Bank accused of misrepresenting purposes in collecting date of birth
PIPEDA Case Summary #2002-45
[Principles 4.2 and 4.4, Schedule1]
An individual complained that a bank had improperly attempted to collect his personal information, specifically his date of birth for revenue reporting purposes, when he tried to open an account by telephone.
Summary of Investigation
The complainant alleged that, when he had called to open an investment savings account, a telephone operator for the bank had told him that his date of birth was required "for revenue reporting purposes". He objected on the grounds that banks by law collect social insurance numbers (SINs) for revenue reporting purposes and he could not see the need to collect birthdates as well for the same purposes.
The bank confirmed that its policy is to collect birthdates as a mandatory condition for opening accounts and to permit no flexibility in the kinds of information collected from account applicants. However, the bank represented its purpose for collecting birthdates as being not revenue reporting, but rather identification of applicants. The bank also made reference to the proposed amendments to the Proceeds of Crime (Money Laundering) Regulations, which if they pass as expected later this year will require all financial institutions to collect birthdates as identifiers of account holders.
In the absence of any records relating to the telephone conversation in question, it was not possible to identify the operator who had dealt with the complainant. Hence, it was not possible to inquire into the apparent discrepancy between the stated and the official purpose for collecting birthdates or to otherwise assess the operator's understanding of the bank's policy and purposes regarding collection of personal information.
It was possible, however, to determine the bank's usual practice in identifying purposes, by reference to the bank's online application form for investment savings accounts. That form does designate birthdate as a "mandatory" collection, but neither the form itself nor the Terms and Conditions accompanying it explain how an applicant's birthdate is used or why the collection is designated as mandatory. In short, there is no evidence whatsoever that the bank makes a practice of identifying its purposes in collecting personal information from account applicants.
Issued April 11, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.2 states that the purposes for which information is collected must be identified at or before the time of collection. Principle 4.2.1 states that the organization must document the purposes for which it collects personal information. Principle 4.2.3 states that the identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected and that this can be done either orally or in writing, depending upon the way in which the information is collected. Principle 4.4 states that the collection of personal information must be limited to that which is necessary for the purposes identified by the organization.
The Commissioner determined as follows:
- The expectation of a requirement does not in itself constitute a requirement. The possibility that revised regulations may one day compel all banks to collect dates of birth from customers in no way makes it necessary for the bank to collect dates of birth now or justifies a policy of doing so.
- Far from demonstrating any necessity of collecting birthdates for a specific purpose, the bank has made no discernible effort to document or otherwise identify any purposes for collecting personal information from account applicants.
- Despite having designated certain items of information as mandatory on its online application form, the bank does not, at or before the time of collection, specify to the individual its purposes for collecting those items.
- Since purposes are not documented or otherwise identified in the first place, it follows that the bank can in no way be deemed to limit its collection of personal information to that which is necessary for identified purposes.
The Commissioner found therefore that the bank had failed to comply with Principles 4.2, 4.2.1, 4.2.3, and 4.4.
The Commissioner concluded therefore that the complaint was well-founded.
The Commissioner recommended as follows:
- The bank should cease collecting dates of birth as a mandatory condition for the opening of accounts until such collection becomes an actual regulatory requirement.
- The bank should identify and document the purposes for which it collects personal information from account applicants, in accordance with Principles 4.2 and 4.2.1.
- The bank should implement measures to specify to individuals, at or before the time of collection, its purposes for collecting personal information, in accordance with Principle 4.2.3. Where the online application form is concerned, one such measure might be the inclusion of electronic "pop-up" boxes to explain the purpose for collecting each item of information requested.
- Specifically for account applications by telephone, the bank should provide its operators with proper instruction in explaining purposes, pursuant to Principle 4.2.5. This principle stipulates that persons collecting personal information should be able to explain to individuals the purposes for which the information is being collected.
The Commissioner requested that the bank report to him within 60 days on its progress in implementing these recommendations.
- Date modified: