Customer objects to bank using Social Insurance Number to activate credit cards
PIPEDA Case Summary #2002-105
[Principles 4.2.4, 4.3.2, and 4.5 of Schedule 1]
An individual complained that his bank had inappropriately used his Social Insurance Number (SIN) for a purpose to which he had not consented.
Summary of Investigation
When the complainant called the bank to activate his new credit card, the bank asked him for his SIN in order to confirm his identity. Since the complainant had not provided his SIN on the credit card application form, but had given it previously when he purchased an interest-bearing product from the bank, he concluded that the bank did not have separate databases for its products. He maintained that the bank should keep this information separate to ensure that the SIN is only used for the purpose of income reporting.
The bank indicates that it has separate databases for each of its products, as well as a customer information database that aggregates much of the information related to an individual client. The customer information database will include the SIN if the customer has purchased an income-generating product. Customer service representatives within the bank can access this database.
In this case, the complainant's credit card database contained very little personal information. As a result, it was concluded that the customer service representative must have accessed the customer information database, which contained his SIN.
Issued December 19, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.2.4 states that when personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. Principle 4.3.2 elaborates on the issue of knowledge and consent and states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.5 establishes that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
While the Commissioner was satisfied that the bank adequately stated the original purposes for collecting SINs from customers, he did not think that these purposes contemplated the use of SINs as identifiers for activating credit cards. Since customer identification for credit card activation is a new use, a new statement of purpose and consent are required. He determined that the bank had not made a reasonable effort to obtain either.
He determined that the bank had no valid basis for inferring consent to an additional use and, by asking for the SIN as an identifier, was using personal information without consent for a purpose other than that for which it had been collected. He therefore found that the bank was in contravention of Principles 4.2.4, 4.3.2, and 4.5. He was, however, pleased that the bank had eliminated the use of SINs to activate credit cards.
The Commissioner therefore concluded that the complaint was well-founded and resolved.