BreachOfPrivacy

Canadian Privacy Decisions

The comprehensive archive of Canadian privacy decisions from federal, provincial, and territorial commissioners — with AI-summarized plain-language summaries for every decision.

3 decisions matching
Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Dec 20, 2017 · PIPEDA Case Summary #2017-006 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-006: Using SIN for identity verification cannot be a condition of service

A financial institution

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that a financial institution required customers to provide their Social Insurance Number (SIN) for identity verification purposes as a condition of opening a savings account. The OPC found that while the institution collected SINs for legally required income reporting, it could not mandate its use for identity verification. The institution agreed to make the use of SIN for identity verification optional rather than a condition of service.

Adjudicator: Daniel Therrien

Key Issues
  • Requirement of SIN for identity verification as a condition of service.
  • Appropriate use of SIN by private sector organizations.
  • Interpretation of FINTRAC guidelines regarding identity verification.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Mar 14, 2017 · PIPEDA Report of Findings #2017-003 · Indexed Apr 12, 2026

PIPEDA Report of Findings #2017-003: Insurance company collected and used credit score for inappropriate purpose during auto insurance claims assessment process

An insurance company

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint against an insurance company that collected and used an individual's credit score during an auto insurance claims assessment. The OPC found that the company did not have a legal basis to use credit scores for fraud detection in this context and did not obtain meaningful consent from the individual because they failed to clearly state that providing consent was optional. The company also lacked openness in its policies regarding credit score usage.

Adjudicator: Daniel Therrien

Key Issues
  • Appropriateness of using credit scores for fraud detection in auto insurance claims assessment.
  • Whether meaningful consent was obtained for the collection and use of credit score.
  • Whether the insurance company over-collected personal information.
  • The company's openness regarding its credit score collection and use policies.

Federal (Canada) · Personal Information Protection and Electronic Documents Act · Well-founded & conditionally resolved
Feb 10, 2017 · PIPEDA Case Summary #2017-005 · Indexed Apr 12, 2026

PIPEDA Case Summary #2017-005: Insurance company required to delete individual’s personal information after individual withdraws consent

A former automobile insurance company

An individual complained that their former automobile insurance company refused to delete their personal information upon withdrawal of consent. The company initially refused, citing the need to provide insurance history to other insurers. The Office determined that the company should have treated the request as a withdrawal of consent. The company subsequently deleted the information from its records after the individual accepted the implications. However, the company was not required to ensure deletion from third-party records to which the information had been lawfully disclosed. The company was also found to be in contravention for not having clear policies on third-party disclosures.

Adjudicator: Daniel Therrien

Key Issues
  • Withdrawal of consent for the continued use of personal information
  • Deletion of personal information from an organization's records
  • Deletion of personal information from third-party records after lawful disclosure
  • Accountability for information disclosure policies and procedures