Privacy impact assessment: FCAC mandatory vaccination program

Introduction

This Privacy Impact Assessment (PIA) has been developed in regards to the Collection of information related to the FCAC Policy on COVID-19 Vaccination.

This includes input from HR, IT and ATIP teams within FCAC, and provides evidence that FCAC has considered and addressed privacy concerns.

Completion of the sections below with the information requested fulfills the minimum content requirements of the core PIA.

Section I–Overview and PIA Initiation

1. Financial Consumer Agency of Canada
2. Judith Robertson, Commissioner – head of institution
3. Julie Neveu – CHRO - senior executive for the new or substantially modified program or activity.
4. Collection of information related to the FCAC Policy on COVID-19 Vaccination
   • FCAC is committed to providing a safe, healthy, and respectful workplace for employees, partners, and stakeholders.
   • Vaccination is a key element in the protection of employees against COVID-19. FCAC employees, casuals, students, and participants of the Interchange Program will be required to provide information related to their COVID-19 vaccination status or requirements for accommodations.

   The objectives of this initiative are to:

   • take every precaution reasonable, in the circumstances, for the protection of the health and safety of employees
   • improve the vaccination rate of employees across the Agency and the federal public service in accordance with the direction issued by the Government of Canada
   • ensure that all employees are fully vaccinated to protect themselves, colleagues, and stakeholders from COVID-19. Given that operational requirements may include ad hoc onsite presence, this includes employees who are working remotely or teleworking.

   The expected results of this initiative are to:

   • ensure all employees of FCAC are fully vaccinated unless accommodated based on a certified medical contraindication, religion, or other prohibited ground of discrimination as defined under the Canadian Human Rights Act
   • ensure that personal information is only created, collected, retained, used, disclosed, and disposed of in a manner that respects the provisions of the Privacy Act and other applicable legislation
5. Legal authority for the program or activity
   • Section 11 of the FCAC Act
6. This initiative collects information related to the following Personal Information Banks (PIB):
   • Occupational Health and Safety (re: medical information)
     • RDA Number: 98/005
     • Related Record Number: PRN 922
     • Bank Number: PSE 907
   • Employee Personnel Record (re: medical information)
     • RDA Number: 98/005 and 98/018
     • Related Record Number: PRN 920
     • Bank Number: PSE 901

Section II–Risk Area Identification and Categorization

The core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

The initial step of the analysis consists of evaluating each risk area independently. The second step consists of grouping the individual results to determine if a more in depth analysis is required. The greater the number of risk areas identified as level 3 or 4, the more likely it is that specific risk areas will need to be addressed in a more comprehensive manner.

Refer to Directive on Privacy Impact Assessment, Appendix C – Core privacy impact assessment for detailed risk area identification and categorization options. FCAC responses to the new initiative below. 

a) Type of program or activity

Administration of program or activity and services

Level of risk to privacy: 2 

b) Type of personal information involved and context

Medical

Level of risk to privacy: 3

c) Program or activity partners and private sector involvement

With other government institutions

Level of risk to privacy: 2

d) Duration of the program or activity

Short–term program or activity

Level of risk to privacy: 2

e) Program population

The program's use of personal information for internal administrative purposes affects all employees.

Level of risk to privacy: 2

f) Technology and privacy

1. Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? Yes, ServiceNow
2. Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? No
3. Specific technological issues and privacy: Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
   • enhanced identification methods; No
   • surveillance; No
   • automated personal information analysis, personal information matching and knowledge discovery techniques? No

g) Personal information transmission

The personal information is transmitted using wireless technologies.

Level of risk to privacy: 4

h) Potential risk that in the event of a privacy breach, there will be an impact on the individual or employee.

Low / Medium / High – This initiative deals with the collection of medical information, limited to COVID-19 vaccination status.

• Financial Loss – N/A
• Health - Psychological impact - unlikely
• Reputation - Hurt, humiliation or embarrassment - unlikely
• Legal – N/A

i) Potential risk that in the event of a privacy breach, there will be an impact on the institution.

Low / Medium / High – FCAC has been transparent about the initiative and its purpose.

• Reputation – loss of public trust - unlikely
• Legal – N/A
• National Interest – N/A
• Operations – N/A
• Financial – N/A

For items h) and i), guidance was obtained from the ATIP Privacy Breach isk Impact Instrument

As a result of a low risk profile (per responses above), a core PIA can be completed – responses to required information are listed below.

Section III–Analysis of Personal Information Elements for the Program or Activity

1. Identify each element of personal information collected
   1. Name
   2. Medical information
   3. Other – depends on use of:
      • Religious Belief Affidavit
      • Medical Statement
2. Identify sub-elements associated with each element of personal information collected
   1. First name / Last name
   2. Vaccination status
      • Fully vaccinated per the Policy on COVID-19 Vaccination
      • Partially vaccinated per the Policy on COVID-19 Vaccination
      • Unvaccinated because I am requesting an accommodation per the Policy on COVID-19 Vaccination
      • Unvaccinated
      • Employees may also be required to provide proof of vaccination as part of the audit process. (as at Oct 18/21, awaiting further guidance from TBS)
   3. Other
      • If Religious Belief Affidavit used:
        1. reasons why your religious belief prohibits you from receiving the COVID-19 vaccine
        2. telephone number and signature of the employee
        3. name and signature of the Commissioner for Taking Affidavits
      • If Medical Statement used:
        1. Name, signature, telephone number, license number and province/territory of the licensed Physician/Nurse Practitioner
        2. telephone number and signature of the employee
3. Identify how the personal information will be recorded:
   1. Electronically (paper for employees on Interchange out)
   2. Electronically (paper for employees on Interchange out)
   3. on paper and electronically

Section IV–Flow of Personal Information for the Program or Activity

a. Identify the source(s) of the personal information collected and / or how the personal information will be created.

Employees will be the source of the personal information – they will complete an online survey/attestation, within a Protected B network.

1. Personnel in HR who may see this info either in the system or in a detailed report – CHRO, Director HR Programs and Policies, Manager, HR Operations, Senior HR Advisors in HR Operations and the Senior HR Advisor responsible for employee relations in the HR Programs and Policies division; Supervisors will be called upon to act when employees request accommodation or are partially vaccinated/unvaccinated/refuse to disclose (they will be able to deduce from that which of their employees are fully vaccinated). Senior HR Advisors will contact the supervisors to work with them when action is required.

If an accommodation is requested, the employee will, as necessary, also gather the name and signature related to the physician/nurse practitioner; or commissioner for taking affidavits.

1. The signed accommodation form (paper form) will be scanned and sent electronically to the employee’s supervisor
   1. The FCAC IM team will create a new folder for this in the File Plan

b. Identify both internal and external sources for the personal information's use and disclosure, that is, identify the areas, groups and individuals who have access to or handle the personal information and to whom it is provided or disclosed.

Use – the collected information will only be used by internal sources:

1. HR – Senior HR Advisors and others listed above – will see the attestations;
2. Employee Supervisors – will be made aware of the vaccination status of their employees when action is required, see the accommodations forms and COVID-19 test results (if applicable)

Disclosure of personal information will be made to the following groups:

1. Internal
   1. HR – CHRO; Director, Manager, Senior HR Advisors
   2. Employee Supervisors
   3. EXCO (Sr executive committee) and Directors – likely at the aggregate/summary level – may be made aware of the vaccination status on their indirect reports, for example when the employee is being put on leave without pay or exceptional accommodation measures are required.
2. External – reporting to the following groups may be required and is expected to be at the Agency/aggregate level
   1. Central Agencies (e.g., TBS)
   2. Office of the Privacy Commissioner (OPC)
   3. Other Government Department (OGD) of Canada organizations for the purposes of a related audit (e.g., HC or PHAC)

c. Identify where the personal information will transit and will be stored or retained.

• Attestation forms – will be completed online, using a Protected B cloud service provider – ServiceNow
  • Information will be stored in the ServiceNow cloud infrastructure.
  • The product was validated by SSC and GC IT security entities and meets the Protected B requirements.
  • The product was also hardened by FCAC IT infrastructure following industry best security practices.
• Accommodation forms will be sent to supervisors by employees and saved in the new folder in the File Plan (per above).

d. Identify where areas, groups and individuals can access the personal information.

• Individual employees will be able to access their own personal information via Privacy request to the FCAC ATIP Coordinator
• FCAC IT Network Administrators will be able to access the personal information, by virtue of the fact they administer the network; but they will be advised not to access the information.
• FCAC IM Division staff will be able to access the personal information, by virtue of the fact they can access all Agency documents on the network; but they will be advised not to access the information.

Section V–Privacy Compliance Analysis

At a minimum, the privacy compliance analysis must cover the following areas and identify specific compliance actions taken or to be taken to meet with each area's requirements:

• Collection authority (section 4 of the Privacy Act)
  • FCAC is collecting personal information directly related to Section 11 of the FCAC Act; as a result of the FCAC Policy on COVID-19 Vaccination.
  • Within the Medical statement and Religious Belief Affidavit, early disposal of personal information is being offered as an option and must be requested by the individual.
• Direct collection, notification and consent, as appropriate (section 5 of the Privacy Act)
  • FCAC will be collecting personal information that is intended to be used for an administrative purpose directly from the individual to whom it relates. Furthermore, FCAC is informing all individuals from whom it collects personal information of the purpose for which the information is being collected – this is included in the FCAC Policy on COVID-19 Vaccination.
• Retention (section 6 of the Privacy Act)
  • Personal information that has been used by FCAC for an administrative purpose shall be retained by FCAC for such period of time after it is so used as may be prescribed by regulation in order to ensure that the individual to whom it relates has a reasonable opportunity to obtain access to the information.
  • FCAC shall dispose of personal information under its control in accordance with the regulations and in accordance with any directives or guidelines issued by the deputy head in relation to the disposal of that information.
• Accuracy (section 6(2) of the Privacy Act)
  • FCAC shall take all reasonable steps to ensure that personal information that is used for an administrative purpose is as accurate, up-to-date and complete as possible.
  • As per the FCAC Policy on COVID-19 Vaccination, employees are provided the opportunity to update their information.
• Use (section 7 of the Privacy Act)
  • The personal information under the control of FCAC will only be used for the purpose for which the information was obtained or for a use consistent with that purpose.
• Disclosure (section 8 of the Privacy Act)
  • Personal information under the control of FCAC shall not, without the consent of the individual to whom it relates, be disclosed by FCAC with the exception of reasons listed in Section 8(2) of the Privacy Act.
  • It is anticipated that there may be reporting requirements to Treasury Board Secretariat or Other Government Departments (OGD), but reporting is expected to be done at an aggregate level (i.e., not revealing any personal information).
• Administrative, physical and technical safeguards
  • Only HR will have access to the Attestation results. Supervisors will be made aware of the results of their direct reports when action is required. Executives may be made aware of the results of their indirect reports when the employee is being placed on leave without pay or when exceptional accommodation measures are required for an employee who is unable to be vaccinated.
  • IT is ensuring that the IT network is Protected B and that access is limited to only those who require it for administrative purposes.
  • IT and IM staff will be advised against accessing any related personal information.
  • Supervisors will be advised not to disclose any personal information from their employees.
• Technology and privacy issues
  • Indicate any changes to the business requirements that have an impact on the system, software or program application and, consequently, may affect the current access controls and privacy practices related to the creation, collection, retention, use, disclosure and disposition of personal information.
    • ServiceNow is being used to collect/store the personal information (initial attestation); IT will ensure safeguards to protect access controls and privacy practices related to the creation, collection, retention, use, disclosure and disposition of personal information
  • Determine whether the current IT legacy systems and services that will be retained or those that will be substantially modified are compliant with privacy requirements.
    • Microsoft Outlook will continue to be used in FCAC’s Protected B environment.
  • Identify any awareness activities related to protection of privacy requirements in the new electronic environment.
    • NA

Section VI–Summary of Analysis and Recommendations (as applicable)

This is a low risk requirement based on the analysis / info listed above. Privacy concerns have been considered and addressed in the initiatives architecture.

Section VII–Supplementary Documents List

1. FCAC Policy on COVID-19 Vaccination
2. Privacy Act
3. ATIP Privacy Breach Risk Impact Instrument
4. Standard personal information banks

Section VIII–Formal Approval

The signature below indicates that the PIA has been formally approved in accordance with FCAC’s approval process.

Werner Liedtke, AC - Corporate Services
19 October 2021