Bank accused of withholding personal information related to fraud investigation

PIPEDA Case Summary #2002-68

[Principles 4.3 and 4.9, Schedule 1; sections 2, 7(1)(b), 8(3), 8(4), 8(5), and 9(3)(c.1)]

Complaint

An individual complained that a bank

  1. had refused to provide him with access to certain personal information that he had requested;
  2. had been late in providing access to other requested personal information; and
  3. had exceeded its authority in collecting information about him for purposes of conducting a fraud investigation.

Summary of Investigation

The complainant and a numbered company over which he presided had been the focus of a fraud investigation conducted by the bank's regional security manager over a period of several months. In December 2001, the complainant wrote to the bank requesting access to his personal information pertaining to his dealings with the bank over the last two years. He specified that the information should include copies of allegedly fraudulent faxes indicating his corporate name and copies of letters and correspondence between the regional security manager and specified others.

The bank responded 18 days later with notification that it would require an additional 30 days for processing, owing to the nature of the request, the need to consult various internal departments, and the fact of the holiday season. In the same letter, the bank also advised the complainant of his right to complain of the delay to the Privacy Commissioner.

Fifty-nine days after the original request, the bank wrote to the complainant again, providing him with copies of three faxes indicating the numbered company and all the information it held on file pertaining to his personal banking during the period he had specified. The bank noted that it had provided the requested copies of faxes voluntarily, even though technically they were not the complainant's personal information. The bank informed the complainant that there had been no letters or correspondence between the regional security manager and the specified others. The Commissioner's Office confirmed that the bank did not have any such letters or correspondence on file.

The bank also admitted the existence of an investigation report pertaining to the complainant. However, the bank declined to give him access to this report, contending that it was subject to the exemption provided under section 9(3) of the Personal Information Protection and Electronic Documents Act. In effect, the bank was relying upon the exempting provisions in sections 7(1)(b) and 9(3)(c.1) of the Act, applying to personal information collected for reasonable purposes of investigating a contravention of the laws of Canada. On invoking section 9(3)(c.1), the bank so informed the Commissioner in writing, as is required under section 9(5).

Among the complainant's allegations was that the regional security manager had not had the authority to conduct an investigation into a possible Criminal Code matter.

Commissioner's Findings

Issued August 30, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Section 2 defines personal information to be "... information about an identifiable individual ...". Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Section 7(1)(b) exempts an organization from the requirement for the individual's knowledge and consent if the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of a law and if it is reasonable to expect that the individual's knowledge and consent would compromise the availability or the accuracy of the information. Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information, must be given access to that information, and must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 9(3)(c.1) exempts an organization from the requirement to give access to personal information if the information was collected under section 7(1)(b). Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt. Section 8(4) states that, provided a notice of extension is sent within 30 days of the request date, an organization may extend the time limit for a maximum of 30 days if meeting the limit would unreasonably interfere with the activities of the organization or if the time required for any necessary consultations would make the time limit impracticable to meet. Section 8(5) states that an organization failing to respond within the time limit is deemed to have refused the request.

The Commissioner determined firstly that the faxes requested by the complainant did not name him or otherwise identify him as an individual and thus did not fall under the section 2 definition of personal information.

Regarding the investigation report withheld from the complainant, the Commissioner was satisfied that the personal information in the report had been collected for reasonable purposes related to investigating a contravention of the laws of Canada and that the complainant's knowledge and consent in the matter could have compromised the availability or the accuracy of the information. Moreover, he found nothing in the language of section 7(1)(b) to suggest that investigative authority must be granted under other legislation or otherwise to specify who may conduct an investigation. He determined that the bank's regional security manager's authority as an investigator sufficed for purposes of the section.

The Commissioner found therefore that it had been appropriate in the circumstances for the bank to rely upon sections 7(1)(b) and 9(3)(c.1) as exemptions to the usual requirements under Principles 4.3 and 4.9.

Regarding the personal information disclosed to the complainant, the Commissioner determined that the bank had made its initial response well within the time limit set out in section 8(3). He was also satisfied that the bank's stated requirement for a 30-day extension was legitimate and reasonable in the circumstances. He further determined that the bank had given the complainant access to all the information to which he was entitled within the extended time limit of 60 days.

The Commissioner found therefore that the bank had been in compliance with sections 8(3) and 8(4) and thus with Principle 4.9.

He concluded that the complaint was not well-founded.
