Human Resources Committee on April 17th, 2007

Thank you, Mr. Chair, for inviting us to discuss chapter 6 of our February status report on the management of the social insurance number.

I am accompanied by Nancy Cheng, assistant auditor general, and Nick Swales, the director responsible for this audit.

As you know, the social insurance number is a unique nine-digit number issued to Canadian citizens, permanent residents, and temporary residents working in Canada. It is used to record income, taxes paid, and contribution to government benefit plans, and it is also used in providing access to many government services. Service Canada issues social insurance numbers and maintains the social insurance register, which is the database that contains the basic personal information of people who apply for a social insurance number.

When we met with this committee last June to discuss our previous work on the management of the social insurance number, we indicated we were planning an audit to assess what progress had been made on recommendations from our 2002 audit of the social insurance number. That audit was itself a follow-up on earlier recommendations, so this year's report is our fourth audit on the management of the social insurance number since 1998. I am pleased to be able to discuss the results of our most recent audit with you today.

We found that Service Canada had taken action in many areas to address deficiencies we identified in 2002. It has improved the assignment procedure of SINs by strengthening the standards for establishing identity, citizenship and proof of need before issuing a SIN, by adding an expiry date to 900-series SINs, and by redesigning its process for assigning SINs. Service Canada has also improved its approach to SIN investigations. Investigations are now identified more from indicators of risk, and SIN investigators have access to better training and tools.

There is still work to be done in these areas, notably by completing the links necessary for Service Canada to validate birth, death and citizenship information with the provinces and with Citizenship and Immigration Canada. Nonetheless, our assessment has shown progress in these areas since our 2002 audit to be satisfactory.

However, our conclusion overall was that the government has not made satisfactory progress in addressing our 2002 recommendations because two significant concerns that we noted as long ago as 1998 have still not been solved.

Our first concern is that Service Canada still does not have adequate assurance about the quality of information in the social insurance register. It has not determined how accurate, complete, and reliable the data should be and it does not have a systematic means for measuring data quality. We consider this to be an important weakness, particularly since Service Canada is increasingly using the register to identify people accessing its services.

The second problem is that the Treasury Board policy on the use of the social insurance number is not sufficiently clear. The policy has not been updated since it was issued in 1989, even though Treasury Board Secretariat completed a study in 2003 that confirmed the existence of various gaps in its policies and procedures on use of the social insurance number. Our concern is that the lack of clarity leads to inconsistent application of policy requirements, thereby increasing the risk of inappropriate use of the social insurance number.

We did find that Service Canada and Treasury Board Secretariat have made progress in better understanding these problems since 2002, but it is our opinion that the government should have implemented solutions by this time.

We are pleased that the Treasury Board Secretariat, Human Resources and Social Development Canada and Service Canada agree with our recommendations and committed to action, in several cases by as early as this past March. The committee members may wish to ask Service Canada whether it has met these goals and whether it and the Treasury Board Secretariat are on target to complete the rest of their actions as planned.

Mr. Chairman that concludes my opening statement. We will be pleased to answer your committee's questions.

Thank you.

Yes, I am.

Mr. Chair, thank you for the invitation to speak to the committee about the Auditor General's status report on the management of the social insurance number and the ongoing efforts of Service Canada to strengthen the integrity of the SIN and the social insurance register.

I'm joined today by Onno Kremers, director general, Identity Management Services.

The SIN is an important element of Service Canada's vision for providing Canadians with seamless service focused on their needs. That is one of the reasons why we commissioned a review by PriceWaterhouseCoopers early last year to assess the progress we have made since the Auditor General's 2002 report. PWC concluded that the actions we were taking had increased the effectiveness and efficiency of processes, and has resulted in improved controls and an increased level of integrity within both the SIN and the SIR.

PWC also identified areas for improvement and we are focusing on those at this time as we address the recommendations of the Auditor General.

Mr. Chair, the first issue I'd like to discuss is the appropriate use of the SIN. The government's ongoing response to this issue is twofold.

First, it involves making sure that government policy on how the SIN should be used by departments is up to date and clear. My colleagues from the Treasury Board Secretariat will speak to this issue.

On a specific matter raised in the audit, I would like to mention that the Treasury Board has authorized the use of the SIN in the youth employment strategy program administered by Human Resources and Skills Development Canada.

The other important aspect of the Government's response is explaining to SIN holders how the SIN should be used so that they can better protect their personal information. Service Canada developed the SIN Code of Practice. The Code provides practical guidance and tools, and is available on our website.

A second key area of SIN management is the issuance process. We have implemented a new process, SIN rapid access, which makes it faster, simpler, and more secure to obtain a SIN. As part of this new approach, our citizen service agents issuing SINs have received mandatory training and certification.

In addition, we are accepting only proof of identity documents, such as a birth certificate, in support of a SIN application. We have also introduced expiry dates on SINs issued to temporary residents—the 900-series. This date is linked to their stay in Canada.

One of our goals is to have access to provincial vital events information at the time of SIN application. At present, we have agreements with New Brunswick, Ontario, British Columbia, and recently Alberta. We'll be introducing real-time data validation with Ontario and British Columbia this year. Work is proceeding with the remaining provinces and the territories to conclude similar agreements. We already have real-time access to immigration information for all temporary workers and permanent residents.

We have established a new SIN at birth service within Ontario and in B.C. This service combines three processes into one: registering a birth, applying for a birth certificate, and applying for a social insurance number. This makes it much simpler and less time-consuming for parents of newborns to obtain their child's important documents. It's a good example of Service Canada's vision of a seamless, client-centred service.

A third key area of SIN management is the integrity of the information in the social insurance register. Obviously, Mr. Chair, the improvements I have described in issuing SINs contribute directly to better information integrity through more rigour in the application process. As well, our vital events agreements allow us to obtain timely and accurate birth and death data from the provinces to improve the integrity of information held by the register.

As a further safeguard, we also placed dormant flags on SINs that have not been used for five years. Our latest annual dormant run was completed in January.

In addition, we are setting goals for register accuracy and completeness to understand how effective our measures to improve its integrity have been and to identify what further measures are still needed. To do this, we are first determining the current level of accuracy of key data. We will then determine the potential cost to federal programs of any errors, which will allow us to set goals. Once established, we will regularly monitor and report on our progress.

Service Canada will also continue to refine its risk-based approach to SIN-related investigations, which often result in corrections to the information in the Register.

Mr. Chair, I would like to take a moment to comment on the number of usable SINs compared to the population that is over 30 years old and resident in Canada.

As you know, there are significant numbers of Canadians who are studying or working or have retired outside the country who have SINs and may not be counted in population estimates. In fact, recent studies estimate that a sizable portion of the Canadian population is actually living abroad. Depending on how long these SIN holders have been away, their SINs may have been flagged as dormant.

Mr. Chair, the important point is that because SIN holders living abroad are not counted in population estimates, the total number of SIN holders will always be greater than the comparable population living in Canada. It is also important to remember that having a SIN does not automatically entitle anyone to program payments. It is just one of many controls. Applicants must also prove that they meet entitlement criteria specific to each program before receiving a payment. For example, to receive employment insurance, you must have separate proof that you have worked in insurable employment, have had your earnings interrupted, and have worked enough hours to qualify. Nonetheless, the SIN is one of our key program controls, and accordingly, its integrity is important. That is why we are taking all the measures I have described to strengthen the SIR. That is why we are seeking vital events agreements, and that is why we put risk flags on inactive SINs. In our view, and as the Auditor General has reported, we are heading in the right direction on this issue.

Mr. Chair, let me conclude by saying that we are pleased that the Auditor General has recognized the significant progress we have made since 2002 in many areas of SIN management. We also acknowledge that there are other areas where we can do better, and we are working hard on them.

Thank you, and we welcome the opportunity to answer any questions the committee may have.

Thank you so much, Mr. Chair.

My name is Jim Alexander, and I'm the deputy chief information officer at Treasury Board Secretariat. I'm accompanied today by Donald Lemieux, who is the executive director of the information and privacy policy division.

On behalf of Treasury Board Secretariat, I would like to begin by thanking the committee for this opportunity to discuss the role of Treasury Board Secretariat with regard to the management of the social insurance number.

We were called here today to talk about the recommendations from the Office of the Auditor General and how Treasury Board Secretariat is progressing in addressing them. I trust that all members of the committee have received copies of the deck that we provided to the clerk earlier.

As shown in slide 2 of the presentation, the OAG recommended that Treasury Board Secretariat should update the policy framework governing the use of the social insurance number by March 31, 2008, and ensure that the policy instruments governing the use of the SIN in the federal government close the gaps identified in the 2003 review.

As TBS indicated in the response to the recommendations, TBS is committed to updating and clarifying the policy requirements governing the use of the SIN in the federal government by March 31, 2008.

I'll discuss TBS's commitments in more detail later in the presentation. However, I'd first like to provide a general overview of the accountability structure for the management of the SIN. This will help to position Treasury Board Secretariat's privacy role with respect to the SIN, and then I'll provide an outline of TBS's policy renewal process as it relates to the SIN policy components.

On slide 3, the President of the Treasury Board, as designated minister under the Privacy Act, is responsible for developing and issuing privacy policy, including those components that govern how federal departments collect and use the SIN. The current policy components on the use of the SIN are part of the policy manual and guidelines on privacy and data protection. TBS privacy policies also provide direction and guidance on data matching, processing of privacy requests, and the conduct of privacy impact assessments. It should also be noted that the Office of the Privacy Commissioner of Canada monitors compliance with the Privacy Act, and as such, monitors SIN use by government institutions that are subject to the Privacy Act.

On slide 4, the SIN was conceived as an efficient tool for facilitating the comparing of data. In other words, the SIN was to be used for data-matching purposes within the federal government. The government's privacy policy components on the SIN were intended to ensure that there would be limits on SIN use at the federal level, as it could easily be used as a tool to link personal information held by various government institutions. The policy was intended to mitigate this risk. The policy components do not, nor were they ever intended to, address the reliability of the social insurance number or the integrity of the social insurance register, or the collection and use of the social insurance number in the private sector or in other jurisdictions.

On slide 5, in 2002, TBS, with the assistance of an interdepartmental committee, initiated a government-wide review of SIN and data matching. The review involved approximately 160 government institutions. The objectives of the review were to determine how and why federal institutions were using the SIN, to identify and review all current uses of the SIN by federal institutions, to propose the necessary revisions to data matching and SIN components of the policy, and to provide a final report with recommendations to the President of the Treasury Board. In 2003, a final report was presented to the then Treasury Board president, who instructed TBS officials to proceed with developing a draft revised policy in accordance with those recommendations.

On slide 6, in 2004, TBS needed to address the immediate privacy concerns related to transborder data flows and risks related to the U.S.A. Patriot Act. TBS launched, therefore, a government-wide review, which culminated in the publishing of the Privacy Matters report and guidance in 2006. This report outlined the results of the review and presented the government's strategy to address possible privacy risks posed by foreign legislation, namely the U.S.A. Patriot Act. The Privacy Commissioner expressed support for this strategy and the resulting documents that came out as guidance.

Despite being pulled on other priorities, TBS remains very committed to clarifying those policy gaps identified in 2003. For example, the current SIN policy was silent on the use of the SIN for purposes related to statistical research, audit, and evaluation purposes. Also, clarification was needed with respect to use of the SIN in the context of cross-jurisdictional personal information sharing agreements.

TBS intends to clarify what constitutes authorized use of the SIN for any new purpose. As indicated in our response to the Auditor General, we are committed to completing this work by March 2008.

On slide 7, the review and renewal of the SIN components of the TBS privacy policy were subsumed under the broader TBS effort to renew its entire policy suite. The objectives of this policy renewal are to clarify management responsibilities and accountabilities; establish a clear distinction between the duties of deputy heads and those of functional experts; create an integrated and streamlined consolidated policy infrastructure that is coherent across the policies; and establish an organizational structure to ensure that the policies, including the SIN policy requirements, remain current, relevant, and clear as changes happen. As such, it was important to align the SIN and data-matching policy work within the broader context of the TBS policy work.

Slide 8 speaks to the renewal process and timelines. In terms of the revision to the SIN and data-matching policy components, we've already undertaken extensive consultations with other federal institutions through a secretariat-led interdepartmental committee. We've also obtained the views of the Office of the Privacy Commissioner on the proposed revisions to the SIN and data-matching policy components, as well as areas of improvement for the privacy impact assessment policy. As indicated in the TBS response to the OAG, Mr. Chair, the secretariat will ensure that the TBS policy requirements governing the use of the SIN in the federal government are updated and clarified by March 31, 2008, to close those gaps identified in the 2003 secretariat review.

I've also included, for reference in the deck, an annex that lists the legislated uses of the SIN as well as other authorized uses of the SIN in the federal government.

Thank you, Mr. Chair, for your attention. I would be pleased to respond to any questions or clarifications.

Mr. Chair, let me begin by saying that the passport is not currently one of the documents we use for the purposes of issuing SINs. What we decided several years ago is to go back to foundation documents. You'll recall that in 2002, when the Auditor General looked at the SIN program, she found that there were several dozen different kinds of documents that could be used in the SIN issuance process as proof of identity, including photocopies of those documents that were notarized. The department decided to consolidate, go to the basic documents like the birth certificate and a handful of other documents, and build up from there.

The passport, as we all know, requires a proof of citizenship to be obtained and also includes a picture, which could be useful, and I wouldn't discount our allowing some of our clients in the future to use it if they happen not to have the birth certificate for some reason. But I'd like to point out that an awful lot of the SIN recipients are under 16 years old. So while a SIN could be used, it would almost never be used, given the way we've seen our clientele for SINs develop over time. I'm sure you know why that would be, with registered education saving plans and so on or new immigrants to Canada. Then the Canadian passport isn't the first document they would get. The SIN would probably be first.

But it's something we're always looking at. Part of what we want to do is maintain integrity at the same time as we provide good service to Canadians, and it is true that if you've invested in a passport and lined up to get one, then you ought to be able to use it for perhaps other government services. So it's something we'll take away and we'll look at again.

Onno, would you like to answer that?

For Canadians who are born in Canada we use original documents, such as a birth certificate or a citizenship document. For those who are not born in Canada we use immigration documents.

It's available on our website. It's been there for a couple of months. It is, we hope, written in user-friendly language. It's a long list of dos and don'ts for SIN holders and employers. It also provides guidance on what happens if you think your SIN has been compromised--say you lost your wallet and you're worried that someone may use your SIN, what to look for--or if you think it actually is happening, how to contact us and what we might do to help. But we want to keep it evergreen, so as we get feedback on the code of practice from employers and SIN holders, we'll revise it.

We are now considering how we can become a little more proactive in making Canadians know that the code exists. Now you have to find it on our website. Perhaps we should be advertising it a little bit more aggressively, and we're looking at that now.

We do make mention of the public reporting and the commitment by the department to provide that information. The department had agreed to the recommendations. I believe there has been one report that was presented, and then after that there was some mention made in the departmental performance reports. But we indicate in our audit that we found the information being provided was inadequate, that there needed to be more fulsome information. The department again agreed with that recommendation and indicated a commitment to improving on that.

Mr. Chair, we commissioned the work by Pricewaterhouse because the nature of SIN management in the SIR is one of continuous improvement. Knowing that the Auditor General had planned a follow-up audit, knowing it would be reported in February 2007, and knowing as well that we've been working very hard on improving the SIN, we wanted to know if there were things we could do before the Auditor General reported, to continue to make progress in the areas identified in 2002, and then fold in the recommendations of the Auditor General with the ongoing work that we'd already started from Pricewaterhouse. We'll probably do something like that again, going forward, rather than waiting for the next follow-up audit, getting an independent view of whether or not we're on the right track with this program.

We asked Pricewaterhouse to look at the areas of recommendation that the Auditor General had worked on in 2002. The report itself is available on our website in detail, but I'd be happy to table the comparison of the OAG recommendations and the Pricewaterhouse findings. What you'll see are very similar conclusions, not surprisingly. Pricewaterhouse told us what the Auditor General was going to say in February. There were areas where progress had been satisfactory, but they also made recommendations for further improvement in those areas, and we're working on those; and there were areas that weren't quite as good, and the Auditor General has observed them as well. We'd already started the work to move the yardsticks when the Auditor General reported.

You don't want me to respond?