Directive on Social Insurance Number
1. Effective date
1.1 This directive takes effect on April 1, 2008.
1.2 It replaces the "Policy requirements related to the Social Insurance Number (SIN)" section in the Policy on Privacy and Data Protection (1993).
2.1 This directive applies to government institutions as defined in section 3 of the Privacy Act (the Act), including parent Crown corporations and any wholly owned subsidiary of these corporations.
2.2 The directive does not apply to the Bank of Canada, nor does it apply to use of the SIN by the provinces or territories or in the private sector.
2.3 The directive does not apply to a government institution whose head has been delegated, under subsection 71(6) of the Act, the authority to approve new personal information banks or substantial modifications to existing personal information banks that include the SIN. The head of such a government institution will, however, be required to comply with the specified terms and conditions related to the handling of the SIN outlined in the delegation.
3.1 The SIN is a nine-digit number used in the administration of specific Canadian government programs and activities. It is not a piece of identification; rather, as defined in the Employment Insurance Act (EIA), the SIN is a number suitable for use as a file number or account number or for data-processing purposes. As a personal identifier, the SIN plays a vital role in the sound management and integrity of key federal government programs and activities. Human Resources and Social Development Canada has legislative authority for issuing the SIN and maintaining the Social Insurance Registry (SIR), including disclosure of information from the SIR under subsection 139(5) of the EIA.
3.2 The Privacy Act and its Regulations provide the legal framework for the collection, retention, accuracy, use, disclosure and disposition of personal information in the administration of programs and activities by government institutions. Personal information includes, among other things, identifying numbers, such as the SIN. The SIN facilitates data matching, which in turn can raise privacy concerns. As such, the Government of Canada is committed to using the SIN in an effective manner while ensuring that adequate policy measures are in place to protect the privacy of individuals in the delivery of programs and activities.
3.3 The Privacy Act requires that a government institution not collect any more personal information than is necessary for its programs or activities. These programs and activities are required to be established under a parliamentary authority. The Act also states that government institutions have to collect, whenever possible, personal information directly from the individual, and ensure that individuals are informed of the purpose for which the information is being collected. Under the Privacy Act, personal information may be used by a government institution without the individual's consent only for:
- The purpose for which the information was collected;
- A use which is consistent with that purpose; or
- A purpose for which the information may be disclosed to the government institution under subsection 8(2) of the Act.
3.4 In addition to the protection afforded to all personal information under the Privacy Act, in 1989, the government chose to implement a policy restricting the collection and use of the SIN to specific administrative purposes. In keeping with the historic intent to limit the use of the SIN, this directive outlines the specific privacy requirements related to the collection, use or disclosure of the SIN by government institutions and establishes the policy process to be followed to obtain approval of a new collection or a new consistent use of the SIN in the federal public sector.
3.5 This directive is to be read in conjunction with the Policy on Privacy Protection.
3.6 This directive is issued pursuant to the authority of the President of the Treasury Board provided under paragraph 71(1)(d) and subsections 71(3) and 71(4) of the Privacy Act.
3.7 Additional mandatory requirements for government institutions that are subject to the Privacy Act are set out in the Policy on Privacy Protection and the Policy on Privacy Impact Assessment.
4.1 Definitions to be used in the interpretation of this directive are in the Policy on Privacy Protection.
5. Directive statement
The objectives of this directive are:
5.1.1 To outline specific restrictions on the collection, use and disclosure of the SIN by government institutions;
5.1.2 To specify the processes for establishing policy authorization for a new collection or new consistent use of the SIN.
5.2 Expected results
The expected results of this directive are:
5.2.1 Sound management and decisions with respect to the collection and use of the SIN;
5.2.2 Collection and use of the SIN by government institutions only for the authorized and lawful purposes outlined in Appendix A; and
5.2.3 Consistent notification of the purposes for which the SIN is being collected by government institutions and public reporting of these uses.
6.1 Collection of the SIN
With respect to the SIN, government institutions are required to comply with the collection, use and disclosure provisions of the Privacy Act and are responsible for:
6.1 Collection of the SIN
6.1.1 Collecting the SIN only for the purposes listed in Appendix A;
6.1.2 Providing notification to individuals when collecting the SIN for both administrative and non-administrative purposes, so that they understand:
- Why the SIN is being collected;
- How it will be used; and
- What the consequences are for not providing the SIN; for example, being ineligible for a benefit or privilege.
The requirement to notify does not apply where the notification might defeat the purpose or prejudice the use for which the information is collected, for example, in the case of an investigation. See Appendix A for more information on lawful investigations.
6.2 Use and disclosure of the SIN
6.2.1 Ensuring that any use or disclosure of the SIN is consistent with and related to the purposes listed in Appendix A. This means ensuring that, when disclosing the SIN, the institution collecting the SIN has lawful authority to do so. This includes intergovernmental programs and activities.
6.2.2 Putting in place an agreement, arrangement or contract when the disclosure of the SIN is to occur on a routine or systematic basis.
6.2.3 Including specific provisions within arrangements, agreements or contracts stipulating that the SIN will only be used for purposes which are consistent with the terms of the arrangements, agreements or contracts. The specific provisions will also comply with this directive and the Privacy Act.
6.3 Obtaining policy authority for a new collection or a new consistent use of the SIN
6.3.1 Ensuring that any proposal seeking policy authority for a new collection or a new consistent use of the SIN:
- Is for purposes related to administering pensions, income tax, health or social programs; and
- Is consistent with the definition of the SIN under the Employment Insurance Act.
6.3.2. There are two ways by which government institutions can establish lawful authority for a new collection and a new consistent use of the SIN. These are:
- Referring expressly to the SIN in new or amended statutes or regulations:
Government institutions follow the federal legislative process in order to have the SIN referred to explicitly in a new or existing statute or regulation. This process does not require policy approval by Treasury Board; or
- Establishing implicit legal authority:
Government institutions are to have parliamentary authority for the program or activity for which personal information is being collected. Under the Privacy Act, personal information including the SIN can be collected only if it relates directly to such a program or activity. Government institutions are to also have a demonstrable need to collect or use the SIN under that program or activity.
In the case of a new consistent use, the new use must have a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled.
6.3.3 In the case where a government institution establishes implicit legal authority, it then has to seek policy approval from Treasury Board Ministers prior to implementing a new collection or a new consistent use of the SIN. Details on the process for obtaining policy approval for a new collection or a new consistent use of the SIN are outlined in Appendix B.
Note: the SIN may still be used or disclosed in a manner consistent with subsection 8(2) and paragraphs 8(2)(b) to 8(2)(m) of the Privacy Act. There is no need to seek special policy authority for such uses and disclosures. The original collection must nevertheless have been in compliance with this Directive.
6.4 Identification of SIN use
6.4.1 Identifying the SIN use in personal information bank descriptions in the government institution's chapter in Info Source by citing:
- The authority under which the number is collected; and
- The purposes for which it is used.
6.5 Monitoring and reporting requirements
Heads of government institutions or authorized delegate(s) are responsible for:
6.5.1 Monitoring compliance with this directive within their institutions.
6.5.2 Notifying Treasury Board Secretariat (TBS) officials of changes in the institution's responsibilities resulting from government restructuring or legislative amendments that require changes to the "List of Authorized Purposes of the SIN" (Appendix A).
Treasury Board Secretariat is responsible for:
6.5.3 Monitoring compliance with this directive by analyzing and reviewing:
- Personal information bank descriptions required by the Privacy Act;
- Annual reports to Parliament;
- Statistical reports on the administration of the Privacy Act; and
- Other information obtained or requested by TBS that is relevant to the administration of the Privacy Act.
6.5.4 Reviewing this directive and its effectiveness five years following its implementation. When substantiated by risk-analysis, TBS will also ensure that an evaluation is conducted.
7.1 The consequences that apply to non-compliance or compliance with this directive are identified in section 7 of the Policy on Privacy Protection.
8. Roles and responsibilities of government organizations
8.1 Treasury Board Secretariat is responsible for issuing policy direction and guidance to government institutions with respect to the administration of the Privacy Act. As such, TBS:
- Ensures that PIBs are maintained and managed in compliance with the Act;
- Prescribes the format and content of the annual report, which may include specific reporting requirements related to new uses of the SIN;
- Reviews and approves new or revised PIBs, including those that propose new uses of the SIN, for government institutions that are departments under the Financial Administration Act; and
- Directs the terms and conditions for approval of PIBs, as well as the terms and conditions for delegating the review and approval of PIBs, to heads of these institutions.
8.2 Human Resources and Social Development Canada is the government institution with parliamentary authority for issuing SINs and maintaining the SIR, including disclosure of information from the SIR under subsection 139(5) of the EIA.
8.3 The Privacy Commissioner of Canada is an Officer of Parliament who investigates complaints from individuals regarding the handling of personal information, including the SIN, by federal government institutions. In addition, the Commissioner has the authority to conduct compliance reviews of the privacy practices of government institutions as the practices relate to the collection, retention, accuracy, use, disclosure and disposal of personal information by government institutions subject to the Act. The Commissioner has the power of an ombudsman and can make recommendations with respect to any matter which has been investigated or reviewed. In addition, the Commissioner can report on institutional activities in annual or special reports to Parliament.
10.1 Please direct enquiries about this directive to your institution's ATIP Coordinator. For interpretation of this directive, the ATIP Coordinator is to contact:
Chief Information Officer Branch
Treasury Board Secretariat
219 Laurier Avenue West
Ottawa ON K1A 0R5
Telephone: 613- 946-4945
Appendix A - List of Authorized Purposes for SIN Collection or Use
The SIN can only be collected or used for administrative or non-administrative purposes expressly authorized under specific acts and regulations, or under programs or activities made pursuant to lawful authority and approved by Treasury Board. The Acts and Regulations that explicitly refer to the SIN, and the specific programs and activities that are authorized are listed below.
Express reference in Acts or Regulations
- Budget Implementation Act 1998 (Canada Education Savings Grants)
- Canada Disability Savings Act
- Canada Elections Act
- Canada Labour Standards Regulations (Canada Labour Code)
- Canada Pension Plan Regulations (Canada Pension Plan)
- Canada Student Financial Assistance Actand Regulations
- Canada Student Loans Regulations (Canada Student Loans Act)
- Canadian Forces Members and Veterans Re-establishment and Compensation Act
- Canadian Wheat Board Act
- Employment Insurance Act
- Excise Tax Act (Part IX - Goods and Services Tax)
- Farm Income Protection Act
- Family Support Orders and Agreements Garnishment Regulations (Family Orders and Agreements Enforcement Assistance Act)
- Gasoline and Aviation Gasoline Excise Tax Application Regulations (Excise Tax Act)
- Income Tax Act
- Labour Adjustment Benefits Act
- Old Age Security Regulations (Old Age Security Act)
- Tax Rebate Discounting Regulations (Tax Rebate Discounting Act)
- Veterans Allowance Regulations (War Veterans Allowance Act)
Programs or activities
- Immigration Adjustment Assistance Program – renamed to Immigration Resettlement Assistance Program in 1998 (Citizenship and Immigration) including the Immigration Program Accounts Receivable (IPAR).
- Income and Health Care Programs (Veterans Affairs)
- Tax Case Appeals (Canada Revenue Agency)
- Labour Adjustment Review Board (Human Resources and Social Development Canada)
- National Dose Registry for Occupational Exposures to Radiation (Health Canada)
- Rural and Native Housing Program (Canada Mortgage and Housing Corporation)
- Social Assistance and Economic Development Program (Indian and Northern Affairs)
- Aboriginal Programs (Human Resources and Skills Development Canada)
- Apprenticeship Incentive Grant (Human Resources and Social Development Canada)
- Opportunities Fund for Persons with Disabilities (Human Resources and Social Development Canada)
- Universal Child Care Benefit Program (Canada Revenue Agency)
- Youth Employment Strategy (Human Resources and Social Development Canada)
- Pension Plans for the Public Service, Canadian Forces and the Royal Canadian Mounted Police
The following is a list of uses of the SIN that are appropriate given the historical and legislative context. The SIN is not systematically, but rather, is incidentally collected as part of the requirements of administering these programs or activities.
Historical file retrieval
Library and Archives Canada and the Department of National Defence are authorized to use the SIN for retrieval of historical files in instances when the SIN is the only identifier available for former government employees and former military personnel. This is because the SIN was the identifier used before the conversion to an employee identifying number or military service number was made. Also, Canada Mortgage and Housing Corporation is authorized to use the SIN for file retrieval and enquiries associated with the Rural and Native and Housing program, which was terminated in 1993. The Canadian Government Annuities Program is authorized to use the SIN in the administration of their program. Other government institutions may have similar requirements; however, the use of the SIN would be limited to historical file retrieval only.
Lawful investigation and SIN collection and use
Entities are to limit their collection of the SIN to specific circumstances when the SIN is relevant and directly related to investigative activities or when it is collected or provided as part of the evidence gathering process. This may also include the activities of government institutions involved in investigations and intelligence gathering with respect to suspected money laundering and terrorist financing.
Other purposes related to administration of legislation
The Canada Deposit Insurance Corporation (CDIC) may collect and use the SIN:
- When a member institution's future viability is in doubt or its failure is imminent and the CDIC needs to conduct preparatory examinations in anticipation of having to make timely deposit insurance payments under the Canada Deposit Insurance Corporation Act; and
- When a member institution fails and the CDIC needs to make deposit insurance payments under the Canada Deposit Insurance Corporation Act, in addition to fulfilling its other obligations under that Act.
Finance Canada is authorized to share the SIN with the Canada Revenue Agency as per the Income Tax Act and the Excise Tax Act.
The Public Service Commission is authorized to collect the SIN from Public Works and Government Services Canada for the purpose of creating a client service number.
Non-administrative purposes only
Statistics Canada, Library and Archives Canada and the Auditor General of Canada are authorized to use the SIN for non-administrative purposes in a manner consistent with the administration of the Statistics Act, the Library and Archives of Canada Act and the Auditor General Act, respectively.
Appendix B - Obtaining Policy Approval
Step 1 - Initial assessment
Government institutions seeking to determine whether policy approval for a new collection or new consistent use of the SIN is appropriate have to assess the following:
- The necessity of the SIN in the administration of the program or activity:
- This means establishing that the collection of the SIN is more than simply advantageous but, rather, is integral to the program or activity and is demonstrably necessary. It also means establishing that non-use of the SIN would have significant detrimental impacts.
- The reasons for not proceeding with legislative amendments to expressly authorize the new collection or new consistent use of the SIN.
- An institution that wishes to pursue policy approval through Treasury Board, after considering the necessity of using the SIN and the reasons for not obtaining new express parliamentary authority, must take into account:
- The authorities provided under the institution's enabling legislation(s);
- The relation of the proposed new SIN use to an existing SIN use or other legislative uses of the SIN;
- The Privacy Act and possible considerations related to the Charter of Rights and Freedoms; and
- The Policy on Privacy Protection and its relevant directives and standards.
It is imperative that institutions establish parliamentary authority for the collection, which will form the legislative basis for denying access to a right, benefit or service if an individual does not provide the SIN. It is to be noted that requesting consent from the individual as a way of obtaining the SIN does not replace the requirement to demonstrate parliamentary and policy authority as outlined in this directive.
Step 2 - Analysis and consultation
Before seeking approval from Treasury Board Ministers, the following process is required:
- Notify the Privacy Commissioner in compliance with section 6.2.12 of the Policy on Privacy Protection and subsection 9(4) of the Privacy Act.
Step 3 - Seeking approval
Obtain approval from Treasury Board Ministers:
- Government institutions are required to either prepare a submission requesting approval of a new collection or new consistent use of the SIN or include the request as part of a broader submission for the program or activity. The considerations assessed under step 1 of this Appendix are to be reflected in the body of the submission.