Privacy Risks to Consider Before Using SINs as Identifiers

I recently came across an article entitled “How Social Security numbers became Skeleton keys for fraudsters”, which describes how, in the U.S., the Social Security number is overused and abused by hospitals, banks and even retailers, putting millions of Americans at risk of identity theft. The article goes on to explain that this number was never intended to become a de facto identifier and that, as a result, it has become a valuable commodity among fraudsters and identity thieves. The Identity Theft Resource Center, in its recent document “New Account Fraud – A Growing Trend in Identity Theft”, reports that the number of breached records with SSNs totaled more than 165 million in 2015. Experts and the Social Security Administration recommend that people push back when anyone asks for their SSN.

The problem raised in this article is not a U.S. problem. In Canada, in recent years, an increasing number of organizations, both in the private and in the public sector, have started using the Social Insurance Number (SIN) as a means of identification. In many cases, organizations inside and outside government ask for the SIN because it is a simple method of identification. Many may also use it as a client account number to save them from setting up their own numbering systems.

To give an example, Canada has recently announced its intention to implement the Organisation for Economic Co-operation and Development (OECD)’s Common Reporting Standard (the “CRS”) starting in July 2017, which would require amendments to the Income Tax Act and the Income Tax Regulations. The CRS requires financial institutions located in jurisdictions that have adopted the CRS to collect certain information about an accountholder’s tax residence status, and if applicable, the tax residence status of each natural person that is a controlling person, allowing local tax authorities to exchange the reported information with the tax authorities in the countries in which accountholders are tax residents. The CRS states that jurisdictions which do not issue a tax information number (or a “TIN”) may instead use other high integrity numbers with an equivalent level of identification, such as a social security/insurance number. It therefore appears that the “functional equivalent” to the TIN in Canada would be the SIN. This results in the SIN being requested by foreign financial institutions, transferred to their relevant tax authorities and therefore circulating in foreign countries which may not have equivalent data protection requirements. It is possible that the sensitivity of the SIN and the important consequences and risks of these cross-border transfers were not anticipated.

What is the SIN?

The SIN was created in 1964 to serve as a client account number in the administration of the Canada Pension Plan and Canada’s varied employment insurance programs. In 1967, what is now the Canada Revenue Agency started using the SIN for tax reporting purposes (for instance, to administer certain specified federal government laws and programs, such as income tax and the Canada Pension Plan). An individual’s SIN is the personal information of the individual to whom it has been assigned.

Risks of Harm Associated with an Inappropriate Use of the SIN

The use of the SIN as an identifier should be discouraged, especially in light of the fact that a SIN is a sensitive piece of information which may be used in a harmful way against the individual. As stressed by the Office of the Privacy Commissioner of Canada (“OPC”), the SIN “is a critically important piece of personal information for people dealing with federal and other institutions. Because of its value, the number is highly vulnerable to misuse if it falls into the hands of identity thieves.”

The article “How Social Security numbers became Skeleton keys for fraudsters” explains that when fraudsters have the SIN, along with the individual’s name and date of birth, they can use it not only to take over existing bank accounts, but also to open new ones and access benefits and healthcare in the individual’s name. As a matter of fact, there are two main risks of harm associated with an inappropriate use of the SIN. First, there is a risk of data matching: the SIN is considered a key piece of information which can open the door to other personal information, because computer data matching technology can link databases to one another. Second, a SIN can be used to steal someone’s identity and to commit fraud: to apply for a credit card or open a bank account, or to rent vehicles, equipment, or accommodations in someone else’s name, leaving the victim responsible for the bills, charges, bad cheques and taxes.

Recent Security Breaches Involving SINs

Many important security breaches involving SINs have occurred over the past years. That said, it is difficult to determine precisely the number of security breaches (and their extent) that have occurred, given that only one Canadian private sector law (the Alberta PIPA) has made security breach notification mandatory (although similar mandatory notification requirements are on the way for PIPEDA). Under this breach notification requirement, an organization having personal information under its control must, without unreasonable delay, provide notice to the Alberta OIPC of any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a “real risk of significant harm” to an individual as a result of the loss or unauthorized access or disclosure.

The Alberta OIPC publishes its findings for each security incident notified. Since this requirement came into force in 2009, we now have a good idea of the type of information considered harmful when disclosed or made inadvertently accessible to unauthorized third parties. We note that a very high number of security breaches involving SINs have been reported since the coming into force of the mandatory breach notification requirement in Alberta. These cases pertain to security incidents involving SINs in the context of thefts, break-ins or fraud, human error, mailing error or carelessness, or server, network or system breach including hacking. In each reported security incident involving SINs, the Alberta OIPC has consistently concluded that the data involved was highly sensitive and that there was a real risk of significant harm.

The OPC has also issued findings which provide further insight into the fact that SINs are highly sensitive and into the type of stringent security measures which should be used when managing these numbers, and which confirm that SINs should not be circulated widely within an organization. In PIPEDA Settled case summary #4, several employees of a federally-regulated company involved in transportation complained that a list of employees who were receiving severance packages, which included SINs, was forwarded to the employees’ union without their knowledge or consent. In PIPEDA Case Summary #2002-69, a company was improperly using SINs as a way to identify employees.

It is important to point out that many public organizations have also reported security incidents involving SINs. One recently reported incident pertained to the CRA: a woman received a package from the Surrey Tax Centre which included her daughter’s requested tax information slips as well as the confidential personal information (income, benefits and SINs) of five strangers. In the same vein, Employment and Social Development Canada (ESDC) also sustained important breaches involving SINs, including one important breach in 2013 in relation to the loss of an external hard drive containing the personal information, including SINs, of 583,000 Canada student loan borrowers and 250 ESDC employees. The risk that SINs will be lost is very real, considering the complaints and investigations involving SINs reported in recent years.

Legal Restrictions on the Collection, Use and Transfer of SINs

While many organizations may be tempted to use the SIN as a way to identify an individual, identification purposes are generally not in themselves considered a legitimate basis for requiring an individual to provide the SIN. Privacy commissioners in Canada have warned, on several occasions, that SINs are sensitive information and that they are not identifiers. In PIPEDA Case Summary #2003-142, the OPC once again took the opportunity to stress that a SIN is not a piece of identification:

In keeping with the federal government’s position that the SIN should only be used for legislative purposes, I would urge Canadians to refrain from providing their SINs as identification. To do otherwise would be to risk making the SIN a de facto national identifier, instead of simply an individual’s account number for social benefit purposes.

Under private sector data protection laws, an organization can only collect a SIN if it is required by law. Under PIPEDA as well as the Alberta and the B.C. PIPAs, if the organization is requesting the SIN for purposes of identification, the organization has to clearly indicate that the collection is optional. In Quebec, the collection of a SIN for such identification purposes is illegal.

In the public sector, the Government of Canada has issued a Directive on Social Insurance Number (the “Directive”) which took effect on April 1, 2008. In substance, the Directive provides certain important requirements with respect to the collection, use and disclosure of the SIN, as well as with respect to obtaining policy authority for a new collection or a new consistent use of the SIN. With respect to the collection, use and disclosure of the SIN, the Directive provides that government institutions may collect, use and disclose the SIN only for the purposes listed in Appendix A of the Directive. In other words, the SIN “can only be collected or used for administrative or non-administrative purposes expressly authorized under specific acts and regulations, or under programs or activities made pursuant to lawful authority and approved by Treasury Board.” Moreover, the applicable case law confirms that collecting SINs for identification purposes is usually discouraged (See notably Investigation Report F‑2012-001, Southern Alberta Institute of Technology (Investigation #3089), Investigation Report F2005-IR-004, and Investigation Report, Investigation I93-075P (Ministry of Finance), Ontario Information and Privacy Commissioner, January 12, 1994).

In the event that the SIN is required by a foreign entity or if it will be shared with foreign-based entities, it is important to keep in mind that sending personal information, including SINs, to entities located outside of Canada involves additional risks. These foreign organizations may not be subject to laws pertaining to the protection of personal information which are as stringent as Canadian data protection laws and they may not be required to report a security incident affecting information under their control. Moreover, cross-border restrictions in Canada should be considered prior to transferring sensitive information to a foreign jurisdiction.

Private sector entities, before transferring personal information to a foreign organization, are usually required to enter into an agreement with the foreign organization to ensure compliance with specific data security obligations. Moreover, they must inform individuals whose personal information will be transferred outside of Canada that such information will be subject to foreign laws. The Commission d’Accès à l’Information du Québec, in its recent report entitled “Rétablir l’Équilibre”, is further recommending that organizations also analyze the impact and risks associated with the protection of personal information before sending any personal information outside of Québec. In the public sector, certain Canadian provinces, notably Nova Scotia and British Columbia, have made amendments to their respective data protection legislation in response to concerns regarding the U.S. Patriot Act, in order to ensure that personal information is stored and accessed only in Canada, unless specifically stated otherwise.

Alternatives to the Collection and Use of the SIN

There are certain alternatives to the collection and use of SINs for the purpose of identifying an individual. Other, less sensitive pieces of government-issued personal identification that contain a picture, such as a passport (which includes a temporary number), a residency card, a driver’s licence or a health insurance card, may suffice to establish the identity of a given individual. Another aspect to consider is that an organization may view certain pieces of identification to validate identity without “collecting” them or retaining this information. Another option that may address the concern raised with the cross-border transfer of SINs in the context of the CRS may be to create a new identifier tied to specific legislative purposes, such as a tax identification number (a TIN). Such a new identifier could be created in conjunction with the federal government or parliament to ensure compliance with both the domestic legislation currently in force and the transnational obligations arising from international treaties.

 

This content has been updated on November 29, 2016 at 9 h 58 min.