Access to Information and Privacy

Government Institution
Department of National Defence

Government official responsible for the PIA
Deirdra Finn, Director
Directorate Access to Information and Privacy

Head of the government institution or Delegate for section 10 of the Privacy Act
Isabelle Daoust - Corporate Secretary

Description of Program or Activity (from Departmental Results Framework):

Internal Services
Internal Services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct service categories that support Program delivery in the organization, regardless of the Internal Services delivery model in a department. The 10 service categories are: Acquisition Management Services, Communications Services, Financial Management Services, Human Resources Management Services, Information Management Services, Information Technology Services, Legal Services, Materiel Management Services, Management and Oversight Services, and Real Property Management Services.

Standard or institution specific class of record:

Access to Information and Privacy: PRN 930
Security: PRN: 931

Standard or institution specific personal information bank:

Access to Information Act and Privacy Act Requests: PSU 901
Security Incidents and Privacy Breaches: PSU 939

Legislated authority for activity:

DND/CAF derives it legal authority for the collection of personal information for Access to Information Act and Privacy Act requests pursuant to section 13 of the Privacy Act, sections 8 and 11 of the Privacy Regulations, sections 6 and 11 of the Access to Information Act and section 4 of the Access to Information Regulations. The legal authority for Privacy Beach Management is derived from s.12 of the Financial Administration Act.

Summary of the project / initiative/ change:

DND’s Directorate of Access to Information and Privacy (DAIP) recognized the need to assess privacy risks regarding its own personal information collection activities which are comprised of processing requests for information received under the Access to Information Act and the Privacy Act, as well as privacy incident management. This PIA has been authored to assess the privacy risks related to DAIP’s collection, use, safeguarding, retention and disclosure of personal information collected in support of these three business lines. Furthermore, this PIA also assessed the privacy management framework of DND, including the existing privacy policies and related activities that fall under the responsibility of DAIP and are required and/or recommended by various TBS privacy policy instruments.

The scope of the PIA is to assess the privacy risks related to the personal information collection processes of DAIP; specifically, the following:

The following are aspects are out of scope:

Risk Area Identification and Categorization

In its Directive on Privacy Impact Assessment, Treasury Board has expressed that the PIA must include a completed risk identification and categorization section and make public those risk ratings. A risk rating must be assigned to each risk areas named and described in Appendix C of the Directive on Privacy Impact Assessment. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. For this PIA the risk areas and associated risk levels are as follows:

Risk Area Risk Level

Type of Program or Activity
Compliance or regulatory investigations and enforcement


Type of Personal Involved and Context
Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.


Program or Activity Partners and Privacy Sector Involvement
Private sector organizations, international organizations or foreign governments (for ATIA and, to a lesser extent, Privacy Act request consultations)


Duration of the Program
Long-term program or activity with no clear sunset date


Program Population
The program's use of personal information for external administrative purposes affects certain individuals.


Technology and Privacy
No associated risks have been identified.

Personal Information Transmission
The personal information is transmitted using wireless technologies.
Note: P&G staff have remote access capability via work-issued laptops which are connected through VPN.


In the Event of a Privacy Breach Impacting the Individual
Information collected by DAIP is in relation to ATIA/Privacy Act requests and privacy breaches. The potential impact of a breach related to this information could be detrimental to an individual’s reputation as records commonly include service records and medical information. These reputational harms could extend to financial harms to service members regarding their existing service or in future employment outside of DND/CAF.

Report a problem or mistake on this page
Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, contact us.

Date modified: