Using SIN for identity verification cannot be a condition of service
PIPEDA Case Summary #2017-006
December 20, 2017
Lessons Learned
- A private sector organization should only require a customer to provide their social insurance number (SIN) when it is required for income reporting obligations.
- Though using SIN for identity verification may help maintain the integrity and/or accuracy of a customer’s personal information, a private organization cannot require customers to provide it as a condition of service for identity verification.
- For more information, individuals can refer to Protecting Your Social Insurance Number. Organizations can consult our guidance Best Practices for the use of Social Insurance Numbers in the private sector.
Complaint
The complainant alleged that a financial institution did not allow customers to opt out of providing their social insurance number (SIN) to credit reporting agencies for the purpose of identity verification when applying to open a savings account. While he had no issue with providing his SIN for income reporting purposes, he did not want it to be shared with credit reporting agencies to verify his identity.
Summary of Investigation
When notified of the complaint, the financial institution confirmed to our Office that it collects and uses SINs for legally required income reporting obligations, and to verify the identity of prospective customers with credit reporting agencies. The financial institution took the position that using the SIN as an extra validation point for the credit report identification method was to the customer’s benefit because it could help maintain the integrity and/or accuracy of their personal information. The financial institution also referred to guidelines issued by FINTRAC and the Government of Canada as support for its position that it was appropriate for an online bank, which does not have face-to-face contact with its customers, to require users to consent to the use of the SIN for identification purposes.
Outcome
We reviewed the FINTRAC guidelines on Methods to identify individuals and confirm the existence of entities, which provide guidance to the financial sector on how organizations can meet their legal obligations to verify the identity of prospective clients before providing banking services. We also reviewed documentation from Employment and Social Development Canada (ESDC), entitled Protecting your Social Insurance Number and SIN Code of Practice, which provides individuals and private sector organizations with guidance on appropriate and inappropriate uses of the SIN. None of these sources required, or suggested, the use of individual SINs for identity verification purposes. We therefore found that the financial institution was contravening Principle 4.3.3 of Schedule 1 of the Act by requiring consent to this practice.
Our Office recommended that the financial institution stop requesting a customer’s consent to the use of SIN for identity verification purposes as a condition of service. The financial institution agreed to implement changes to its online application process and associated privacy communications, by making use of the SIN for identity verification optional, rather than a condition of service. It committed to implementing these changes by February 15, 2018.
We therefore determined the matter to be well-founded and conditionally resolved.
Update: In a follow-up discussion with the financial institution, the OPC confirmed that the institution had fully complied with our recommendations.