Bank refuses credit applicant access to credit reporting information
PIPEDA Case Summary #2002-47
[Principle 4.9, Schedule 1; sections 5(1), 8(3), and 8(5)]
An unsuccessful applicant for a credit card complained that the bank had refused him access to the personal information it had collected and used in making the credit decision about him.
Summary of Investigation
Partly on the basis of information collected from a credit reporting agency, the bank had turned down the complainant's application for a credit card. The complainant subsequently requested access to the personal information used in making the decision. One hundred and five days after receiving the request, the bank responded by sending him only the information he himself had provided on his credit application form. Even though the complainant had specified that he wished to exercise his right to receive directly from the bank all the information it had collected about him, the bank merely referred him to the agency for access to his credit reporting information.
The bank offered three arguments in support of its policy of refusing to disclose information it collects from credit reporting agencies:
- By contractual agreement with the agency in question, the bank is prohibited from disclosing credit reporting information directly to any individual, except where disclosure is required by law.
- There would be significant expense involved in training and certifying bank employees to review credit reporting information with consumers, in accordance with provincial legislation. This expense would have to be passed on to consumers in the form of higher banking fees.
- Forcing banks to disclose credit reporting information would amount to unnecessary duplication of service. Credit reporting agencies already have employees trained and certified in compliance with provincial legislation and are willing and able to give access in compliance with the Act.
Neither the bank nor the agency argued that any of the credit reporting information constituted confidential commercial information exempt under the Act. Nor did the bank invoke any of the Act's other exempting provisions.
In the interest of resolving the complaint, the bank was initially willing to release the credit reporting information to the complainant if the agency agreed. The agency initially said it would support the release, with the exception of two credit scores included in the information. As grounds for this specific refusal, the agency cited a non-disclosure clause in its licensing agreement with the firm whose standardized credit scoring models it had used to generate the scores.
On further review, the bank in consultation with the agency decided not to release any of the credit reporting information to the complainant, but still chose not to rely on any exempting provision under the Act. The bank requested that the matter be referred to the Commissioner for adjudication.
Issued April 29, 2002
Jurisdiction: As of January 1, 2001, the Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.9 of Schedule 1 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. Section 5(1) states that, subject to sections 6 through 9 (section 9 contains exempting provisions), every organization must comply with the obligations set out in Schedule 1. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request.
Regarding the bank's first argument, the Commissioner was pleased to note that the non-disclosure agreement between the bank and the credit reporting agency duly made an exception for disclosures required by law. He pointed out that the Act is in fact law and does require disclosure of an individual's personal information on request by the individual.
The Commissioner found the bank's second argument invalid, noting that the Act makes no provision to absolve organizations from compliance on consideration of costs. He also found the third argument invalid, noting that the Act does not limit the number of organizations from which an individual may collect personal information and does not provide for an organization to refuse access on grounds that the individual could obtain the same information elsewhere.
The Commissioner considered the Act to be clear and unequivocal on the issue: by Principle 4.9 and section 5(1), unless any of the section 9 exempting provisions applies, an organization must give access on request to personal information it has collected about an individual. He noted that in this case the bank had not even invoked an exempting provision. He determined that the bank had been clearly obliged to give the complainant access to all the personal information he had requested, including the agency's credit report and the credit scores contained in it, and had had no reason under the Act to refuse access to any of it. He found therefore that the bank was clearly in contravention of Principle 4.9 and section 5(1).
The Commissioner further determined that the bank's response to the complainant's access request had been 75 days late. He found therefore that the bank had also failed to meets its obligations under section 8(3) and therefore was deemed under section 8(5) to have initially refused the request.
He concluded that the complaint was well-founded.
The Commissioner recommended as follows:
- The bank should immediately proceed to comply with its obligations under Principle 4.9 and section 5(1) by giving the complainant access to all information previously withheld from him, including the two credit scores in question. Furthermore, in keeping with its obligations under Principle 4.9.4, which states that requested information must be made available in a form that is generally understandable, the bank should also prepare to provide the complainant with whatever assistance and explanations he may require in understanding the credit reporting information about him.
- Pursuant to ongoing compliance with Principle 4.9.4, the bank should collaborate with credit reporting agencies in the initiative of developing understandable, consumer-friendly formats for credit reporting information.
The Commissioner asked that the bank report to him within 60 days on its progress in implementing these recommendations.
In response to the bank's warning that costs would have to be passed on to consumers, the Commissioner commented as follows:
I am not in the least persuaded that the expense involved in attending to the requirements of Principle 4.9 need be nearly as significant as [the bank] purports. Provincial credit reporting legislation does indeed require competence on the part of persons who review credit information with consumers, but it does not set specific requirements regarding the training and certification of such persons. Having personally examined the format of [the agency's] credit reports, I can well understand that a requester may initially find them somewhat difficult to decipher and require some guidance in understanding them. I cannot believe, however, that [the bank's] employees would themselves require much instruction in reviewing credit reports with consumers. I suspect that many employees may already be familiar enough with the codes and symbols in question and competent enough as instructors to provide any necessary guidance. In any case, I do not see where extensive and expensive training would be required.
Moreover, it occurs to me that attaching a simple legend would suffice to explain the format in most cases and would thus obviate much of the need for [bank] employees to review reports with consumers. It also occurs to me that, if the bank is truly concerned about the potential expense of training employees in the mysteries of credit report formats, it might be better advised to take the much simpler and cheaper route of demystifying the formats. From a customer relations standpoint, it would seem sensible as well as economical for [the bank] and credit reporting agencies to collaborate in making credit reports easier for the consumer to understand.
- Date modified: