Best Practices for the use of Social Insurance Numbers in the private sector

July 2004

Should businesses ask individuals for their Social Insurance Number?

The Office of the Privacy Commissioner of Canada has long held the position that the Social Insurance Number (SIN) should not be used as a general identifier and that organizations should restrict their collection, use and disclosure of SINs to legislated purposes.

While recognizing that some private-sector organizations are required by law to request customers’ or employees’ SINs, we remain opposed in principle to the practice of requesting the SIN for general purposes of identification. We recommend that no private sector organization request the SIN from a customer, and that no customer give the SIN to a private-sector organization, unless the organization is required by law to request it.

To what extent is collection of SINs permissible in the private sector?

• Employers are authorized to collect SINs from employees in order to provide them with records of employment and T-4 slips for income tax and Canada Pension Plan (CPP) purposes.
• Organizations such as banks, credit unions, brokers and trust companies are required under the Income Tax Act to ask for customers’ SINs for tax reporting purposes (e.g., interest earning accounts, RRSPs, etc.).
• No private-sector organization is legally authorized to request customers’ SINs for purposes other than income reporting. Even in the case of a financial institution, if a customer’s account is not of a type that earns interest (e.g., if it is a credit account as opposed to a savings account), there is no legal requirement for the organization to collect the individual’s SIN, and no obligation for the individual to supply it.
• Even so, there is no law prohibiting an organization from asking for a customer’s SIN, or a customer from supplying the SIN, for purposes other than income reporting.

Although we do not recommend the practice, we recognize that an organization may ask for the SIN, and a customer may choose to supply it, for reasonable purposes of identification, provided that the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) are duly observed.

How does PIPEDA apply to the collection, use, and disclosure of SINs?

A SIN is the personal information of the individual to which it is assigned. As such, its collection, use, or disclosure is subject to all relevant provisions of PIPEDA. Notably, the following principles of Schedule 1 to PIPEDA apply.

• Principle 4.2 (Identifying purposes): An organization must inform the individual of its purposes for collecting the SIN and should do so at the time of collection, either orally or in writing (e.g., on an application form).
  • The organization should clearly specify whether it is requesting the SIN for purposes of income-reporting or for purposes of identification.
  • If requesting the SIN for purposes of income reporting, the organization should clearly indicate that the request is required by law.
  • If requesting the SIN only for purposes of identification, the organization should clearly indicate that the collection is optional.
  • If an organization that is required to collect the SIN for income-reporting purposes intends to use it also for purposes of identification, the organization should, at the time of collection, clearly specify this further intention and clearly indicate that the individual’s consent to the identification purposes is optional.
  • An organization must not use the SIN for any purpose not previously identified without first specifying the new purpose and obtaining the individual’s express consent to it. In other words, if the organization originally specified only income-reporting as the purpose for collecting the SIN, it must again seek the individual’s consent before using the SIN for purposes of identification.
  • Where the SIN is to be used for purposes of identification, an organization must provide a convenient mechanism whereby the individual may withdraw consent to such purposes any time after providing the SIN. The mechanism should be inexpensive, easy to execute, and immediately effective. A toll-free telephone number is recommended.
• Principle 4.3 (Consent): The knowledge and consent of the individual are required for any collection, use, or disclosure of a SIN. Where purposes for collecting the SIN are reasonable and clearly specified to the individual at the time of collection (e.g., on an application form), the organization may take the individual’s provision of the SIN as indication of consent.
• Principle 4.3.3 : “An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.”
  • Identification purposes are not in themselves considered a legitimate basis for requiring an individual to provide the SIN. If the SIN is being requested for purposes of identification only, the organization must not in any way suggest to the individual that the SIN is required as a condition for providing a product or service or otherwise establishing a business relationship.
  • Even where it is reasonable for an organization to ask a customer for proof of identity, a request for the SIN in particular must be represented and treated as optional. In verifying identity, an organization may request the SIN as one option among others, but never as a requirement in itself.
  • When banks or other credit-granting institutions need to confirm identity for the purposes of running a credit check on a loan applicant, it is acceptable to ask for the SIN as one among several identification options, but it should not be required as a condition for granting credit.