Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2003-217

A telecommunications company requires two pieces of identification from a subscriber

[Principles 4.3.3, 4.4 of Schedule 1; subsection 5(3)]

Complaint

An individual complained that a telecommunications company required that he provide two pieces of identification when he applied for a second residential phone line to be installed.

Summary of Investigation

When the complainant applied for a second residential phone line to be installed, the representative of the telecommunications company asked him to provide two pieces of identification. According to the company, when a new phone service or an additional service is requested by a subscriber, as was the case here, the company's standard procedure is to inform the individual that he or she must provide these pieces of identification to confirm his or her identity. Examples of acceptable pieces of identification include: birth certificate, driver's licence number, health card number or Social Insurance Number. The telecommunications company considers its clients to be creditworthy for phone services and retains a file of all of its users. The pieces of identification that are provided are therefore compared to those that are included in the file to ensure that they correspond.

During the investigation, the complainant indicated that the company representative had told him that the purpose of collecting the information was to confirm his identity. However, he said that he had been told that he could provide only two types of identification: his driver's licence and his health card. He refused to provide the requested information and cancelled his application for a second residential phone line.

Commissioner's Findings

Issued August 5, 2003

Jurisdiction: As of January 1, 2002, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Commissioner had jurisdiction in this case because the telecommunications company is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3.3 of Schedule 1 of the Act stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.4 indicates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means. Finally, subsection 5(3) of the Act stipulates that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

In similar cases against the company, the Commissioner has already established that a reasonable person would find that the organization collects personal information properly in order to verify the consumer's identity or to confirm a potential client's credit standing. He therefore found that the collection of information was not unreasonable and that the company respected Principle 4.3.3 of Schedule 1 and subsection 5(3) of the Act.

Moreover, the Commissioner indicated that companies that collect information for the purpose of a credit check or to confirm identity must limit the collection to information that is necessary for the purposes identified by the organization, as mentioned in Principle 4.4 of Schedule 1 of the Act. The investigation revealed that the company asked for two pieces of identification, and the Commissioner believed that, because of this, it limited its collection to information that was necessary, thus complying with Principle 4.4 of Schedule 1 of the Act.

The Commissioner found that the complaint was not well-founded.