Credit reporting agencies acquitted of misusing consumers' social insurance numbers

PIPEDA Case Summary #2003-194

[Principle 4.3, Schedule 1]

Complaint

An individual filed separate complaints against two credit reporting agencies, alleging that they were inappropriately collecting social insurance numbers (SINs) from banks and using them as identifiers without having the meaningful consent of the consumers concerned.

Summary of Investigation

The complainant believed that each agency had and was using for new purposes of identification, without the knowledge and consent of the individual consumers, a national database of SINs obtained from Canadian banks, which had originally collected the SINs for different purposes under the Income Tax Act. He proposed that the agencies be required to delete SINs from their databases unless they obtained each concerned individual's express consent to continued retention for identification purposes.

In fact, the agencies do not have separate databases dedicated to the collection and use of SINs as identifiers. Their business databases are organized by name and address, not SIN. They do collect SINs, in the sense that they sometimes receive an individual's SIN among other personal information provided by a bank in the course of business, and their databases can and do accommodate any SIN so received. However, they do not require or even request that banks provide an individual's SIN for the purposes of any business transaction.

The agencies also readily acknowledge that they do sometimes use the SINs thus collected - strictly for purposes of matching an application for credit with an existing consumer credit file on the database. The consumer's name and address are usually sufficient for matching purposes. However, in difficult cases, notably where the database contains more than one individual of the same name and postal area, the agencies use other personal information available on file, such as birthdate or SIN, to ensure an accurate match. Both agencies find the SIN to be the most effective identifier in such cases.

Any bank wishing to collect, use, or disclose SINs for any purposes other than income reporting in relation to interest-bearing accounts is obligated under the Act to identify such secondary purposes and obtain the individual's consent to them. In principle, therefore, any bank that discloses a SIN to a credit reporting agency for identification purposes has obtained the individual's consent to do so.

In their contractual agreements with subscribers, both agencies impose a consent condition upon banks and other businesses that make inquiries about the credit-worthiness of consumers. One of the agencies uses general language to the effect that, before requesting services, the subscriber must obtain all consumer consents required under the applicable law. The other agency uses more specific language to the effect that the subscriber, before providing any personal information, must obtain appropriate consent from the individual in accordance with applicable privacy legislation. The latter agency also imposes an equivalent condition in its contractual agreement with those subscribers who supply the agency with credit history data.

The Commissioner's Office verified that neither agency ever discloses a SIN on its own initiative and in any event never to any party other than the one that provided the SIN with the initial credit inquiry information.

Commissioner's Findings

Issued July 16, 2003

Jurisdiction: As of January 1, 2001, the Act applies not only to any federal work, undertaking, or business, but also to any organization in respect of disclosures of personal information outside a province for consideration. The Commissioner had jurisdiction in these cases because it was established that both credit reporting agencies in question were organizations that engaged in such disclosures.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

In each case, the Commissioner was satisfied that the agency did not have a separate database organized by reference to SIN, that it did not require or request that banks provide the SINs of credit applicants, that its use of any received SINs was limited to the purpose of ensuring the accuracy of a credit file match in difficult cases, and that it did not disclose any consumer's SIN on its own initiative and never to any party other than the one that had supplied the SIN in the first instance.

Moreover, in consideration of banks' obligations under the Act and their further obligation to comply with the consent-related conditions set out in their contractual agreements with the agencies, the Commissioner was of the view that it was reasonable for each agency to assume, on receiving any SIN from a bank, that the bank had obtained proper consent from the individual consumer to the collection, use, and disclosure of the SIN for identification purposes in the course of business with the agency.

In each case, therefore, he found that the agency was is in compliance with Principle 4.3.

He concluded that the complaints were not well-founded.