Privacy Impact Assessment Summary - All Events Response Operations
Government Institution: Public Health Agency of Canada - Health Security Infrastructure Branch
Name of Program: All Events Response Operations (AERO)
Government Official Responsible for the Privacy Impact Assessment: Russell Mawby, Director, Public Health Capacity Development Division, Public Health Agency of Canada
ATIP Coordinator: Cynthia Richardson
Description of Program or Activity: The All Events Response Operations (AERO) application, administered by the Public Health Workforce Development Unit (PHWDU) within the Centre for Public Health Infrastructure (CPHI), is a web-based database that facilitates the collection of information necessary to mobilise health professionals (initially epidemiologists), in support of responses to emergencies/public health events nationally and internationally. The application will strengthen the Agency's capacity to respond to emergencies/public health events by permitting the rapid and transparent identification of staff with the necessary skills, experience and expertise. AERO will enhance an existing paper-based system by integrating a business analysis tool that will enable the enumeration of response capacity and to identify response capacity gaps.
Legal Authority for Program or Activity: Legal authority for the collection of personal information in AERO is found under section 3 of the Public Health Agency of Canada Act and subsection 4(2) of the Department of Health Act.
Related Personal Information Bank: All Events Response Operations (AERO) - PHAC PPU 305.
Risk Identification and Categorization
As per the TBS Directive on Privacy Impact Assessment, the core PIA must include a completed risk identification and categorization section as outlined below. To have consistent risk categories and risk measurement across government institutions, standardized risk areas (itemized below) and a common risk scale are to be maintained as the basis for risk analysis.
The numbered risk scale is presented in an ascending order: the first level (1) represents the lowest level of potential risk for the risk area; the fourth level (4) represents the highest level of potential risk for the given risk area.
- Type of program or activity
- Risk scale 2
- Administration of program or activity and services
- Type of personal information involved and context
- Risk scale 1
- Only personal information, with no contextual sensitivities, collected directly from the individual or provided with the consent of the individual for disclosure under an authorized program.
- Program or activity partners and private sector involvement
- Risk scale 2
- With other government institutions.
- Duration of the program or activity
- Risk scale 3
- Long-term program or activity
- Program population
- Risk scale 1
- The program's use of personal information for internal administrative purposes affects certain employees.
- Personal information transmission
- Risk scale 3
- The personal information is transferred to a portable device (i.e., USB key, diskette, laptop computer), transferred to a different medium or is printed.
- Technology and privacy
- Does the new or substantially modified program or activity involve implementation of a new electronic system or the use of a new application or software, including collaborative software (or groupware), to support the program or activity in terms of the creation, collection or handling of personal information? Yes
- Does the new or substantially modified program or activity require any modifications to information technology (IT) legacy systems? No
- Specific technological issues and privacy N/A
- Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
- enhanced identification methods;
- surveillance; or
- automated personal information analysis, personal information matching and knowledge discovery techniques?
- Does the new or substantially modified program or activity involve implementation of new technologies or one or more of the following activities:
- A YES response indicates the potential for privacy concerns and risks, which will require consideration and, if necessary, mitigation.
- Impact on the individual or employee
- Potential risk of Breach that in the event of a privacy breach, there will be an impact on the individual or employee. Yes
Page details
- Date modified: