Employee objects to employer's use of bank account number on pay statement
PIPEDA Case Summary #2001-23
[Principles 4.3 and 4.7, Schedule 1]
An employee of a telecommunications company complained that her employer:
- Used her personal information for a purpose without her consent by printing her bank account and bank transit numbers on her pay statements; and
- Did not adequately safeguard employees' pay statements given the sensitivity of the information in them.
Summary of Investigation
The employees of the telecommunications company in question receive their pay by direct deposit and their pay statements by delivery in sealed envelopes at the workplace. As a result of a merger and a subsequent conversion of payroll systems, bank account and bank transit numbers began to be included on all employees' pay statements as of January 1, 2001. Printing of such numbers on pay statements has become standard practice in both the private and the public sectors. On this company's statements, there is no indication what the numbers refer to; only a person familiar with the bank's information codes would know what the numbers represent. On delivery to the complainant's workplace, the sealed envelopes containing employees' pay statements are collected together in a larger envelope and left on a manager's desk, where they often remain unsecured and largely unattended for periods as long as 24 hours.
The complainant had originally consented to having her pay deposited directly into her bank account, but had never explicitly consented to having the numbers appear on her statement. She believed that her employer was thus using her personal bank account information without her consent and for a purpose inconsistent with that for which she originally had provided it. She also believed that her employer did not adequately safeguard employee pay statements at her workplace.
The company's position was that the information was still being used only for the original purpose of directly depositing payroll funds; that the practice of printing account and branch numbers on pay statements had become imperative for purposes of verifying allocations of funds and resolving discrepancies; and that many employees had already come to expect and rely upon the appearance of these numbers on their statements. The company also argued that it did adequately safeguard its employees' bank account information by delivering statements in confidential sealed envelopes.
Issued November 5, 2001
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because telecommunications companies are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. This principle also stipulates (4.3.5) that the reasonable expectations of the individual are relevant. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
On the first aspect of the complaint (consent), the Commissioner determined that employees who provide their bank account and bank transit numbers for direct-deposit purposes could reasonably expect those numbers to appear on transaction records for the entirely consistent purpose of verifying proper allocation of funds. He was satisfied that the complainant had thus implicitly given consent. He found that the company therefore had met its obligations under Principle 4.3, Schedule 1.
The Commissioner concluded that this aspect of the complaint was not well-founded.
On the second aspect of the complaint (security safeguards), the Commissioner determined that the company's operational controls at the complainant's workplace were not consistent with the sensitivity of the personal information contained in the pay statements. He found that the company did fail to meet its obligations under Principle 4.7, Schedule 1.
However, he noted that the company, on being informed of its obligations, had taken immediate and appropriate steps to correct its information management practices related to employee pay statements.
The Commissioner concluded that this aspect of the complaint was well-founded and resolved.
As a short-term solution, the company agreed to implement tighter operational controls at the complainant's own workplace and offered the complainant the option of having her pay statement mailed to her home.