The Social Insurance Number Code of Practice
Section 4 - Private sector's responsibilities
Private sector organizations are only required to collect the Social Insurance Number (SIN) for employment, income tax purposes, government benefit remittances, and other government program requirements.
Despite the limited number of legally required uses of the SIN by the private sector, many businesses use the SIN for a variety of other reasons, such as a client identification number, to increase accuracy in obtaining a credit rating and as an identity document. Using the SIN for these purposes is strongly discouraged. According to the Auditor General's 2002 report on the status of the Social Insurance Number in Canada, practices such as these have greatly jeopardized the integrity of the SIN and has increased the risk of SIN fraud and abuse. The Office of the Privacy Commissioner of Canada has expressed similar concerns and recommends that private sector organizations refrain from requesting the SIN from a client or customer, and that clients and customers should not give their SIN to a private sector organization, unless required by law. The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the use of the SIN. For more information, please visit the Office of the Privacy Commissioner's website.
4.1 Key responsibilities of private sector organizations
The SIN is considered to be personal information under the Personal Information Protection and Electronic Documents Act (PIPEDA); therefore, it's collection, use, disclosure and protection are covered by this legislation. PIPEDA balances an individual's right to privacy with an organization's need to collect, use or disclose personal information for legitimate business purposes.
To respect the principles of this legislation, private sector organizations should fulfill four responsibilities.
1. A private sector organization should never use the SIN as a piece of identification or as a customer identity number.
- The SIN is not an identity document and should not be used for that purpose. If a client's identity needs to be verified, request other pieces of identification.
- Private sector organizations should never ask for a customer's SIN unless they are legally required to collect it (for example, for income reporting purposes). If private sector organizations collect the customer's SIN, they have to fully comply with PIPEDA in disclosing the purpose and obtaining consent. They must then only use the SIN for the disclosed purposes.
- If an organization needs to assign a customer identity number to its clients, the number should be created and used only by that organization. Using the SIN, which was created for another purpose, as an identity number puts clients' personal information at risk and jeopardizes the integrity of the SIN. This practice also increases the chances that identity thieves will target the organization because of the valuable information linked to that number.
2. A private sector organization must inform its clients why it is requesting the SIN at the time of the request, and must only use the SIN for that purpose.
- There is only one reason a private sector organization is required to collect the SIN from its customers – income reporting (for example, financial institutions that must report interest earned in a person's bank account). If the organization is asking for the SIN for that reason, it should clearly state that the request is required by law.
- If a private sector organization decides to request the SIN for other purposes, such as identification, the organization must state clearly at the time of the request why the SIN is being requested and how it will be used. The organization must also tell the person that they do not have to provide their SIN if they do not want to.
- An organization must not use the SIN for any unidentified purpose without the customer's consent.
3. A private sector organization cannot make clients provide their SIN as a condition for receiving a product or service, unless there is a legal requirement for the SIN.
- An organization should ensure that its customers are sufficiently informed and that they consent to the collection and use of their SIN.
- If asking for a customer's SIN for any purpose other than a legal requirement, the organization must not, in any way, suggest to this person that their SIN is required as a condition of receiving a product or service.
- If providing a SIN is not legally required, an organization should offer the customer a convenient mechanism for them to withdraw consent at any time after providing the SIN, if there is to be ongoing use of SIN. The mechanism should be clear, inexpensive, easy to execute, secure and effective.
4. Private sector organizations must protect their clients' personal information, including Social Insurance Numbers, from theft and inappropriate use or disclosure.
- If private sector organizations are entrusted with their customers' personal information, including SINs, they must ensure that this information is safe and secure from theft or inappropriate use or disclosure.
- Customers' personal information should be stored and disposed of safely and securely. Access should be restricted to authorized persons.
- Private sector organizations should follow Annex 7, Private Sector Dos and Don'ts: Requesting, Collecting, Using and Storing the SIN.
- If customers' SINs are stolen or inappropriately used or disclosed, the organization must take immediate steps to minimize the potential damage. See Annex 4, SIN at Risk: Action Plan for Organizations.
4.2 Questions and answers about SIN use in the private sector
1. Why do some private sector organizations request the SIN?
Private sector organizations, such as banks, credit unions and trust companies have a legal obligation to ask for a customer's SIN for any accounts and investments that pay interest. If an account is not interest-earning, the organization is not required by law to ask for the customer's SIN and the customer is not required to provide it.
Some private sector organizations will ask for a customer's SIN, usually for identification or client account number reasons, or to increase accuracy in credit bureau matching, even though there is no legal requirement to request it. Although this practice is strongly discouraged, it is not illegal to do so. However, the organization must tell the customer why his or her SIN is being collected and commit to using it for only that purpose. If the SIN is not legally required, the organization must clearly state that providing the SIN is optional and offer the customer other options.
Before providing their SIN, customers have the right to ask what the legal requirements are for the SIN. Except for specific government programs, customers have a choice about when their SIN is collected and used. It is their decision, and it is one they should carefully consider.
2. Can a private sector organization request the Social Insurance Number as a form of identification?
Identification is not a legitimate reason to ask someone to provide his or her SIN. If your organization wishes to request a SIN for identification purposes only, you must not in any way suggest to the person that his or her SIN is required in order to receive a product, a service or otherwise establish a business relationship.
3. How can private sector organizations obtain more information about the SIN?
Additional information on the SIN is available on the Service Canada website, by calling toll-free at 1-800-206-7218 and selecting option “3” or by visiting a Service Canada Centre.
4. What should private sector organizations do if clients' personal information, including the SIN, is put at risk (for example, through theft or inappropriate disclosure)?
Theft or inappropriate disclosure of personal information can still occur, no matter what policies and practices are in place. Organizations should be prepared by developing measures to minimize any potential damage. To find out what steps organizations can take, see Annex 4, SIN at Risk: Action Plan for Organizations.
5. What should private sector organizations do with SINs collected from clients before PIPEDA was enacted, when consent was not required?
The provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) , including the consent principle, apply to all personal information held by an organization, no matter when the information was collected. In some cases, destroying or erasing older files may be the most appropriate way to deal with this information. However, organizations do not necessarily need to seek consent to continue holding and using SINs on file. To decide whether a customer's SIN should be kept, ask the following questions:
- Is the information still serving (or has it ever served) a useful or necessary purpose?
- Is there a legal or contractual requirement to keep the information?
- Is it likely the individual would expect the organization to continue holding the information on file?
If the answer to any of these questions is ‘no', it is best to dispose of these SINs in a safe and secure manner.
6. What should private sector organizations do to protect the security and privacy of SINs and other personal information they have in their care?
Any organization that collects SINs should take steps to ensure they are protected from theft or loss, and can be disposed of securely. SINs stored in hard-copy format should be kept under lock and key. SINs stored electronically should be encrypted or password protected, from other personal information. Some fax machines retain personal information, such as the SIN, from previous transmissions. Be sure that any equipment or material that could contain personal and private information is disposed of securely.
Organizations should only allow access to SINs to those employees who need the information to perform their duties. These employees should be required to sign confidentiality agreements and should be aware of possible disciplinary consequences if they misuse another individual's personal information, including the SIN.
For more information on protecting the security and privacy of SINs, refer to Annex 7, Private Sector Do s and Don'ts: Requesting, Collecting, Using and Storing the SIN.
7. Do private sector organizations have to inform individuals about the personal information in their possession?
Organizations should pursue a policy of openness with their clients, and readily disclose personal records to the individual to whom they belong. Individuals are entitled to be aware of the content of any personal information about them being held by private sector organizations. For more information on PIPEDA's Openness Principle, please visit the website of the Office of the Privacy Commissioner.
4.3 Service Canada's commitment to private sector organizations
Identity fraud, including stolen, lost and borrowed SINs, can lead to increased costs for individuals, organizations and governments. Although many private sector organizations are not legally required to collect a SIN for purposes other than employment, some continue to collect and use clients' SINs for a variety of additional purposes.
Given this use of the SIN in the private sector, Service Canada is committed to:
- offering guidance, information, education and tools to help organizations fulfill their SIN responsibilities and provide direction on alternatives to using the SIN
- providing assistance to organizations in the event that SIN information in their care has been compromised
- working with organizations to detect, report and investigate suspected misuse of a SIN.
- Date modified: