Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2003-211

Bank accused of improperly disclosing overdraft information to another bank

[Subsection 5(3) and Principle 4.3.8, Schedule 1]

Complaint

A couple complained firstly, that their bank had improperly disclosed their sensitive personal banking information to another bank, and secondly, that the bank had refused to allow them to withdraw their consent for future information disclosure to other lenders, credit bureaus or credit-reporting agencies.

Summary of Investigation

The complainants accepted a personal credit reserve and signed a loan authorization and credit agreement as part of the service arrangement on their joint chequing account at a bank. The bank notified the couple twice by mail that their account was being used inconsistently with their agreement and had been overdrawn for more than six months, and informed them that the account would be referred to a third party for follow-up if the overdraft was not eliminated. Receiving no response, the bank closed the account and transferred the outstanding overdraft balance to its collections unit.

In the meantime, the couple had established a new banking relationship with another bank, which approved a loan for them and sent a bank draft to the first bank for payment of the complainants' personal credit reserve balance. An employee of the first bank told the new bank that the account had been closed and that the draft would therefore be returned. After subsequent investigation, an employee of the first bank spoke again to the new bank and said that the bank draft would be kept after all. The employee went on to say that the couple's account had been transferred to a loss account and that the account details had been sent to the bank's collections unit.

When informed by the new bank of this latter conversation, the couple expressed concern that their personal banking information had been released to another bank without their permission. They complained to the first bank, which subsequently expressed written concern about the disclosure of information. In their response, the couple also stated that they wanted to withdraw their consent for the sharing of their private banking information with any other lenders, financial institutions or credit-reporting agencies.

The first bank's position was that it had the couple's consent to the disclosure of their personal information by virtue of the personal loan service authorization they had signed a few years earlier when their personal credit reserve was arranged. This document stated that the couple authorized the bank to disclose to other lenders, credit bureaus or other credit-reporting agencies personal and credit information about them. The bank further stated that the couple could not withdraw their consent for future disclosure because the sharing of such personal information is required to maintain the integrity of the Canadian credit-granting system.

Commissioner's Findings

Issued September 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Principle 4.3.8 states that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

With respect to the first count of the complaint, the Commissioner deliberated as follows:

  • The first bank did not dispute that it did disclose the personal information at issue to the other bank.
  • Through the authorization the couple had previously signed, the bank did have their consent in general to the disclosure of personal and credit information to other lending institutions.
  • A broad consent clause such as appeared in that authorization did not justify the indiscriminate disclosure of personal information for any purpose.
  • Under subsection 5(3), regardless of any prior authorization, it is incumbent on an organization to ensure that a disclosure of personal information in any set of circumstances is carried out for a reasonable purpose.
  • It was evident that the bank only disclosed the information because one of its employees had made an error in telling the new bank that its draft would be returned.
  • Although such a mistake is understandable, it was clearly not necessary for a bank employee to disclose the circumstances of the couple's overdraft account in the second phone call. The employee could simply have stated that an error had been made and that the draft would not be returned.
  • The bank itself had also stated that it was concerned about the disclosure of information.

On this basis, the Commissioner determined that the couple's personal information was disclosed for a purpose that a reasonable person would not find appropriate in the circumstances. He found, therefore, that the bank was in contravention of subsection 5(3).

He concluded that the first count of the complaint was well-founded.

With respect to the second count of the complaint, the Commissioner deliberated as follows:

  • It has been confirmed in other cases considered by the Office that the credit system in Canada depends upon the fulfillment of myriad contractual and legal obligations.
  • If individuals could withdraw their consent to disclosure of their credit history with a particular lender, the credit system would not work.

On this basis, the Commissioner determined that the bank was justified, on legal and contractual grounds, in refusing to honour the couple's request for withdrawal of consent to the sharing of their personal financial information with other lenders, credit bureaus or credit-reporting agencies. He found, therefore, that the bank was not in contravention of Principle 4.3.8.

The Commissioner concluded that the second count of the complaint was not well-founded.