2007 February Status Report of the Auditor General of Canada

Main Points

What we examined

A Social Insurance Number (SIN) is a unique nine-digit number used by any person who earns money through work, pays taxes, contributes to a pension plan, or uses any of a number of government services. SINs are issued and administered under the Employment Insurance Act, largely by Service Canada within Human Resources and Social Development Canada. How federal departments may collect and use the SIN is governed by legislation and the Treasury Board's privacy policies.

We looked at the progress the Department and the Treasury Board Secretariat have made in responding to our recommendations from 2002, when we reported that the Department (then Human Resources Development Canada) had not done enough to safeguard and strengthen the integrity of the SIN. We also reported that the policy on how federal organizations should use the SIN was unclear and open to different interpretations. In this follow-up audit, we assessed whether the Department and the Secretariat had taken satisfactory action to ensure the appropriate use of the SIN; to strengthen the process for issuing new SINs and replacement cards; to ensure the accuracy, completeness, and reliability of data in the Social Insurance Register; and to improve the investigation of SIN-related fraud.

Why it's important

Several of the federal government's largest programs use the SIN. In the 2005–06 fiscal year, the SIN was used in issuing about $12.5 billion in Employment Insurance benefits, about $53.8 billion in Old Age Security and Canada Pension Plan benefits, and more than $1.3 billion in Canada Student Loans. By law, anyone submitting income tax information to the Canada Revenue Agency must also use the SIN. This includes some municipal and provincial agencies, employers, banks, credit unions, and trust companies.

The importance of the SIN is clear from its widespread use both within and outside the federal government. For example, the Social Insurance Register is used to validate the identity of individuals applying for certain federal benefits. Confirming identity has taken on heightened importance in light of growing security concerns, identity fraud, and use of the Internet and telephone for service delivery. Consequently, maintaining the privacy, security, and integrity of the SIN and the Register is critical in order to protect individuals, businesses, and government from SIN-related fraud.

What we found

  • Overall progress in addressing our previous recommendations is unsatisfactory because two significant and long-standing issues remain unresolved, despite satisfactory progress in several other areas.
  • The Department has made satisfactory progress in improving the way it issues SINs and identifies and investigates SIN-related fraud. It has strengthened the standards for establishing identity, citizenship, and proof of need before issuing a new SIN or a replacement card. It has also redesigned the process for issuing SINs and has taken steps to adopt a more risk-based approach to SIN investigations.
  • While the Department has continued its efforts to improve the Social Insurance Register—the database containing the basic personal information provided by individuals who apply for a SIN—its progress is unsatisfactory. It has set no goals for the accuracy, completeness, and reliability of the data, and its measurement of data quality has been unsystematic and limited in scope. The Department therefore has limited assurance that the accuracy, completeness, and reliability of Register data are adequate, a concern we first raised in 1998. However, current efforts underway during this audit and plans to develop a comprehensive quality measurement and reporting system for the Register indicate that the Department is heading in the right direction to resolve this important issue.
  • The policies that govern how federal departments may use the SIN are not clear. The current policies were issued by the Treasury Board under the Privacy Act in 1989. In 2003 the Treasury Board Secretariat completed a comprehensive review on the use of the SIN and data matching in the federal government. The review found several gaps in the existing policy framework, including a need for greater clarity concerning the use of the SIN for identity validation and data matching, a concern we first raised in 1998. However, due to other priorities, the Secretariat has not yet issued updated policies and guidelines. In the meantime the continuing lack of clarity has led to different interpretations and applications of the current policies on control of the SIN.

Human Resources and Social Development Canada, Service Canada and the Treasury Board Secretariat have responded. They have agreed with our recommendations and have committed to take action. Their responses are included throughout the chapter.

Introduction

6.1 Canadian citizens, permanent residents, and temporary residents with valid authorization to work in Canada are eligible to receive a Social Insurance Number (SIN). The SIN is a nine-digit number, unique to every SIN holder, and a person legitimately has only one number at a time.

6.2 SINs are the responsibility of the Canada Employment Insurance Commission as legislated by the Employment Insurance Act. The Commission has delegated the responsibility for issuing and administering SINs to Human Resources and Social Development Canada. Within the Department, Service Canada is responsible for operational policy, delivery, and administration of the SIN.

6.3 Several of the federal government's largest programs use the SIN. In the 2005–06 fiscal year, the SIN was used in issuing about $12.5 billion in Employment Insurance benefits, about $53.8 billion in Old Age Security and Canada Pension Plan benefits, and more than $1.3 billion in Canada Student Loans. By law, anyone submitting income tax information to the Canada Revenue Agency must also use the SIN. This includes some municipal and provincial agencies, employers, banks, credit unions, and trust companies.

6.4 Although collection and use of the SIN by the federal government is authorized only under specific legislation and programs, there is no legislation that stops private sector organizations from requesting it. However, when asking for an individual's SIN, organizations must comply with the Personal Information Protection and Electronic Documents Act, which governs the protection, collection, use, and disclosure of personal information in the private sector.

6.5 The widespread use of the SIN both within and outside the federal government demonstrates its importance. The SIN is a key piece of information that may be used to obtain additional pieces of personal information; consequently the use, abuse, and misuse of the SIN may affect the administration of federal and provincial programs, as well as operations in the private sector. Maintaining the privacy, security, and integrity of the SIN is critical to protect individuals, businesses, and government from SIN-related fraud.

6.6 In 1998, the Office of the Auditor General reported problems in the way the SIN was managed. We conducted a follow-up in 2000 and reported that some improvements had been made. In 2002, we audited the integrity of the SIN again and found little further progress. The Auditor General advised parliamentarians that we would re-examine the issue at a later date. This chapter provides a status report on the progress Human Resources and Social Development Canada and the Treasury Board Secretariat have made in addressing the observations and recommendations included in our 2002 audit of the Integrity of the Social Insurance Number.

What we found in 2002

6.7 In 2002 we reported that Human Resources Development Canada had been slow to address many of the observations and recommendations from our 1998 audit of the Management of the Social Insurance Number. Progress on some key issues had been limited and we concluded that the Department had not done enough to safeguard and strengthen the integrity of the SIN. Specifically, we noted the following:

  • Three departmental programs were using the SIN without the required Treasury Board authorization. As well, the Treasury Board direction on how and when to use the SIN within the federal government was unclear. Weaknesses also existed in activities to increase public awareness of how and when to use the SIN appropriately.
  • There had been limited progress in strengthening the process for issuing a SIN, for both a regular and a 900-series SIN (issued to an applicant who is not a Canadian citizen or a permanent resident).
  • There had been limited progress in bringing the Register's reliability and completeness to an appropriate level. No standard for the quality of the data of the Social Insurance Register had been established, and problems with the integrity of the information in the database persisted.
  • There was no risk-based analysis of SIN-related activities and the level of effort for investigations was not necessarily based on risk. Despite some progress to provide investigators with better training and tools, improvements were still required.

Significant events since 2002

6.8 Following our 2002 audit the Public Accounts Committee and the Standing Committee on Human Resources Development and the Status of Persons with Disabilities held hearings, issued reports, and made recommendations to improve the management of the SIN. These recommendations are included in Appendix A of this chapter.

6.9 In May 2005 the Service Canada initiative was established within Human Resources and Social Development Canada to deliver a growing number of services and benefits on behalf of federal departments and agencies. Service Canada intends to use the SIN and Social Insurance Register as a foundation to accurately and consistently identify individuals across its service channels. Since 2002 the Department has increased its use of the Register to validate the identity of applicants for several of the large social programs it delivers, including Employment Insurance, Old Age Security, and the Canada Student Loans Program. It uses the SIN to match information applicants provide to basic personal data in the Register to validate their identity.

6.10 The increasing use of the SIN and the Register to streamline service delivery and accurately identify individuals has implications for both privacy protection and program integrity. As the use of personal information increases, including the SIN and other information stored in the Register, protecting individual privacy rights becomes more critical. Additionally, a wider range of government benefits becomes accessible to individuals who are fraudulently using a SIN and other personal information that is not their own. As we observed in 2002 the SIN can play an important role in identity theft and fraud. There are indications that the incidence of identity theft has increased dramatically since our 2002 audit and it continues to be a major concern of consumer protection and law enforcement agencies. The Department has identified identity theft or fraudulent identities as a significant risk not only to the management of the SIN and the Register, but also to federal programs that rely on this information.

6.11 Growing security concerns, identity fraud, and use of the Internet and telephone for service delivery have heightened the importance of confirming identity. In November 2002 the Federal/Provincial/Territorial Council on Identity in Canada issued a policy framework to guide processes for establishing identity by governments in Canada. One of the primary goals of the framework is to protect the Canadian public from identity theft and identity fraud. The Council suggested that government-issued documents should be based on an appropriate degree of assurance that the bearer is who he/she claims to be. It also highlighted the importance of foundation documents, such as provincial birth certificates and citizenship and immigration documents; strong verification processes; and the protection of privacy in establishing identity.

Focus of the audit

6.12 The objective of our audit was to assess the progress Human Resources and Social Development Canada and the Treasury Board Secretariat have made in responding to observations and recommendations contained in the 2002 audit of the Integrity of the Social Insurance Number. We looked at the progress made in response to each of the 10 recommendations made in our previous report. Specifically, we assessed whether the Department and the Treasury Board Secretariat had taken satisfactory action to ensure the appropriate use of the SIN; to strengthen the process for issuing new SINs and replacement cards; to ensure the accuracy, completeness, and reliability of the data in the Social Insurance Register; and to improve the investigation of SIN-related fraud.

6.13 More details about the audit objectives, scope, approach, and criteria are in About the Audit at the end of this chapter.

Observations and Recommendations

Appropriate use of the Social Insurance Number

6.14 The Privacy Act governs how federal government organizations should manage personal information, including the Social Insurance Number (SIN). In 1989 the Treasury Board approved the Policy on Data Matching and Control of the Use of the Social Insurance Number (now included in its Policy on Privacy and Data Protection) to ensure that government organizations correctly applied the provisions of the Privacy Act. The policies also aimed to address two concerns: that the SIN would become a universal identifier, and that matching and linking of personal information, perhaps by using the SIN, represented a threat to individuals' privacy and therefore needed to be appropriately controlled.

6.15 To address the first concern, the Treasury Board's Policy on Privacy and Data Protection confirmed the government's intention to prevent the SIN from becoming a universal identifier. Federal programs can use the SIN for administrative purposes only when specific legislation authorizes this use, or when the use meets all three of the following conditions:

  • it is directly related to a use authorized by legislation;
  • it is related to pensions, income tax, or health and social programs; and
  • it is authorized by the Treasury Board.

6.16 Since our 2002 audit new uses of the SIN and the Social Insurance Register in the federal government have occurred in ways consistent with the Treasury Board's Policy on Privacy and Data Protection, for example, through

  • changes to legislation or regulations, such as the 2004 amendments to the Old Age Security Regulations, which allowed the use of the Social Insurance Register to determine the age and identity of applicants;
  • increased use under existing legislative authorities, such as the automated use of the Register to validate the identity of applicants for Employment Insurance; and
  • Treasury Board authorization to add new programs to the list of authorized uses, such as the Opportunities Fund for Persons with Disabilities, added in 2003.

6.17 Exhibit 6.1 lists the current federally legislated and Treasury Board-authorized uses of the SIN.

6.18 To address the concern about increased matching and linking of personal information, the Treasury Board's policy requirements for data matching included detailed procedures for federal organizations to follow when considering a data match. The requirements for analysis, consultation, and public notification aim to ensure that any match undertaken is necessary, and that its implementation is transparent to Canadians. In May 2002 the Treasury Board issued the Privacy Impact Assessment Policy, which effectively extended the policy on data matching by requiring federal organizations to assess the privacy implications of the design, implementation, and evolution of programs and services. This includes any new data matching activities or changes in the use of personal information, including the SIN.

Policy on the use of the Social Insurance Number has not been updated

6.19 In 1998 we reported a critical gap between the framework for using the SIN and its current role in the federal government. In particular, we reported that controls and responsibilities over data matching needed to be revisited. In our 2002 audit we found that a lack of clarity remained concerning the appropriate ways to use the SIN, and whether or not it was being used simply as a file number or also as a means to validate identity. The Treasury Board Secretariat had not updated the policy guidance on the use of the SIN since 1989 and had not assessed how federal programs were using it. We reported, however, that the Secretariat planned to undertake a review of SIN use and expected to report the results in June 2003. It committed to making every effort to resolve any issues with the policy that the review identified.

6.20 Since then the Secretariat completed the review and prepared a comprehensive report in August 2003. The report contained a historic overview of the use of the SIN, a review of the use of numerical identifiers and data matching in other jurisdictions, and input from various stakeholders. It also included a self-reported inventory of SIN use by all federal organizations, and looked at why and how departments were using the SIN. Finally, it outlined a complete picture of the issues involved and the decisions that will have to be made to arrive at a policy framework on the use of SIN and data matching in the federal government.

6.21 The review identified various gaps in the policies and guidelines issued to federal government departments on the appropriate use of the SIN. Work therefore began in the fall of 2003 to develop new guidance. Based on input from an interdepartmental committee on SIN use and data matching, the Secretariat started drafting updates to the policy instruments. It also sought views from various departments and the Office of the Privacy Commissioner on issues and difficulties to address in the proposed revisions.

6.22 The Secretariat informed us that progress in updating the policy framework was delayed in 2004 to address other pressing policy issues. Officials also informed us that when work on the SIN policy framework began again in 2006, its scope had been expanded to include all Treasury Board privacy policies as part of the current Treasury Board initiative to review all its policies. Current plans are to complete the revisions to the policies controlling the SIN in the federal government in the 2007–08 fiscal year.

6.23 In our examination of the use of the SIN by Human Resources and Social Development Canada during this audit, we identified clear examples of the types of weaknesses in the policy framework that the Treasury Board Secretariat identified in its 2003 review. These examples specifically relate to the Department's increased use of the SIN and Social Insurance Register to validate identity—an activity that falls within the Treasury Board definition of a data match. In particular, we noted the following:

  • The Secretariat's 2003 review noted that the definition of a data match is not clear and that, consequently, evaluating compliance with the data matching policy is problematic. We found that the Department has applied the Treasury Board's policy requirements for data matching inconsistently when implementing identity validations using the Social Insurance Register. When implementing a validation process for the Canada Student Loans Program, the Department acknowledged that the procedure was a data match and followed the requirements for analysis and consultation set out in the policy. However, when implementing a similar validation for the Old Age Security program, the Department indicated it did not consider the procedure to be a data match, and therefore did not follow the policy requirements.
  • The Secretariat's 2003 review observed that the mechanisms for monitoring compliance with the Treasury Board's policy requirements for data matching were weak, particularly because they rely on self-reporting by departments. We found that Human Resources and Social Development Canada did not adhere to the public notification provisions when it implemented the Canada Student Loans Program identity validation process using the Register.

6.24 Although progress had been good between our 2002 audit and 2004, under the current schedule, ten years will have passed since we first raised concerns about the policy framework for the use of the SIN within the federal government, and five years will have passed since the Secretariat identified specific gaps before revisions to the policy framework are completed. We consequently assess progress in this area as unsatisfactory (Exhibit 6.2).

One program continues to use the Social Insurance Number without authority

6.25 In our 2002 audit we found that three programs delivered by Human Resources and Social Development Canada (then Human Resources Development Canada) were using the SIN without proper authority.

6.26 As explained in paragraph 6.15 the Treasury Board can authorize a specific program to use the SIN where its use meets certain conditions. In 2003 the Treasury Board Secretariat requested and was granted authorization to add to the list of authorized programs two of the three programs that were identified in 2002 as using the SIN without proper authority: the Opportunities Fund for Persons with Disabilities and the Aboriginal Human Resources Development Strategy.

6.27 At the time of this audit, the third program, Youth Initiatives, had not been granted authorization to use the SIN, but continued to do so. Draft submissions requesting Treasury Board authorization were prepared in the 2003–04 fiscal year; however, they were never finalized. Instead, the Youth Initiatives program was restructured to align it more closely to the broader Youth Employment Strategy, which involved other departments. The Treasury Board Secretariat indicated that it would address the use of the SIN by all departments involved in the Strategy as part of its 2003 review of the use of the SIN and data matching in the federal government. However, as indicated in paragraph 6.22, actions to address gaps identified in the review have not been completed. Department and Secretariat officials told us that a renewed effort was underway in late 2006 to obtain the necessary authorization for Human Resources and Social Development Canada's administrative use of the SIN in its youth employment initiatives. As shown in Exhibit 6.2, progress in this area is rated as unsatisfactory.

6.28 Recommendation. The Treasury Board Secretariat should

  • meet its commitment to update the policy framework governing the use of the SIN in the federal government by 31 March 2008, and
  • ensure that the policy instruments governing the use of the SIN in the federal government close the gaps identified in its 2003 review.

The Treasury Board Secretariat's response. The Treasury Board Secretariat is committed to ensuring that the personal information of Canadians is protected in accordance with the provisions of the Privacy Act and the requirements of the Policy on Privacy and Data Protection, which governs use of the SIN and data matching by federal government institutions. As the Auditor General has noted, the Secretariat has already completed significant work on developing the proposed policy changes governing the use of the SIN and data matching. The Secretariat has completed a review of SIN and data matching practices across the federal government and prepared a comprehensive report in 2003. Extensive consultations have been undertaken with other federal institutions through a Secretariat-led Interdepartmental Committee and, as well, the views of the Office of the Privacy Commissioner have been sought on the proposed revisions.

The Secretariat will ensure that the Treasury Board policy requirements governing use of the SIN in the federal government are updated and clarified by 31 March 2008, to close the gaps identified in the 2003 Secretariat review.

A code of practice to encourage appropriate use of the Social Insurance Number has been developed

6.29 To combat the proliferation of inappropriate use of the SIN outside the federal government, we expected that, since our 2002 audit, Human Resources and Social Development Canada would have assessed the public awareness of how and when to use the SIN appropriately and taken steps to better inform stakeholders about its appropriate use.

6.30 In 2003 and 2005 the Department conducted various focus groups and surveys to evaluate the public's attitude and awareness of the SIN and to assess communication products related to its use. In response to these findings, the Department began work to better inform the broader public about the appropriate use of the SIN.

6.31 In particular, Service Canada has developed a code of practice on the use of the SIN. The draft code sets out the roles and responsibilities of all SIN users, including individuals, employers, private sector organizations, federal and provincial government partners, and Service Canada and its employees. It includes mechanisms for monitoring and ensuring adherence to the code, as well as requirements for annual reporting on its implementation and effectiveness. Service Canada informed us that it planned to publicly launch the code before the end of March 2007. As shown in Exhibit 6.2, progress in this area is rated as satisfactory.

Issuance of Social Insurance Numbers

6.32 The Employment Insurance Act and Regulations require that a SIN be issued only after determining an applicant's identity and citizenship status. Individuals apply for a SIN by submitting an application accompanied by proof-of-identity and proof-of-need documents. Service Canada reports that approximately 90 percent of applications are received in person at more than 320 local service centres across the country, with the remaining 10 percent of applications received by mail. Service Canada received approximately 1.5 million SIN applications in the 2005–06 fiscal year.

6.33 In 2002 we reported significant deficiencies in the way new SINs and replacement cards were issued—both regular and 900-series SINs (those issued to applicants who are not Canadian citizens or permanent residents). In this audit we examined the actions taken by Human Resources and Social Development Canada to address these concerns. Specifically, we reviewed its changes to the policies and practices associated with establishing identity and proving need, its improvements to the controls of 900-series SINs, and the Department's redesign of the SIN issuance process.

The proof-of-identity program has been strengthened

6.34 In 2002 we observed significant weaknesses in the Department's practices to accurately identify all persons to whom it assigns a SIN. In particular we were concerned about the reliability of the documents used to establish identity, as it accepted many different documents, some with known deficiencies.

6.35 Changes to the proof-of-identity program. Immediately after our last audit, the Department (then Human Resources Development Canada) implemented key changes to the documents it accepts as proof of identity and proof of need when issuing a SIN. Most notably, it reduced the number of primary documents from 38 to 13, and an applicant must submit only original documents issued from provincial vital statistics authorities or Citizenship and Immigration Canada. For example, the Department no longer accepts baptismal certificates or certified photocopies; instead, an individual must provide an original birth certificate issued by a province. These changes to the proof-of-identity program reflect the importance of using foundation documents as a basis of establishing identity—a principle recognized in the policy framework of the Federal/Provincial/Territorial Council on Identity in Canada.

6.36 Validating documents with issuing authorities. While the Department has improved the standards for the proof-of-identity program, challenges remain in its ability to validate foundation documents with the source authorities when issuing a SIN.

6.37 Citizenship and Immigration Canada is the source authority for some of the proof-of-identity documents required to obtain a SIN. The Department has had access to immigration data since 1996. In 2004 the Department (then Human Resources and Skills Development Canada) reported that obtaining electronic access to citizenship data was delayed pending a major systems upgrade by Citizenship and Immigration Canada, expected at that time to be complete in 2006. The Department informed us that it had begun discussions with Citizenship and Immigration Canada in August 2006 and that it expected to finalize an agreement by March 2007 to obtain access to citizenship data and improve its links to immigration data.

6.38 Provincial vital statistics agencies are the source authority for the other proof-of-identity documents required for a SIN. The Department has had real-time access to birth information in New Brunswick since 1998. It uses this information to validate the birth information applicants provide when applying for a new SIN or replacement card. Since 2004 the Department has been actively pursuing vital events information sharing agreements with provinces and territories. These agreements would allow the real-time exchange of data to validate information individuals provide at the time of a SIN application, as well as the development of integrated services, such as processing a SIN application and birth registration at the same time. The Department signed agreements with Ontario in 2005 and British Columbia in 2006. In June 2006 the Department reported to Parliament that it planned to have agreements in place with most provinces and territories within the next year. By the completion of our audit the Department had not yet established regular access to birth information with Ontario or British Columbia, but was working with the provinces to develop this capacity. Also, we were informed by Service Canada that an integrated SIN and birth registration service was available to residents of Ontario as of September 2006.

6.39 Satisfactory progress. In this audit we found that the Department has made satisfactory progress to improve its proof-of-identity program by strengthening the policies and practices associated with establishing identity and proving need (Exhibit 6.3). The Department has made reasonable efforts to improve its ability to validate documents it accepts as support for SIN applications with the authorities who issue them; nevertheless, it is essential that it continue to work diligently to establish this capacity as soon as possible.

Controls over 900-series Social Insurance Numbers have improved

6.40 Service Canada also issues SINs to short-term visitors, refugee claimants, seasonal workers, and foreign students. These numbers begin with a nine to distinguish them from regular SINs and to indicate that the bearers require separate authorization to work in Canada because they are not Canadian citizens or permanent residents.

6.41 In our 2002 audit we observed poor controls over these 900-series SINs. In this audit we found that Service Canada now requires applicants to provide original documents, such as a work permit from Citizenship and Immigration Canada, in order to prove their need for a SIN. The Department also requested amendments to the Employment Insurance Act and Regulations to add an expiry date to 900-series SINs, which is tied to a person's authorization to stay in Canada. This legislative change came into effect on 30 March 2003. Holders of 900-series SINs at the time of the change had one year to complete a new SIN application and provide valid documentation to prove their identity and need. If individuals did not renew their SIN within the one-year transition period, an expiry date of 3 April 2004 was automatically added to their SIN record. New applicants for 900-series SINs receive a SIN card bearing an expiry date. As shown in Exhibit 6.3, we rate the Department's progress in this area as satisfactory.

A redesign strengthens the Social Insurance Number issuance process

6.42 In 2002 we found that SINs were issued without proper control and that staff lacked adequate training, tools, and information. Some specific concerns included unclear roles and responsibilities, and inconsistent practices for confirming identity and eligibility for a SIN.

6.43 Starting in 2004 the Department conducted a detailed review of the full process for issuing a SIN, identifying significant inconsistencies, duplications, and risk areas. As a result of this review it developed a new SIN application process to improve service to Canadians and strengthen the issuance process (Exhibit 6.4). Service Canada began implementation of the new issuance process in March 2006.

6.44 Since the new issuance process was being implemented at the time of our examination, we did not audit its operation. Instead we reviewed its design to determine if the proposed changes would address our previous concerns. We reviewed the new process during our on-site visits and performed system walk-throughs to confirm our understanding of the manual and automated processes. Officials informed us that, as of November 2006, the new process was operational in all Service Canada Centres across Canada.

6.45 The new design. According to the design of the new process, service centre agents process an application by interviewing the applicant guided by an online application processing system that includes standardized searches of the Register and automated prompts to ensure consistency. Agents validate proof-of-identity and proof-of-need documents, determine eligibility for a SIN, update the Register, and issue the SIN while the applicant is physically present at the service centre with their original proof-of-identity and proof-of-need documentation. The agents identify and resolve anomalies in information immediately, sometimes with the assistance of on-site investigators. In contrast, under the previous system for issuing SINs, many of the validation processes were performed manually by agents located at the Department's National Services in Bathurst, New Brunswick, using the proof-of-identity information that service centre agents recorded on the paper application at the time of their initial review. Discrepancies or errors in information were resolved by returning the application to the service centre for follow-up with the applicant. Exhibit 6.4 illustrates the redesign of the SIN issuance process.

6.46 Mandatory training. An important way in which the new approach can be expected to strengthen the process for issuing SINs is the requirement for all service centre agents to be trained and certified before they are granted access to the Register. This mandatory training incorporates the updated proof-of-identity program and involves formal classroom training, coaching, and evaluation and certification of skills. Officials indicated that as of November 2006, more than 1,300 individuals had been trained and certified.

6.47 Some new risks. The new issuance process poses some new risks, however. Limited separation of duties exists in the new system since agents at service centres now have control over key steps in the issuance process. Also, significantly more individuals now have access to the Register to update and change information—more than 1,300 individuals compared to a few dozen previously.

6.48 A robust quality assurance system is essential to appropriately manage these risks. As of August 2006 the Department had implemented the first step of its quality assurance system for the new issuance process—mandatory training and certification of agents. The Department informed us that the remaining steps, such as random quality reviews and error measurement, would be implemented by March 2007. Officials acknowledged the new risks associated with the redesigned issuance process and the delay between its implementation and the implementation of the remaining steps of its quality assurance system. They informed us they were developing interim measures, such as reviews of system user access and spot checks of new SIN applications, to control the risks until the quality assurance system is fully implemented. We are satisfied with the Department's actions to manage the risks during this transition period.

6.49 Satisfactory progress. We found that, if implemented as designed, the new approach with its enhanced training requirements and automated tools and processes can be expected to strengthen the controls over how SINs are issued. Coupled with the improvements made to the proof-of-identity program and controls over the 900-series SINs, we rate the progress to improve the SIN application process as satisfactory, as shown in Exhibit 6.3.

The Social Insurance Register

6.50 The basic personal information that individuals who apply for a SIN provide is recorded in a database called the Social Insurance Register. The Register contains all SINs previously issued, as well as information on applicants, such as name, date of birth, and mother's maiden name. In the 2005–06 fiscal year, Service Canada spent about $19 million on the Register's administration.

6.51 In 1998 and again in 2002 we reported that the Register's data quality was a concern. We recommended that the Department (then Human Resources Development Canada) set goals for the completeness and reliability of the Register and take the steps necessary to meet them. In 2002 we also observed that inactive SINs could be used as a first step to access benefits, such as Employment Insurance and Old Age Security, because federal programs that use SINs were not informed of those identified in the Register as inactive.

6.52 In this audit we expected the Department to have clearly defined goals for the accuracy, completeness, and reliability of the information in the Register; to have taken steps to improve the data quality; and to have mechanisms to systematically maintain and measure the quality of the data. Given the Department's use of the SIN and data within the Register to validate identity, we also expected that when doing so, it would use the relevant information in the Register, keep the information up to date, and take appropriate actions based on the risks posed.

Goals for data quality have not been established

6.53 In this audit, we found that although the Department has continued its efforts to improve the Register, it has not yet clearly defined acceptable levels of accuracy, completeness, and reliability for Register data.

6.54 In an effort to set goals for the quality of Register data and to establish an action plan to achieve these goals, the Department completed a study in early 2004. This baseline study included, among other things, an assessment of the accuracy, completeness, and reliability of certain fields in the Register. It recommended immediate next steps, such as

  • determining which of the Register's data fields are key to validating identity;
  • establishing objectives for the accuracy of key fields; and
  • exploring ways to examine data accuracy levels, including validation with partners and accelerating the development of links with vital events information.

6.55 The Department conducted a second review in late 2004 to validate the findings of the baseline study and provide further analysis of the Register's data quality. This review reported that departmental initiatives underway to streamline the issuance process and obtain access to vital events information would contribute to improving the data quality but may take up to 18 months to fully implement. The review recommended that in the interim, the Department should take several actions, many of which echo the recommendations of the earlier baseline study. (See our overall assessment of progress to ensure data quality starting at paragraph 6.76.)

Efforts to improve the Register have continued

6.56 Since 2002 Human Resources and Social Development Canada has continued its efforts to improve the quality of Register data. Using the 2004 baseline study as a guide, the Department undertook cleanup efforts, many of which concentrated on areas identified in previous audits as indicators of potential weaknesses in the Register. For example, it has decreased the excess in the number of usable SINs over Canadian population estimates, as well as the number of SINs issued prior to 1976 without confirmation of identity.

6.57 The excess in the number of usable SINs over the population has decreased but needs monitoring. In 1998 and again in 2002 we observed discrepancies between the number of usable SINs in the Register and Statistics Canada's estimate of the Canadian population. Excess usable SINs in the Register are a concern because of the risk of fraud associated with multiple SINs belonging to one individual or SINs belonging to fictitious identities.

6.58 The Department has worked to better explain the excess and reduce it. The 2004 baseline study found that the excess SINs can largely be explained by out-of-date information (for example, unrecorded deaths) or information the Register does not capture (for example, emigration). We estimate that as of June 2006, the number of usable SINs exceeded the estimate of the Canadian population aged 30 years and older by about 2.9 million, a significant reduction from the 5 million excess reported in our 2002 audit.

6.59 The Department addressed the incomplete death information in the Register in several ways. For example, in 2005 it investigated SINs belonging to individuals over 100 years old, identifying a considerable number of SIN holders as deceased and removing these numbers from the usable SINs. Linkages with data from the Old Age Security and Canada Pension Plan programs have also assisted in maintaining up-to-date death information. Service Canada expects further improvements as it expands its access to vital events information.

6.60 The Department also marks SINs with extended inactivity as dormant. A SIN may be inactive for a variety of reasons including emigration, an unrecorded death, an unused multiple SIN, or a fictitious identity not in use. The dormant flag identifies the SIN as being at higher risk of fraud if it is subsequently used to access benefits.

6.61 Of the 2.9 million excess usable SINs in June 2006, 2.1 million were flagged as dormant. The Department excludes dormant SINs from the total number of usable SINs when reporting on the excess. Accordingly, as of June 2006, its estimate of the excess usable SINs is around 800,000. As we observed in our audit work and as the Department's own studies have noted, the dormant flag does not automatically render a SIN unusable; rather, it is an indication of risk associated with inactivity.

6.62 An excess in the number of usable SINs in the Register indicates a risk to data quality. Continued analysis and monitoring of the number of usable SINs in the Register compared to Canadian population estimates is therefore necessary. The Department has not adequately assessed the risks posed by the excess number of usable SINs, including those marked dormant and those that are not, since 2004.

6.63 The number of uncertified SINs in the Register continues to decrease. Prior to 1976 SINs were issued without requiring proof of identity. As of June 2006 the Register shows about 6.4 million of these uncertified SINs, a significant decrease from the 8 million reported in 2002. The number of uncertified SINs as of June 2006 represents about 20 percent of the usable SINs in the database. As was the case in 2002, the Department plans to validate additional SINs as it obtains access to provincial and territorial vital events information. (See our overall assessment of progress to ensure data quality starting at paragraph 6.76.)

Measuring the quality of Register data is limited

6.64 To properly manage the data quality, it is important to keep the information in the Register up to date and to systematically measure the accuracy, completeness, and reliability of the Register data.

6.65 Maintaining the data. We expected the Register data to be up to date, validated against source information, and corrected when identified as either out of date or in error. We found that the Department has some processes in place to maintain the data, but that opportunities for improvement exist.

6.66 Service Canada maintains the Register by undertaking various cleanup projects and by updating SIN information using secondary data sources. Examples of data transfer processes it uses to maintain some of the information include updating dormant information in the Register with data from the Canada Revenue Agency, and renewing the Register's death information with data from the Old Age Security and Canada Pension Plan programs. To help ensure the data continue to make sense and have not been corrupted, the Department uses regular system reports to identify, analyze, and correct errors during these updates.

6.67 Opportunities to improve the maintenance of the data exist, however. As noted in paragraphs 6.59 and 6.63, access to provincial vital events information would improve Service Canada's ability to validate Register data against source information.

6.68 Measuring quality. We expected that data quality would be systematically measured, not only to maintain the current quality level, but also to demonstrate improvements. We found that since 2002, the Department has at times measured some components of the quality of the Register data, but that measurement of the accuracy, completeness, and reliability of the data has been unsystematic and limited in scope. An independent review, commissioned by Service Canada in spring 2006, is the most recent assessment. The review observed that the Department had not defined critical versus non-critical errors in the database. The review included some limited testing of the accuracy and completeness of the data within the Register and recommended that management consider further testing to more precisely estimate the potential level of error in the entire database.

6.69 Since its creation Service Canada has been developing a methodology to measure the Register's data quality. This work culminated with studies conducted in early 2006 that proposed a methodology for a systematic approach to the measurement of errors, the development of key performance indicators, and an ongoing quality management strategy. Officials confirmed that by March 2007, they expected the quality measurement and reporting system to be established, and reporting on key performance indicators to be available. (See our overall assessment of progress to ensure data quality starting at paragraph 6.76.)

Using the Register to validate identity is a good control, but can be improved

6.70 In 2002 we observed that dormant SINs could be used as a first step to access benefits, such as Employment Insurance and Old Age Security, because federal programs that use SINs were not informed of those identified as dormant. In this audit we examined how dormant SINs and other information in the Register are used to validate identity in three social programs the Department administers: the Canada Student Loan Program (CSLP), Old Age Security (OAS), and Employment Insurance (EI).

6.71 Along with basic personal information, such as name, date of birth, sex, and mother's maiden name, the Register contains risk indicators, known as flags or conditions (Exhibit 6.5). In most cases, SIN flags are an alert to an unusual situation and indicate an increased level of risk.

6.72 Validating identity is the first step in assessing eligibility for program benefits. In each of the three programs we reviewed, the Department compares Register data to certain information the applicant provides, such as name and date of birth. If the information matches within predetermined risk-based tolerances, the applicant is considered to have been accurately identified. If it does not, additional processes are needed to resolve the discrepancy and confirm the applicant's identity. A mismatch in Register data and information the applicant has provided or the existence of a risk flag does not automatically make the SIN unusable, and the program must have manual processes in place to respond properly to these situations.

6.73 For the SIN validation processes and the use of risk flags to be effective, relevant information in the Register needs to be kept up to date and used as part of the identity validation process. Additionally, follow-up in the event of a discrepancy or a risk flag needs to be commensurate with the risk posed.

6.74 In this audit we observed differences in the way the SIN validation processes have been implemented, but overall these processes help improve identity validation. We found, however, that use of the Register in this way could be improved. Specifically, we noted that some key information was not kept up to date and that differences in practices were not always supported by an appropriate analysis of the risks posed:

  • The dormant risk flag was not kept current. The Department has updated the dormant flags only every second year despite internal policies indicating that the dormant flag information needs to be updated annually to reflect the most current information on the use or activity of a SIN.
  • The OAS and CSLP programs do not use the dormant flag in validating identity. Departmental officials told us that the decisions not to use the flag for these programs were based on risk, but they were not able to provide the supporting analyses. This approach also differs from the Department's descriptions of the purpose and functioning of this flag.
  • In the event of a discrepancy in the identity validation process for EI, applicants may be asked only to return a signed copy of their application instead of providing additional identification documents. The Department was unable to provide a risk analysis supporting this practice.
  • A date of birth mismatch on a CSLP application will be passed without subsequent follow-up when it is due to an incomplete birth record in the Register that originated from the immigration database. Though these cases are rare, the decision not to require follow-up was not based on an analysis of the risks posed and is inconsistent with practices followed in the event of other types of birth date mismatches in the CSLP SIN validation process.
  • Certain cases with high risk flags, such as a fraud flag, identified in the CSLP validation process were not being actively followed up on. Although they are not passed for the purposes of issuing a loan, it is still important to know how and why these SINs are being used to apply for benefits. While these situations are likely infrequent, the Department was unable to provide the volume of these types of cases.
  • Only one of the three programs we examined, the CSLP, had a formal process to facilitate the correction of information in the Register after resolving discrepancies in the course of a SIN validation.

(See our overall assessment of progress to ensure data quality starting at paragraph 6.76.)

6.75 Recommendation. When using the Register to validate identity, Human Resources and Social Development Canada and Service Canada should ensure

  • key Register information is up to date,
  • key Register information is used, and
  • their follow-up actions are commensurate with risk.

Human Resources and Social Development Canada's and Service Canada's response. The Department recognizes the importance of maintaining the integrity of key Register information and supports establishing efficient, effective, and consistent SIN validation processes. Since 2002 the Department has undertaken a number of initiatives to strengthen the integrity of key Register information, including introducing an expiry date on SINs issued to temporary workers to coincide with their authorized stay in Canada, and implementing agreements with Ontario and British Columbia to directly receive and validate birth and death information (representing 54 percent of the population).

To further ensure that key Register information is up to date, Service Canada is continuing its negotiations with other provinces and territories to implement similar agreements to receive and validate birth and death information. The Department is also continuing to ensure that due diligence is met with regard to the treatment of dormant flags.

Service Canada will undertake a study to confirm the use, usefulness, and relevance of the existing information, including risk flags, for programs that use the Register to validate identity. Options will be assessed to address identified weaknesses and implement necessary corrective measures in SIN-related program areas.

Moreover, the Department will continue to conduct investigations and follow-up commensurate with identified risk for programs under its responsibility.

Although heading in the right direction, progress to ensure Register quality is unsatisfactory

6.76 Our examination of the Social Insurance Register involved a number of areas related to data quality—setting goals, making improvements, measuring quality, and using the data to validate identity. The Department's work to improve the accuracy, completeness, and reliability of the data and to implement a quality management system for the Register is moving in the right direction. Nevertheless, Service Canada currently has no goals for data accuracy, completeness, and reliability, and we consider the lack of systematic and comprehensive measurement of the Register's data quality a significant risk given the importance of the SIN. The Department's use of Register data to validate identity is a good control that can be further improved. Based on the cleanup initiatives undertaken, the Register data may be more accurate, complete, and reliable than it was in 2002; but, without the systematic measurement of errors, Service Canada has limited assurance that its quality is adequate.

6.77 The quality of Register data is a long-standing issue. Our previous recommendations and those of the parliamentary committees emphasized the expectation that the Department will measure and report on progress in relation to specific goals and time frames. We first reported this issue in 1998 when we recommended the Department develop a comprehensive plan with appropriate measures and time frames to bring the reliability and completeness of the Register data to an appropriate level. The prevalence of identity theft and the associated risks and costs to individuals and other stakeholders make the integrity of the Register important not only for the Department, but for all programs that rely on the SIN. For these reasons, we rate progress in this area as unsatisfactory (Exhibit 6.6).

6.78 Recommendation. Human Resources and Social Development Canada and Service Canada should

  • set goals for the accuracy, completeness, and reliability of the data in the Social Insurance Register; and
  • implement a comprehensive quality management program to systematically measure, maintain, and report on the quality of the data in the Register.

Human Resources and Social Development Canada's and Service Canada's response. The Department agrees that establishing goals is important. At the same time, performance targets must be based on sound analysis. Therefore, prior to establishing goals, Service Canada undertook a number of studies on the accuracy of key fields in the Register, the use of vital events information, and the preparation of methodologies to estimate benchmark levels of Register error.

Service Canada will complete its work currently under way on benchmark levels to define key performance indicators for the ongoing measurement of Register completeness, accuracy, and reliability. Based on these results, Service Canada will establish goals for Register data and develop a plan to measure and report on performance in the 2007–08 fiscal year.

Public reporting is inadequate

6.79 In 2002 we found that the Department's reporting on the Social Insurance Register could be improved. Following our audit both the Public Accounts Committee and the Standing Committee on Human Resources Development and the Status of Persons with Disabilities made recommendations regarding their expectations for the frequency and content of the reporting (Appendix A).

6.80 Parliament asked for clear reporting. Specifically, the committees asked the Department for two types of information on its management of the SIN in order to monitor the extent and speed of activities:

  • results-based performance information, including defining expected results, targets, and reporting against those expectations; and
  • information on progress in developing and implementing improvements, including timelines for implementation and, where deadlines are missed, explanations and descriptions of corrective action.

6.81 The Department agreed to these recommendations. We therefore reviewed its reporting to Parliament on SIN-related activities. We expected to find results-based performance reporting, including clear performance expectations, targets, and reporting against those expectations, as well as information on improvement initiatives, with time frames and clear explanations of results that fell short of expectations.

6.82 Results-based performance reporting. At the time of the audit Service Canada had not yet developed performance expectations and targets to measure and report on the results of its SIN-related activities. It had therefore not reported on its SIN-related activities in this way.

6.83 Reporting progress on improvements. Since 2003 the Department has reported regularly on activities to improve the management of the SIN; however, some key information has not been fully reported. In October 2003 the Department issued a progress report on its SIN initiatives that included specific activities to achieve described objectives; results, both completed and in progress; planned next steps; and for the most part, timetables and milestones. Starting in the 2003–04 fiscal year the Department reported on the improvements to the management of the SIN in its departmental performance reports; however, some key information has not been included. In its 2003–04 Departmental Performance Report, explanations for deadlines that had been missed were limited. In subsequent Departmental Performance Reports, progress on only a few initiatives was described, commitments were often open-ended, time frames for achieving activities were not always clearly described, and progress was not updated when the initiatives were delayed or incomplete.

6.84 Good performance reporting is fundamental to effective governance and accountability to Parliament. In its February 2003 report the Standing Committee on Human Resources Development and the Status of Persons with Disabilities observed that it was difficult to assess the implementation and progress of the Department's SIN-related activities in the absence of deadlines for specific actions and reports on progress. Progress is rated as unsatisfactory (Exhibit 6.7).

6.85 Recommendation. Human Resources and Social Development Canada should ensure that its next reports to Parliament on the management of the Social Insurance Number and improvements to the Register include

  • clear and concrete performance expectations,
  • time frames for achieving these expectations,
  • key results reported against these expectations, and
  • explanations for gaps and shortcomings in the results achieved.

Human Resources and Social Development Canada's response. The Department is fully committed to continuing improvement in the management of the Register and the SIN and will address the Auditor General's recommendations in future reports to Parliament, such as the Departmental Report on Plans and Priorities and the Departmental Performance Report, once goals have been established.

Investigations related to the Social Insurance Number

6.86 In our 2002 audit we noted that the expanded use of the SIN both inside and outside the federal government had increased the potential for fraud. A fraudulently obtained SIN can be used to access federal and provincial social programs, to defraud banks, to misrepresent income to the Canada Revenue Agency, and to steal a real identity. New technologies have increased the opportunities to create fake or fraudulent SINs and SIN cards.

Steps have been taken to adopt a risk-based approach to investigations

6.87 In our 2002 audit we found that the Department (then Human Resources Development Canada) had not completed a risk-based analysis of its SIN-related activities. We were also concerned that investigations did not concentrate on high-risk areas.

6.88 Important steps to implement risk-based management have occurred. In 2003 the Department held workshops to identify and assess some risks associated with the SIN. In 2004 and 2005 it further articulated these risks and ways to manage them as it defined the Service Canada initiative and developed its three-year work plan and implementation strategy. For example, a risk identified in Service Canada's implementation strategy is that it had not built the foundations for program integrity. Mitigation plans included obtaining greater access to vital events information and developing enhanced risk analysis to identify and better target investigations. In late 2005 the Department amalgamated the risk management, integrity, and investigations functions for all Service Canada programs and services, including the SIN.

6.89 We found that the Department identifies SIN investigations in a variety of ways, many of which are based on risk:

  • The Department receives complaints or referrals from the public and partner organizations on potential abuse or reports of lost or stolen SINs.
  • Front-line staff use a risk-based approach to identify and refer suspicious or irregular applications to investigators prior to issuing the SIN. In all the sites we visited, the Department had successfully integrated this process into the front-line staff's responsibilities.
  • A risk flag or discrepancy in the information in the Register is identified when individuals apply for a SIN or other program benefits.

6.90 We also found that once identified, SIN investigations are no longer discretionary; procedures now require action for all SIN cases identified for investigation. Investigators with whom we spoke during our site visits confirmed these procedures.

6.91 A final step to ensure investigations concentrate on high risk is needed. A final and important step of risk-based management is adjusting to changing circumstances based on ongoing monitoring of identified risks and the strategies taken in response to them. The Department does not track information on the sources of SIN investigations or their results and it performs limited analysis of trends and patterns in the nature of investigations. For example, the Department has not performed a comprehensive review of investigations triggered by risk flags in the Register to determine if the flags are effective at identifying cases requiring investigations, as was recommended in the Department's own studies on risk flags. This type of analysis would allow the Department to strengthen its processes for identifying and investigating cases based on lessons learned so that investigation efforts concentrate on the highest risk areas.

6.92 Progress is satisfactory. Since 2002 the Department has taken important steps in adopting a more risk-based approach to investigating SIN-related fraud. Although work is still required to fully implement risk-based management for SIN investigations, we rate progress as satisfactory (Exhibit 6.8).

6.93 Recommendation. Human Resources and Social Development Canada and Service Canada should implement a means to evaluate and monitor the causes and results of SIN investigations and use this information to ensure investigation efforts concentrate on high-risk areas.

Human Resources and Social Development Canada's and Service Canada's response. The Department is developing an enterprise-wide approach to risk management, and the SIN Application Review Program (SARP) is an integral part of this risk approach. The SARP is a front-end process, in which staff involved in taking SIN applications are required to assess the information presented and the client's demeanour. This is used to determine whether additional information is needed or whether the application should be referred to an investigator.

The Department plans to analyze and monitor the causes and results of SIN investigations, including the key factors related to the SARP, such as documentation used for the SIN application, and use these to target high-risk SIN investigations in the future.

Tools and training for investigators have improved

6.94 Since our last audit, the Department has developed and is now delivering an integrated course on SIN investigations. Although some investigators in the local offices we visited had not yet received this training, we noted that a key part of the course is identifying fraudulent documents and using the associated tools.

6.95 We also found that investigators have access to a variety of tools, including new sources of information, for example, risk alerts shared from partner organizations such as the Canada Border Services Agency. Investigators in the offices we visited indicated that one of the most useful tools was the guide containing pictures and descriptions of authentic documents. This reference guide was available in all the local sites we visited, though it was last updated only in 2003.

6.96 As shown in Exhibit 6.8, we found that the Department has made satisfactory progress in providing SIN investigators with more formal training and access to adequate tools. However, it needs to keep the information current.

6.97 Recommendation. Human Resources and Social Development Canada and Service Canada should ensure that investigators have access to current training and tools for identifying fraudulent documents and investigating SIN-related fraud.

Human Resources and Social Development Canada's and Service Canada's response. The Department has developed training and tools to assist investigators in identifying fraudulent documents and investigating SIN-related fraud. This material will be regularly updated to ensure it remains complete, accurate, and relevant in conducting investigations on SIN-related fraud.

Conclusion

6.98 Overall, progress in addressing our 2002 audit observations and recommendations has been unsatisfactory. While satisfactory progress has been made in several areas, two important issues are not yet resolved. First, the policies that govern how federal departments may use the SIN are not clear. Second, Human Resources and Social Development Canada does not systematically measure the quality of information in the Social Insurance Register. Both are long-standing issues that we first raised in 1998. Although we found that the Department and the Treasury Board Secretariat have taken important steps to develop a better understanding of these two key issues and to define options for resolving them, we believe that by this time the government should have implemented solutions.

6.99 The use of the SIN by federal organizations is governed by provisions of various pieces of legislation, as well as elements of various policies and guidelines. As the Treasury Board Secretariat noted in its 2003 review of SIN use in the federal government, several elements of the policy and guidelines issued to departments are unclear and open to different interpretations. The Secretariat has still not issued updated policies and guidelines. In the meantime, this lack of clarity leads to inconsistent application of policy requirements, thereby increasing the risk of inappropriate use of the SIN.

6.100 Service Canada has made satisfactory progress in addressing deficiencies in many areas. For example, the development of the SIN code of practice, the redesign of the SIN issuance process, changes to proof-of-identity standards, and improvements to the identification and investigation of SIN-related fraud represent considerable work to strengthen the management of the SIN.

6.101 Service Canada has also made efforts to improve the quality of the data in the Register; however, it has not established goals for data quality, and its measurement of the accuracy, completeness, and reliability of the data is unsystematic and limited in scope. Accordingly, it has limited assurance that the quality of the information is adequate. Service Canada informed us that it plans to address these issues with the quality management strategy currently under development.

6.102 Obtaining improved access to vital events information is an important part of Service Canada's plans to address several outstanding issues—such as validating proof-of-identity documents with source authorities, measuring and maintaining the Register's data quality, and further improving investigations. While Service Canada expects to have agreements in place with most provinces and territories by March 2007, these agreements represent only the first, albeit important, step. Service Canada's challenge will be to work with the provinces and territories to fully implement the various aspects of these agreements in a timely manner.

6.103 The growing incidence of identity theft, fraud, and security risks necessitates strong management of the Social Insurance Number—including clear policy guidance on its use in the federal government—that better reflects today's risks and challenges. Although heading in the right direction, Human Resources and Social Development Canada and the Treasury Board Secretariat need to quickly and successfully implement sustainable solutions to ensure that the SIN is appropriately used and adequately safeguarded.

About the Audit

Objective

The objective of the audit was to assess the progress Human Resources and Social Development Canada and the Treasury Board Secretariat have made in responding to observations and recommendations contained in the 2002 audit of the Integrity of the Social Insurance Number.

Scope and Approach

Our audit was designed to follow up on the progress made in addressing the 10 recommendations made in the 2002 audit. The observations and recommendations of this audit concerned the appropriate use of the SIN; the process for issuing new SINs and replacement cards; the accuracy, completeness, and reliability of the Social Insurance Register; and the investigation of SIN-related fraud. The 2002 audit was itself a follow-up of a previous audit report in 1998. Where relevant we considered the observations and concerns raised in the 1998 audit.

The departments included in our audit were

  • Human Resources and Social Development Canada, including Service Canada; and
  • the Treasury Board Secretariat.

We conducted audit work at the national headquarters of the Treasury Board Secretariat and of Human Resources and Social Development Canada. In addition, we visited the regional headquarters, two local service centres responsible for service delivery, and SIN operations in each of the following three regions: Ontario—Toronto; Québec—Montréal; Alberta—Edmonton. Finally, we reviewed operations and processes used to manage the Social Insurance Register at National Services in Bathurst, New Brunswick.

Our work involved interviews, document review, analysis of Register data, process and system walk-throughs, and testing of sample cases. In particular we examined the following:

  • the steps taken by the Department and the Treasury Board Secretariat to support appropriate use of the SIN within the private sector and within the federal government;
  • the changes the Department had implemented and was implementing to strengthen controls over the issuance of new SINs and replacement cards, both regular and the 900-series SINs;
  • the actions the Department had taken to improve the accuracy, completeness, and reliability of Register data; to set goals for measuring and monitoring its quality; and to report on its SIN-related activities;
  • how the Department uses the information in the Register to validate identity in three social programs it administers: Employment Insurance, Old Age Security, and Canada Student Loans; and
  • the changes the Department made to adopt a more risk-based approach to investigating SIN-related fraud, including how it identifies cases requiring investigation, how it ensures that its investigative resources are concentrated in areas of highest risk, and the tools and training it provides to investigators.

Criteria

The following criteria guided our audit work:

  • The SIN should be collected and used according to legislation and policy.
  • The Treasury Board Secretariat should monitor departmental compliance with its policy requirements on the use of the SIN and data matching.
  • Human Resources and Social Development Canada should be aware of how the SIN is used and should encourage its proper use.
  • Human Resources and Social Development Canada should make reasonable efforts to ensure that it provides new SINs and replacement cards only to eligible individuals.
  • Human Resources and Social Development Canada should make reasonable efforts to ensure that the Social Insurance Register is accurate, complete, and reliable for authorized uses.
  • Reporting on activities to improve the management of the SIN, including the quality of Register data, should be complete and accurate.
  • Fraud detection and investigation efforts should be based on risk.

These criteria were based upon the Employment Insurance Act and Regulations; the Privacy Act; the Treasury Board's Management Accountability Framework and Integrated Risk Management Policy, as well as the Treasury Board's policies on Privacy and Data Protection and on data matching.

Audit work completed

Audit work for this chapter was substantially completed on 31 August 2006.

Audit team

Assistant Auditor General: Nancy Cheng
Principal: Sylvain Ricard
Director: Nicholas Swales
Project Lead: Jennifer McLeod

Véronique Duguay
Julie Poirier
Étienne Robillard
Lisa Séguin
Annie Thériault

For information, please contact Communications at 613-995-3708 or 1-888-761-5953 (toll-free).


Definitions:

Administrative purpose—Use of the SIN or other personal information about an individual in a decision-making process that directly affects that individual, for example, as part of determining whether an individual is eligible for a particular benefit. In contrast, a non-administrative purpose occurs when no decisions are being taken in relation to individuals, for example, for statistical, research, evaluation, or audit purposes.

Data match—The comparison of personal information obtained from different sources.

Proof-of-identity program—The requirement for individuals applying for a SIN to provide documentation such as a birth certificate to confirm their unique identity. The concept, established in 1976, was intended to permit the unique verification of an individual's identity and status in Canada in order to prevent the multiple issuance to and use of SIN numbers by a single individual.

Vital events information—Information held by provincial and territorial governments on key life events, such as births, deaths, marriages, or name changes.

Data quality—The degree of accuracy, completeness, and reliability of information.

Usable SIN—A SIN that exists in the Social Insurance Register and is not identified as lost or stolen, used or obtained fraudulently, expired (for 900 series), cancelled, or belonging to a deceased individual.

Dormant SIN—A SIN that the Department has identified as higher risk due to its lack of recent activity or use. Using information provided by the Canada Revenue Agency, the Department marks a SIN as dormant if it belongs to an individual 23 years or older who has not filed a tax return or for whom no income was reported in the last five years (for example, government-issued benefits, interest-bearing bank accounts, work income, investments, and tax returns).

A SIN remains dormant until it is used in an income-related activity or until an application for a new, replacement, or amended SIN is received and the SIN holder provides proof of identity and an acceptable explanation for the period of inactivity.

Uncertified SIN—A SIN issued without any requirement to provide proof-of-identity documentation. Prior to 1976, no proof-of-identity program existed.

Risk-based management—A systematic approach to making program decisions and taking action by

  • identifying the risks;
  • assessing and ranking the risks;
  • selecting and implementing strategies to reduce the risks; and
  • monitoring and evaluating the risks and mitigation strategies, and adjusting them accordingly.