Customers object to use of Social Insurance Number to activate credit card

PIPEDA Case Summary #2002-115

[Principle 4.3 and 4.3.2 of Schedule 1]

Complaint

The Commissioner received identical complaints from two individuals who objected when their new bank asked for their Social Insurance Number (SIN) for the purpose of activating their credit cards.

Summary of Investigation

Both complainants had a credit card with their former bank. When the bank amalgamated with another, the credit card business was sold to a different bank. All customer credit card account information was transferred to the new bank prior to the Act coming into force. Affected cardholders were issued new cards under the new bank's name, in 2001 and 2002.

To activate these cards, cardmembers were instructed to call a toll-free number. Cardmembers would initially reach an automated voice, instructing them to have their SIN ready. They were then told to enter their credit card number. If the individual did not enter the SIN or if there was a problem with entering the account number, the call was routed to a live operator, and other criteria were used to activate the card.

One complainant called the toll-free number, refused to provide his SIN, terminated the call and contacted the bank. He then returned his credit cards to the bank, and sent a letter objecting to use of the SIN in order to activate a credit card. The bank sent him another card. When he tried to activate it, he again refused to give his SIN, terminated the call and telephoned the bank to request that it close the credit card account immediately.

The other complainant called the toll-free number, refused to provide his SIN, and spoke to a live operator. He asked how the bank had his SIN on file. He was told that he had provided it on his original credit card application with his former bank.

The bank confirmed that it asked for the SIN for identification purposes because it is considered to be the only "good," unique identifier available. The bank indicated that it had received customers' microfilmed applications when it acquired the credit card business. It admitted, however, that it was not sure which customers had in fact provided their SIN and why, but asserted that the majority of these customers had provided it.

The complainants do not recall providing their SIN on their original applications. The bank indicated that it had not received either individual's application when it acquired the credit card business. These were not, therefore, available for review.

The bank stated that it had received very few complaints about this matter. In cases where it had, the bank immediately removed the SIN from the individual's records. The bank also changed its automated response system so that the SIN would no longer be requested during the card activation process. However, the bank indicated that, unless all financial institutions are required to do so, it would not review all of its cardholders' account records to ensure that the SINs were not on file unnecessarily.

Commissioner's Findings

Issued December 20, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 elaborates on the matter of knowledge and consent by establishing that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.

Given the bank's uncertainty as to the circumstances of the original collection of the SINs and given that the purpose of identification was other than the primary legislated purpose of income reporting, the bank should have made a reasonable effort to inform its new customers about this new purpose and to obtain their consent. The Commissioner could find no evidence that the bank had made such an effort or obtained customers' consent, and therefore found the bank in contravention of Principles 4.3 and 4.3.2 of Schedule 1 to the Act. He was, however, pleased that the bank had eliminated the use of the SIN for the purpose of activating a credit card.

The Commissioner therefore concluded that the complaint was well-founded and resolved.