Individual complains that bank used personal information for purpose other than that for which it was collected

PIPEDA Case Summary #2002-93

[Principles 4.3 and 4.5 of Schedule 1]

Complaint

An individual complained that when he applied for a business account, the bank requested his driver's licence and then subsequently derived his date of birth from it, without the complainant's consent. The individual also complained that this information was then used to run a credit check without his knowledge and consent.

Summary of Investigation

When the complaint was lodged, the bank's standard practice was to ask individuals opening accounts to provide sufficient information for the bank to satisfy itself as to the identity of the individual. It was required to do so by the Proceeds of Crime (Money-Laundering) Regulations of 1993. The bank requested two pieces of documentation, such as a driver's licence, birth certificate or passport.

The bank employee involved noticed that information was missing from the complainant's application forms. The employee discussed this with the complainant. To the best of the employee's recollection, the complainant filled in the missing information. The employee denied using the driver's licence to obtain the date of birth.

The application forms in question were examined. The method of writing the date was different in the date of birth portion from that used in the signature block section. The penmanship appeared to be the same, as well as the ink, throughout the forms. While the complainant agreed that the difference in the method used for dating was odd, he initially acknowledged that the penmanship appeared to be his. He later decided, however, that he had not filled in this information and that the bank employee had done it.

The bank requires a credit check even though a line of credit may not be attached to a corporate business account because funds from deposited cheques may be accessed prior to them being cleared from another financial institution. It uses the credit check to assess its potential exposure to fraud, or the insolvency of the account holder. These factors are especially important in the case of a sole applicant.

The application forms used by the bank clearly indicate that the applicant's personal information can be disclosed to a credit reporting agency and credit bureaus. By signing the forms, the signatory is agreeing to the bank's use of this information. The complainant acknowledged that he had read and signed the application forms.

Commissioner's Findings

Issued November 28, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

On the matter of knowledge and consent to disclose personal information, it was clearly outlined on the application forms that the personal information contained on them could be disclosed to a third party for credit verification purposes. As the complainant acknowledged that he had read the forms and signed them, the Commissioner was satisfied that he had consented to the use of his personal information. The bank therefore had complied with Principle 4.3.

The Commissioner found that there was insufficient evidence to conclude that the bank employee had used the complainant's driver's licence to determine the date of birth and then enter it on the form. The Commissioner could not attribute a motive for doing so and he noted that the complainant's recollection of events was not clear either. In the absence of more compelling evidence, the Commissioner found that the bank used the complainant's driver licence solely to confirm his identity, consistent with Principle 4.5.

The Commissioner concluded that the complaint was not well-founded.

Further Considerations

In May 2002, the new Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations came into force. The Regulations specify that date of birth is required to ascertain the identity of a new account applicant.