Credit applicant accuses bank of withholding credit reporting information

PIPEDA Case Summary #2002-49

[Principles 4.9 and 4.9.4, Schedule 1; sections 5(1), 8(3), and 8(5)]


An unsuccessful applicant for a credit card complained that the bank had refused him access to the personal information it had collected and used in making the credit decision about him.

Summary of Investigation

In late August 2001, the complainant wrote to the bank requesting access to the credit file the bank had collected and used in its decision to refuse him a credit card. The bank misplaced this letter and was unable to locate it for almost three months. The bank finally responded to the request in mid-December by sending the complainant a copy of the credit agency report it had obtained about him.

The complainant expressed dissatisfaction with this information because it contained codes that he did not understand. The Office of the Privacy Commissioner suggested that the bank supply the complainant with a legend to explain the codes. The bank declined to do so, taking the position that the responsibility for explaining credit reporting information lies solely with the agency that generated it.

Commissioner's Findings

Issued April 30, 2002

Jurisdiction: As of January 1, 2001, the Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.9 of Schedule 1 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. Principle 4.9.4 stipulates that requested information must be provided in a form that is generally understandable - for example, an explanation must be provided for any abbreviations or codes. Section 5(1) states that, subject to sections 6 through 9 (section 9 contains exempting provisions), every organization must comply with the obligations set out in Schedule 1. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request.

The Commissioner determined that the bank's response to the complainant's access request had been 74 days late. He found that the bank had not met its obligations under section 8(3) and was thus deemed under section 8(5) to have refused the request. Since no exempting provision of the Act applied to the refusal, he found also that the bank had not met its obligations under section 5(1) and Principle 4.9. However, he further determined that in its belated response the bank had finally provided the complainant with the information he had requested.

The Commissioner concluded that, with respect to Principle 4.9 and sections 5(1), 8(3), and 8(5), the complaint was well-founded and resolved.

He noted furthermore that Principle 4.9.4 clearly puts the onus on the collecting organization to explain information in understandable terms to the individual and that the Act makes no provision for an organization to refer the individual to another organization for that purpose. Having determined that the bank remained unwilling to provide a legend or otherwise explain the information, the Commissioner found that the bank was also in contravention of Principle 4.9.4.

He concluded that the complaint was well-founded with respect to Principle 4.9.4.

Further Considerations

The Commissioner recommended as follows:

  1. The bank should immediately proceed to comply with its obligations under Principle 4.9.4 by providing the complainant with an explanation in understandable terms of the credit report it had previously released to him.
  2. Pursuant to ongoing compliance with Principle 4.9.4, the bank should collaborate with credit reporting agencies in the initiative of developing understandable, consumer-friendly formats for credit information.

The Commissioner asked that the bank report to him within 60 days on its progress in implementing these recommendations.

