Bank uses SINs for credit matching purposes without meaningful consent

PIPEDA Case Summary #2003-142

[Principles 4.3 and 4.3.2 of Schedule 1]

Complaint

An individual complained that a bank is inappropriately using social insurance numbers to confirm the identity of credit card applicants with credit bureaus and is doing so without properly informing the applicants and obtaining their consent. The complainant was also concerned that the language in the credit card contract did not clearly indicate that customers have the option of disallowing such use without jeopardizing their access to banking services.

Summary of Investigation

The bank's purpose for using the SIN, obtained in the context of an application for a credit card, is to accurately match the credit history file of creditors. In the bank's view, this is a very limited, legitimate purpose, which it explicitly discloses as part of the credit application. The bank stated that the requirement to provide a SIN for this purpose is optional and that a customer can refrain from providing it or instruct the bank to remove it from his or her records.

Both the electronic and hard copy versions of the application forms include a statement about the SIN being used for identification purposes. However, neither version indicates that supplying the SIN is optional. Both types of forms, in fact, contain instructions stating that all information needs to be completed. The electronic version appears to indicate that the applicant can withdraw consent to using the SIN for credit matching purposes. However, the bank advised that in fact this opt-out provision does not apply to the SIN. Both versions contain statements indicating that by signing the form or clicking the appropriate box, the applicant agrees to all the terms outlined on the form.

The bank agreed that the language of its application forms was problematic and stated its intention to make changes to the forms, clarifying that the provision of the SIN for credit history file matching purposes was optional.

Commissioner's Findings

Issued March 18, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.2 states that organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

The Commissioner began his comments noting that the legislated uses of the SIN have expanded since its creation in 1964 as a client account number in the administration of the Canada Pension Plan and various employment insurance programs. He remarked that the federal government, in an effort to prevent the SIN from becoming a universal identifier, issued a policy limiting the collection and use of the SIN to specific acts, regulations and programs. He further noted that while there is no legislation that prevents organizations from asking for the SIN for other purposes, such as identification, organizations that are subject to the Act must clearly indicate to the customer that provision of the SIN is optional and not a condition of service.

In this case, the Commissioner determined that the bank did not do an adequate job of conveying its policy that the SIN was optional and not a condition of service. Since the bank was not making a reasonable effort, consistent with the expectations established in Principle 4.3.2, to ensure that the customer was properly informed that the SIN was optional, the Commissioner found that the bank was not obtaining valid, meaningful consent from applicants, as stipulated in Principle 4.3.

The Commissioner thus concluded that the complaint was well-founded.

Further Considerations

While the Commissioner was pleased that the bank was taking steps to address this issue by clarifying on the application forms that the provision of the SIN for identification purposes was optional, he took the opportunity to stress that the SIN is not a piece of identification and should not be used as such. He stated:

"In keeping with the federal government's position that the SIN should only be used for legislative purposes, I would urge Canadians to refrain from providing their SINs as identification. To do otherwise would be to risk making the SIN a de facto national identifier, instead of simply an individual's account number for social benefit purposes."