"Ben Laurie wrote"
> [EMAIL PROTECTED] wrote:
>> Example:
>> Cash_Ur_check is in the business of cashing checks. To cash a check,
>> they ask you for "sensitive information" like SIN, bank account number,
>> drivers licence number, etc. They use the information to query
>> Equifax or the like to see if the person has a good credit rating, if
>> the rating is o.k. they cash the check. They keep all the information
>> in the database, because if the client comes back 2 months later, they
>> will send the same query to Equifax to see if the credit rating hasn't
>> changed.
>> These pieces of sensitive information are "indexes" to external databases (but
>> Cash_Ur_check doesn't directly connect to these other databases).
>> Cash_Ur_check doesn't need to use these data as indexes. Cash_Ur_check
>> can use first/middle/last name of person as an index, or attribute some
>> random number to the person, or something else, they should not use the
>> SIN to identify a person. They should not do searches on SIN to find a
>> person given his SIN.
>
> Sure, but Equifax should.

No, they shouldn't! If you think they should, you are misinformed. At least in Canada, the Privacy Act protects the SIN, Equifax cannot demand it.

See for example
http://www.privcom.gc.ca/fs-fi/02_05_d_02_e.asp
and
http://www.guardmycreditfile.org/index.php/content/view/244/139/
which says the following:

"Even credit reporting companies can’t demand a SIN to generate a credit report. Trans Union Canada and Equifax Canada both have the ability to generate such reports without a SIN. If you ask these same companies to generate a credit report in the United States, they both require a Social Security Number."

And if Equifax Canada can generate reports without a SIN, I don't see why Equifax in any other country couldn't. Of course, they like to have the SIN, since it makes things more convenient, but they don't really need it! That is the problem in most cases.

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]