Information & Ethics Committee on April 1st, 2014

I cannot comment on the overall impact of identity theft or on the economy. It's not something we are looking at.

Yes, the SIN code of practice is an element where we provide advice to employers, stakeholders, and individuals of what they should do or not do to protect personal information.

One example for employers is that we would recommend they don't use the social insurance number as the employee identifier on their system, and also we would recommend to only put the social insurance number in letters if required, like for a T4. But for other kinds of communication, we would recommend that they don't communicate the social insurance numbers. That would be an example that we put in the code of practice, just to increase their awareness around the importance of protecting the social insurance number, in particular.

I cannot speak about income tax fraud. I think CRA would be a better place to determine the techniques to identify that. But clearly for us, we put the dormant flag because when people are leaving the country—most of the time it's because they are not in the country or they could be active in a war zone—there's an issue of not knowing where they are any more. There's always increased risk as time passes that if that person wants to reactivate the SIN, it could be misused. and because of that, it's one of the things we implement. We begin to put what we call a dormant flag. It's a flag which is on the SIR to indicate that.... In that case, we require that the individual who wants to reuse their social insurance number come to the office to reactivate their social insurance number. That will give us additional assurance that it is the right person who wants to reactivate their SIN. It's to ensure that the right person receives the right benefit.

I will need to follow up specifically on what the process is for. But the reason parents would like to have a social insurance number at birth is to be able to contribute to the student savings account and be able to get the grants associated with it. Basically, that is one of the reasons.

Yes, because it's considered as program use.

Through our vital events linkages with the provinces and territories, when they get a birth certificate from the province, the newborn registration is marked in their SIR record as having been issued as part of the newborn registration process or SIN at birth.

For many years we had information on our Internet site to indicate that Service Canada will not reach clients that way. More recently, we took further steps. We put it more up front, on the first page of the Service Canada website, to ensure that people are aware that they could face phishing scams. It refers them to a more detailed page concerning what they should not respond to and gives examples of potential phishing scams.

But we are constantly playing a proactive role, in terms of putting it up front in our main Service Canada page, to ensure that people are aware that they could face those kinds of scams.

Actually, one of the contexts in which we've had to deal with attempted phishing scams is the government's Job Bank website. We have put up a number of messages there that say, among other things, that Job Bank will not ask you for your financial information, will not ask for money, and that this is the only validated job site.

The Canadian Anti-Fraud Centre provides a website with things to look for, such as phishing scams, how to prevent fraud and identity theft, among other things.

I will have to check. I don't think we systematically put an insert in with mailing information about potential phishing scams, but I will look into that to see whether we're doing something on a more systematic basis. My understanding is that we don't do it. In fact, as I said, these days the Internet has become the vehicle of preference to communicate information.

In fact, this would not be my opinion, but there's an agreement we have in terms of the three characteristics of what is considered a breach that needs to be reported to the Privacy Commissioner.

It's that the information is directly related to personal information that is sensitive, such as financial or medical information, or to a personal identifier such as the social insurance number. It's that there is a risk of identity theft or fraud. And it's if the incident may cause damage to the career, reputation, financial situation, security, health or well-being of the person.

This is the criteria that are used to assess if it is necessary to report the breach to the Privacy Commissioner.

Agreed.