Bank accused of requiring an account applicant to agree to the indiscriminate collection of personal information

PIPEDA Case Summary #2002-76

[Principles 4.3.3, 4.4, and 4.4.1, Schedule 1]


An individual complained that the language of a bank's credit card application form asked her to consent to the collection of 'other' information, from 'any other source' without specifying what 'other' meant.

Summary of Investigation

The bank had previously assured the complainant that it only collected financial and credit related information, and not other information of a personal nature, or health related information. The complainant challenged the bank to change its consent language to that effect. The bank initially refused, stating that it had to reserve the right to contact any other source, to track down clients who moved without notifying the bank of a forwarding address.

Subsequent to discussions with the Office of the Privacy Commissioner, the bank agreed to change the language of its consent clause, although it did not admit that the existing language was inconsistent with the requirements of the Personal Information Protection and Electronic Documents Act. The bank agreed to the following changes:

  • The phrase "We can obtain financial and other information about you" would be modified to read "We can obtain financial and other financially-related information about you".
  • The phrase "any other source' would be modified to read "references you have provided to us in support of your application".

Commissioner's Findings

Issued October 10, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principles 4.3.3, 4.4, and 4.4.1, Schedule 1.

The Commissioner found that the bank had been in violation of Principle 4.3.3, in requiring the individual to consent to such broad collection practices as a condition of being a cardholder. He also found that the bank was in violation of Principles 4.4 and 4.4.1, which require that organizations limit the collection of personal information to that which is necessary for its stated purposes, and not collect personal information indiscriminately.

He was pleased that the bank had agreed to make changes in the language of its consent clause, and noted that the complainant was pleased with its response.

The Commissioner concluded that the complaint was well-founded and resolved.

Date modified: