Audit and Privacy Issues - Policy Regarding SINs in Canada
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Address to the Canadian Information Technology Security Symposium
May 12, 1999
Director, Issues Management & Assessment
(Check against delivery)
I was asked here today to speak to and respond to the privacy issues raised in the September 1998 Report of the Auditor General of Canada entitled, "Management of the Social Insurance Number".
Events have overtaken us, however, in that as of May 1, 1999, the Standing Committee on Human Resources Development and the Status of Persons with Disabilities released its response to the Auditor General in a report entitled, "Beyond the Numbers: The Future of the SIN in Canada". Given the release last week of that report, what I think I will do is focus my remarks today in relation to the privacy issues highlighted in that report.
Before we deal with the issue of privacy, however, we must first attempt to define it. I say attempt because the issue of privacy is far more complex and touches our lives in far more ways that you might imagine. Most people don't really think much about their privacy until they lose it. But once lost, it is gone forever, you can't get it back.
Perhaps the classic formulation of privacy, "the right to be let alone", is at the heart of what we are all seeking to preserve, what might be called the core content of privacy. But, in 1999, such a phrase can only emphasize how quaint that expectation is in a society where e-mail, Internet, personal communications devices and biotechnologies have changed the very context of our lives and have the power to strip us of any sense of personal privacy.
So, perhaps, for today's discussion, we might best think of privacy as our right as individuals to control the flow of information about ourselves, the right to fair, reasonable and confidential information practices.
This claim of informational privacy is based on the democratic notion of self-determination or autonomy. It is fundamental to living in a civil society in mutual respect. And it dictates that no one should have more control over your information than you.
But the more that can be known about a person, the less that person's autonomy. And these days, in an information society, our individual autonomy and our sense of control are on the line. That is the heart of the privacy problem and that is why privacy has become such an emotionally charged issue.
Anyone familiar with the Privacy Commissioner's Office - and that's a small group, I'll admit, will know that uses and abuse of the SIN have always elicited more than our passing interest. And perhaps, some of you are wondering why? Why does government's file number for our pension and employment insurance records continue to worry Canadians, and their privacy commissioners? And why does the prospect of a super SIN send shivers down our collective spines? I will try to answer.
Inevitably, when you talk about privacy to people, they have a SIN story to tell you. The Auditor General is certainly the latest - and arguably the best resourced - SIN story. But SIN is, in effect, the tip of the privacy iceberg. SIN is the symptom of the greatest threat to privacy in an information age. That threat is data-linkage-gathering information about an individual from many databases without their knowledge or consent and creating a new data file. Data linkages work fastest and best when each individual has a unique trusted identifier across all databases. So the information can be easily found and pooled to form more comprehensive profiles of individual characteristics and behavior.
This threat of pooling and the resulting surveillance is what people respond to viscerally, that is, the transfer of information and power to the controllers of the systems. And that is the practice that offends the privacy principles that personal information should be used only for the purpose for which it was collected, and that individuals should be able to decide for themselves how the information would be used.
This possibility of unauthorized and intrusive data matching, without the card holder's knowledge or consent, both across government departments as well as within the private sector and possibly between the public and private sectors, has raised the alarm and underscored the importance of putting privacy and the protection of personal information at the center of all debates about the current operation of the SIN system and its future.
Initiatives aimed at improving the SIN have become something of a stalking horse for government hopes for a single window for client services. And with that initiative comes a central database, a common client identifier and in all likelihood, an identification card, possibly with a biometric component.
The vaunted advantages for such a system are:
- elimination of fraudulent claims for social benefits or work authorizations for illegal immigrants;
- convenience for bureaucrats in linking disparate data bases;
- accurate identification of individuals; and,
- preventing one person from assuming another's identity.
The downsides are worrisome, however, because such initiatives can transform the relationship between citizen and state. With ID cards, for example, this is so in the sense that there is an expansion in the sphere of bureaucratic powers. In a process that privacy advocates call function creep, ID cards originally designed for a single use expand to multiple uses. The introduction of any such system leads to increased demands for its use to link multiple databases. We then see the call for a single multi-purpose application card for all government services and functions, such that life is impossible without holding and showing the card. The card then becomes a de facto internal passport.
Any system of universal ID, once established, is the slippery slope, it is a short step to then requiring people to have and carry ID cards which petty bureaucrats and police can demand at will. Even if the card is voluntary at the outset, the greater the number of agencies that use it, the greater the inconvenience not it use it. The end result is effective compulsion.
People react against this for a variety of reasons. Developers of new systems and technologies must recognize that, for many people, privacy, anonymity, solitude and the right to be left alone, are values that they hold dear and upon which they will not accept encroachments. Proposals for a national identification card provoke a genuine apprehension in people. The prospect of being reduced to a number and the threat of being a non-person without an identity card may evoke fears and emotional memories of the recent past. Initiatives of this type may spark intense reactions and resistance from many.
Many privacy advocates also see risks in a system that requires an increasing level of compliance in all aspects of one's life. Simon Davis of Privacy International, for example, suggests that the introduction of universal ID cards could invite the following:
- a reaction not to accept or to willingly choose to be denied a range of services;
- errors or failure in one part of the system leading to a domino effect involving suspension of benefits or entitlements in other areas; and,
- the autonomy or freedom of individuals being compromised because of the scale and nature of information collection.
As well, without care, he says, the card becomes an icon, its use is enforced through mindless regulation or policy, disregarding other means of identification, and in the process causing significant problems for those without the card, the card becomes more important than the individual. Loss of cards can result in loss of identity.
Furthermore, the card itself is just the visible top of an enormous data iceberg. The invisible hulk beneath the water is the centralized population register, which it accesses, a register that invites widespread computer surveillance of individuals. Access to the register will be broad and will grow as programs make their case for joining. Inevitably thousands of government employees will have legitimate access. We will all become "virtual persons" whose lives can be followed and perhaps influenced by government agencies. It matters not whether the surveillance is for our own good, to feed policymakers or to satisfy researchers' curiosity, dataveillance is every bit as intrusive.
Now, there is much benefit in the accurate identification of individuals for the proper reasons, at the proper times, for the appropriate purposes. In fact, the need for accuracy is one of the principles recognized in all privacy laws and codes of fair information practices around the world. The dilemma with ID cards occurs by virtue of their potential for unrestricted and un-regulated use in multi-applications and multi-linkages with disparate databases. This possibility threatens any vestige of personal control over one's own information, and threatens to put unlimited powers of social control in the hands of the bureaucracy. This is a prospect that invites us all to give thoughtful reflection on such proposals. Simply because we can do something does not mean that we should do it.
So during the current SIN debate, it is essential we remember what privacy really is. This is where the report of the Standing Committee on Human Resources Development and the Status of Persons with Disabilities will prove so valuable. The report acknowledges the immediate need to clean up the SIN mess. But the report also recognizes the human values that are at stake and the imminent danger of transforming the system into a national identifier.
Let me highlight for you five of the key recommendations of the Human Resources Development Committee report, "Beyond the Numbers: The Future of the SIN in Canada". (The following segment of this talk predominantly paraphrases that report.)
As mentioned, the report is in large part a response to the Auditor General who stated that, "It is time to review the current roles, objectives and uses of the Social Insurance Number." and that, "The government should determine what it wants to do with the SIN and should study other possible options at the same time." The Auditor General also proposed that Parliament play a major role in debating these issues and finding a satisfactory solution.
In this latter regard, the Standing Committee on Human Resources Development and the Status of Person with Disabilities has started that debate by determining that the issues identified by the Auditor General fall into two distinct categories which should be dealt with separately by the government. The first of these is the short-term fixing of the current system that should be undertaken as soon as possible. At the same time, they were aware that there are another set of broader public-policy issues that need to be addressed. These concern the question of whether the SIN system needs to be overhauled and/or replaced by a common client identifier. They therefore recommended that:
"In modifying the Social Insurance Number (SIN) system, the Government of Canada should ensure that it proceeds on two tracks simultaneously:
Immediately take steps to correct abuses of the management and control of the current SIN system
Address the longer term, broader public-policy issues related to the future of the SIN system, including the issues of privacy and data matching."
In respect to the immediate concerns over the management and control of the SIN, the committee recognized that the SIN was never intended to become, or to be thought of as, a national personal identifier for Canadians. Yet that is precisely how the SIN has come to be used. Canada now has a SIN system that is treated akin to a national identifier but contains none of the built-in safeguards that would or should govern such as system. To a privacy advocate like myself, this suggests that Canada now lives in the worst of all possible worlds, it possesses a de facto national identifier but with no privacy protection.
The Committee concluded that a formal legislative mechanism should be put in place to regulate the use of the SIN, as follows:
"After appropriate consultation, the Government of Canada should prepare a Social Insurance Number Cards and Numbers Control Act that would set out the legal uses of the existing SIN in both public and private sectors and provide for penalties and fines for the misuse and abuse of the SIN. A draft bill should be tabled with this Committee no later than 31 December 1999."
As well, despite anecdotal evidence about the widespread and inappropriate use of the SIN in the private sector, the Committee could not find any study substantiating private sector use or abuse. Therefore, the committee recommended that:
"All relevant federal government departments and agencies and the Privacy Commissioner of Canada should work with Statistics Cnada to conduct and complete by 31 December 1999, an assessment of the impact and extent of use of the SIN in the public and private sectors. The findings of this study should be used in the development of a public education campaign regarding the use and abuse of the SIN."
Their hearings also revealed a common conclusion: Canadians are generally unaware of the problems linked to the SIN as well as unaware of the scope and potential for abuse of the SIN. They do not have a clear understanding about the instances when they must provide their SIN, nor when they can refuse to divulge their number without suffering any adverse consequences.
According to the Committee, the same situation of operating in ignorance applies to businesses and services in the private sector-both large and small. They often use the SIN as a cheap and convenient bookkeeping tool and business owners and employees may request or require clients and customers to provide their SIN in completely inappropriate situations. Some go so far as to deny a good or service if individuals refuse to divulge their SIN.
Certainly, I can tell you that the improper use of SIN by the private sector generates the largest number of inquires received by my office. Individual Canadians, as well as all elements of the private sector, need to understand their rights and responsibilities with respect to the SIN.
The Committee therefore recommended that:
"Immediately following the passage of the Social Insurance Number Cards and Numbers Control Act, all relevant federal departments and agencies and the Privacy Commissioner of Canada should develop and embark upon a public education campaign regarding SIN in Canada. Such a campaign should:
Be directed to the public and businesses, services and organizations that operate in the private sector;
Inform citizens of the legitimate use of their SIN in both the public and private sectors;
Inform citizens of their legal right to refuse to release their SIN; Inform businesses, services and organizations of the legal limits on their use of the SIN;
Be made available and accessible to Canadians through a range of media including print, radio and television.
In respect of improving the integrity of the SIN Registry, the Committee recommended that the Social Insurance Registry should have access to information held in the vital statistics registries of the provinces both to confirm the status of card holders-whether they are alive or dead-and to confirm the authenticity of primary identifying documents.
The Office of the Privacy Commissioner acknowledges that this kind of data sharing arrangement is necessary to clean up and preserve the integrity of the Social Insurance Registry. We caution, however, that procedures based on efficiency carry potential privacy costs.
The Committee ultimately agreed and recommended that all initiatives involving the Social Insurance Number give privacy a high priority and that Canadian privacy commissioners be asked to comment on these initiatives.
As to the future of the Social Insurance Number system and the public policy considerations, the Committee realized that solving the immediate administrative problems identified by the Auditor General's report does not tackle the central and fundamental problem within the context of the SIN system. As parliamentarians, they quickly understood that their job was to address the extent to which the SIN system has evolved and strayed from its original intent. Over and over, a variety of witnesses repeated the fundamental importance of clarifying the purpose of the SIN.
The Committee, therefore, concluded that the broader public-policy debate should attempt to answer the following questions:
- "Should the Social Insurance Number return to its original purposes as an account number to identify files of government programs? If so, can the SIN system be salvaged . or be scrapped and replaced by a new card-for example, a Millennium card that incorporates new smart card technology such as computer chip or biometrics identification?
- Is it time formally to recognize the SIN's de facto use and to take steps to convert the SIN into a national personal identification number for each resident of Canada? Can the introduction of such a card be accompanied by the use of encryption and other smart card features what will protect individual privacy?"
As well, they concluded that any move to turn the SIN into a national identifier must entail widespread political debate as well as adequate and appropriate public input. The creation of a national identification system presents challenges to personal privacy that must be addressed. Personal privacy is too fragile; the guarantees are too weak, and likely to remain so. The temptation for both the public and private sectors to use the data in any national identification system for unintended or unauthorized purposes could be intense and would have to be counterbalanced by adequate technical and legal safeguards.
However, Canadians need an opportunity to weigh the costs and benefits of any significant alteration of, or replacement for, the Social Insurance Number and to debate these in a public forum. In light of that, the Committee recommended:
"HRDC should prepare a report by 31 December 1999 that sets out a series of options, including the associated costs, for improving or replacing the SIN system with an entirely new card system."
Finally, the Committee concluded that their study had underscored public policy considerations about technology, privacy and data matching that had been the focus of an earlier report. In April 1997, the former House of Commons Standing Committee on Human Rights and the Status of Persons with Disabilities tabled a report entitled, "Privacy: Where Do We Draw The Line?" which dealt with these in detail and at length. That report studied the impact of changing technology on human rights and privacy rights, and amplified and explained many of the concerns that were looked at in the narrow question of the future of the Social Insurance Number System. Due to the timing of the Report's release, however, there was no government response. Consequently, the Committee decided to adopt the recommendations of that previous report and request that the government respond to it.
At the end of its process, the Committee was still left with a series of questions that they did not have time to explore such as:
"If the SIN is modernized or replaced, how will citizens privacy rights be respected and protected?
How will we ensure that inappropriate data matching does not take place?
What are the best ways to guard Canadians against the rising incidence of identity theft?
Will we be prepared to respond to the request for a secure and unique identifier for Canadians as more and more commerce takes place electronically?
As technology expands and becomes more sophisticated, should the office of the federal Privacy Commissioner be given expanded powers to combat intrusions into personal privacy of Canadians and if so, what would the scope of those powers be?
What are the cost implications of ensuring privacy?
To what extent are Canadians prepared to shoulder the cost of expensive technology to ensure privacy?
How do we balance the need for increased efficiency with the rights of individuals to privacy protection?
How do we deal, in a proactive fashion, with fraud and abuse of the SIN system as well as other forms of card fraud?"
We agree that these questions need to be answered and I should simply like to end by raising with you some of the considerations we will have to look in dealing with these questions.
First, there must be sound, justifiable and proven reasons for pursuing a national identification system. To date, there has been a noticeable lack of empirical evidence supporting the need for identify cards. There is no lack of desire to find a quick fix to social and economic problems through technological solutions, but the hope for such novel solutions and the efficacy of those solutions are two different things. In this regard, ID cards may well be a technology in search of an application. Before we travel down this road, there must be a demonstrated need for such a system.
Second, if it is possible to demonstrate that there is such a need, the legislative process must precede the implementation process of any national identification system. As Alberta Privacy Commissioner Robert Clark once remarked, we cannot have the "technocrats stepping on the democrats". There must be recognized legislated uses of the number/card, protective mechanisms and practices to protect privacy, and penalties in place for the misuse and abuse of any identification system. We are very pleased with the Committee's recommendations in this regard.
Finally, the impact of the introduction of such an identification system must be fully explored and understood before implementing its use in a national system. We certainly would have to conduct not only a privacy impact assessment to determine the implications for privacy by the introduction of such as system, but a broader societal impact assessment should be completed as well. The introduction of an identification system is probably even more complex in its implications than in its applications. And these must be examined and assessed to help us understand the consequences that may result, and to help us make the right choices.
As the Committee observed, too many decisions about the current use of the SIN were made by default. This was, and is, not appropriate and should be avoided in future. In making decisions, politicians and Canadians need information and discussion.
My view, in the end, is that human values must play a key role in any such technological change involving personal information. We must acknowledge that privacy is a human right and that a reasonable expectation of informational privacy is fundamental to the provision, use and regulation of any new information systems or identification proposals. And these should guide us in the upcoming debate.
Thank you very much.
- Date modified: