Skip to main content
Start of content

HRPD Committee Report

If you have any questions or comments regarding the accessibility of this publication, please contact us at accessible@parl.gc.ca.

APPENDIX D -
HUMAN RESOURCES DEVELOPMENT CANADA, COMMON CLIENT IDENTIFIER REPORT

EXECUTIVE SUMMARY

Background

  • In the last two years, under the auspices of HRDC, the federal/provincial/territorial income security programs have undertaken an exploration of the benefits and challenges associated with the possible introduction and use of a common client identifier (CCI) for income security programs in Canada. For the purpose of this study a common client identifier was defined as: a unique means of identifying an individual in an administrative file. The purpose of the study was to identify whether there was evidence that a common client identifier could:

      - maintain or enhance privacy and confidentiality;

      - enhance service delivery;

      - streamline program administration; and/or,

      - increase program integrity.

  • Options considered for the purposes of this study for use as a common client identifier included:

      - the status quo, i.e. the current Social Insurance Number (SIN);

      - a "modified" SIN; and,

      - a new number.

Current State

  • Our research indicated that the provincial and territorial income security jurisdictions are already using the SIN as an administrative identifier for their income security clients. In fact, approximately 90-100% (depending on the jurisdiction) of provincial/territorial income security clients have SIN's.
  • Our research also indicated that sharing information between HRDC income security programs and other federal/provincial/territorial programs is common place under the existing legislative framework. In fact, there are over 100 federal/provincial/territorial agreements in place. The key administrative identifier, in addition to name and date of birth, used to facilitate data matching is the SIN. There is no centralized coordination of all data matching agreements.
  • There are current issues arising from the inability to identify and authenticate clients within the income security programs. Access to the SIN Register by the provinces and territories will greatly facilitate verification of the identity of income security and income support applicants.
  • Current data matching processes, evolving partly around the Social Insurance Number, fulfill some of the goals of federal/provincial/territorial income security programs. However, a national system that is specifically designed to achieve the goals of verification of identity and eligibility which are shared by all IS jurisdictions could be more effective.
  • Most current data matching is re-active in that it occurs after the fact. An up-front, cross jurisdictional data matching process to validate client identification could minimize inappropriate benefit payment at the outset.
  • As reported earlier to the federal/provincial/territorial committee most of the data collected was qualitative rather than quantitative. Very little empirical data was obtained, perhaps due to the sensitivity of the subject matter and/or there simply were no hard numbers available. The cost-benefit analysis was based in large part on the qualitative evidence at hand.

Conclusions

  • Based on a review of the attached consolidated report and data gathered to date, there is no compelling case for introducing a common client identifier.
  • Our research does indicate, however, that consideration could be given to exploring the possibility of enhancing the current usage of the SIN to further enhance program integrity, improve service delivery and streamline program administration. Steps such as:

      1. under the existing framework, taking full advantage of the SIN register by expanding access to the to the provinces and territories to improve identity authentication.

      2. introducing preventative, up-front data matching, rather than after the fact matching, to validate benefit status, thus minimizing inappropriate benefit payment from occurring at the outset; and,

      3. further investigating the Belgian Crossroads Bank model and its applicability to the Canadian context. The model offers an interesting example to review. It connects eighteen social security agencies, a national register and the European Community register. There is no central repository or warehouse of information. Rather the model allows member agencies to be aware of the existence of files held in other agencies. All information exchange is reviewed and monitored by an independent committee authorized to review all data exchanges and investigate public complaints.

Next Steps

  • There are now several questions/issues that need to be considered:

      1. Based on the work conducted to date, do the federal provincial and territorial income security programs agree with the conclusions?

      2. Do the federal/provincial/territorial programs wish to proceed with further work/study as described in the above conclusions?

      3. If yes, how will this work/study be funded and coordinated?

Common Client Identifier Report

Introduction

Over the last few years there has been growing pressure for governments at all levels and jurisdictions to address the issues surrounding client identifiers. For government, the question of an identifier has become central to the topic of information sharing as a way to provide better services to government clients and/or to reduce government costs.

Service delivery for Human Resources and Development Canada, and for other federal, provincial and municipal departments is currently being redefined. Access to services will continue to be increasingly provided through alternative mechanisms such as kiosks, telephones and the internet. One way to improve service delivery and reduce costs to the public through technology.

The Scope of a Common Client Identifier

Client identifiers can span the spectrum from a national identifier to a program specific file number. An identifier which covers all residents of a country in all programs can be considered a national client identifier since it identifies a client in many unrelated government programs. At the other end of the spectrum is a program/context specific number allocated to one program and assigned only to the users of that program. One of the important factors when considering a CCI is to be aware of and actively manage scope.

Scope of the Report

For purposes of this report, a CCI is defined as a unique means of identifying an individual in an administrative file. Specifically as a mechanism for uniquely identifying an individual across income security programs, such that each individual is linked to one and only one identity.

Three options were considered:

  • the status quo, i.e. the current Social Insurance Number (SIN);
  • a "modified" SIN; and,
  • a new number.

Objective of the Report

The purpose of this report is to consolidate and synthesize information gathered and determine whether there is evidence that a CCI could:

  • maintain or enhance privacy and confidentiality;
  • enhance service delivery;
  • streamline program administration; and/or,
  • increase program integrity.

The purpose of this report is to summarize key findings and next steps and present them in a format conducive to making informed decisions.

Today, the SIN has become the administrative identifier for income security programs in Canada. Approximately 90-100% of income security program participants have and use the SIN as an identifier to interact with the income security programs. The need for a common method for governments to identify and "authenticate" their clients has been discussed by governments at all levels and in many international jurisdictions. Dependable personal identity information is required with almost all interactions with government, from applying for and delivery of financial benefits, linking to other programs and services, maintaining case files, to controlling fraud and error.

Since the late 1980's, data matching and information sharing agreements between jurisdictions have been proliferating, to the point that now there are more than 100 agreements in place between federal/provincial/territorial income security programs, with more pending. These have been enacted under the existing legal framework. The key administrative identifier, in addition to name and birthdate, used to facilitate this data matching is the SIN. Early agreements used name/birthdate matching of information, with the SIN as supporting information. Later agreements tend towards primary use of the SIN for data matching purposes. There is no central overall management, control or coordination of these agreements.

The Social Insurance Number has become the administrative identifier for information sharing between income security programs, Revenue Canada and Immigration programs in Canada. There is no centralized coordination of all data matching agreements.

There are current issues arising from the inability to identify and authenticate clients within the income security programs. In the past provinces and territories have not had the authority to access the information or share the information with the SIN Register (SIR). Although the provinces and territories have legal authority under the Income Tax Act to collect the SIN, access to the SIN Register is controlled by the Employment Insurance legislation.

Recent events have seen SIR policy change in this regard. The Policy branch of the National Services division within HRDC and the Canada Employment Insurance Commission have recently developed a master memorandum of understanding (MOU) that would extend access to the SIN Register to the provinces and territories. Approval of this policy has facilitated the establishment of data sharing agreements between the provinces and territories and the SIN Register. At least one province (New Brunswick) is currently working with the SIN Register staff to draft an information-sharing agreement to allow that province access to SIN Register information.

Access to the SIN Register by the provinces and territories will greatly facilitate verification of the identity of income security and income support applicants.

The current array of data matching and information sharing agreements between federal, provincial, and territorial income security programs in Canada is the administrative response to the need to ensure that benefits are accurate and clients are eligible for those benefits. Each individual data match is targeted to determining one particular bilateral "overlap" of benefit issuance. Each of these "matches" requires a separate legal agreement between the jurisdictions concerned.

Most provinces do not have the full complement of potential matches in place, but all provinces are working in that direction. Each province has started developing agreements with those jurisdictions where the perceived potential for identifying overpayments is highest (i.e., Employment Insurance and neighboring provinces).

Current data matching processes, evolving partly around the Social Insurance Number, fulfill some of the goals of federal/ provincial/territorial income security programs. However, a national system that is specifically designed to achieve the goals of verification of identity and eligibility which are shared by all IS jurisdictions could be more effective.

Most data matching is re-active in that it occurs after the fact. There is no formalized central control and management of data matching across all jurisdictions. There is no one agency accountable for all data matches. Further study could be done in this area and the exploration of a possible solution is proposed later in this report.

Most current data matching is re-active in that it occurs after the fact. An up-front, cross jurisdictional data matching process to validate client identification could minimize inappropriate benefit payment at the outset.

Estimating Costs and Benefits

A number of difficulties arose in attempting to estimate the costs and benefits for a CCI approach. These included:

  • The more detailed the implementation plan, the more accurate the cost and benefits estimates become. At a high level, before detailed implementation plans (that address exactly how the CCI will be used) have been defined, only gross estimates are possible.
  • Some of the impact of a Common Client Identifier-supported approach to increased data sharing between federal/provincial/territorial programs is in the deterrence factor. Measuring "non-occurrences" of overpayments is notoriously difficult.
  • Recouping overpayments that have already occurred (current situation) has a different impact on savings than preventing such overpayments from occurring in the first place. However, estimating the value of immediate reduction in overpayments against the recouping of perhaps the same level of overpayment over time is difficult.

Some applications of a CCI result in clients being determined ineligible on application or identified as ineligible at a later point. This aspect of calculating potential savings is a function of the time that the client would have received benefits without the enhanced data sharing process. Many jurisdictions have struggled with the selection of an appropriate time period on which to estimate savings, with some jurisdictions using only a one-month period for the overpayment, and others using various time periods depending on the category of client, and the average time-on-assistance for that category. There is no benchmark for calculating benefits paid out and therefore potential savings estimates vary significantly from jurisdiction to jurisdiction.

  • Some of the most significant potential costs and benefits to the implementation of a CCI are intangible: the ease and speed with which service is delivered, the reduction in the "hassle" factor for clients obtaining services and/or increased protection of public funds. Even in the face of a potentially high cost-benefit ratio, the fundamental question remains. Is it worth it from an intangible perspective?
  • Due diligence was given to collecting pertinent cost-benefit data to determine whether there was a CCI business case. Surveys and data gathering were conducted with all provinces and territories. Data gathering was also conducted in the international community.
  • As reported earlier to the federal/provincial/territorial committee most of the data collected was qualitative rather than quantitative. Very little empirical data was obtained, perhaps due to the sensitivity of the subject matter and/or there simply were no hard numbers available. Cost-benefit analysis was based in large part on the qualitative evidence at hand.
  • Many of the estimates made would require verification at a later stage with the appropriate federal/provincial/ territorial officials. In addition, in order to complete the cost-benefit analysis, a number of areas would require additional work regardless. For example:

      1. Workload savings/costs attributable to the implementation of an on-line registration and identification process.

      2. Costs to the Income Security programs (federal/provincial/territorial) to "hook up" to the registry.

      3. Cost of computer hardware for jurisdictions without network capabilities.

Principles for Enhancing Privacy and Confidentiality

This section clarifies the principles and ethical considerations that must underlie the development of any new information sharing system in federal/provincial/territorial income security programs using a CCI.

There are a variety of privacy principles that are in use in the jurisdictions across Canada, including the principles embedded in the federal/provincial/territorial privacy legislation, the principles developed by the CAR working group, OECD fair information practices principles, the Canadian Standards Association. In addition, the Canadian Privacy Commissioner has developed an ethical framework for the development of any new technologies for the delivery of government programs and services (based on the privacy checklist for technology as set out in the Commissioner's 1992-93 annual report).

Although the focus of this project has always been the CCI itself, it is the use of the CCI in conjunction with technology that has the greatest potential impact on privacy. Thus, an ethical framework for technology privacy assessment seems to be the most appropriate framework to assess the CCI options.

1. Beneficence

Technology is a tool to help the government deliver service to individuals, not a tool to transfer control of an individual's data to other persons or agencies or to conduct overt and covert surveillance on its citizens.

2. Non-discrimination

Technology should not limit government services offered to a client or be a condition for clients to have access to government services.

3. Respect

Technology must properly respect the legal and ethical rules pertaining to the rights of the individual to control the usage of their information.

4. Openness/Transparency

Individuals should have the right to refuse to participate in the use of the system; the right to know the nature of the information managed by the system, and the right to understand the nature of the situations likely to develop around the use of the system.

5. Informed Consent

The individual's prior consent is required for all uses of their information and any disclosure of that information to other bodies.

6. Access

Individuals have the right of access to and correction of the information held about them by the system.

7. Matching

Government should ensure that multi-use applications are segregated to prevent merging or cross-matching of data.

8. Gate-Keeping

Government has the duty to guarantee the confidentiality of all communications and transmissions surrounding the use of the system.

9. Responsibility

Government has the duty to ensure that those operating and maintaining the system exercise the highest standard of responsibility. Each new application should be monitored for adherence to general privacy principles.

In considering the development of an infrastructure to facilitate information sharing, it would be important to ensure the proper safeguards, both technological, privacy and legal, are in place. In addition, careful attention should be paid to the overall management, control and accountability structures. This framework could be used to assess the privacy impacts.

A Possible Model for the Future

The Belgian Crossroads Bank may be an attractive model to review and to assess in the Canadian context.

The Belgian Crossroads Bank connects eighteen social security agencies as well as the national register and the European Community register. Information exchange takes place either by means of on-line, time-delayed electronic exchange or by tape match.

There is no central repository or data warehouse of information, rather the Crossroads Bank is predicated on a network of social security systems. When an institution requires information it makes a request to the Crossroads Bank. If the request is legitimate and has received prior approval by the Comité de Surveillance, the Bank verifies whether the information is available. The information is then transferred to the Bank and forwarded to the requesting institution.

This model is based on obligatory participation of all social security institutions. Each individual is identified within the network of income security systems based on a unique identification key (a number). Data storage is decentralized and distributed among the institutions that are responsible for interacting and servicing the client. All information exchanges must go through the Crossroads Bank and be authorized by a "Control Committee". All information exchanges are recorded. The Crossroads Bank contains three reference directories:

      1. A person directory identifies where individuals have personal files within the social security institutions and for what periods.

      2. A data availability table identifies what type of data is available from each social security institution.

      3. An access authorization table indicates what type of data may be transmitted to which institutions for which type of files.

Applying the Model to Canada

  • For a model to work successfully, in the Canadian context, it would have to:
  • respond to the distributed administrative and delivery network of income security programs in Canada;
  • provide confirmation of identity in a pro-active manner;
  • provide accurate information about an individual's in-pay status on timely basis;
  • provide centralized coordination of data matching.
  • facilitate accurate data matching and guard against unethical matching;
  • address the concerns of the citizenry and the Privacy Commissioners with respect to privacy and confidentiality.

Responding to the Distributed Nature of the Canadian IS System

This model may be suited to meet the needs of the distributed nature in which Canadian programs are delivered among the federal, provincial/territorial and municipal levels of government. The Belgian model does not compromise the delivery structure of the IS programs. In fact, the model pre-supposes that delivery of programs and collection and maintenance of program information is the responsibility of the particular program within the delivery network. Because information is not centralized in one location but distributed and decentralized, data would continue to be stored and maintained by the various programs and different levels of government that are currently responsible for the information. The different data bases and systems would be linked into the network regardless of their geographic location or level of government. This particular model is predicated on having information reside in the location in which it is managed. Modern technology allows this information to be connected and shared regardless of where it is located or by which level of government it is managed.

Accurate Data Matching and Guarding Against Unethical Matching

All data matching is done via the Crossroads Bank. Most of the "standard" matches are pre-approved and conducted automatically on a scheduled basis resulting in timely and effective data matching. There are several safeguards in place to ensure unethical matches do not occur.

  • all matching is done via the Crossroads Bank. There are no matches that occur between individual institutions, thus all matching activity is surveyed;
  • all data matches have been pre-approved by the "Comité de Surveillance" (Control Committee);

      - The Control Committee is an independent body appointed by Parliament to review and authorize all data exchanges and review and investigate complaints made by the public. The Committee prepares an annual report of its work to Parliament.

  • all matching activity is recorded and tracked; and
  • each social security institution has their own security department to monitor and oversee matching activity.

Thus the Belgian model has a built in watch dog function by requiring all matching to occur through the Bank and not on a program to program basis. This watchdog function is already in place in the form of the privacy commissioners in Canada. As a result, any model developed could build on the current role of the federal and provincial/territorial privacy commissioners.

Accurate Information About In-Pay Status

The Crossroads Bank model contains pointer files that indicate where information can be obtained on the in-pay status of clients. This information is assessed prior to benefit payment minimizing the occurrence of mis-payment.

Similarly, in a Canadian model, a pointer file could be created to indicate that an individual is in-pay of a particular benefit. Today, in-pay status information is available under the auspices of the current data sharing agreements, however each agreement is separate and may not cover the whole spectrum of income security programs.

In a future scenario, if participation of all income security programs is obligatory, then complete information will be available to determine the eligibility of a client to receive benefit payment. This information could be made available up-front reducing incorrect payments before they can occur. If, in a particular case, further information is required, then the institution may go through the central Bank to request additional data on the individual's file if such information sharing is authorized.

Providing Identity Authentication

Access to a central register of basic tombstone data is a cornerstone in the Belgian concept. Information contained in the national register captures life events and basic tombstone information to assist with identity confirmation. However, like all data sharing within this model, the sharing of information has to be pre-approved by the Comité de Surveillance.

In the Canadian context, a similar identity authentication could be validated through the SIN register. With current policy changes that provide access to the SIN register, it is now possible for all jurisdictions to access tombstone information allowing for improved identity verification.

Addresses the Privacy and Confidentiality Concerns

It can be hypothesized that the Belgian model would address many of the concerns and fears of Canadian citizens and Privacy Commissioners with respect to privacy and confidentiality. This model is not predicated upon the creation of a data warehouse, rather a simple network of separate income security systems is joined together under the watchful eye of the Crossroads Bank and the "Control Committee".

As stated earlier, under the current Canadian structure there are a multitude of separate data sharing agreements. There are inter-provincial/territorial data sharing agreements, provincial/territorial-federal agreements and provincial/territorial-municipal arrangements already in place creating a intricate web of non-standardized information sharing agreements. As it stands in most cases today, these agreements have been reviewed and approved by the respective privacy commissioners.

Replacing this web with a formalized model similar to the Belgian model would not radically change the current Canadian structure. Instead of sharing information from institution to institution, this information would pass via a central authority whose role it would be to monitor and ensure regularity and formality to the method in which information is transferred within the income security sphere. This model could improve upon the current framework.

The diagram below provides a pictorial view of a possible future state model for Canada based on the Belgian model.

As stated earlier, this example of a possible future state is "food-for-thought". It should not be considered as a solution framework. Further research on the Belgian or similar models is required if this path is to be pursued. A hypothetical description of how this model could function is presented in the following paragraphs.

At the centre of the proposed model sits a Board (perhaps comprised of federal/provincial/ territorial privacy commissioners) with several key roles: Their role should include the following functions:

  • supervising and directing information security overall;
  • reviewing and authorizing/denying each data matching scenario before it occurs;
  • handling and responding to complaints; and
  • providing information security recommendations.

No client data would be held within the "central access control". It is at the centre where the " pointer files" would be located. Pointer files would indicate in which programs individuals had information (person directory); what type of data was available by each program (information directory); and which program was allowed to access what type of data (authorization directory). Because this information is, in and of itself, a compilation of data, it would be important to ascertain whether it was permissible under today's legislative framework to develop these pointer files or whether legislation or policy changes would be required to create this "new information".

In the hypothetical model, when a new applicant applies for an income security benefit, the applicant would apply to the appropriate program. Program staff would gather basic tombstone and eligibility information from the applicant and verify through the income security program network the individual's identity and in-pay status in other income security programs. Information on the client's in-pay status and personal data would be verified through the central access control (central bank) and the information would be passed back to the host program to determine eligibility based on the results of the data search. Pending approval, the client could then receive benefit payments according to his or her eligibility.

Each program within the income security network would be responsible for maintaining both their client information and program information up-to-date. Each program would continue to be responsible for ensuring that security and privacy of their own specific data is maintained and secured on an on-going basis.

Conclusions

Based on a review of the consolidated report and data gathered to date, there is no compelling case for introducing a common client identifier.

Our research does indicate, however, that consideration could be given to exploring the possibility of enhancing the current usage of the SIN to further enhance program integrity, improve service delivery and streamline program administration. Steps such as:

      1. under the existing framework, taking full advantage of the SIN register by expanding access to the to the provinces and territories to improve identity authentication.

      2. introducing preventative, up-front data matching, rather than after the fact matching, to validate benefit status, thus minimizing inappropriate benefit payment from occurring at the outset; and,

      3. further investigating the Belgian Crossroads Bank model and its applicability to the Canadian context. The model offers an interesting example for to review. It connects eighteen social security agencies, a national register and the European Community register. There is no central repository or warehouse of information. Rather the model allows member agencies to be aware of the existence of files held in other agencies. All information exchange is reviewed and monitored by an independent committee authorized to review all data exchanges and investigate public complaints.

Next Steps

  • There are now several questions/issues that need to be considered:

      1. Based on the work conducted to date, do the federal provincial and territorial income security programs agree with the conclusions?

      2. Do the federal/provincial/territorial programs wish to proceed with further work/study as described in the above conclusions?

      3. If yes, how will this work/study be funded and coordinated?

Previous Page Table of Contents Next Page