Compliance, April 18, 2026, 8 min read

Your HR Team Is Leaking SINs Every Week and Nobody Is Checking

Canadian HR teams handle SINs, banking details, and medical records daily. Most have no automated PII detection in place — and the exposure is happening right now.

By Canuckt AI Team

This article is available in English only. A French version will be available soon.

The SIN Problem Nobody Talks About

Every time a Canadian employee is onboarded, their Social Insurance Number passes through at least four or five hands — the hiring manager who collected it on the TD1 form, the payroll administrator who entered it into the system, the HR coordinator who filed the paper copy, the benefits provider who needs it for enrollment. In a company of 50 people, that's hundreds of SIN touches per year, happening over email, shared drives, printed forms, and payroll software exports.

The Privacy Commissioner of Canada's guidance on SINs is clear: you should only collect them when legally required, you should store them securely, and you should not retain them longer than necessary. What the guidance doesn't tell you is how to actually enforce any of that when your HR team is running on a mix of Outlook, Google Drive, BambooHR, and a filing cabinet.

Most organizations know they have a SIN problem. Almost none of them know how big it is.

What an Actual HR Data Leak Looks Like

Here's a scenario that plays out regularly across Canadian organizations. A payroll coordinator sends a spreadsheet to a new benefits broker. The spreadsheet was built for internal use — it has employee names, start dates, salary bands, and SINs because someone added that column three years ago and it never got removed. The broker receives it, processes what they need, and stores it on their own systems. Nobody flagged the SIN column. Nobody asked whether the broker needed those numbers. The transfer wasn't documented.

That's a PIPEDA violation. The information was disclosed to a third party without authorization, for a purpose beyond what it was collected for, with no contractual safeguard in place. The organization didn't know it happened because there was no automated system looking for SINs moving through their file-sharing infrastructure.

The same pattern repeats with banking information collected for direct deposit. With disability or medical documentation submitted during a leave of absence. With addresses and emergency contact details that end up in onboarding packets forwarded to managers who didn't need them.

Why Manual Processes Can't Catch This

The problem with relying on human judgment to catch PII exposure is that it scales in the wrong direction. As your organization grows, the number of PII-bearing documents grows faster than the number of people paying attention to them. A 10-person company can reasonably expect the founder to know where sensitive information lives. A 75-person company cannot.

HR staff aren't privacy specialists. They're good at hiring, benefits administration, and keeping people organized. Asking them to manually audit every outgoing document for SINs, banking details, health information, and home addresses on top of their actual job creates resentment and selective compliance. They'll catch the obvious ones and miss the embedded ones — the SIN in a PDF attachment, the address embedded in a scanned form, the banking details that got OCR'd into a searchable format.

Automated PII detection doesn't replace good HR judgment. It supplements it by catching what humans miss at volume.

The Specific PII Types Flowing Through HR

A realistic HR department handles most of the following on a regular basis:

Identity documents: SINs, driver's licence numbers, passport numbers collected during background checks or I-9 equivalent verification, permanent resident card numbers.

Financial data: Bank account and routing numbers for direct deposit, salary history from previous employers, benefits contribution amounts, garnishment details.

Health information: Disability certificates, doctor's notes, insurance claim documentation, accommodation requests that describe medical conditions.

Background check results: Criminal record checks (where legally permitted), reference check notes that may include personal details, credit check results for certain roles.

Emergency contacts: Home addresses, personal phone numbers, details about family members who haven't consented to any data collection at all.

Each of these has different sensitivity levels and different handling requirements under PIPEDA. The SIN specifically should trigger the highest level of scrutiny — the OPC has issued specific guidance that SINs should only be collected when required by law, and that their unnecessary collection is itself a violation.

What PIPEDA Actually Requires of Employers

PIPEDA applies to employee information in federally regulated workplaces. For provincially regulated businesses in Quebec, Alberta, and British Columbia, provincial privacy laws apply instead — and Quebec's Law 25, in particular, imposes stricter requirements than PIPEDA on many points.

The core obligation under PIPEDA is accountability. Your organization is responsible for the personal information it holds, including how it's collected, stored, used, and disclosed. The accountability principle doesn't care that a leak happened because of a third-party payroll processor or a careless email. The obligation stays with your organization.

The breach of security safeguards provisions that came into force in 2018 add another layer. If a data breach creates a "real risk of significant harm" to employees, you must report it to the Privacy Commissioner and notify affected individuals. The threshold for "significant harm" includes financial harm — which leaking a SIN or banking details clearly satisfies.

Starting to Understand Your Exposure

The first step isn't buying software. It's doing an honest inventory of where employee PII currently lives in your organization. A useful exercise is to map the lifecycle of a SIN: where is it collected, what systems store it, who has access, where has it been sent externally, and how is it destroyed when an employee leaves.

Most organizations that go through this exercise discover PII sitting in places they didn't expect: old email threads, shared Google Drive folders with overly broad access, HR reports that get exported and forgotten, backup systems that haven't been audited in years.

Automated scanning — running detection against your file stores, email archives, and shared drives — gives you a picture of the actual exposure, not the hypothetical one. That's where a tool like Shielk changes the conversation from "we think we're compliant" to "here's exactly where our SINs live and who has touched them."

The organizations that take this seriously before an incident are the ones that avoid reporting obligations. The ones that discover their exposure during an OPC complaint investigation are the ones that learn what compliance actually costs.

