IRCC IFHP – Privacy Impact Assessment - Executive Summary
Summary of Issues and Mitigation Strategies
About the IFHP
The Migration Health Branch is responsible for the administration and delivery of the Interim Federal Health Program, which provides limited, temporary coverage of health care benefits to resettled refugees, refugee claimants and certain other groups who are not eligible for provincial or territorial health insurance and do not have private insurance. These responsibilities include establishing requirements for eligibility, developing a schedule of benefits, identifying and registering health professionals affiliated with the program, and managing and monitoring the delivery of the program through a third-party claims administrator.
Scope of the PIA
The purpose of the present PIA is to identify and analyze the potential privacy risks associated with the exchange of personal information under the IFHP, and to provide recommendations to manage or mitigate any risks identified.
The PIA centers on the review and analysis of program policies, practices and controls governing the handing of personal information under the IFHP, as they relate to the third party claims administrator. Although the focus of the PIA is on the exchange of information with Medavie, the PIA also include a review of core program management activities, where relevant.
Summary of Privacy Issues and Mitigation Strategies
Three preliminary privacy issues were identified as part of the PIA process, as set out in the table below:
|1. Identifying Purposes
|The IFHP’s current privacy notice, as appended to paper and on-line application forms, does not meet the government’s minimum notice requirements. As such, there is a risk that individuals may not be properly notified of the purposes for which their personal information may be collected, used, disclosed, and retained, contrary to section 5(2) of the Privacy Act.
|IRCC is drafting a new Privacy Notice for inclusion on both its paper and on-line application forms. The Notice will include all disclosure requirements set out under the TBS Directive and/or reference the same by way of a link to relevant program PIBs. The PIBs enumerated in the IFHP’s Privacy Notice will make express reference to the program activities of the IFHP.
|While all IFHP data is encrypted prior to transmission, thus reducing the risk of IFHP data being compromised in transit, the risk of intrusion remains, i.e., IFHP client data may not be safeguarded in a manner commensurate with its sensitivity. Data could also be intercepted or breached.
|MHB applied for and received a new data encryption key, which is used to hash and encrypt data for transmission between IRCC and the third party claims administrator. The encryption key has been shared with the third party Claims administrator and has been in use since May 2018. A new data encryption key will be obtained on a 6 year cycle.
|3. Openness and Transparency
|IRCC’s personal information bank for Health Migration does not fully describe the program activities and personal information handling practices of the IFHP. As such, there is a risk that the Department is not seen as open and transparent about the program’s data holdings and privacy practices.
|IRCC will ensure that all PIBs supporting the IFHP properly reflect the program’s collection, use, disclosure and retention of personal information. In order to address this, IRCC will update the Health Protection PIB so that it reflects the IFHP’s handling of personal information.
IRCC is exploring the possibility of creating a stand-alone PIB.
- Date modified: