1974 Valcartier Grenade Incident Program (VGIP)

The Department of National Defence (DND) and Canadian Armed Forces (CAF) is responsible for supporting the Navy, Army, Air Force and Special Forces in the defence of Canadian interests. The Department also supports and funds the Canadian Cadet Organization, which provides leadership, physical fitness, and citizenship training to youth across Canada.

On July 30, 1974, at a summer camp for army cadets held at Canadian Forces Base Valcartier, a live grenade exploded during a course on ordnance safety, killing six young cadets and injuring dozens more. With the exception of the immediate medical care received at the time of the incident, cadets affected by the incident were not assisted or compensated at the time.

On March 9, 2017, Canada’s Defence Minister announced a new program – the 1974 Valcartier Grenade Incident Program (VGIP) – to provide financial recognition and health care support for the victims of the 1974 incident. The Program is available to all former cadets present when the incident occurred, and to non-professional first responders who assisted in the immediate aftermath of the incident. Financial compensation is also available through the Program to the estates of the six cadets who perished in the incident, and those of cadets and first responders who have passed away.

1. Scope of the Privacy Impact Assessment (PIA)

DND is named in the Schedule to the Privacy Act and is subject to the privacy policies and directives of the Treasury Board of Canada Secretariat (TBS). Under the TBS Policy on Privacy Protection, all federal institutions subject to the Privacy Act are required to undertake an assessment of the privacy impacts associated with the development or design of new programs or services involving personal information (or when making significant changes to an existing program or service).

In keeping with the above, DND elected to undertake a PIA in relation to the VGIP. Although financial compensation is to be provided on a one-time basis, and while Medavie Blue Cross (a third-party health services organization) has been contracted by DND to help administer the VGIP, financial and health claims processing and adjudication will be performed by DND/CAF itself. As such, and where claims adjudication will involve the collection and use of personal information, a PIA was considered necessary.

The purpose of the PIA is to ensure that DND/CAF’s processing of personal information for financial and health claims complies with the federal Privacy Act and its supporting policies and directives. It includes a review of the Program registration process, and an assessment of approved uses and disclosures of personal information collected from eligible clients.

2. Privacy Assessment

Based on the results of the PIA, privacy risks arising from the collection, use, disclosure, and retention of personal information under the VGIP are expected to be moderate. Recommendations included in the PIA, where fully adopted, are expected to reduce those risks to an acceptable (or low) level.

Personal information to be collected under the Program will be limited to that which is required for the adjudication and payment of claims. Personal information will not be used or disclosed, except as authorized and provided by the individual. And all personal information collected by DND/CAF and its Program partners will be stored and secured in a manner commensurate with its sensitivity. Potential impacts on the privacy of eligible individuals will be managed by DND/CAF through appropriate legal, policy and technical measures geared at the protection of their personal information. This includes existing policies and practices in place to support the work of the Canadian Forces Health Services group.

3. Risk Area Identification and Categorization

A: Type of Program or Activity	Level of Risk to Privacy
Personal information is used to make decisions that directly affect the individual (i.e. determining eligibility for programs including authentication for accessing programs/services, administering program payments, overpayments, or support to clients, issuing or denial of permits/licenses, processing appeals, etc…).	2
B: Type of Personal Information Involved and Context	Level of risk to privacy
Only personal information provided by the individual – at the time of collection –- relating to an authorized program & collected directly from the individual or with the consent of the individual for this disclosure / with no contextual sensitivities. The context in which the personal information is collected is not particularly sensitive. For example: general licensing, or renewal of travel documents or identity documents.	1
Personal information provided by the individual with consent to also use personal information held by another source / with no contextual sensitivities after the time of collection.	2
Social Insurance Number, medical, financial or other sensitive personal information and/or the context surrounding the personal information is sensitive. Personal information of minors or incompetent individuals or involving a representative acting on behalf of the individual.	3
C: Program or Activity Partners and Private Sector Involvement	Level of risk to privacy
Within the department (amongst one or more programs within the department)	1
Private sector organizations or international organizations or foreign governments	4
D: Duration of the Program or Activity	Level of risk to privacy
Short–term program: A program or an activity that supports a short-term goal with an established “sunset” date.	2
E: Program Population	Level of risk to privacy
The program affects certain individuals for external administrative purposes.	3
F: Technology and Privacy	Level of risk to privacy
Does the new or modified program or activity involve the implementation of a new electronic system, software or application program including collaborative software (or groupware) that is implemented to support the program or activity in terms of the creation, collection or handling of personal information?	No
Does the new or modified program or activity require substantial modifications to IT legacy systems and / or services?	No
The new or modified program or activity involves the implementation of potentially privacy invasive technologies?	No
G: Personal Information Transmission	Level of risk to privacy
The personal information is used in system that has connections to at least one other system.	2
The personal information may be printed or transferred to a portable device.	3
The personal information is transmitted using wireless technologies.	4
I: Risk Impact to the Individual	Level of risk to privacy
Inconvenience.	1
Reputation harm, embarrassment.	2
H: Risk Impact to the Institution	Level of risk to privacy
Managerial harm. Processes must be reviewed, tools must be changed, change in provider / partner.	1
Organizational harm. Changes to the organizational structure, changes to the organizations decision-making structure, changes to the distribution of responsibilities and accountabilities, changes to the program activity architecture, departure of employees, reallocation of HR resources.	2
Financial harm. Lawsuit, additional moneys required reallocation of financial resources.	3
Reputation harm, embarrassment, loss of credibility. Decrease confidence by the public, elected officials under the spotlight, departmental strategic outcome compromised, government priority compromised, and impact on the Government of Canada Outcome areas.	4