Bank accused of divulging personal banking affairs to customer's employer

PIPEDA Case Summary #2002-30

[Principles 4.3, 4.3.5, and 4.5, Schedule 1; and Sections 2 and 5(3)]

Complaint

An individual complained that a bank had disclosed personal information about his banking affairs to his employer without his knowledge and consent.

Summary of Investigation

The complainant, a resident of a small western community, had had a heated argument one morning with an employee at his local branch of the bank in question. It was a branch where the complainant both held a personal account and also often engaged in business related to his employment. The argument had been about a cheque charge on his personal account. Later that same morning, his employer confronted him about the argument. The complainant learned that the manager of the bank branch in question had called the employer and informed him of the argument, specifically as it related to what the manager described as rude and inappropriate behaviour on the complainant's part. The branch manager had also broached to the employer the bank's intention of severing its financial relationship with the complainant. The manager had represented this call as a "business courtesy". He had wanted both to let the employer know that one of his employees had acted in a way that might reflect badly on the firm and to seek assurance that discontinuing personal service to the complainant would not adversely affect the business relationship the bank had with the employer. The next day, the branch manager again called the employer to inform him that the bank had indeed officially terminated its relationship with the complainant. At no time did the branch manager divulge to the employer any specific financial information about the complainant.

The bank took the general position that the disclosures in question fell into the category of "normal public discourse", comparable to "small-town gossip". Officials contended that it was within the branch's right to make such disclosures for purposes of extending business courtesy and protecting the bank's own interests in future business dealings with the complainant's employer. Essentially, the bank's position rested upon the application of Principle 4.3.5 of Schedule 1 and section 5(3) of the Act, both of which refer to the relevance of the individual's reasonable expectations. On that basis, the bank also presented various arguments to the effect that none of the specific items of information disclosed should be considered personal information for purposes of the Act.

Commissioner's Findings

Issued January 8, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Section 2 of the Act defines personal information to be ". information about an identifiable individual .". Principle 4.3, Schedule 1, states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Principle 4.3.5 stipulates that the reasonable expectations of the individual are relevant in obtaining consent. Principle 4.5 states that personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

Finding no merit in the bank's arguments to the contrary, the Commissioner determined that the information at issue was clearly about an identifiable individual and thus had to be considered personal information for purposes of the Act.

For the Commissioner, the central issue was whether or not the complainant could reasonably have expected the disclosures at issue to have been made without his consent under the circumstances. The Commissioner agreed that, in a small town where people tend to know other people's business and make casual and inadvertent disclosures to one another, the complainant might reasonably have expected the disclosures at issue to be made eventually through the grapevine or, in the bank's words, normal public discourse. But the Commissioner could not agree that any reasonable person under any circumstances would expect his bank manager to make such disclosures to his employer. He found the bank had contravened Principles 4.3 and 4.5 of Schedule 1.

The Commissioner concluded therefore that the complaint was well-founded.

Further Considerations

In presenting his findings to the complainant, the Commissioner commented as follows:

"In my view, . the reasonableness of the situation ends exactly at the point where the [bank] manager, in the full knowledge that you had been acting on your own behalf at his branch that morning, nevertheless picked up the telephone at his office during business hours to inform your employer. This was not casual or inadvertent disclosure. This was not small-town gossip. This was a deliberate act of disclosure of personal information to a third party by a person who was acting in an official capacity and who had no right to make such disclosure. Moreover, the Act puts the rights of individuals above such notions as "business courtesy" and makes no distinction as to the size of one's community. Would any reasonable person anywhere expect his bank manager to disclose information about his personal banking affairs to his employer? The answer to this question is obviously no."