Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA Case Summary #2003-223

Bank accused of collecting too much information from credit card applicant

[Principles 4.3.3 and 4.4 of Schedule 1]


An individual complained that a bank required her to provide an excessive amount of information in order to obtain a credit card.

Summary of Investigation

The complainant telephoned the bank to apply for a credit card. During the course of this process, the complainant was asked to provide information about her vehicle's model year, the number of kilometres on it, its current value, and her property and school taxes. Although she did not think such information was necessary, she provided it because she wanted the card and was told by the customer service representative that her application would not be considered without it. She later reconsidered and cancelled her application.

According to the bank, this information is needed to determine the applicant's ability to repay the debt, which is particularly important when granting unsecured credit. To help determine this ability, the bank calculates the applicant's debt servicing ratio by dividing the amount needed to service debts and other fixed expenses by the applicant's income. Assets are included in the credit card application process to determine whether the debt could be paid back if income is adversely affected. It was for these reasons that the bank asked the complainant about her vehicle and her taxes.

At the time the complainant made her application via the bank's telephone service, the bank's policy was to take a full credit application, including information about assets and liabilities. Subsequently, the bank shortened its application process and changed its procedures. However, the bank noted that when using the shorter applications there is an increase in the denial rate and often it must go back to the client for more information in order to fulfil the client's request for credit. It stated that while a full credit application is still available and applicable in certain cases, it believed it has simplified the process for clients.

Commissioner's Findings

Issued September 16, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.4 stipulates that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization.

In making his determinations, the Commissioner deliberated as follows:

  • He first determined that the bank's purpose, namely to determine the applicant's ability to repay the debt, appeared to be legitimate.
  • Although the bank subsequently shortened its application process and now only requests additional information when needed, the Commissioner nevertheless believed that it was reasonable for the bank to request information concerning the model year, number of kilometres, and the current value of the complainant's vehicle, as well as her property and school taxes. Such information was used to evaluate her ability to cover payments and pay the debt. He concluded that the collection of such personal information was in compliance with the Act.

The Commissioner concluded that the complaint was not well-founded.

Further Considerations

The Commissioner commended the bank for shortening its application process and only requesting additional information when needed.