Privacy Impact Assessment Summary - National Dose Registry (April 2013)

Government Institution
Health Canada - Radiation Protection Bureau
Name of Program
National Dose Registry (NDR)
Government Official Responsible for the Privacy Impact Assessment
Deborah Moir, Chief, Radiation Health Assessment Division, Health Canada
ATIP Coordinator
Amanda Wilson

Description of Program or Activity

The NDR is Canada's official repository for Occupational Radiation Dose Records operated by the Radiation Protection Bureau of Health Canada (within HECSB).  It contains the occupational radiation dose records of monitored radiation workers in Canada dating from the 1940s to the present. The NDR has records for over 800,000 individuals, which includes the records of approximately 152,000 individuals that are currently being monitored.

Legal Authority for Program or Activity

Legal authority for the collection of personal information in NDR is found under section 7 of the Radiation Protection Regulations and the Department of Health Act, paragraphs 4(2)(a.1), (b), (c), (h) and (i).

Related Personal Information Bank

The collection and use of personal information with the National Dose Registry is described in the Personal Information Bank (PIB) - National Dose Registry - HC PPU 080 however; as part of the PIA recommendations, the particular PIB will be updated to meet TBS requirements and to accurately reflect what information is being collected and the disclosures to Regulatory Authorities and employers and to provide individuals, employers and Worker Compensation Board with a dose history summary upon their request.

Risk Identification and Categorization

As per the TBS Directive on Privacy Impact Assessment, the core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.

The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.

a) Type of program or activity
Administration of program or activity and services
Risk scale: 2
b) Type of personal information involved and context
Social Insurance Number, medical, financial or other sensitive personal information or the context surrounding the personal information is sensitive; personal information of minors or of legally incompetent individuals or involving a representative acting on behalf of the individual.
Risk scale: 3
c) Program or activity partners and private sector involvement
Private sector organizations, international organizations or foreign governments
Risk scale: 4
d) Duration of the program or activity
Long-term program or activity
Risk scale: 3
e) Program population
The program's use of personal information for external administrative purposes affects certain individuals.
Risk scale: 3
f) Technology and privacy

Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information?

NoFootnote 1

Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems?

NoFootnote 1

Specific technological issues and privacy

Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:

  • enhanced identification methods;
  • surveillance; or
  • automated personal information analysis, personal information matching and knowledge discovery techniques?

NoFootnote 1

g) Personal information transmission
The personal information is used in a system that has connections to at least one other system.
Risk scale: 2
h) Impact on the individual or employee
Potential risk of Breach that in the event of a privacy breach, there will be an impact on the individual or employee.
Risk scale: 2

Page details

Date modified: