Interventions in Committee
 
 
 
RSS feed based on search criteria Export search results - CSV (plain text) Export search results - XML
Add search criteria
View David de Burgh Graham Profile
Lib. (QC)
Earlier, we were talking about passwords. Nowadays, we see two-factor authentication being used a lot more for bank accounts. Could the same thing be done for social insurance numbers?
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:23
I'm going to say the same thing I did earlier. I'm not an expert in social insurance numbers, but we strongly advise people to use two factors whenever possible. It's not perfect, but it improves the security of their information.
View Michel Picard Profile
Lib. (QC)
View Michel Picard Profile
2019-07-15 14:23
I'd like to revisit the issue of a unique identifier.
Other models exist. On other committees, we've talked about the popular Estonian model, I believe. It's a system that's in line with our discussions on open banking. All the information is centralized and people can access it using a unique identification number.
At the end of the day, no matter what you call it, a social insurance number is a unique identification number, so it's important to understand the system's limitations. It's all well and good to have the ultimate ultra-modern system, but if a single unique identifier is assigned to an individual, the information will always be vulnerable if someone gets a hold of it.
André Boucher
View André Boucher Profile
André Boucher
2019-07-15 14:24
Absolutely. I can't name them today, but a number of countries around the world have endeavoured to adopt a system that relies on a national unique identification number. Some have been successful, and others, less so. As you said, the number becomes an essential piece of information and the slightest vulnerability puts the data at risk.
Elise Boisjoly
View Elise Boisjoly Profile
Elise Boisjoly
2019-07-15 14:48
Thank you very much, Mr. Chair.
My name is Elise Boisjoly, and I am the assistant deputy minister of the integrity services branch at Employment and Social Development Canada. I am joined by Anik Dupont, who is responsible for the social insurance number program.
Thank you for the opportunity to join you today. My remarks will focus on the social insurance number, or SIN, program. Specifically, I will clarify what the social insurance number is and provide information on its issuance and use; inform the committee on privacy protection related to the SIN; and provide information on our approach in the case of data breach.
What is the SIN? The SIN is a file identifier used by the Government of Canada to coordinate the administration of federal benefits and services and the revenue system. The SIN is required for every person working in insurable or pensionable employment in Canada and to file income tax returns.
It is issued prior to your first job, when you first arrive in Canada or even at birth. During the last fiscal year, over 1.6 million SINs were issued.
The SIN is used, among other things, to deliver over $120 billion in benefits and collect over $300 billion in taxes. It facilitates information sharing to enable the provision of benefits and services to Canadians throughout their life such as child care benefits, student loans, employment insurance, pensions and even death benefits. As such, the SIN is assigned to an individual for life.
The SIN is not a national identifier and cannot be used to obtain identification. In fact, it is not even used by all programs and services within the federal government; only a certain number use it. The SIN alone is never sufficient to access a government program or benefit or to obtain credit or services in the private sector. Additional information is always required.
While data breaches are becoming increasingly commonplace, the Government of Canada follows strong and established procedures to protect the personal information of individuals. My colleague mentioned the Privacy Act and the Personal Information Protection and Electronic Documents Act, which is being administered by Innovation, Science and Economic Development Canada. They provide the legal framework for the collection, retention, use, disclosure and disposition of personal information in the administration of programs by government institutions and the private sector, respectively.
As my colleague mentioned, on November 1, 2018, a new amendment to the Personal Information Protection and Electronic Documents Act came into force, which requires organizations that experience a data breach and that have reason to believe there's a real risk of significant harm to notify the Office of the Privacy Commissioner, the affected individuals and associated organizations as soon as it's feasible. Violating this provision may result in a fine of up to $100,000 per offence.
At Employment and Social Development Canada, we have internal monitoring strategies, privacy policies, directives and information tools for privacy management, as well as a departmental code of conduct and mandatory training for employees on protecting personal information. We believe that any security breach affecting social insurance numbers is very serious and, in fact, we ourselves are not immune to such a situation. For example, in 2012, the personal information of Canada student loan borrowers was potentially compromised. The breach was a catalyst for further improvements to information management practices within the department.
Preventing social insurance number fraud starts with education and awareness. This is why our website and communication materials include information that can help Canadians better understand the steps they should take to protect their social insurance numbers. Canadians can visit the department websites, call us or visit us at one of our Service Canada centres to learn how best to protect themselves. It is important to note that protecting the information of Canadians is a shared responsibility among the government, the private sector and individuals. We strongly discourage Canadians from giving out their social insurance numbers unless they are sure that doing so is legally required or necessary. Canadians should also actively monitor their financial information, including by contacting Canada's credit bureau.
A loss of a social insurance number does not necessarily mean that a fraud has occurred or will occur.
However, should Canadians notice any fraudulent activity related to their social insurance number, they must act quickly to minimize the potential impact by reporting any incidents to the police, contacting the Privacy Commissioner and the Canadian Anti-Fraud Centre, and informing Service Canada. In cases where there is evidence of the social insurance number being used for fraudulent purposes, Service Canada works closely with those affected.
Despite ever larger data breaches, the number of Canadians who have had their social insurance number replaced by Service Canada due to fraud has remained consistent at approximately 60 per year since 2014.
That being said, we understand that many Canadians have signed a petition asking Service Canada to issue new social insurance numbers for those impacted by this data breach. The main reason we do not automatically issue a new social insurance number in these circumstances is simple: getting a new social insurance number will not protect individuals from fraud. The former social insurance number continues to exist and is linked to the individual. If a fraudster uses someone else's former social insurance number and their identity is not fully verified, credit lenders may still ask the victim of fraud to pay the debts.
In addition, it would be the individual's responsibility to provide their new social insurance number to each of their financial institutions, creditors, pension providers, employers—current and past—and any other organizations. Failing to properly do so could put individuals at risk of not receiving benefits or leave the door open to subsequent fraud or identity theft.
It would also mean doubling the monitoring. Individuals would still need to monitor their accounts and credit reports for both social insurance numbers on a regular and ongoing basis. Having multiple social insurance numbers increases the risk of potential fraud.
Active monitoring through credit bureaus as well as regular reviewing of banking and credit card statements remain the best protection against fraud.
In closing, protecting the integrity of the social insurance number is critical to us, and I can assure you that we will continue to take all necessary action to do so, including reading this committee's report and considering advice from this committee and others on how to best improve.
Thank you for your time. I'd be happy to answer your questions.
View Francis Drouin Profile
Lib. (ON)
Thank you very much, Mr. Chair.
I thank all witnesses for appearing before the committee on short notice.
I should mention that I am one of the victims of the data breach at Desjardins, as are many of my constituents.
Ms. Boisjoly, you referred to the online petition asking that the social insurance numbers of those affected be changed. Can you explain to the committee why that would not be done and why it would only complicate things without providing better security for Canadians?
Elise Boisjoly
View Elise Boisjoly Profile
Elise Boisjoly
2019-07-15 15:04
I briefly mentioned that in my presentation and I thank you for giving me the opportunity to talk about it at greater length.
First, an information leak does not necessarily mean that fraud or identity theft has occurred. Second, we do not automatically change social insurance numbers after a leak like this because it doesn't really solve the problem or automatically remove all risk of fraud.
Let me explain that first point a little more. If you do not change the social insurance number linked to a certain credit number and if a credit agency uses the old credit number, the person involved will not necessarily be able to get credit. In addition, if a lender does not properly check the identity of that person, and a fraudster borrows money using his name, the lender could ask him to pay the debt. So there can be other cases of fraud if lenders do not correctly check people's identity.
The second reason is that it can create serious problems of access to benefits and services. As I said in my presentation, victims of data breaches must warn everyone, financial institutions, credit agencies, past and future employers, and the managers of pension schemes to which they belonged with their old social insurance numbers, and make the necessary changes. Often, people no longer remember those to whom they have given their social insurance number, especially at the beginning of their careers. That can prevent people from receiving a pension, for example, because it is no longer possible to establish a link between an individual and the benefits to which they are entitled.
At federal level, we would certainly advise the Canadian Revenue Agency and all organizations involved. But changes could be made manually and there may be errors. This could complicate the calculation of pensions or employment insurance benefits. If someone forgets an employer and makes errors, the calculation of employment insurance benefits or the old age pension could be wrong.
View Francis Drouin Profile
Lib. (ON)
In other words, changing our social insurance number does not necessarily protect our personal information.
Why is another social insurance number issued in cases where fraud has been proven?
Elise Boisjoly
View Elise Boisjoly Profile
Elise Boisjoly
2019-07-15 15:07
When fraud has been proven, we look at the type of fraud and discuss the matter with the person involved. Often people decide not to change their social insurance numbers. They register, or have someone register them, at a credit checking agency. By so doing, they will be better protected than they would be if they changed their social insurance number. Often, having been informed, people decide not to change their social insurance number. In a very small number of cases, 60 per year since 2014, people insist on making a change when fraud has been confirmed. At that point, we allow a new social insurance number to be issued, but we will also explain that it will not necessarily solve the problem.
View Francis Drouin Profile
Lib. (ON)
Here is a more practical question.
Like everyone in the same situation as myself, I see a risk of fraud. How then can I advise the authorities, whether at Revenue Canada or Service Canada, that my social insurance number may perhaps be used fraudulently? Can I call Service Canada to advise them of that? Is there an internal process that allows the public to do that?
Elise Boisjoly
View Elise Boisjoly Profile
Elise Boisjoly
2019-07-15 15:08
Absolutely. Let me make two points about that.
First, since this leak was made public, we have received between 1,400 and 1,500 requests directly from members of the public. They have called us to find out how to better protect their personal data and we have given them a lot of information about doing so. They will often take the steps that we advise them to take, such as looking at the credit agency reports and checking their bank transactions.
Second, if they notice a suspicious activity, they must follow the very clear procedures to give us that information. If suspicious transactions are detected, we ask them to contact Service Canada, which will be able to take the steps needed to help them.
View Francis Drouin Profile
Lib. (ON)
Okay.
The website lists 29 cases in which Canadians are allowed to give out their social insurance numbers. To banking institutions and other entities, for example.
What does Service Canada do so that Canadians know when they should give out their social insurance number and when they should not? What recourse is possible when an organization asks for a social insurance number when it should not do so?
Elise Boisjoly
View Elise Boisjoly Profile
Elise Boisjoly
2019-07-15 15:10
Our website, our call centres and the Service Canada centres tell Canadians who they may give their social insurance numbers to. When we issue social insurance numbers, we actually tell people who they should and should not give it to. A certain number of organizations are authorized to ask for social insurance numbers, for example when a bank or creditor pays interest, which the Canada Revenue Agency needs to know.
If someone not on that list asks for a social insurance number, people can refuse and ask to provide another form of information. For example, a long time ago, landlords often asked tenants for social insurance numbers in order to check their credit. They can simply provide a credit report rather than give out their social insurance number. The person asking the question must—
View Pierre Paul-Hus Profile
CPC (QC)
The investigation has nothing to do with it because we know how the data breach happened. We also have an idea of where the data was sent, but, at the moment, that is not what we are interested in. We know that someone, somewhere on the planet, has our information and is in a position to harm us by stealing our identity. So we want to know whether our agencies can become proactively involved or, if not, what can be done.
You have a solution in my case, so that is already something that the public could be told about. It is important to do that quickly because people are not in a very good mood during their holidays. Then we will have to see if something else can be done.
The issue of the social insurance number has come up everywhere. A number of suggestions have been made. You are responsible for that file and you are saying that nothing can be done, at least not in that way. These are the answers that people need to hear. But the fact remains that we have to leave here telling people what the government can do to help, first Desjardins and second, the 2.9 million people who have been affected. We are hearing a lot about internal protocols, but, for the Canadians listening to us, that does not mean a lot. This is why I want to hear clear answers. I know that you are giving them when you can, but basically, when we leave here, we will need to know what can be done.
Maxime Guénette
View Maxime Guénette Profile
Maxime Guénette
2019-07-15 15:17
I can assure you that very proactive discussions are going on between the various departments involved.
As far as the revenue agency is concerned, as I said in my remarks, the social insurance number, the address and the date of birth are some of the pieces of information people need in order to identify themselves to the agency. We also need information on tax returns from previous years, which was not in the information stolen from Desjardins, according to the discussions we have had. However, once again, the investigation is still in progress. So these questions—
Results: 1 - 15 of 42 | Page: 1 of 3

1
2
3
>
>|