Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2003-169 (update)

Individual objects to bank's requirement to provide Notice of Assessment for income verification purposes

[Principles 4.3.3 and 4.4]

Complaint

An individual complained when, in response to his request to secure a line of credit and to obtain additional credit on a rental property he owned, his bank asked him to supply Notices of Assessment (NOAs), issued by the Canada Customs and Revenue Agency, for the two years prior to his requests.

Summary of Investigation

The complainant, who is self-employed, refused to provide the two NOAs, which he claimed resulted in the bank rejecting his requests. As proof of his income, he offered to provide the bank with a copy of his employment contract as president of a company listed with the Toronto Stock Exchange, as well as letters from his clients stating the amounts of his billings to them for the previous year. The bank refused.

According to the bank, an important factor in determining an applicant's credit worthiness is the continued availability of income, and it is the bank's assessment of stability of income and, by extension, the ability of the applicant to repay the debt that allows the bank to satisfy its primary responsibility as a prudent lender. The Office of the Superintendent of Financial Institutions requires banks to document this ability to repay.

The bank must therefore have a means of verifying a credit applicant's income. For salaried employees, the employer must confirm the applicant's income level, the number of years of employment, and whether it is full time or seasonal employment. This latter piece of information attests to the stability of the applicant's income. For self-employed applicants, the bank maintained that NOAs are the most credible source for confirming income.

The information on the NOA that is required by the bank includes the person's name, the tax year, his or her social insurance number (or some other means of identification), the total income, the net income, and whether the individual has taxes owing. The NOA, however, contains additional information, such as the individual's tax centre, and federal and provincial non-refundable tax credits, which is not required by the bank. The bank indicated that it needs the original NOA, and that it would be hesitant to accept NOAs that had portions blanked out, deleting information that the bank does not need.

The bank stressed that income verification must be obtained from "arm's-length" sources that have no conflict of interest with the applicant. The Commissioner's Office confirmed that requiring NOAs for this purpose is a common industry practice.

While the bank ultimately did waive the requirement for the complainant's NOAs with respect to the change in his line of credit on an exceptional basis, it maintained its requirement vis-à-vis the loan application.

Commissioner's Findings

Issued April 24, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.

In his deliberations, the Commissioner referred to a previous finding he made under the Privacy Act, in which a federal agency was requiring sole proprietors bidding in a contract process to supply, among other things, three years' worth of income tax returns and NOAs. The agency collected this information for the purpose of assessing the financial stability and capability of the sole proprietor to fulfil the contract. It argued that it was necessary to obtain financial information when there was a high degree of risk associated with the contract. Since there was little comprehensive financial information obtainable from a sole proprietor that could be used to conduct an accurate risk assessment, the financial information requested was the best and most accurate available.

In that case, although the Commissioner agreed with the agency that financial viability must be assessed, he did not understand how reviewing income tax information for a three-year period achieved such a purpose. In his view, conclusions could not be drawn about a sole proprietor's financial assets and capacity to fulfil a contract. Specifically, an income tax return did not present a complete picture of a sole proprietor's financial situation, nor would it be of material assistance in helping the agency assess the quality of a sole proprietor's bid for a contract. Furthermore, income tax returns include a vast amount of personal information about the individual and may also have a good deal of personal information about family members.

The Commissioner made a couple of distinctions between the situation involving the agency and the one involving the bank. First, the agency required extensive income tax information, whereas the bank asked only for two year's worth of NOAs. More significant, in the Commissioner's view, was the difference between the organizations' purposes for requesting this information. While the agency required financial disclosures to bid on a contract, the bank required them to determine a sole proprietor's creditworthiness. The Commissioner accepted the bank's argument that it must have the means to determine that sole proprietors have the financial capability to repay credit that may be extended to them and that such information come from an independent official source. The Commissioner was of the view that this was a valid purpose and one which the NOA satisfies.

The Commissioner, however, pointed out that the NOA contains information that, even by the bank's own admission, is not required to meet its purposes. He thus found that the bank was collecting more information than it needed to achieve its purposes, that it required the provision of the NOA as a condition for the credit and was therefore in contravention of Principles 4.3.3 and 4.4 of Schedule 1.

Accordingly, the Commissioner concluded that the complaint was well-founded. He recommended that the bank only collect the personal information that it requires for the purpose of verifying the income of self-employed applicants.

However, subsequent to this finding, the Acting Commissioner had occasion to consider the matter further in other findings.  The Acting Commissioner agreed that the bank required original NOAs and that it would be improper for the bank officials to alter original documents.