Bank sends customers' pay stubs to wrong party
PIPEDA Case Summary #2002-28
[Principles 4.3 and 4.7, Schedule 1; and section 5(3)]
A husband and wife complained that a bank had improperly disclosed their personal information, specifically pay stubs, to a third party through the mail.
Summary of Investigation
The complainants had submitted to the bank in question certain documentation, including pay stubs, in the process of applying for debt reduction under the Canada Student Loan Program. A few weeks later they got a call from a person unknown to them in another part of the province, informing them that somehow their pay stubs had been enclosed in a letter that he had received from the bank. After notifying the complainants, this third party returned their pay stubs to them.
The bank did not dispute the complainants' allegation, but rather explained that the documentation had been misdirected as the result of a clerical error. A clerk had inadvertently put the complainants' pay stubs into the envelope intended for the other person. The bank sent letters of apology both to the complainants and to the third party and, as a goodwill gesture to the complainants', waived the husband's student loan payment for one month. The complainants were satisfied with this response by the bank.
Issued January 4, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.
The facts being undisputed, the Commissioner determined that the bank had improperly disclosed the complainant's personal information, albeit inadvertently, to a third party and thus had failed to protect the information with appropriate safeguards. He was also of the view that a reasonable person would not have considered the disclosure appropriate in the circumstances. He found therefore that the bank was in contravention of Principles 4.3 and 4.7 and section 5(3) of the Act.
The Commissioner concluded that the complaint was well-founded.
To prevent further errors of the same kind, the bank in question has instituted what it calls a "double verification process" for handling documentation to be mailed to customers. Initially, the person responsible for gathering the documentation makes a check to ensure that the right documents are assigned to the right intended recipient. Then, in the mailroom, after an address envelope has been placed on a given envelope, but before the envelope is sealed, a second check is done to ensure that the correct documentation is in the correct envelope.
- Date modified: