Bank discloses customer's personal information to employer

PIPEDA Case Summary #2004-267

[Principles 4.3 and 4.5]

Complaint

A customer of a bank complained that one of its employees improperly disclosed his personal information.

Summary of Investigation

The complainant, who is a police officer, and his bank were involved in a dispute over one of his accounts. He and his bank manager had had a number of conversations to address the problems, but the matter remained unresolved.

The complainant wrote to the vice-president of the bank outlining his concerns regarding the account and the bank manager. The issue was referred to the manager of the bank's customer care group for action. This individual contacted the bank manager, who commented on the complainant's behaviour towards her. The customer care manager then contacted a senior member of the bank's security branch, who was responsible for conducting investigations into violence in the workplace. When the security official met with the bank manager, the latter indicated that she felt intimidated by the complainant and was concerned for her safety. The security official, who was a former police officer, telephoned the internal affairs branch of the complainant's employer to inform them that the complainant was acting in an aggressive and intimidating manner towards the bank manager. According to the security official, he went on to add that the complainant had made no specific threat and that the bank did not wish to issue a formal complaint.

On the same day as this conversation, the internal affairs official sent an e-mail to several senior officials within the organization, stating that he had received a telephone call from the bank, that the complainant was involved in a civil dispute with the bank, and that he had incurred a sizable debt and was under financial pressure. The e-mail noted that the bank's purpose for calling was to ensure that the employee was coping with his personal stress. The author of the e-mail confirmed to our Office that the contents of this message accurately reflected his conversation with the security official.

While the security official indicated to our Office that he was not sure that those were his exact words, he did not disagree with the e-mail's contents. He indicated that he did not believe that he had revealed any of the complainant's personal financial information because he did not provide any details about his finances. According to the security official, he was trying to put things in context for the complainant's employer.

Findings

Issued April 30, 2004

Application: Section 2 defines personal information as "information about an identifiable individual"; Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate; and Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• Although the complainant objected to the fact that the bank provided its security official with his personal information, she was satisfied that this was done for an appropriate reason. The bank manager had indicated that she was concerned about his behaviour, and the security official, who was responsible for conducting investigations into violence in the workplace, was asked to look into the matter. In order to do so, he required information about the complainant.
• The problem, however, began when the security official telephoned the complainant's employer. Although the official did not believe that he had disclosed any of the complainant's personal information, it was clear from the internal e-mail sent by the employer's internal affairs bureau, that he had. "A sizeable debt," "under financial pressure," and the fact that the complainant's was involved in "civil dispute" with the bank were all pieces of information about the complainant as an identifiable individual.
• The bank collected and held the complainant's personal information for the purpose of establishing and maintaining a banking relationship with him. The Assistant Commissioner found it difficult to reconcile this purpose with the security official's reason for calling the complainant's employer — namely, to alert them to his financial difficulties and to ensure that he was coping.
• Thus, the Assistant Commissioner found that the bank had not only disclosed the complainant's personal information without his consent, it also did so for purposes other than those for which it was collected — a contravention of both Principles 4.3 and 4.5.

She therefore concluded that the complaint was well-founded.

Further Considerations

The Assistant Commissioner noted that although she was aware that the bank provides privacy training to its employees, she was recommending that the security official be reminded of his obligations under the Act.