Bank accused of withholding information on former employee's dismissal

PIPEDA Case Summary #2002-50

[Principle 4.9, Schedule1; sections 8(3), 8(5), 9(1), and 9(3)(c)]

Complaint

A former employee complained that a bank (1) had refused his request for access to information in his employment file and (2) on finally responding to the request had denied him access to certain information to which he was entitled.

Summary of Investigation

The complainant had been dismissed from the bank's employ some years before on the grounds of harassment, but had never been given details of the allegations made against him at that time. Seeking resolution and closure to the incident, he submitted a formal request under the Personal Information Protection and Electronic Documents Act for access to his employment file with the bank.

The bank took 41 days to respond, finally sending him the contents of the file, but exempting certain records on the basis of section 9(1) of the Act, which permits the severing of information about third parties. The Office of the Privacy Commissioner, on reviewing the exempted records, determined that they did indeed refer to third parties who had made allegations, but could not be said to be about those parties for purposes of the Act; rather, the records were about no one other than the complainant. The bank was so advised.

The bank then questioned the complainant's motives in seeking information about his dismissal so long after the fact. Fearing for the employees who had given statements about the complainant, the bank cited section 9(3)(c) of the Act, which permits information to be excluded if its release could reasonably be expected to threaten the life or security of another individual. However, the bank did not provide any evidence that such an expectation was reasonable, nor did the investigation turn up any such evidence. On being advised that their reliance on section 9(3)(c) was untenable, the bank initiated a meeting with the complainant, with a view to settling the matter.

At this meeting, the bank did not release all the records, but rather provided him with a typed copy of five comments that the complainant had allegedly made while employed with the bank. Though the comments were unattributed, the complainant was able to recognize some of them as his own and to put them in context. The bank also advised the complainant that its own records showed the reason for his dismissal as being simply "for cause", and suggested on that account that he might in future reasonably cite "inappropriate comments" rather than harassment on any official form requiring him to give a reason for once having been fired from a job. The complainant was pleased with the outcome of this conference and considered his complaint resolved.

Commissioner's Findings

Issued May 10, 2002

Jurisdiction: As of January 1, 2001, the Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request. Section 9(1) states that an organization must not give access to personal information if doing so would likely reveal personal information about a third party and that the organization must sever third-party information from a record if it is severable. Section 9(3)(c) stipulates that an organization is not required to give access to personal information if to do so could reasonably be expected to threaten the life or security of another individual. Principle 4.9 of Schedule 1 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. The individual must also be allowed to challenge the accuracy and completeness of the information and have it amended as appropriate.

Regarding the first complaint, the Commissioner determined that the bank had exceeded the time limit specified in section 8(3) by 11 days, in responding to the complainant's initial request for access. He found therefore that the bank was deemed to have denied the complainant access to his personal information, as per section 8(5) of the Act.

Regarding the second complaint, the Commissioner determined that neither of the exempting provisions cited by the bank had been valid. The bank had been wrong to apply section 9(1) to information that merely referred to third parties and was not actually about those parties. As well, the bank had no good reason to expect that giving the complainant access to the excluded documents would have threatened the life or security of another individual. As a result the bank was not in compliance with sections 9(1) and 9(3) and Principle 4.9.

However, following the intervention of this office, the bank and the complainant came to a satisfactory resolution when the complainant obtained information he was seeking.

Accordingly, the Commissioner concluded that the complaints were well-founded and resolved.