This PIA was an assessment of the potential privacy risks associated with implementation of website and panel surveys by the Federal Public Service Health Care Plan Administration Authority (hereinafter referred to as the “PSHCP Administration Authority”) and hosted by a third party survey provider.
The PSHCP Administration Authority is a not-for-profit corporation that oversees the administration and interpretation of the Public Service Health Care Plan (the “Plan”). In accordance with its Letters Patent issued by the President of the Treasury Board under subsection 7.2(1) of the Financial Administration Act (FAA) the Administration Authority’s activities include:
- Ensuring that the Plan Administrator adjudicates claims according to the Contract
- Conducting audits and evaluations regarding the payment of benefits
- Managing the appeals process
- Communicating with Plan members
- Collecting information about Plan performance and reporting it to the Partners Committee
The PSHCP Administration Authority’s website is the official site used for providing the public and Plan members with information related to its role and activities; the Plan Administrator and related contract; and Plan members and benefits.
The PSCHP Administration Authority is looking to implement surveys on its website to gain feedback on various PSHCP issues so they can evaluate and make improvements. These surveys will allow the PSHCP Administration Authority to measure overall satisfaction with its website and programs. Using data obtained from these surveys will allow the PSHCP Administration Authority to determine what specific information and resources its audience wants and whether or not the information available to them is useful.
The Administration Authority has retained the services of a third party survey provider, SimpleSurvey, to collect and store survey data. SimpleSurvey offers commercial tools which allow users to create customized web-based surveys that are hosted by SimpleSurvey. The surveys are not intended to ask for nor collect personally identifiable information. SimpleSurvey is a Canadian company with all data hosted on servers that are located in Canada.
Based on the completion of the Privacy Impact Assessment, the privacy risks associated with the implementation of website and panel surveys by the Administration Authority is considered as low and will require minor adjustments to administrative processes to mitigate against privacy concerns.
This PIA is intended to be an evergreen document, and as such, will be modified as new implementation details, lessons learned, or best practices arise in the future delivery of surveys by the Administration Authority.
Risk Area Identification and Categorization
Level of Risk to Privacy - 1 (low) to 4 (high): 1
Description of Risk: Information collected via surveys is not intended to be used for the purpose of making decisions about an identifiable individual.
Level of Risk to Privacy - 1 (low) to 4 (high): 1
Description of Risk: The implementation of surveys is not intended to ask for nor collect personally identifiable information from respondents.
Level of Risk to Privacy - 1 (low) to 4 (high): 4
Description of Risk: A Private sector organization will be used for the implementation of surveys by the Administration Authority.
Level of Risk to Privacy - 1 (low) to 4 (high): 3
Description of Risk: The implementation of surveys by the Administration Authority is considered to be on-going with no established sunset date at this time.
Level of Risk to Privacy - 1 (low) to 4 (high): N/A
Description of Risk: The Administration Authority’s use of surveys is targeted to PSHCP members only. It is unlikely that the use of surveys will present widespread risks to a large population of individuals
Level of Risk to Privacy - 1 (low) to 4 (high): Yes
Description of Risk: Use of automated web-based survey software tools provided by third party survey provider.
Level of Risk to Privacy - 1 (low) to 4 (high): 4
Description of Risk: The personal information is transferred using wireless technologies.
Level of Risk to Privacy - 1 (low) to 4 (high): 1
Description of Risk: The risk impact to individuals is considered to be low.
Level of Risk to Privacy - 1 (low) to 4 (high): 2
Description of Risk: The overall impact is considered low.