Financial institution discloses too much information in response to production order

PIPEDA findings #2017-012

August 29, 2017

Description

The complainant made a request to access his personal information and discovered his financial institution had provided police with what he believed to be too much information in response to production orders, specifically information regarding his RESP account dating back to 1999. We found the documents were outside the scope of the relevant production order, and were rather disclosed in response to an informal request from police, subsequent to the production order.

Takeaways

  • While institutions may disclose personal information without consent in response to a court order, they must take care not to disclose more information than what is specified in the order.

Report of findings

Complaints under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)

  1. The complainant alleged that his financial institution disclosed his personal information in contravention of the Act when it faxed documents containing information about his Registered Education Savings Plan (“RESP”) to a municipal police service detective.
  2. The financial institution indicated that it disclosed the complainant’s personal information to the municipal police service based on three consecutive production orders that were issued by a provincial court. For the disclosure at issue in this complaint, it relied specifically on a production order issued in 2013. In its view, the information that was disclosed was disclosed in accordance with this production order and therefore in a manner consistent with paragraph 7(3)(c) of the Act.
  3. However, the wording of the 2013 production order is very specific and cites documents within a specific date range. The investigation determined that documents outside the scope of the production order were disclosed. In our view, the financial institution cannot rely on paragraph 7(3)(c) of the Act to justify the disclosure of the personal information at issue.
  4. Following the issuance of our Office’s Preliminary Report of Investigation with recommendations, the financial institution has agreed to review its procedures to ensure that they are clear and provide “job aids” and dedicated training to staff responsible for disclosures pursuant to production orders.
  5. Accordingly, we concluded that the matter is well-founded and resolved.

Summary of Investigation

Background

  1. The complainant was a client of a financial institution and he alleges that it disclosed his personal information in contravention of the Act when it faxed documents containing information about his Registered Education Savings Plan (“RESP”) to a municipal police service’s detective.
  2. Pursuant to an access to information request, the complainant discovered that documents listing transactions in his RESP account dating from 1999 had been faxed by the financial institution to the detective. The complainant stated that the detective had obtained a production order to obtain information relating to his accounts with the financial institution. However, in his view, the production order only provided for the release of documents relating to his RESP account for the period from 2008 to 2011 and, therefore, the documents containing information relating to transactions in 1999 fell outside the scope of this order.
  3. We reviewed the production order referred to by the complainant, which was issued in 2012. The order sought significant bank statement information from several accounts belonging to the complainant, including the RESP account. The specific wording of the request pertaining to the RESP account was:

    Bank statements in the name of [the complainant] for Registered Education Saving Plan [with the financial institution] account number [omitted], for the period November 2008 to September 2011.

  4. In response to the complaint, the financial institution indicated that it disclosed the complainant’s personal information to the municipal police service based on three consecutive production orders that were issued by a provincial court in relation to an investigation of the complainant for various offences under the Criminal Code. In the financial institution’s view, the information that was provided was provided pursuant to the production orders and therefore was disclosed in a manner consistent with paragraph 7(3)(c) of the Act.
  5. With respect to the disclosure of the complainant’s RESP account information from 1999 specifically, the financial institution stated that it was not done pursuant to the production order issued in 2012, as the complainant alleged, but pursuant to the subsequent production order issued in 2013, which requested the financial institution to provide all supporting documents for transactions relating to the complainant’s RESP account and which did not specify a timeframe for the documents in question. Therefore, “[s]ince the Production Order did not specify a period for which [the financial institution] was to provide a selection of transactions relating to the RESP, [the financial institution] provided what it believed was necessary to comply, including transactions which occurred in 1999.”
  6. Our Office reviewed the production order issued in 2013. The specific wording of the request pertaining to the RESP account in question was: “All supporting documents for transactions in accounts listed in attached “Appendix B” referring to [the financial institution] belonging to [the complainant].”
  7. Appendix B begins by stating: “Require supporting documents for the following transaction categories pertaining to [the complainant’s accounts with the financial institution]”. It then goes on to list the transaction categories that were requested for each account. The entry for the RESP account indicates a timeframe of “October 1 to December 31, 2010”. Under “Request Details”, it states “Prior Quarterly report for September 30, 2010, shows balance of “0” for RESP Family # [omitted]. For end of December 31, 2010, balance is $[omitted]. Require supporting documents to account for amount deposited into RESP”.
  8. The financial institution provided information in response to the production order issued in 2013, including with respect to the RESP account. Following receipt of this information, the detective contacted a Document Specialist at the financial institution in 2013 asking to get details about the funding of the RESP account when it first opened. In response, the Document Specialist faxed transactional information from 1999 to the detective.
  9. The financial institution provided us with its internal procedures for complying with a production order, which include the following guidance for employees responsible for responding to production order requests:

    Recognizing What is Being Requested

    *** Always pay attention to whether the production order specifically says including but not limited to, which entitles them to every account, or if they specifically reference one account. The same applies to information being requested “solely or jointly”. If they require opening documentation/credit applications that are held jointly be sure not to include information on the joint individual unless they are requested by the production order.

    You may comply with secondary requests such as supporting documents as long as it was included in the original production order and within the date range requested originally. Any requests for information outside of the original scope may require an additional production order to be issued. Any exceptions should be referred to the [a manager].

  10. The financial institution also believes that it had the complainant’s consent to disclose his personal information to law enforcement since the financial institution’s privacy policy stipulates that the financial institution may disclose personal information to any organization for the purpose of preventing or detecting criminal activity, which was the basis of the investigation by the municipal police service.

Application

  1. In analyzing the facts, we applied Principle 4.3 from Schedule 1, subsection 6(1) and paragraph 7(3)(c) of the Act.
  2. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  3. Subsection 6(1) states that the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
  4. Paragraph 7(3)(c) stipulates that an organization may disclose personal information without the knowledge or consent of the individual if the disclosure is required to comply with a subpoena or warrant or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records.

Analysis and Findings

Analysis

  1. At issue is whether the financial institution can rely on the production order issued in 2013 for the release of the documents listing transactions in the complainant’s RESP account from 1999.
  2. It should be noted that the complainant has not taken issue with the other disclosures that the financial institution made in response to the production orders that were issued to it and which requested various records from the complainant’s accounts. In his complaint to our Office, the complainant has only raised concerns with respect to the disclosure of information relating to his RESP account information from 1999.
  3. With respect to this disclosure, our view is that the disclosure falls outside the scope of the production order issued in 2013. The production order indicates, in Appendix B, that supporting documents were requested to account for the amount deposited to the RESP account between October and December 2010. There was no mention of providing supporting documents in relation to the RESP account for prior periods.
  4. Given the specificity in Appendix B regarding the records that were being sought, we do not agree with the financial institution’s contention that it was required to disclose transactions that occurred in 1999. In our view, transactional information from 1999 was not covered by the production order issued in 2013 because the information is outside the date range and the nature of the information sought in Appendix B.
  5. We note that the financial institution’s internal procedures for complying with production orders acknowledge that an additional production order may be required if any requests for information are outside the original scope of the request for information. In this case, the subsequent request for information related to the RESP account did exceed the original scope of the production order. The respondent should therefore have refused to provide the additional information, unless a revised production order was obtained.
  6. Accordingly, the financial institution cannot rely on paragraph 7(3)(c) to have disclosed the RESP account information from 1999 without the complainant’s knowledge or consent.
  7. With respect to the financial institution’s alternative argument that the complainant consented to the disclosure of his personal information by his agreement to its privacy policy, we are not convinced. In our view, the broad and general language referred to by the financial institution in its privacy policy cannot be the basis for informed consent in the circumstances, particularly in light of both the sensitivity of the financial information at issue (footnote 1), and the reasonable expectations of someone in the complainant’s position.
  8. The specific clause referenced by the financial institution states that the financial institution may disclose personal information “[for the prevention and detection of fraud or criminal activity or for the management and settlement of loss related to fraud or criminal activity]”. This language is general in nature and makes no express reference to disclosure to law enforcement. Indeed, the reference to the prevention and detection of fraud or criminal activity suggests that this provision is aimed more at instances where the financial institution makes a disclosure of its own initiative as a result of information it has uncovered, which is quite a different situation from responding to a law enforcement request for information.
  9. Other provisions in the privacy policy support this view. In particular, the privacy policy also states that the respondent may disclose personal information “[for responding to orders, demands or requests from the court, or for complying with a court’s rules of production]”. This more specific reference suggests that disclosure to law enforcement authorities will be done pursuant to a valid legal demand.
  10. Moreover, the financial institution’s own internal privacy policy, which contains information as to how the financial institution handles customers’ personal information, contradicts the financial institution’s position. In particular, the Privacy Code states that if the financial institution discloses customer information pursuant to a subpoena, search warrant or other court and government orders, it will use “reasonable efforts” to ensure “[only the personal information that is legally required to be disclosed is disclosed]” and that “[informal requests for personal information from government or law enforcement authorities are not complied with].” This further supports the view that a customer would not reasonably expect the financial institution to disclose personal information to law enforcement simply upon request.
  11. Finally, even if it were drafted differently, we doubt whether the privacy policy, which, by its nature, contains general terms which customers agree to when they sign up for the financial institution’s services, would be the appropriate vehicle for obtaining express customer consent to a disclosure of sensitive financial information in response to a law enforcement request.
  12. In response to our Preliminary Report of Investigation, the financial institution took exception to the conclusion that the complainant’s RESP account contains sensitive personal information and asked our Office to explain its position. The financial institution referred to Royal Bank of Canada v. Trang at para. 36 (“Trang”), in which the Supreme Court of Canada indicates that while financial information is generally extremely sensitive, the degree of sensitivity of specific financial information is a contextual determination.
  13. We agree that sensitivity is a contextual determination, but the context here – financial account information held in confidence by the financial institution on behalf of its customers – points to the information being more sensitive, not less. We note in this regard that the financial institution’s privacy policy states that the financial institution is committed to keeping its customers’ personal information confidential and private.
  14. The facts of this case are distinguishable from Trang. In Trang, the Supreme Court of Canada found that the information at issue in that case (i.e., the current equity in a mortgage) was “less” sensitive based on the fact that there was already a “broad scope” of information about the mortgage that was publicly available (footnote 2). In contrast, in this case, there is no evidence suggesting that the RESP information sought by the municipal police service detective was publicly available or to otherwise displace the general presumption that, as financial information, the RESP information is to be considered sensitive. In this regard, the financial institution has not put forward a rationale, other than a general reference to Trang, as to why it disagrees with our Office’s conclusion with respect to the sensitivity of the personal information at issue. In any event, we note that sensitivity is only one of the factors to be considered and that our Office also took into account the reasonable expectations of someone in the complainant’s position, which also points to consent not being available in this case.
  15. We are therefore of the view that the financial institution cannot rely on Principle 4.3 to justify the disclosure of the personal information at issue.
  16. In our letter and Preliminary Report of Investigation, we recommended that the financial institution review its procedures for complying with production orders and ensure, through dedicated training, that the employees responsible for responding to production order requests follow due diligence procedures so that only personal information that falls within the scope of production orders is disclosed.
  17. Notwithstanding its view about the sensitivity of RESP information, the financial institution has agreed to ensure that employees responsible for responding to production order requests understand their responsibility to provide personal information within the scope of the production order. The financial institution will review its procedures to ensure that they are clear and will provide “job aids” and dedicated training to the respective business unit relating to disclosures pursuant to production orders.

Conclusion and recommendations

  1. Accordingly, we conclude that the matter is well-founded and resolved.