Bank accused of assigning inaccurate credit ratings
PIPEDA Case Summary #2002-70
[Principles 4.9, 4.9.4, and 4.9.5, Schedule 1; and section 8(3)]
An individual complained that a bank
- had initially exceeded the prescribed time limit for giving him access to information pertaining to his loan account and had subsequently refused him access to part of the information he had requested;
- had demanded an unreasonably high fee for access to information it was withholding; and
- had recorded inaccurate information about him, specifically credit ratings, and shared it with a third party, specifically credit reporting agencies.
Summary of Investigation
The complainant was involved in a dispute with the bank over loan payments and the accuracy of credit ratings relating to them.
On July 25, 2001, he wrote requesting that the bank either remove the ratings from its report to credit reporting agencies or, "in the event of' refusing to do so, give him access to all information pertaining to his loan account. In a response of August 15, the bank notified him that it was refusing his request for removal, provided him with a rationale for its decision, enclosed a copy of his loan history statement, and advised him that his information access request had been forwarded to its privacy team.
On September 11, 2001, the bank wrote in response to the access request, enclosing account memos that its collection staff had written to track its conversations with the complainant over the period of the dispute. This letter also informed the complainant that archived information dating further back was available to him at a cost of $200 for capturing the data. He was asked to advise the bank if he wanted this additional information and would accept the cost of obtaining it. The complainant wrote back to inquire what he would get for his $200. The bank replied that he would get account memos dating back to the time his loan had first been declared delinquent. A few days later, the complainant filed his complaint with the Commissioner's Office.
The Office advised the bank that seeking to recover costs in such an amount appeared to contravene Principle 4.9.4 of Schedule 1 to the Act. Upon review, the bank decided to release the rest of the complainant's personal information to him without charge.
The Office confirmed that the complainant had ultimately received all the personal information to which he was entitled. Though unable to reconcile the complainant's account of events with the bank's records regarding loan payments, the Office did also confirm that the bank's report to credit reporting agencies, including the disputed credit ratings, was an accurate reflection of the complainant's loan payment history.
Issued September 4, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information, be given access to that information, and be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Principle 4.9.4 states in part that an organization must respond to an individual's request at minimal or no cost to the individual. Principle 4.9.5 states in part that, when an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the organization must amend the information as required and, where appropriate, transmit the amended information to third parties having access to it. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt of the request.
On the question of the fee, the Commissioner found that though the bank asserts that it was only trying to recover its costs, that it was nonetheless in contravention of Principle 4.9.4. Nevertheless, he was mindful that the bank had subsequently heeded the advice of his Office, withdrawn the demand, and in the end provided the complainant free of charge with all the personal information to which he was entitled.
On the question whether the bank had exceeded the response time limit, the Commissioner determined as follows:
- Although the complainant had submitted his first letter of request on July 25, that letter in fact had contained two separate information requests, the first for correction of information (i.e., removal of credit ratings) and the second for access to information.
- The wording of that letter had made it clear that the access request was contingent upon the bank's decision regarding the prior correction request.
- Since the complainant had specified that the access request was to follow "in the event" of the bank's refusal to remove the credit ratings, it would not be reasonable to expect the bank to have begun processing the second request until it had considered the first, made its decision to refuse that request, and officially notified the complainant of that decision.
- The complainant's access request thus should not be deemed to have taken effect until August 15, the date on which the bank had given such notification.
- The bank's response of September 11 was thus within the prescribed 30-day time limit.
- As for the allegation of refused access to some information, it would not be reasonable to interpret anything in the contents of the September 11 letter as a refusal. Rather, that letter provided the complainant with the information that the bank had considered to be of immediate and central concern to him, had informed him that other personal information existed and was available to him, and had asked him whether he wished to have it at a cost.
- In the circumstances of this case, the bank's attempt to recover its costs was not an attempt to delay or deny the complainant his legitimate right to obtain access to his personal information.
The Commissioner found therefore that the bank had been in compliance with section 8(3) and Principle 4.9.
On the question of accuracy, the Commissioner was satisfied that the complainant's credit ratings as shown in the bank's credit report were an accurate reflection of the loan payment history. Moreover, the complainant had not succeeded in demonstrating to the Commissioner's satisfaction the inaccuracy of the credit ratings or other items of the personal information in question. On the documentary evidence available, he had no reason to find that the bank had failed to meet obligations under Principle 4.9.5.
The Commissioner noted that although in this case he concluded that the bank's attempt to collect fees was not an attempt to delay or deny access, this does not mean that in other circumstances he may not conclude otherwise.
- Date modified: