Bank accused of withholding audit trail information
PIPEDA Case Summary #2002-74
[Principle 4.9, Schedule 1]
An individual complained that a bank had refused him access to personal information about inquiries pertaining to his account with the bank.
Summary of Investigation
The complainant had requested access to information about all inquiries made by bank personnel with respect to his account during a three and a half year period. The bank responded providing none of the requested information but suggesting that the complainant retrieve his personal credit file with two credit reporting agencies. The complainant made another request to the bank for the same information. This time, the bank responded that the requested information was not available because the bank does not have mechanisms or audit trails in place to trace inquiries on clients' accounts.
In representations to the Commissioner's Office, the bank acknowledged that it does log all customer-related system activities but the logs are kept for only 52 weeks. Moreover, the logs are difficult to extract. The bank misinterpreted the period covered by the request and argued that the requested information no longer existed. The bank further stated that even if the requested logs did exist, they would not be of any value to the complainant as they are difficult to comprehend.
The investigation confirmed that the more current information the complainant had requested did in fact still exist in the bank's database. It was also determined that additional information had been available in the bank's holdings at the time the initial request was made.
Given the extensive use of codes and abbreviations in the logs, the information is not easily comprehensible to persons not familiar with the bank's computer systems. Nevertheless, the bank agreed to give the complainant access to the logs if he so wishes.
Issued October 9, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.9, Schedule 1, states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information.
The Commissioner determined that much of the requested information was no longer available at the time the request was made. However, there did exist some information, which the complainant was entitled to access. The Act makes no provision for an organization to deny access to information based on its perceived value to the requester, the difficulty in extracting it or its complexity. The Commissioner therefore found that, in withholding the system logs, the bank was in contravention of Principle 4.9.
The Commissioner concluded that the complaint was well-founded.
The Commissioner was pleased to note that the bank is looking at improving its system including the extension of the retention period and enhanced search capabilities. He recommended that the bank ensure it take into account its obligation to provide requested information in an understandable format when it develops improvements to its system logging capabilities.