Bank obtains meaningful consent to use SINs for credit matching purposes
PIPEDA Case Summary #2003-159
[Principle 4.3, Schedule 1]
The complainant alleged that the bank was inappropriately using her SIN as an identifier. She referred specifically to the language of the credit card application, which alerts the applicant to the bank's use of the SIN to keep an applicant's information separate from that of other customers. The complainant was concerned that the consent language on the application form gave the bank carte blanche permission to share her SIN with or to receive it from other financial institutions or credit bureaus. The complainant was also concerned that an applicant might be denied service if he or she refused to provide their SIN.
Summary of Investigation
Both the paper copy and the electronic version of the credit card application form have a box for the SIN. The word 'optional' has been placed in brackets immediately after the heading 'Social Insurance No." The application form also advises applicants that the bank uses the SIN to keep the applicant's information separate from that of other customers, including information obtained through the credit approval process.
If a customer voluntarily provides the SIN, he or she can subsequently withdraw consent, if they change their mind about agreeing to this practice. The bank tracks its customers' preferences regarding disclosure on its database. Under the heading 'Credit Bureau', the customer can choose or decline that his or her SIN be communicated to the credit bureaus.
The bank's Privacy Code is available on its Web site and distributed to new customers when they open an account. It advises customers that they have the option of refusing or withdrawing their consent to the bank's stated use practices. It also advises applicants that the provision of the SIN for credit products is optional.
Staff of the Commissioner's Office confirmed that credit bureaus only disclose the SIN to a bank that has obtained it, in the first instance, with the client's consent.
Issued April 16, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
The Commissioner began his comments noting that the legislated uses of the SIN have expanded since its creation in 1964 as a client account number in the administration of the Canada Pension Plan and various employment insurance programs. He remarked that the federal government, in an effort to prevent the SIN from becoming a universal identifier, issued a policy limiting the collection and use of the SIN to specific acts, regulations and programs. He further noted that while there is no legislation that prevents organizations from asking for the SIN for other purposes, such as identification, organizations that are subject to the Act must clearly indicate to the customer that provision of the SIN is optional and not a condition of service.
In this case, the Commissioner determined that the bank clearly conveyed its policy that the provision of the SIN is optional for credit products. He also noted that the bank has an easy opt-out procedure if a customer withdraws his or her consent to the sharing of the SIN, and it tracks customer preferences on its database.
The Commissioner concluded that the complaint was not well-founded.
While the Commissioner was pleased with the bank's clearly stated policy and its opt-out procedures, he took the opportunity to stress that the SIN is not a piece of identification and should not be used as such. He stated:
"In keeping with the federal government's position that the SIN should only be used for legislated purposes, I would urge Canadians to refrain from providing their SINs as identification. To do otherwise would be to risk making the SIN a de facto national identifier, instead of simply an individual's account number for social benefit purposes."
- Date modified: