Categories
Accountability Governance Transparency

StatsCan to collect Social Insurance Numbers despite lack of authorisation, oversight

If the census test currently underway is any indication, Statistics Canada is planning to collect a critical piece of personal identification from respondents during the upcoming census. A quick ‘told ya so’ (see What’s the end game) before proceeding.

A Social Insurance Number (SIN) can be used to obtain much more than just Canada Revenue Agency tax file data. That’s why the Government of Canada advises citizens to closely guard their SIN numbers from those not authorised to collect or use them.

Who can ask for my SIN number?
Frequently Asked Questions, Office of the Privacy Commissioner May 15, 2014 (last modified)

Annex 2 – Authorized Federal Uses of the SIN
The Social Insurance Number Code of Practice, Service Canada March 4, 2014 (last modified)

The referenced Privacy Commissioner and Service Canada pages both indicate the legislated and authorised users of Canadian SIN numbers. One agency absent from the list: Statistics Canada. The advice from both the Privacy Commissioner and Service Canada is that citizens shouldn’t share their SIN numbers with unauthorised users; at this point, that includes Statistics Canada. Whether that changes remains to be seen.

It’s here the story gets interesting, since the person who would authorise Statistics Canada’s SIN collection, use and disclosure – which StatsCan claims it needs to compensate for the mandatory long-form Census cancellation  – is none other than Treasury Board President Tony Clement. Yes, the same Tony Clement who as Industry Minister in 2010 cancelled the mandatory long-form – supposedly over privacy concerns – is now responsible for authorising StatsCan’s invasion of Canadians’ privacy to compensate for his decision.

The recently appointed Privacy Commissioner adds another interesting aspect to the story. To put the LLFF reference in perspective, in 2000 then Privacy Commissioner Bruce Phillips took the federal government to task over LLFF invasion of privacy – SIN collection being a end-run around those LLFF concerns. As a career federal government lawyer, Daniel Therrien’s recent nomination raised concerns among civil liberties and privacy advocates (and the federal NDP), as he was recently responsible for justifying the government’s questionable information sharing practices with the US.

Also, a couple of posts last year (here and here) briefly mentioned a few points that went largely unreported in the 2011 long-form Census cancellation story, which primarily focused on the federal government’s decision to change it to a voluntary survey. Little was written about how StatsCan senior management helped along the survey’s demise. The quip by a former StatsCan senior bureaucrat, quoted in the linked CP write-up suggesting survey respondents who refuse to provide their SINs are somehow NSA conspiracy theorists, speaks to an unfortunate but prevalent disposition StatsCan management have toward survey respondents. StatsCan’s incredibly short-sighted Lockheed Martin contract decision, which ultimately led to the long-form Census cancellation, speaks volumes.

 Update 10/07/2014

The Office of the Privacy Commissioner has confirmed StatsCan proceeded with its plan to collect SIN info before the Commissioner had a chance to review it. The OPC is “aware of this initiative” and “currently reviewing it”.

Despite being responsible for authorising federal government agencies’ collection and use of SIN information, Treasury Board Services has refused to confirm whether it had received and/or approved such a request from StatsCan; TBS refused to comment at all on the matter, redirecting all questions to StatsCan.

For its part, StatsCan did not seek official authorisation or approval from TBS. Rather, it asserts this obscure note (see Non-administrative purposes only) authorises it to collect SIN information under the Statistics Act. Problem: The Act doesn’t “expressly authorize” StatsCan to collect/use SIN info, as required under

Appendix A – List of Authorized Purposes for SIN Collection or Use
Directive on Social Insurance Number,Treasury Board Services May 16, 2008 (last modified)

In fact, the Act doesn’t reference Social Insurance Numbers at all. Nor is StatsCan listed in the referenced TBS directive Appendix as an authorised SIN user for any purpose. Basically, at this point there’s no oversight of StatsCan’s SIN collection, use and disclosure.

And that’s without addressing the obvious: that the administration of a survey by the federal government agency whose primary purpose is the administration of surveys can’t reasonably be deemed a “non-administrative purpose”.

Will update further if/when more details are provided. As it stands, the ‘apparently’ has been dropped from the title: StatsCan neither sought nor received approval for its SIN collection scheme from Treasury Board, nor was its scheme reviewed or approved by the federal Privacy Commissioner.

 Update 11/07/2014

Further to a question asking who would have signed off on StatsCan’s SIN collection scheme, final approval would have been with the Chief Statistician – although the Assistant Chief Statistician of the Census, Operations and Communications Field would likely have been the executive making the final decision.

Update 12/07/2014

To address a question/comment regarding a line from the original CP story (linked up top)

The agency is trying to find out if people will reveal a key identifier they’ve been so often warned to protect.

Actually, the agency would have had a decent idea of how people would respond to the question before proceeding with the test questionnaire. Like most somewhat competent agencies that conduct surveys, StatsCan did qualitative testing (focus groups, potential respondent interviews, etc) before finalising the 2016 test questionnaire; while not perfect, these qualitative tests usually give a good indication of the expected wider public response. The 2016 Census/NHS public consultations and tests were conducted in 2012

Update 15/07/2014

Turns out the Office of the Privacy Commissioner was less than forthcoming. Apparently, in 2011 StatsCan had received negative feedback from Mr. Therrien’s predecessor, Jennifer Stoddart, regarding its proposed use of the SIN (and related alternatives, such as a PIN)

Final Report on 2016 Census Options: Proposed Content Determination Framework and Methodology Options
Statistics Canada, August 29, 2012

In her October 31, 2011 written response to Statistics Canada, the Privacy Commissioner of Canada expressed great concerns around the adoption of a PIN. The response included, among others, the following comments:

Our Office and other privacy commissioners have long been opposed to using the SIN as a common identifier. Successive Privacy Commissioners have warned of the dangers of establishing any system of universal identification, be it a modified SIN or some other number.

If the current Privacy Commissioner is ‘reviewing’ what appears to have been fairly clear disapproval of StatsCan’s SIN collection scheme from his predecessor, and apparently isn’t concerned that StatsCan proceeded with the scheme prior to said review, that’s a concern. (The linked 2016 Census doc also mentions the LLFF in the context of StatsCan’s SIN collection scheme.)

 

Leave a Reply

Your email address will not be published. Required fields are marked *