Privacy Impact Assessment of the Federal Public Service Health Care Plan Administration Authority Website Survey Initiative

This PIA was an assessment of the potential privacy risks associated with implementation of website and panel surveys by the Federal Public Service Health Care Plan Administration Authority (hereinafter referred to as the "PSHCP Administration Authority") and hosted by a third party survey provider.

The PSHCP Administration Authority is a not-for-profit corporation that oversees the administration and interpretation of the Public Service Health Care Plan (the "Plan"). In accordance with its Letters Patent issued by the President of the Treasury Board under subsection 7.2(1) of the Financial Administration Act (FAA) the Administration Authority’s activities include:

  • Ensuring that the Plan Administrator (Sun Life Financial) adjudicates claims according to the Contract
  • Conducting audits and evaluations regarding the payment of benefits
  • Managing the appeals process
  • Communicating with Plan members
  • Collecting information about Plan performance and reporting it to the Partners Committee

The PSHCP Administration Authority's website is the official site used for providing the public and Plan members with information related to its role and activities; the Plan Administrator and related contract; and Plan members and benefits.

The PSCHP Administration Authority is looking to implement surveys on its website to gain feedback on various PSHCP issues so they can evaluate and make improvements. These surveys will allow the PSHCP Administration Authority to measure overall satisfaction with its website and programs.  Using data obtained from these surveys will allow the PSHCP Administration Authority to determine what specific information and resources its audience wants and whether or not the information available to them is useful.

The Administration Authority has retained the services of a third party survey provider, SimpleSurvey, to collect and store survey data. SimpleSurvey offers commercial tools which allow users to create customized web-based surveys that are hosted by SimpleSurvey. The surveys are not intended to ask for nor collect personally identifiable information. SimpleSurvey is a Canadian company with all data hosted on servers that are located in Canada.

Based on the completion of the Privacy Impact Assessment, the privacy risks associated with the implementation of website and panel surveys by the Administration Authority is considered as low and will require minor adjustments to administrative processes to mitigate against privacy concerns.

This PIA is intended to be an evergreen document, and as such, will be modified as new implementation details, lessons learned, or best practices arise in the future delivery of surveys by the Administration Authority.

Risk Area Identification and Categorization

Risk Area

Level of Risk to Privacy
1 (low) to 4 (high)

Description of Risk

A. Type of Program or Activity

1

Information collected via surveys is not intended to be used for the purpose of making decisions about an identifiable individual.

B. Type of Personal Information Involved and Context

1

The implementation of surveys is not intended to ask for nor collect personally identifiable information from respondents.

C. Program or Activity Partners and Private Sector Involvement

4

A Private sector organization will be used for the implementation of surveys by the Administration Authority.

D. Duration of the Program or Activity

3

The implementation of surveys by the Administration Authority is considered to be on-going with no established sunset date at this time.

E. Program Population

N/A

The Administration Authority’s use of surveys is targeted to PSHCP members only. It is unlikely that the use of surveys will present widespread risks to a large population of individuals

F. Technology and Privacy

Yes

Use of automated web-based survey software tools provided by third party survey provider. 

G. Personal Information Transmission

4

The personal information is transferred using wireless technologies.

H. Risk Impact to the Individual

1

The risk impact to individuals is considered to be low.

I. Risk Impact to the Institution

2

The overall impact is considered low.