -- A weapon used by government to stifle dissent.

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Stuart Langridge’s mother gets Queen’s medal
« Reply #13 on: November 23, 2012, 09:05:34 PM »
Stuart Langridge’s mother gets Queen’s medal

By Chris Cobb, Ottawa Citizen November 23, 2012 8:16 PM

Read more: http://www.ottawacitizen.com/Stuart+Langridge+mother+gets+Queen+medal/7603370/story.html#ixzz2D6MY2R9F

Sheila Fynes, mother of the late Afghanistan veteran Cpl. Stuart Langridge, has been awarded the Queen Elizabeth II Diamond Jubilee Medal.

Fynes, whose son hanged himself at CFB Edmonton in March 2008, challenged military police investigations into Langridge’s suicide and forced a rare public inquiry at the Military Police Complaints Commission. The hearing ended last month after 62 days.

The Canadian Veterans Advocacy nominated Fynes for the Jubilee Medal with the citation: “To Sheila Fynes in recognition of her sense of duty towards the health and well-being of veterans particularly those CF members suffering from PTSD and trauma. By giving voice to these silent warriors she hopes to influence changes how they are evaluated, diagnosed and treated.”

© Copyright (c) The Ottawa Citizen

CVA_Posting

  • Administrator
  • Hero Member
  • **********
  • Posts: 536
    • View Profile
    • Canadian Veterans Advocacy
Off-site destruction of veterans’ files opens privacy pitfalls, Stoddart warns

By Colin Horgan | Oct 4, 2012 5:15 pm



In her latest report to Parliament, Privacy Commissioner Jennifer Stoddart worries that the way Veterans Affairs disposes of documents in some regions could leave sensitive personal details unsecured.

Apart from two regional offices, the department outsources the disposal of veterans’ paper records to private companies.
Stoddart reports
For more on Privacy Commissioner Jennifer Stoddart’s report, click here.

The report revealed that, “approximately one-third” of those arrangements “are not governed by written contracts with terms and conditions that satisfy Treasury Board security requirements.” It also found there is “an absence of systematic monitoring to verify that records are destroyed in a secure manner.”

Of the 25 sites where veterans’ records were shredded, 10 “reported that the process is not monitored.” The audit also “confirmed” that Veterans Affairs “does not systematically monitor contractors’ off-site disposal practices through periodic inspections.”

Stoddart told iPolitics Thursday that the problem is not limited to Veterans Affairs. She said her office has “seen this phenomenon of sensitive records being put in dumpsters and anyone can come along and get them” take place all across Canada.

“This is, I think, a legitimate concern on our part,” Stoddart said. “We were however pleased to note that they agreed that they will do contracts for information disposal and that they will supervise them according to government security standards.”

And while Veterans Affairs is well positioned to proactively address veterans’ privacy issues overall, it still has work to do in other areas as well.

According to the audit, Veterans Affairs has “sent a clear signal that privacy is vital to its operations and has dedicated significant resources to improving the way it manages the personal information of veterans.” However, the commissioner found that while “key elements of a comprehensive privacy management program are in place,” there is room for improvement.

The audit exposed examples where consent forms necessary to release information sometimes did not specify “the third party or the information the department was authorized to release.”

Additionally, the audit found that in some cases, “disclosures had been made and the corresponding consent was not included in the file.” Sometimes the details surrounding consent were also not entered into the department’s Client Service Delivery Network, the “primary electronic repository for veterans’ records.”

The recent audit also found that despite the establishment of protocol to address privacy breaches within Veterans Affairs, the commissioner discovered “evidence of privacy breaches that were not reported to the head office and/or the Access to Information and Privacy Coordinator.”

Still, despite these failings, the commissioner found “virtually all” of the ministerial briefings it reviewed “adhered to the need-to-know principle – the personal information was limited to that necessary to fulfill the purpose of the briefing.”

The commissioner’s audit was conducted in the shadow of an investigation it launched in 2010 that found Veterans Affairs broke the law by distributing medical and financial information belonging to one of the department’s outspoken critics, retired intelligence officer, Sean Bruyea.

Bruyea’s medical information, including diagnosis, symptoms and prognosis, were included in a 2006 briefing note to former veterans minister Greg Thompson. A second briefing note, dating back to the former Liberal veterans minister in 2005, also contained sensitive information.

The commissioner’s investigation at the time found officials from different branches of Veterans Affairs, including program policy, communications and media relations, were involved in discussing and contributing to the briefing notes and also had full access to them.

Asked Thursday whether the improvements that Veterans Affairs did make were those she was looking for in the wake of the Bruyea scanal, Stoddart told iPolitics this audit helped her office get a clearer idea of what was going on.

“I think going in we didn’t really have the full picture from that investigation. We knew that there were far too many people that had access to veterans records, and we knew that they were misusing the personal information,” Stoddart said. “We didn’t know until we did this audit about the other things, about working off-site, about the broader access, about security issues, about obtaining consent, all of these things they can up in the audit, so we can make quite a few recommendations over and beyond the questions that came up in the initial investigation.”

In a statement to iPolitics Thursday, a spokesman for Veterans Affairs Minister Steven Blaney said the commissioner’s recommendations were “welcome,” and pointed to recent initiatives to “strengthen privacy safeguards through the Privacy Action Plan 2.0.”