Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA Case Summary #2002-46
Bank accused of inappropriately demanding birthdates from account applicants
[Principle 4.4, Schedule 1; section 5(3)]
An individual complained that a bank had improperly attempted to collect his personal information, specifically his date of birth, when he tried to open an account by telephone.
Summary of Investigation
The complainant alleged that he had called to open an investment savings account and had been told by the bank's telephone representative that his date of birth was required "for revenue reporting purposes". He objected on the grounds that the bank already collected his social insurance number (SIN) for the purpose of revenue reporting. Later he inquired at the bank's local resource centre, where a supervisor confirmed the bank's practice of requiring all account applicants to provide their birthdates, but clarified that the purpose was not revenue reporting, but rather verifying the identities of telephone callers.
The investigation confirmed that this was the bank's express purpose in collecting birthdates. Notably, the bank's online application form designates this collection as mandatory and indicates by means of a pop-up box that the date of birth is required for "future security verification".
Regardless of the purpose identified, the complainant objected to the requirement for account applicants to provide date of birth. In his view, the bank already collected enough personal information aside from birthdates to fulfil its stated purpose of security verification. He argued that, even if the bank could make a case for needing more information to fulfil that purpose, it should collect information less likely to be used for extrinsic purposes such as mass marketing. He suggested that his SIN could serve the purpose of identifying him as well as revenue reporting.
The bank at first indicated that its collection of birthdates was not strictly mandatory and offered to make an exception in the complainant's case, allowing him to provide an alternative form of identification if he still wished to open an account. However, the bank subsequently withdrew that offer and announced that its new policy was to collect birthdates from all account applicants without exception, in keeping with the proposed regulatory amendments to the Proceeds of Crime (Money Laundering) Act. If those proposed regulations become law as expected, all financial institutions will be required to collect dates of birth as account identifiers.
Issued April 26, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.4, Schedule 1, states that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
Regarding Principle 4.4, the question for the Commissioner was whether the collection of birthdates was necessary to fulfil the purpose of security verification.
Noting that the expectation of a regulatory requirement did not in itself constitute a requirement, the Commissioner determined that there was no current legal necessity for the collection. Though not disputing the necessity for banks to verify identities by telephone, he also determined that there was no intrinsic necessity for the collection of birthdates, since that is only one of several possible means of verifying identities of telephone callers. He agreed that the bank could just as well fulfil the purpose of security verification by reference to other information it collected - notably the SIN, as the complainant had suggested. In sum, he determined that there was no current necessity for the bank to collect birthdates from account applicants and no reason for the bank to represent such collection as mandatory.
Regarding section 5(3), the Commissioner was satisfied that a reasonable person would not find it appropriate for the bank to insist upon the mandatory collection of birthdates from account applicants merely on the expectation of a future legal requirement.
The Commissioner found that the bank was in contravention of Principle 4.4 of Schedule 1 and section 5(3) of the Act.
The Commissioner concluded therefore that the complaint was well-founded.
The Commissioner recommended that the bank cease collecting dates of birth as a mandatory condition for the opening of accounts until such collection becomes an actual regulatory requirement.