Privacy Impact Assessment: Government of Canada Vaccine Attestation Tracking System (GC-VATS)

Description of the program/activity

On October 6, 2021, the Treasury Board (TB) issued the Policy on COVID-19 Vaccination for the Core Public Administration Including the Royal Canadian Mounted Police (herein the Policy on Vaccination), which requires employees of the core public administration (CPA), including members and reservists of the Royal Canadian Mounted Police (RCMP), to be vaccinated against COVID-19.

Through the Policy on Vaccination, federal employees within the CPA are required to attest to their vaccination status in the Government of Canada Vaccine Attestation Tracking System (GC-VATS). GC-VATS was developed specifically to collect and retain the data required to track the vaccination status of employees.

All employees must attest to their vaccination status regardless of whether they work onsite, remotely, or offsite, unless they are accommodated based on a certified medical contraindication, religion, or another prohibited ground of discrimination as defined under the Canadian Human Rights Act (CHRA).

For employees who are unable to be vaccinated based on a medical contraindication, religion, or another prohibited ground of discrimination as defined under the CHRA, GC-VATS allows employees to request an accommodation and allows managers to record a decision. Supporting documents, such as medical statements or religious affidavits, are stored by federal institutions outside of GC-VATS.

Those individuals to whom the duty to accommodate applies and those who are partially vaccinated may be required to submit to testing to determine whether they have been infected with COVID-19. A testing protocol was developed by Health Canada to provide guidance on frequency and procedures. A separate system, the Rapid Testing Attestation Solution (RTAS), was developed by the Treasury Board of Canada Secretariat (TBS) to record and track COVID-19 testing information.

Those individuals unwilling to be vaccinated or refusing to disclose their vaccination status and who are not otherwise accommodated are subject to being placed on leave without pay (LWOP).

To ensure that employees are fully vaccinated, the policy requires employees to provide truthful and accurate vaccination and accommodation information for all aspects of the policy. Failure to do so could constitute a breach of the Values and Ethics Code for the Public Sector and may result in disciplinary action. To ensure that false attestations are not provided and to ensure the accuracy of attestations, federal institutions will audit employees’ vaccination attestations. GC-VATS is used to record the outcome of that verification.

GIC appointees

Governor in Council (GIC) appointments are those made by the GIC—the Governor General acting on the advice of Cabinet. An Order in Council (OIC) is the legal instrument that, when signed by the Governor General, effects an appointment.

The Policy on Vaccination does not apply to GIC appointees, as Treasury Board is not their employer. However, through amendments to the Terms and Conditions applying to Governor in Council appointees (GIC Terms and Conditions), GIC appointees must, unless accommodated, comply with any COVID-19 vaccination requirements applicable to the institution to which they are appointed, thereby extending the vaccination requirements laid out in the Policy on Vaccination to GIC appointees within the CPA.

Consequently, some GIC appointees within the CPA use GC-VATS for their vaccination attestations (or a paper form process) and RTAS for testing (if required), following the same process as CPA employees. Conversely, most individuals appointed to a non-CPA institution adhere to institution-specific processes for attestation and rapid testing (if required).

In support of the GIC Terms and Conditions, the Privy Council Office (PCO) tracks compliance with the vaccination attestation requirements of GIC appointees. If a GIC appointee is non-compliant with the GIC Terms and Conditions, this triggers the PCO’s long-standing business process for seeking a decision from the GIC on administrative action with respect to an appointee. A briefing package containing details of the non-compliance is created and forwarded to Cabinet – the outcome may result in an OIC placing the appointee on LWOP.

Need for and scope of this Privacy Impact Assessment

In October 2021, the Secretary of the Treasury Board approved an exception request from the Chief Human Resources Officer (CHRO) to submit this PIA, and register the new personal information bank (PIB), after implementation of the Policy on Vaccination and the corresponding personal information collection practices. The exception was granted until May 2, 2022.

Primarily, this PIA describes and analyzes the functionality and use of GC-VATS and RTAS by the CPA, as well as several non-CPA institutions that are using one or both systems. Specific to the Policy on Vaccination, this PIA assesses how TBS provides guidance on the requirements and how the policy requirements are put into practice by GC-VATS and RTAS users. It also assesses the policy requirements in general.

This PIA includes an assessment of relevant features of GC-VATS and RTAS, such as user access, user roles, security, support, reports and retention. Additionally, this PIA describes and analyzes the functionality of GC-VATS and RTAS: how they are used by employees, managers and human resources professionals.

TBS centrally collects vaccination and testing information in these two systems, which represents a new collection of personal information. Therefore, a PIA is required pursuant to section 6.3.1 of the TBS Directive on Privacy Impact Assessment. Furthermore, this PIA has been created as a multi-institutional PIA, in accordance with section 6.3.7 of that same directive and in discussion and collaboration with the PCO. As GIC appointees must abide by the vaccination requirements of the institutions to which they are appointed, including the GIC appointee data (attestation and testing information) and related PCO activities into this PIA was determined to be appropriate and efficient.

For the PCO, the scope of this PIA is limited to its collection of vaccination attestation information, as well as the guidance provided to deputy heads on what attestation data should be forwarded to the PCO. At a summary level, this PIA also describes the PCO’s business process for seeking a decision from the GIC on administrative action with respect to an appointee in the event of their non-compliance with the GIC Terms and Conditions; however, this is not a PIA on that existing and established process.

As this is a multi-institutional PIA between TBS and the PCO, signatories are provided from both institutions, which reflect approval of the PIA contents as they relate to their own specific institutions. That is, approval of this PIA by the PCO is limited to the PCO content and the risks and recommendations that impact the PCO. The same is applicable to TBS.

While not a signatory to the PIA, due to its role in COVID-19 testing, officials from Health Canada’s Testing Secretariat were reviewers of this PIA.

Findings and privacy risk mitigation recommendations – TBS

This PIA has identified 11 risks: seven Low risks, four Medium risks and zero High risks, with 20 risk mitigating recommendations. One risk applies specifically to the PCO, one risk applies to PCO and TBS, and the remaining nine are directed at TBS.

Generally, the risks identified in this PIA are typical of a multi-institutional PIA that assesses two new systems and an entirely new collection of personal information. In fact, some of the risks are unavoidable for a new collection: the need for a new personal information bank and seeking approval of a retention period for the new collection. In all, the action plan table below enumerates the 11 risks and 20 recommendations; however, there is one risk that is the most noteworthy: whether the collection of attestation information is demonstrably necessary.

Demonstrably necessary

This PIA provides a thorough summary and assessment regarding the implication of the term “demonstrably necessary.”

The decision of the Federal Court of Appeals in Union of Canadian Correctional Officers (Appellant) v. Attorney General of Canada (FCA, No. A-463-16) states that section 4 of the Privacy Act does not have an inherent necessity test, but rather the obligation to establish a “direct, immediate relationship” between the required information and the government’s activities. The direct and immediate relationship requirement has been met for the collection activities outlined in the Policy on Vaccination. Therefore, there is compliance with section 4 of the Privacy Act.

The term “demonstrably necessary” is a policy requirement in section 6.2.8 of the TBS Directive on Privacy Practices, which requires federal institutions to “limit the collection of personal information to what is directly related to and demonstrably necessary for the government institution’s programs or activities.” Assessing a program’s collection against the term “demonstrably necessary” is also a consistent request from the Privacy Commissioner. In fact, in a December 2021 letter, the Office of the Privacy Commissioner requested, in part, that TBS perform a demonstrably necessary assessment of its collection of vaccination attestation information.

In developing the Policy on Vaccination, TBS worked to determine how it could implement the program in the least privacy invasive manner while still collecting the personal information required to ensure compliance with the policy. Each data element was assessed to determine whether it was directly related to and demonstrably necessary for the policy. As a result, TBS made the decision to collect attestation information instead of proof of vaccination. It was determined that this collection would result in the least invasive collection of personal information, while ensuring the health and safety of employees should they be required to return to the office on an ad hoc basis.

Findings and privacy risk mitigation recommendations – PCO

For GIC appointees who are compliant with submitting an attestation, the PCO wants to collect only de‑identified, statistical data; however, due in part to unclear instructions from the PCO, some institutions submitted identifiable vaccination attestation information on GIC appointees. The PCO will not retain that data, but it should issue guidance to deputy heads so future collections are supported by clear instructions to avoid over-collection by the PCO.

Based on the fact that existing GIC appointee data has already been collected and that the process for collecting data on a new appointee does not result in the PCO collecting any information, it is likely that this risk is limited to future data collection exercises by the PCO, which are unlikely in the absence of any changes to the Policy on Vaccination. If such an exercise occurs, the PCO should provide clear instructions to deputy heads on what data elements should be submitted.

Action plan

Following the creation of version 1.0 of this PIA, the privacy risks and recommendations in this PIA were reviewed by multiple senior-level executives and subject matter experts within TBS and the PCO. In response, the action plan was created to provide a management response to the recommendations, as well as a timeline and a lead who is responsible for ensuring that the mitigation activity is completed by the established timeline. Each institution will track their own action plan items independent of one another and report progress to senior executives within their respective institution.
