Individual objects to request for SIN for purpose of credit inquiry and clause consenting to disclosure of personal information

PIPEDA Case Summary #2003-151

[Principles 4.3, 4.3.2, 4.3.3; section 5(3)]

Complaint

An individual made two allegations against a telecommunications company: (1) that it required two pieces of identification, notably his Social Insurance Number, as a condition of obtaining cellular phone service; and (2) that the consent clause in the service agreement allowed the company to disclose his SIN to credit providers without informing him of the disclosure or the reasons for it.

Summary of Investigation

When signing up for a cellular phone service, the complainant was asked to provide two pieces of identification, including his SIN. He was told by company representatives that this information was needed for a credit check and would not be kept afterwards. A short time later, upon receipt of the phone, he noticed that his SIN was included on the service agreement. He also noted a clause, indicating that this information could be forwarded to any other credit provider. The complainant objected, stating that the clause allowed the company to disclose his personal information without him being informed or knowing the reason for such an action. The company informed the complainant that it required subscribers to agree to the disclosure of all of their personal information obtained during the course of a credit inquiry to credit providers as a condition of obtaining cell phone service. The complainant returned the phone.

According to the company, cellular phone service is a form of unsecured credit. When new subscribers sign up for a plan wherein they pay for calls after they have been made, a credit check is conducted. Company representatives are required to inform customers of this before asking for two pieces of identification. The forms of identification requested are: credit card, date of birth, driver's licence, or SIN. The investigation confirmed that the complainant provided his SIN and date of birth, but it could not be determined whether or not the SIN had been specifically requested.

Regarding the second allegation, the company explained that it is required by Canadian Radio-television and Telecommunications Commission (CRTC) regulations to obtain a customer's permission to disclose his or her personal information to a third party. Therefore, the company includes a consent clause in its service agreement that is intended to obtain the customer's permission to disclose his or her credit history with the company to credit agencies and to other credit providers, such as banks or large stores. In an attempt to be clearer, the company changed the wording of the clause during the course of the investigation.

Commissioner's Findings

Issued April 14, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings or businesses as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 specifies that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

On the first count of the complaint, the Commissioner determined that the practice of requesting two pieces of identification for the purpose of conducting a credit check met the requirements outlined in Principle 4.3.3 and section 5(3).

As for the second count, the Commissioner determined that, although the company was formally seeking consent, in accordance with CRTC regulations and Principle 4.3 of the Act, it was rendered meaningless since the wording of the clause at the time of the complaint did not clearly specify what information the company would be disclosing to credit agencies. Similarly, the Commissioner did not consider the newly revamped wording to be any clearer in that respect. He therefore found that the consent clause failed to meet the expectations set out in Principle 4.3.2.

The Commissioner thus concluded that the first count of the complaint was not well-founded, but that the second count was well-founded.

Further Considerations

The Commissioner recommended that the company modify the wording of the consent clause to clearly indicate what information is to be communicated to credit agencies.

Date modified: