Collection and Storage of Students' SIN Numbers Policy
- Owner: Registrar's Office
- Approver: Board of Governors; Provost and Vice-President, Academic
- Approval Dates: June 27, 2011
I. Preamble
The Social Insurance Number (SIN) is used by the Canadian Revenue Agency for tax reporting purposes. Although only certain government departments and programs are authorized to collect and use the SIN, there is no legislation that prohibits organizations from asking for it.
The SIN is a key piece of personal information that can be used to access other personal information and to commit identity theft. It is essential that organizations have in place clear policies and practices related to the collection, use, and storage of individual SIN’s to ensure that they are carefully protected.
At Toronto Metropolitan University (the "University"), the SIN policy will be supported by the University’s privacy protection policy.
II. Lawful Authority to Collect the SIN
The authority to collect and use the SIN is tied to a specific legislated purpose not to a particular organization. There are at least three Acts that provide lawful authority for the University to collect the SIN from students. These include:
1. Canada Student Financial Assistance Act and Regulations
2. Canada Student Loans Regulations (Canada Student Loans Act)
3. Income Tax Act
III. Purpose
This policy outlines authorized transactions at the University relating to the collection and use of the SIN and storage of this data in the Student Administration System (SAS) database. This policy will indicate the instances that require the University to ask for and store the SIN of its students.
IV. Policy
1. Acceptable Uses of SIN by the University
A student’s social insurance number is required by the University for three distinct purposes:
a. The processing of Ontario Student Assistance Program (OSAP) applications and the distribution of OSAP funding. All communication and data sharing between the University and the National Student Loan Centre require the SIN as the main identifier of the student.
b. The preparation of income tax documents the University is required to provide for all students who have been awarded a scholarship, bursary of other monetary prize.
c. As part of the documentation related to the employment relationship when students are hired for work by the University including employment funded through the work study program. This data would be collected and stored by Human Resources and is not addressed in this policy.
2. Collection and Storage of SIN
a. The social Insurance number should not be requested from any student or applicant except related to the acceptable uses noted above.
b. For OSAP purposes the SIN is collected through the OSAP application process and is stored in the bio/demo section of the student record in SAS.
c. For taxation purposes related to scholarships and bursaries the SIN should only be collected from recipients once they have been awarded a scholarship or bursary and not collected or stored through the application process.
d. No other forms in the Registrar’s Office including transcript request forms, course enrollment forms, etc. should include any request for the SIN.
e. No documents or lists should be produced by the University containing an individual student’s SIN unless required for one of the acceptable uses of SIN as described in this policy.
f. No false or temporary SINs should be entered into SAS manually or through file uploads.
3. Access to SIN Data
a. Only authorized staff should have access to the student SIN data stored in SAS.
b. Departments with staff who have access to the SIN data are required to have staff access control procedures in place.
c. All staff who are authorized to view and/or use the SIN data in SAS should receive annual training related to the information privacy policies of the University and in particular the information that is most sensitive related to identity theft issues i.e. name, birth date, SIN, etc.
4. Security of SIN Data
All documents, applications, or lists containing an individual student’s SIN should be stored in a location that is secure and can only be accessed by staff who have authorized access to this type of information.
5. Destruction of SIN Data
Where a business need no longer exists for the use of SIN data in SAS, it must be purged from the system.
6. Notification Related to This Policy
All processes and forms requiring the collection of SIN are to include a statement to the students indicating the university’s privacy policy and for what purpose their SIN is being collected and stored. In each case language should be developed in consultation with the University's Information and Privacy Coordinator.
V. Jurisdiction
This policy is under the joint jurisdiction of the Provost and Vice President Academic and the General Counsel and Secretary of the Board. Responsibility for ensuring that this policy is adhered to lies with the Registrar of the University.