Access to Information and Privacy

Government Institution
Department of National Defence

Government official responsible for the PIA
Deirdra Finn, Director
Directorate Access to Information and Privacy

Head of the government institution or Delegate for section 10 of the Privacy Act
Isabelle Daoust - Corporate Secretary

Description of Program or Activity (from Departmental Results Framework):

Internal Services
Internal Services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct service categories that support Program delivery in the organization, regardless of the Internal Services delivery model in a department. The 10 service categories are: Acquisition Management Services, Communications Services, Financial Management Services, Human Resources Management Services, Information Management Services, Information Technology Services, Legal Services, Materiel Management Services, Management and Oversight Services, and Real Property Management Services.

Standard or institution specific class of record:

Access to Information and Privacy: PRN 930
Security: PRN 931

Standard or institution specific personal information bank:

Access to Information Act and Privacy Act Requests: PSU 901
Security Incidents and Privacy Breaches: PSU 939

Legislated authority for activity:

DND/CAF derives its legal authority for the collection of personal information for Access to Information Act and Privacy Act requests pursuant to section 13 of the Privacy Act, sections 8 and 11 of the Privacy Regulations, sections 6 and 11 of the Access to Information Act and section 4 of the Access to Information Regulations. The legal authority for Privacy Breach Management is derived from s.12 of the Financial Administration Act.

Summary of the project / initiative / change:

DND’s Directorate of Access to Information and Privacy (DAIP) recognized the need to assess privacy risks regarding its own personal information collection activities, which comprise processing requests for information received under the Access to Information Act and the Privacy Act, as well as privacy incident management. This PIA has been authored to assess the privacy risks related to DAIP’s collection, use, safeguarding, retention and disclosure of personal information collected in support of these three business lines. This PIA also assessed the privacy management framework of DND, including the existing privacy policies and related activities that fall under the responsibility of DAIP and are required and/or recommended by various TBS privacy policy instruments.

The scope of the PIA is to assess the privacy risks related to the personal information collection processes of DAIP; specifically, the following:

The following aspects are out of scope:

Risk Area Identification and Categorization

In its Directive on Privacy Impact Assessment, Treasury Board has expressed that the PIA must include a completed risk identification and categorization section and make public those risk ratings. A risk rating must be assigned to each risk area named and described in Appendix C of the Directive on Privacy Impact Assessment. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. For this PIA the risk areas and associated risk levels are as follows:

Risk Area and Risk Level

Type of Program or Activity
Compliance or regulatory investigations and enforcement
Risk Level: 3

Type of Personal Information Involved and Context
Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
Risk Level: 3

Program or Activity Partners and Private Sector Involvement
Private sector organizations, international organizations or foreign governments (for ATIA and, to a lesser extent, Privacy Act request consultations)
Risk Level: 4

Duration of the Program
Long-term program or activity with no clear sunset date
Risk Level: 3

Program Population
The program's use of personal information for external administrative purposes affects certain individuals.
Risk Level: 3

Technology and Privacy
No associated risks have been identified.

Personal Information Transmission
The personal information is transmitted using wireless technologies.
Note: P&G staff have remote access capability via work-issued laptops which are connected through VPN.
Risk Level: 4

In the Event of a Privacy Breach Impacting the Individual
Information collected by DAIP is in relation to ATIA/Privacy Act requests and privacy breaches. The potential impact of a breach related to this information could be detrimental to an individual’s reputation as records commonly include service records and medical information. These reputational harms could extend to financial harms to service members regarding their existing service or in future employment outside of DND/CAF.
