said by DKS:
Indeed. They can have your SIN for Canada Revenue purposes.
Your SIN is the authorized number for income tax purposes under section 237 of the Income Tax Act and is used under certain federal programs. You have to give it to anyone who prepares information slips (such as a T3, T4, or T5 slip) for you. Each time you do not give it when you are supposed to, you may have to pay a $100 penalty. Check your slips. If your SIN is missing or is incorrect, advise the slip preparer. You also have to give it to us when you ask us for personal tax information.
Your SIN card is not a piece of identification, and it should be kept in a safe place. For more information, or to get an application for a SIN, contact Service Canada.
If you read the report the SIN is legitimate to use when starting a buisness and or post billed service (credit) relationship to verify the personage, but its not legal to make it the only identification unless dealing with the primary provider only -- Revenue Canada (it remains optional for everyone else.)
its just a matter of laziness and 3rd parties that refuse anything else until they are all complained against. Since everything is outsourced of course, you rely on your 3rd party to tell you what is legal or not and to do the background research for you. That and having your own privacy legal team as required by law can be severely expensive.
Naturally the privacy commissioner can't go after the third parties people (since their only activated when a customer complains about a direct interaction) so its the primary service provider that gets it.:rolleyes:
(since most people don't know or have any direct relationship with the aggregates, privacy commissioner can't do anything.)
Reccomendation 114 and recommendation 92 in that report is always the kicker with every single telco operator thanks to mass production in the call centre Environment. Without the solid source you start asking for really really weird questions that get very intrusive. Forcing every service contract to wait 48 or more hours for approval of service will put you out of buisness so its part of the buisness to verify instantly, in whatever means possible.
The Telco/store/employer/merchant/bank for instant gratification uses some third party provider who themselves refuses anything but such information for their aggregation. The chain of command from then on makes the third party's practices the company's practices though hard-coded processes.
Even up to those in PR who are as hard-coded as the CSR robots on the phone. (hence the Cogeco issue mentioned)
(see 'Express Address' on Pg 41 and 42. I bet thats whom Sasktel uses for identity verification. Hence why their mentioned)
That, outdated CRM software that forces them into archaic methods (because their too cheap to do it properly like 90% of IT out there), zero tolerance scripting on everything, and mass production cause these kinds of issues.
Its probably cheaper for Sasktel to pay the modest fine they'll get then to implement the training runs outside of their outsourcing.
Though change the third party and you will see these things stop dead flat within 3 months.
Like everyone you will see the process change to reflect more legal means once the verification methods (forced) into doing the checking via primary sources in-house, or through an aggregator that does.