Common menu bar links

Home > Commissioner's Findings > Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

Institutional links

Got Spam? Learn how to protect yourself Securing Personal Information: A Self-Assessment Tool for Organizations Privacy For Small Business Online Tool Privacy Quiz for businesses Research funded by the OPC Privacy Breach? Information for Organizations How to lodge a Privacy complaint

Commissioner's Findings

Search Findings
Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2004-259

A bank required two specific pieces of identification as well as additional information in order to issue a bank card

[Principle 4.3.3]

Complaint

An individual complained that in order to obtain a bank card, she had to provide the bank with two pieces of identification, as well as additional information.

Summary of Investigation

When the individual requested a bank card, a bank employee requested two pieces of identification. The individual provided her driver's licence and her employee ID card containing her photograph, a physical description, and her date of birth. The bank employee refused to accept the ID card and demanded the individual's health insurance card. Then the bank employee asked for the individual's address and date of birth. The individual replied that this information was on the ID provided. The individual was refused the bank card. Subsequent to this incident, the individual met a bank official, who apologized for what had occurred and stated that it would not happen again.

Pursuant to the notice of complaint, a bank representative stated that the bank employee regularly asked for two pieces of ID, in contravention of bank policy. The representative said that the driver's licence that had been offered was actually sufficient to identify the individual and issue her a bankcard. Pursuant to these events, the bank urged the bank employee in question to update his training on the client identification required for a bankcard.

Findings

Issued January 27, 2004

Jurisdiction: The Personal Information Protection and Electronic Documents Act (the Act) has applied to federal businesses since January 1, 2001. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal business under the definition in the Act.

Application: Principle 4.3.3 of Schedule 1 of the Act stipulates that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.

The bank admitted that the driver's licence was sufficient to identify the individual and issue her a bank card. The Assistant Commissioner concluded that, in this case, the collection of personal information failed to comply with Principle 4.3.3 in Schedule 1 of the Act. She also found that a reasonable person would not find this kind of information collection acceptable for the purposes of obtaining a bank card.

The Assistant Commissioner pointed out, though, that bank staff had met with the individual after the incident and had apologized. In addition, the bank staff had met with the bank employee in question and had urged him to update his training on the client identification required for a bankcard.

The Assistant Commissioner concluded that the complaint was well-founded.



Date Modified: 2004-04-01
Return to Top of Page
Top of Page
Important Notices