Customer objects to bank using Social Insurance Number to activate credit cards

PIPEDA Case Summary #2002-105

[Principles 4.2.4, 4.3.2, and 4.5 of Schedule 1]

Complaint

An individual complained that his bank had inappropriately used his Social Insurance Number (SIN) for a purpose to which he had not consented.

Summary of Investigation

When the complainant called the bank to activate his new credit card, the bank asked him for his SIN in order to confirm his identity. Since the complainant had not provided his SIN on the credit card application form, but had given it previously when he purchased an interest-bearing product from the bank, he concluded that the bank did not have separate databases for its products. He maintained that the bank should keep this information separate to ensure that the SIN is only used for the purpose of income reporting.

The bank's privacy policy addresses the use of the SIN by indicating that it is required for income-bearing products in order to comply with the Canada Customs and Revenue Agency's income-reporting requirements. The policy indicates that providing the SIN is optional for credit products.

The bank indicates that it has separate databases for each of its products, as well as a customer information database that aggregates much of the information related to an individual client. The customer information database will include the SIN if the customer has purchased an income-generating product. Customer service representatives within the bank can access this database.

In this case, the complainant's credit card database only contained very little personal information. As a result, it was concluded that the customer service representative must have accessed the customer information database, which contained his SIN.

The bank maintained that using the SIN for identification purposes was not a contravention of the Act, and pointed out that activating a credit card was simply an internal transaction designed to assist the customer. The bank was of the view that it had implicitly obtained its clients' permission to use any of the personal information previously provided when it sent clients its privacy policy, which included a general statement about using such information to serve the customer. Nevertheless, the bank recognized that the use of SINs is a sensitive issue for many people and has discontinued using them to activate credit cards.

Commissioner's Findings

Issued December 19, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.2.4 states that when personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose. Principle 4.3.2 elaborates on the issue of knowledge and consent and states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.5 establishes that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

While the Commissioner was satisfied that the bank adequately stated the original purposes for collecting SINs from customers, he did not think that these purposes contemplated the use of SINs as identifiers for activating credit cards. Since customer identification for credit card activation is a new use, a new statement of purpose and consent are required. He determined that the bank had not made a reasonable effort to obtain either.

The Commissioner considered the privacy policy's statement about using information to serve a customer too broad and vague to form a reasonable basis for meaningful consent in this instance. He stated that if an organization intends to use SINs as identifiers, it should tell its customers exactly that.

He determined that the bank had no valid basis for inferring consent to an additional use and, by asking for the SIN as an identifier, was using personal information without consent for a purpose other than that for which it had been collected. He therefore found that the bank was in contravention of Principles 4.2.4, 4.3.2, and 4.5. He was, however, pleased that the bank had eliminated the use of SINs to activate credit cards.

The Commissioner therefore concluded that the complaint was well-founded and resolved.