Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2001-22
Company asks for customer's SIN as a matter of policy
[Principles 4.3.3 and 4.4.1, Schedule 1; and section 5(3)]
An individual complained that a telecommunications company had improperly collected her personal information in the form of her Social Insurance Number (SIN).
Summary of Investigation
In signing up the complainant for Internet connection, the telecommunications company in question had asked her for her SIN. According to the complainant, the company representative with whom she had spoken had told her, "No SIN, no connection," and she had therefore felt obliged to give up her number in order to obtain the service. It was the company's written policy to collect SINs from persons requesting services. The purpose of this policy was to avoid confusion over similar names among customers. However, by the same policy, the company did not insist on obtaining the SIN in cases where the customer refused and did advise its employees that the collection was not obligatory.
Issued November 5, 2001
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses, as defined in the Act.
Application: Principle 4.3.3, Schedule 1, states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes. Principle 4.4.1 states that organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Regarding Principle 4.4.1, the Commissioner determined that, by the company's own policy, the collection of SINs was non-obligatory and therefore not necessary to fulfil explicitly specified and legitimate purposes. He found that the collection was thus indiscriminate and that the company was not in compliance with this principle.
Regarding Principle 4.3.3, the Commissioner was satisfied that the complainant had clearly received the impression that giving her SIN was a condition of service. He found therefore that the company was not in compliance with this principle.
Regarding section 5(3), the Commissioner was mindful of his Office's longstanding position that the SIN should not be used as a universal identifier and that citizens should not give out their SIN unless legally required to do so for purposes of the limited number of federal government programs authorized for such collection. He was satisfied that a reasonable person would object to the collection of SINs for purposes of Internet connection. He found that the company was therefore not in compliance with section 5(3).
The Commissioner noted that the company had removed the SIN from the complainant's file and was in the process of changing its policy so that SINs would no longer be requested.
The Commissioner concluded therefore that the complaint was well-founded and resolved.
The Commissioner also recommended that the company take steps to review its files and remove any other unnecessary SINs collected from its other customers.