Access to Information and Privacy
Government Institution
Department of National Defence
Government official responsible for the PIA
Deirdra Finn, Director
Directorate Access to Information and Privacy
Head of the government institution or Delegate for section 10 of the Privacy Act
Isabelle Daoust - Corporate Secretary
Description of Program or Activity (from Departmental Results Framework):
Internal Services
Internal Services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct service categories that support Program delivery in the organization, regardless of the Internal Services delivery model in a department. The 10 service categories are: Acquisition Management Services, Communications Services, Financial Management Services, Human Resources Management Services, Information Management Services, Information Technology Services, Legal Services, Materiel Management Services, Management and Oversight Services, and Real Property Management Services.
Standard or institution specific class of record:
Access to Information and Privacy: PRN 930
Security: PRN 931
Standard or institution specific personal information bank:
Access to Information Act and Privacy Act Requests: PSU 901
Security Incidents and Privacy Breaches: PSU 939
Legislated authority for activity:
DND/CAF derives its legal authority for the collection of personal information for Access to Information Act and Privacy Act requests pursuant to section 13 of the Privacy Act, sections 8 and 11 of the Privacy Regulations, sections 6 and 11 of the Access to Information Act and section 4 of the Access to Information Regulations. The legal authority for Privacy Breach Management is derived from s.12 of the Financial Administration Act.
Summary of the project / initiative / change:
DND’s Directorate of Access to Information and Privacy (DAIP) recognized the need to assess privacy risks regarding its own personal information collection activities which are comprised of processing requests for information received under the Access to Information Act and the Privacy Act, as well as privacy incident management. This PIA has been authored to assess the privacy risks related to DAIP’s collection, use, safeguarding, retention and disclosure of personal information collected in support of these three business lines. Furthermore, this PIA also assessed the privacy management framework of DND, including the existing privacy policies and related activities that fall under the responsibility of DAIP and are required and/or recommended by various TBS privacy policy instruments.
The scope of the PIA is to assess the privacy risks related to the personal information collection processes of DAIP; specifically, the following:
- Processing Formal and Informal Requests for Information Under the ATIA
- Processing Formal and Informal Requests for Information Under the Privacy Act
- Privacy Incident Management
- DAIP’s compliance with the Privacy Act and TBS policy instruments related to the above processes.
- DAIP’s responsibilities to develop and make available privacy policies and awareness
- DAIP’s responsibilities to provide advice and guidance to Program Areas on the development and submission of PIAs to the OPC and TBS.
The following aspects are out of scope:
- Informal Privacy Act requests that are submitted directly to OPIs across DND/CAF and for which DAIP is not consulted in responding;
- Personal information collection, use, storage, and retention by DND/CAF personnel other than DAIP, as well as third parties;
- Privacy breach procedures and policies outside of DAIP, especially CFHS;
- DAIP’s processes and advice regarding disclosures pursuant to sub-section 8(2) of the Privacy Act;
- Guardian and Personnel Electronic Records Management Information System (PERMIS) are partly in scope; DAIP’s access and uses role is defined, as are the user role management procedures. However, a complete assessment of these systems is out of scope.
Risk Area Identification and Categorization
In its Directive on Privacy Impact Assessment, Treasury Board has stated that the PIA must include a completed risk identification and categorization section and make those risk ratings public. A risk rating must be assigned to each risk area named and described in Appendix C of the Directive on Privacy Impact Assessment. The numbered risk scale is presented in ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. For this PIA the risk areas and associated risk levels are as follows:
| Risk Area | Risk Level |
|---|---|
| Type of Program or Activity | 3 |
| Type of Personal Information Involved and Context | 3 |
| Program or Activity Partners and Private Sector Involvement | 4 |
| Duration of the Program | 3 |
| Program Population | 3 |
| Technology and Privacy | |
| Personal Information Transmission | 4 |
| In the Event of a Privacy Breach Impacting the Individual | |