Litigation Claims Processing Program
Table of contents
Section 1 – Privacy Impact Assessment Overview (PIA)
Government Institution
Department of National Defence
Government official responsible for the PIA
Tim Kerr
Director, Litigation Implementation Team/Military Personnel Command
Head of the government institution or Delegate for section 10 of the Privacy Act
Deirdra Finn
Director, Directorate Access to Information and Privacy
Description of Program or Activity:
Internal Services
Internal Services are those groups of related activities and resources that the federal government considers to be services in support of programs and/or required to meet corporate obligations of an organization. Internal Services refers to the activities and resources of the 10 distinct service categories that support Program delivery in the organization, regardless of the Internal Services delivery model in a department. The 10 service categories are: Acquisition Management Services, Communications Services, Financial Management Services, Human Resources Management Services, Information Management Services, Information Technology Services, Legal Services, Materiel Management Services, Management and Oversight Services, and Real Property Management Services.
Standard or institution specific class of record:
A new COR has been developed and is pending approval from TBS.
Standard or institution specific personal information bank:
A new PIB has been developed and is pending approval from TBS.
Legislated authority for activity:
DND/CAF receives its legal authority to collect and disclose records within the specific court orders/settlement agreements. Within these court orders, DND/CAF is mandated to perform certain activities in collecting and disclosing records. Therefore, the legal authority for collection is within the court orders, while the disclosure authority is pursuant to those court orders, as well as ss. 8(1) and para. 8(2)(c) of the Privacy Act.
Summary of the project / Initiative/ Change:
The Litigation Claims Processing Program collects information required to receive and respond to court ordered class action settlement agreements and other outcomes. The Program is required to collect and disclose records of CAF members and employees of DND and SNPF to support the settlement agreement/outcome processes.
This Privacy Impact Assessment (PIA) identifies and assesses privacy risks to personal information related to the processing of claims by the Litigation Implementation Team (LIT) which are received from court ordered Administrators. Upon collection of the claim form, the LIT staff must verify employment and/or service, and in some cases, collect records to substantiate statements made in the claim form. The collection of records is expansive and includes personnel record, administrative records, military investigation records, security records, medical records, harassment records, and grievance records.
Once all records are collected, the LIT must respond to the Administrator utilizing response terms outlined within the court order. The responses may, at times, require the LIT to disclose records collected to substantiate statements made in claim forms. The Administrator is responsible for making a decision regarding compensation for some claims, while others must be referred to a court-appointed Assessor. When claims are referred to the Assessor, the Administrator may further disclose any or all information and records provided by the LIT.
The LIT does not make any decisions regarding the amount or type of compensation provided to the claimant; that is the responsibility of the Administrator and Assessor.
In the completion of this PIA, there were seven risks identified– one (1) Insignificant, one (1) Low, three (3) Medium, and two (2) High. A risk mitigation strategy has been developed which will result in a reduction of risk to an acceptable level within an acceptable timeframe.
Section 2 – PIA Risk Area Identification and Categorization
Risk Area Identification and Categorization
In its Directive on Privacy Impact Assessment, Treasury Board has expressed that the PIA must include a completed risk identification and categorization section and make public those risk ratings. A risk rating must be assigned to each risk areas named and described in Appendix C of the Directive on Privacy Impact Assessment. The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area. For this PIA the risk areas and associated risk levels are as follows:
Risk Area | Risk Level |
---|---|
Type of Program or ActivityAdministration of Programs / Activity and Services Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc.) |
2 |
Type of Personal Involved and ContextSensitive personal information, including detailed profiles, allegations or suspicions, bodily samples and/or the context surrounding the personal information is particularly sensitive. For example: personal information that reveals intimate details on the health, financial situation, religious or lifestyle choices of the individual and which, by association, reveals similar details about other individuals such as relatives. |
4 |
Program or Activity Partners and Privacy Sector InvolvementPrivate sector organizations or international organizations or foreign governments |
4 |
Duration of the ProgramLong-term program Existing program that has been modified or is established with no clear “sunset”. |
3 |
Program PopulationThe program affects certain individuals for external administrative purposes. |
3 |
Technology and PrivacyThe Litigation Claims Processing Program requires the development of a new system to collect and manage claims information but does not deploy surveillance technologies or the collection of biometrics. The systems utilize some automated data matching activities to perform service/employment verifications. |
|
Information TransmissionThe personal information is transferred to a portable device or is printed. |
3 |
In the Event of a Privacy Breach Impacting the IndividualIn the event of a privacy breach of the program’s systems, there are potentially significant and lasting negative impacts on the reputation and health/safety of claimants. LIT’s records store extremely sensitive information in the two systems, such as detailed descriptions of sexual assaults, MP investigations, grievances, harassment complaints, as well as treatment, medical records, and PTSD. The unauthorized disclosure of such information would, at a minimum, cause general embarrassment to victims and perpetrators, but greater health and safety risks exist; for example, a sexual assault victim may relive the sexual assault as a result of an unauthorized disclosure, aggravate/exacerbate PTSD, negatively impact relationships, etc. |
Page details
- Date modified: