Company uses SIN for identification purposes

PIPEDA Case Summary #2003-146

[Section 2; Principle 4.5 of Schedule 1]

Complaint

An employee of a nuclear power plant complained that his employer was using his Social Insurance Number (SIN) for a purpose to which he had not consented.

Summary of Investigation

As part of a business transaction with another organization, the employer acquired a web-based tool that allows employees to view their own personal employment-related information on the company's intranet service. In order to access the part of the system containing an employee's pay and banking information, the employee must enter the last four digits of his or her SIN. SINs were not loaded separately to support the system. Rather, the system prompts for the last four digits of the employee's SIN and then looks up the number on the computer system, where it is already present for payroll and tax purposes, to validate it.

The complainant attempted to have the employer stop using the SIN as a password, to no avail. The individual's position is that he had provided his SIN for income tax and Canada Pension Plan purposes only, and not for use as a password.

The company originally understood that it had only acquired the rights to use the system, not to modify or amend it. It has since clarified that it can in fact change the requirement for the four digits of the SIN and agreed with the complainant and his union to change the prompt. To date, however, this has not occurred, though the matter is still under discussion.

Notwithstanding this, the company's position was that the use of the last four digits of the SIN did not in any way compromise the security of an employee's personal information. It was also of the view that this number could not be used as a personal identifier that would lead someone to other personal information about the individual, nor could it be used to recreate the first five digits of the SIN.

Commissioner's Findings

Issued April 7, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a nuclear power plant is considered a federal work, undertaking, or business.

Application: Section 2 defines personal information to be "...information about an identifiable individual...". Principle 4.5 establishes that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

As the SIN is clearly personal information about an identifiable individual, the Commissioner determined that four digits of it also qualified as personal information for purposes of the Act. He also considered the company's assertion that using these four digits did not in any way compromise the security of an employee's personal information to be irrelevant. In his view, the issue in this case was that of consent.

As the SINs had originally been collected for income tax and Canada Pension Plan reporting purposes, the Commissioner determined that the company was using employees' SINs for a new purpose, namely, identification, but that it had not obtained their consent to do so. He thus concluded that the employer was using employees' personal information without their consent for a purpose other than that for which it had been collected, in contravention of Principle 4.5.
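The mechanism described in the Summary of Investigation (a prompt for the last four digits of a SIN already held for payroll) and the purpose rule the Commissioner applied here can both be shown in a small model. The following Python is an added illustration, not code from the case, the employer or the vendor: the record layout, the purpose labels, and every function name are assumptions. Each personal field carries the purposes disclosed at collection, and any use for an undisclosed purpose is refused; a separately collected, hashed portal credential is shown beside the SIN-suffix prompt.

```python
"""Purpose-bound access to personal data, modelled on the payroll portal
in PIPEDA Case Summary #2003-146 (added example; all names are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Purposes the summary says the SIN was collected for (labels are assumptions).
TAX_PURPOSES = frozenset({"income_tax", "cpp_reporting"})


class PurposeViolation(Exception):
    """Raised when a field is used for a purpose the individual never consented to."""


@dataclass
class PersonalField:
    value: str
    consented_purposes: FrozenSet[str]  # purposes disclosed at collection time

    def use_for(self, purpose: str) -> str:
        # Principle 4.5: no use for a purpose other than those collected for,
        # unless the individual consented (modelled by the purpose set).
        if purpose not in self.consented_purposes:
            raise PurposeViolation(f"field not collected for purpose {purpose!r}")
        return self.value


@dataclass
class EmployeeRecord:
    employee_id: str
    sin: PersonalField
    portal_credential: Optional[PersonalField] = None


def make_record(employee_id: str, sin: str,
                extra_purposes: FrozenSet[str] = frozenset()) -> EmployeeRecord:
    """Constructed sample record. By default the SIN is bound to TAX_PURPOSES only;
    pass extra_purposes to model an employee who consented to a further use."""
    return EmployeeRecord(employee_id, PersonalField(sin, TAX_PURPOSES | extra_purposes))


def login_with_sin_suffix(record: EmployeeRecord, entered_suffix: str) -> bool:
    """The prompt described in the summary: compare the last four digits of the
    stored SIN. The lookup is a use of the SIN for 'authentication', so it is
    refused unless that purpose was consented to. Note also that a four-digit
    suffix has only 10_000 possible values, so it is a weak secret regardless."""
    sin = record.sin.use_for("authentication")
    return hmac.compare_digest(sin[-4:], entered_suffix)


def enroll_portal_credential(record: EmployeeRecord, secret: str) -> None:
    """Collect a dedicated credential for the single purpose of portal login and
    store only a salted PBKDF2 hash of it, never the secret itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)
    stored = salt.hex() + ":" + digest.hex()
    record.portal_credential = PersonalField(stored, frozenset({"authentication"}))


def login_with_portal_credential(record: EmployeeRecord, secret: str) -> bool:
    """Verify the dedicated credential; the SIN is never touched."""
    if record.portal_credential is None:
        return False
    stored = record.portal_credential.use_for("authentication")
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    rec = make_record("E-0001", "000000000")  # constructed, not a real SIN
    try:
        login_with_sin_suffix(rec, "0000")
    except PurposeViolation as exc:
        print("SIN-suffix login refused:", exc)
    enroll_portal_credential(rec, "example-portal-secret")
    print("portal login:", login_with_portal_credential(rec, "example-portal-secret"))
```

The point of the purpose set is that the same lookup the summary describes succeeds only when "authentication" was among the purposes the employee agreed to, which is exactly the distinction the Commissioner drew: the finding turned on consent to the new purpose, not on whether four digits were hard to guess.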

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the company cease requiring employees to use the last four digits of the SIN as a password.
