Privacy Impact Assessment Summary: Global Visa Application Centre Network (2017-2018)

About the Program

VACs are service providers authorized under a formal Global VAC Network contract with the Government of Canada to collect biometric information from biometric-required IRCC applicants and to provide administrative support services to applicants submitting an application to IRCC overseas.

Applicants information and privacy are protected

• VACs do not play a role in the decision-making process and are expressly forbidden to provide any visa-related advice to applicants.
• All decisions on applications are made by Canadian visa officers at the visa office.
• VACs do not represent the Government of Canada. VACs are managed by private companies or international organizations. They are only authorized to provide specific services to applicants under the terms of a formal agreement with IRCC.
• Protection of personal information is a primary consideration for the Government of Canada when choosing any service provider such as a VAC. Each VAC must protect personal information. Any failure to comply with the terms of the formal agreement signed between the GoC and the service provider could result in the cancellation of the agreement.
• Applicants that suspect that their privacy may have been breached are encouraged to notify the visa office responsible for processing their application.

Scope of the PIA

To provide an update of the current PIA and a comprehensive privacy analysis of the new services and business requirements being included in the next VAC contract:

• Appointment Scheduling Service;
• Assisted Service: e-Applications;
• Assisted Service: Online Forms;
• Assisted Service: Scanning;
• Collection of Government of Canada Fees;
• Webchat, E-mail, SMS and Social Media;
• Read/write Access to Removable Media;
• VAC Sharing;
• VAC Co-location with a Private Entity;
• Hub and Spoke; and
• Shared Intranet Portal.

Report Findings

This PIA update has identified possible low and medium privacy risks for which IRCC has taken all the necessary mitigation measures to address each of these risks. The Office of the Privacy Commissioner has identified areas of specific concern to IRCC, and IRCC shares these concerns. IRCC has addressed the risks mentioned, in the VAC Global Contract directly, and through the contractual imposition of standards articulated elsewhere in government and internationally recognised business specifications. IRCC will also incorporate the recommendations during their regular review of the Department’s Personal Information Banks.