Individual alleges that a bank forced him to provide personal information
PIPEDA Case Summary #2002-95
[Principle 4.3 of Schedule 1]
An individual alleged that a bank collected his personal information without his voluntary consent by harassing, threatening and abusing him over a period of several months. Specifically, the complainant alleged that the bank forced him to provide information to prove that he was not reselling products bought with his credit cards, an action that was prohibited by the bank.
Summary of Investigation
The complainant held two credit card accounts, one for personal use and the other, a small business account, with the bank. The bank monitors small business accounts carefully because they do not have a credit limit. When such an account holder reaches a level of spending that is deemed risky, the bank's client service representatives talk to the holder. The bank may suspend the account until a payment is made. The monitoring of the client's purchasing history is specifically permitted in the small business account agreement form. Also included in this form is a prohibition against the reselling of goods purchased with the credit card. The bank will only allow the resale of goods if the account holder provides a letter of credit or other security to cover the risk of the transaction.
In this instance, the complainant's accounts were monitored simultaneously and treated as one. The account was always current. There was no issue of failure to pay or poor credit. However, it was suspended twice in a three-month period because spending patterns were out of the norm and exceeded the risk threshold. The bank increased this threshold after the complainant paid the account down. There were several conversations between the bank and the client regarding the pattern of spending and the total charges that had exceeded the approved spending limit. Bank representatives also reminded the complainant that the resale of goods was not permitted.
Following an incident unrelated to the accounts in dispute, the complainant contacted the bank and spoke to an individual with whom he had never dealt and who had no prior knowledge of the monitoring of his other accounts. At the conclusion of this call, the complainant forwarded to the bank several pages of information, some of which the bank already had on file, regarding the charges on the account.
Issued December 3, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The bank agreed that it contacted the complainant with respect to spending patterns that were out of the norm and exceeded his risk threshold but pointed out that this action was clearly spelled out in the small business account agreement, which the complainant had signed. The Commissioner considered the monitoring activities legitimate inquiries and ones that could be reasonably expected given the nature of the accounts.
As for specific pressure to release his personal information, the Commissioner considered the circumstances just prior to the complainant's release of his personal information, namely, the telephone conversation between the bank and the complainant. On the evidence, the Commissioner was satisfied that the bank had not applied any specific pressure on the complainant to release his personal information. The Commissioner found that the complainant had provided this information voluntarily and that the bank had not contravened Principle 4.3.
He therefore concluded that the complaint was not well-founded.
The bank indicated that it would destroy the information that the complainant had sent once the Commissioner made a determination in this matter.
Report a problem or mistake on this page
- Date modified: