manis@ubc-cs.UUCP (11/24/86)
I'm now more confused on this matter than I was last week. According to John Grace (Canada's Privacy Commissioner), neither banks nor employers have the right to obtain your SIN. On the other hand, he then said that where an employer is acting on behalf of the government (in collecting UI payments and presumably income tax) it will need the SIN. As an example, UBC (along with many other employers) uses the SIN as an employee number.

Similarly, I have always been told that the requirement for a SIN when opening a bank account is to allow the institution to send T4's regarding interest income. Perhaps this is untrue: perhaps the space in a T4 (or similar slip) which is marked "SIN" need not be filled out. I don't know.

In any case, the SIN by itself doesn't really confer any great power on any nasties. The mapping from SIN to identity is supposed to be greatly controlled (and that's why the theft of Revenue Canada records is so serious). Anybody who wants to do cross-matching without the SIN can do so without any great problem. Names and addresses will give an incredibly high accuracy, especially if one has fairly sophisticated matching algorithms (using, e.g., phonetic codes on names). As Grace pointed out, the thing to protect is not your SIN by itself, but the collection of information which describes you. People who refuse to give their SINs seem to have no compunction in giving out their names, addresses, and telephone numbers.

It's also worth noting that direct mail techniques have advanced to the point that such things as SINs are old hat. A recent Globe & Mail article described the direct mail techniques used in the last U.S. elections. One company working for the Democratic Party had developed a "gay algorithm" which allowed them to take a list of names and addresses and identify those people who were likely to be gay (based presumably on such things as location in a city and composition of the household), regardless of whether the people in question were openly gay. Now, even though I'm in sympathy with the objectives in this case, I find this technique truly frightening (what if the government were doing things like this?).
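[Added example, not part of the original posts: a sketch of the cross-matching described above, showing that two lists with no SIN column still link on a phonetic surname code (American Soundex) plus a normalised postal code. All records, field names and function names here are constructed for illustration.]

```python
import re

# American Soundex digit classes; every other letter is uncoded.
_GROUPS = {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT", "4": "L", "5": "MN", "6": "R"}
CODES = {ch: digit for digit, chars in _GROUPS.items() for ch in chars}

def soundex(name):
    """Phonetic code: first letter plus three digits, e.g. Robert -> R163."""
    letters = [c for c in name.upper() if c.isalpha()]
    if not letters:
        return ""
    out, prev = letters[0], CODES.get(letters[0], "")
    for c in letters[1:]:
        if c in "HW":            # H and W do not separate equal codes
            continue
        code = CODES.get(c, "")  # vowels code to "" and end a run
        if code and code != prev:
            out += code
        prev = code
    return (out + "000")[:4]

def link_key(rec):
    """Quasi-identifier: phonetic surname plus normalised postal code."""
    postal = re.sub(r"[^A-Z0-9]", "", rec["postal"].upper())
    return soundex(rec["surname"]), postal

def link(left, right):
    """Return (left_id, right_id) pairs whose quasi-identifiers agree."""
    index = {}
    for rec in right:
        index.setdefault(link_key(rec), []).append(rec["id"])
    return [(rec["id"], rid) for rec in left for rid in index.get(link_key(rec), [])]

# Constructed records; neither list has a SIN column.
PAYROLL = [
    {"id": "P1", "surname": "Macdonald", "postal": "V6T 1W5"},
    {"id": "P2", "surname": "Tremblay", "postal": "N2L 3G1"},
    {"id": "P3", "surname": "Lee", "postal": "M5S 1A1"},
]
MAILING = [
    {"id": "M1", "surname": "McDonald", "postal": "v6t1w5"},
    {"id": "M2", "surname": "Trembley", "postal": "N2L-3G1"},
    {"id": "M3", "surname": "Tremblay", "postal": "K1A 0B1"},  # other household
    {"id": "M4", "surname": "Leigh", "postal": "M5S 1A1"},     # L200 vs L000
]

if __name__ == "__main__":
    print(link(PAYROLL, MAILING))  # [('P1', 'M1'), ('P2', 'M2')]
```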
jmlang@water.UUCP (11/25/86)
In article <504@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>... The mapping from SIN to identity is supposed to be greatly
>controlled (and that's why the theft of Revenue Canada records is so
>serious).

I am not sure of the validity of the next sentence but I heard that it was true. There are more SIN in use than there are people in the country.

Any comment.

--
Je'ro^me M. Lang || jmlang@water.uucp
Dept of Applied Math || jmlang%water@waterloo.csnet
U of Waterloo || jmlang%water%waterloo.csnet@csnet-relay.arpa
gtward@watvlsi.UUCP (11/25/86)
In article <637@water.UUCP> jmlang@water.UUCP (Jerome M Lang) writes:
>In article <504@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>>... The mapping from SIN to identity is supposed to be greatly
>>controlled (and that's why the theft of Revenue Canada records is so
>>serious).
>
>I am not sure of the validity of the next sentence but I heard that
>it was true. There are more SIN in use than there are people in the country.
>
>Any comment.
>

This is not surprising at all. When you die, your SIN lives on. The government continues to use it. For example, the Orphan's Benefit that I receive is `charged to' my mother's SIN, and she died over 12 years ago.

Greg Ward
manis@ubc-cs.UUCP (11/26/86)
In article <637@water.UUCP> jmlang@water.UUCP (Jerome M Lang) writes:
>I am not sure of the validity of the next sentence but I heard that
>it was true. There are more SIN in use than there are people in the country.

It stands to reason that there are more SINs than people qualified to hold them. For example, I doubt that the SINs of deceased people are reused. In addition, people present on short-term visas are often issued SINs if they earn income while in Canada (that's why I have a US Social Security Number). There is also of course fraud.
clewis@spectrix.UUCP (Chris Lewis) (11/27/86)
In article <637@water.UUCP> jmlang@water.UUCP (Jerome M Lang) writes:
>In article <504@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>>... The mapping from SIN to identity is supposed to be greatly
>>controlled (and that's why the theft of Revenue Canada records is so
>>serious).
>
>I am not sure of the validity of the next sentence but I heard that
>it was true. There are more SIN in use than there are people in the country.

Yes, mapping from SIN to identity (and vice-versa) is supposed to be very tightly controlled. But, the accuracy of the mapping is relatively poor - many people have more than one, many people don't have any etc.

To give an indication of how bad - Medical research and other health organizations have been pushing for a universal health identifier (at least in Ontario). At one point they were pushing for the use of the SIN number because it is already in existence. However, the general consensus is now that the SIN number was too laxly regulated, and is now fairly useless for use in the health system - even for research, but especially for treatment. Not to mention the confidentiality issues (linking of health and non-health info).

OHIP numbers are *MUCH* worse - one woman in Ontario was found to have 13 numbers! One family had over a hundred members! (crashed the OHIP computer a couple of times)

Sweden has introduced a universal health identifier so that all health records can be linked together to provide the best possible health care along with very accurate research (mostly statistical - they don't care about the individual's ID per se, only so that they can track data "elements" thru the system). Before Sweden introduced this, however, they had to put in place some pretty strong controls:

1) There is a Data Control Dept. who issues licenses to organizations allowing them to use the health id. Any organization or individual asking for the id without this license (which had to be producible on demand) is subject to penalty.
2) Each database using this id *must* be approved by the Dept. Considered are: use of data, data security, security clearances of personnel etc.
3) Each linkage between databases *must* be approved by the Dept.
4) All rulings made by the Dept are public knowledge (except rulings on individual's records, which are done in camera), and can be appealed.
5) All databases containing information are contained in registries which also include the database "schemas".
6) Each individual has the right to demand at no cost to themselves a copy of their own record in any of these databases. If the individual has a quarrel with any item in the database, the database maintainer is obligated to reevaluate the data and modify or delete the item as necessary. The maintainer's actions can be appealed to the Data Control Dept.
7) There is even an established plan for the destruction of the primary databases (mapping databases, main hospital and govt. agency) in the event of foreign takeover!

Generally speaking, the Health Records Commission approved of the implementation of a universal ID, provided that:

1) controls were set in place similar to Sweden to control the growth, usage and security of the id within the health sector
2) Legislation enacting this id must absolutely deny the use of this id for purposes other than health care and research.
3) The SIN number was *not* used.

--
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955
clewis@spectrix.UUCP (Chris Lewis) (11/27/86)
In article <586@ubc-cs.UUCP> manis@ubc-cs.UUCP (Vincent Manis) writes:
>In article <637@water.UUCP> jmlang@water.UUCP (Jerome M Lang) writes:
>>I am not sure of the validity of the next sentence but I heard that
>>it was true. There are more SIN in use than there are people in the country.
>
>It stands to reason that there are more SINs than people qualified to
>hold them. For example, I doubt that the SINs of deceased people are reused.
>In addition, people present on short-term visas are often issued SINs if
>they earn income while in Canada (that's why I have a US Social Security
>Number). There is also of course fraud.

In actual fact, I believe that both SIN and OHIP numbers are being recycled now. The latter I know for certain. The stupid turkeys didn't put enough digits in the stupid things (SIN 9, OHIP 8 - don't forget that one of them is a check digit!).

OHIP (at least used to, policy may have changed slightly) reissues numbers if they have been inactive for 8 years or more. Then the original holder comes back from missionary work in Africa (or something). Voila! Two different people with the same number. This is an extreme problem within OHIP. Ditto SIN.

--
Chris Lewis
Spectrix Microsystems Inc,
UUCP: {utzoo|utcs|yetti|genat|seismo}!mnetor!spectrix!clewis
ARPA: mnetor!spectrix!clewis@seismo.css.gov
Phone: (416)-474-1955