PIPEDA Case Summary #2003-182

Couple allege non-consensual disclosure of personal information by credit reporting agency

[Principles 4.3 and 4.10.4, Schedule 1]

Complaint

A husband and wife complained that a credit reporting agency had

1. released their personal credit information to a company that had not obtained their consent; and
2. had not properly pursued an investigation into their complaint.

Summary of Investigation

The complainants had applied to the agency for copies of their respective credit reports. On receiving these, they observed that there had been disclosures of their credit information to a certain credit grantor with which they had never had any direct dealings and to which they had never authorized such disclosures. The couple complained to the agency, voicing their suspicion that the credit grantor in question had gained unauthorized access to their credit files at the request of its parent company, the wife's former employer with which she was currently engaged in a dispute. An agency representative told the complainants that their allegations would be investigated and the investigation results made known to them.

When they called three weeks later for a progress report, a different agency representative told them that no internal investigation had been initiated. This representative suggested that they make their own inquiries since the parent company in question was not a client and the agency thus had no jurisdiction to investigate. A third representative subsequently assured them that the agency would investigate their complaint, but by this time they had no confidence in the agency's word. They took their complaint to the Commissioner's Office.

The Office confirmed firstly that the third agency representative had indeed initiated an internal investigation. The owner of the parent company admitted to the agency that he had obtained the complainants' personal credit information without their authorization through his company's subsidiary, the credit grantor. While acknowledging that credit rules and regulations had been broken, he stated that extraordinary circumstances relating to his company's dispute with its former employee had compelled him to take such action.

The credit grantor's standard contractual agreement with the agency stipulated that the client must order consumer credit reports only for permissible purposes and must first obtain all consumer consents required under the applicable provincial credit reporting legislation. The agreement also stated that the agency could immediately terminate or suspend service if it reasonably believed that its client had breached any condition.

The agency did not terminate or suspend service to the offending credit grantor, but rather placed it on a year's probation. The agency assured the Office that this punitive measure would include audits and monitoring of the client's credit information applications and that further failure to comply would result in termination of the contract. However, there was evidence to suggest that the agency only imposed this measure when the Office requested proof of action taken.

After completing its investigation, the agency did not inform the complainants of the results for eight weeks, and then only after the Office indicated that this should be done. The agency notified the complainants that the unauthorized credit inquiries had been removed from their files because the client had been unable to prove a legitimate purpose or valid consent. The agency apologized to the complainants for any inconvenience caused.

Commissioner's Findings

Issued July 10, 2003

Jurisdiction: As of January 1, 2001, the Act applies not only to any federal work, undertaking, or business, but also to any organization in respect of disclosures of personal information outside a province for consideration. The Commissioner had jurisdiction in this case because the credit reporting agency in question engaged in such disclosures. However, the Commissioner did not have jurisdiction over the two other companies involved in the complaint.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.10.4 states that an organization must investigate all complaints and, if a complaint is found to be justified, must take appropriate measures, including, if necessary, amending its policy and practices.

Regarding Principle 4.3, the Commissioner deliberated as follows:

• There was no dispute that the credit grantor, at the request of its parent company, had obtained credit reports about the complainants from the agency without seeking their consent and that this transaction thus constituted unauthorized access to personal information, in contravention both of the applicable provincial legislation and of the credit grantor's contractual agreement with the agency.
• Conversely, there could be no dispute that the agency had, in a literal sense, disclosed the complainants' personal information to a third party without their consent. The question, however, was whether in the circumstances the agency might reasonably be held responsible for a breach of the Act.
• It was clear that the agency not only had not known that the complainants' knowledge and consent were lacking, but in fact had presumed, on the basis of a contractual agreement, that the company's purpose was permissible and that consent had been duly obtained.
• Given that these obligations had been clearly set out in the agency's standard contractual document, it was reasonable for the agency to have presumed that the signatory to the document had met them.

The Commissioner found therefore that the agency's disclosure of the complainants' personal information had been made in good faith and on reasonable presumption of consent, and thus did not in itself offend the Act.

Regarding Principle 4.10.4, observing that this principle was as much about an organization's follow-up to an investigation as about the conduct of the investigation itself, the Commissioner deliberated as follows:

• Though satisfied that the agency had indeed carried out an investigation, the Commissioner had some concerns regarding the adequacy of the follow-up.
• According to Principle 4.10.4, an organization must take appropriate measures if the investigation shows the complaint to be justified. The agency had found the complaint to be justified and had eventually taken certain measures against its client, but the measures taken - notably, that of putting the client "on probation" - fell short of being appropriate.
• In the first place, the evidence strongly suggested that the measures had been taken only at the Office's prompting.
• Secondly, even if the Act did not make it explicit, it was reasonable that one immediate measure an organization should take at the conclusion of a complaint investigation is that of informing the complainant of the results. It appeared, however, that the agency only notified the complainant of the results after the Office suggested that it was the appropriate thing to do.
• Thirdly, and most importantly, the measures taken by the agency had not been appropriate in relation to the seriousness of the offence. Whereas the agency's standard contractual agreement warned of "suspension" or "termination" of services for clients reasonably believed to be in breach, the agency had imposed "probation". The Commissioner did not believe that such a sanction conveyed a strong enough message to the company that its actions were unacceptable. He noted that punitive measures regarding such privacy breaches should reflect due regard on an organization's part for the integrity of personal information in its care, and ideally should serve as a deterrent to further breaches of a similar kind.

In sum, the Commissioner found that the agency had not taken appropriate measures upon finding that the complaint was justified.

He concluded that the complaint was not well-founded in respect of Principle 4.3, but well-founded in respect of Principle 4.10.4..

Further Considerations

The Commissioner made the following recommendations:

1. The agency should consider imposing and enforcing tougher penalties upon client organizations found to be in breach of contractual terms relating to access to consumers' personal information. Penalties could begin with suspension of services, followed by a probationary period involving frequent and rigorous audits.
2. The agency should develop and strictly apply a policy stipulating the timing and method of informing a complainant of the results of an internal complaint investigation.