Bank adopts sweeping changes to its information collection practices
PIPEDA Case Summary #2002-97
[Principles 4.3, 4.3.2, and 4.4, Schedule 1]
An individual complained that the language of a bank's credit card application form asked him to consent to the collection of 'other' information, without specifying what 'other' meant, and to sharing it with unidentified 'third parties'. It also collected information about a spouse's income, without asking for the spouse's consent to its collection.
Summary of Investigation
The bank readily agreed that the language of its consent clauses needed to be updated to reflect the requirements of the Personal Information Protection and Electronic Documents Act. It contacted the complainant and met with staff of the Office of the Privacy Commissioner. Upon review, the bank undertook the following:
- It amended all of its documentation to remove the reference to spousal income on its application forms. Instead, the forms ask for 'household' income, if the applicant wishes this information to be considered in the context of an application for credit.
- It agreed to make substantive changes to the language of its consent clauses. Its consent clauses will be redrafted to (a) clarify and more narrowly define the types of information collected, (b) identify the nature of the businesses within the bank, including subsidiaries, with whom information will be shared, and (c) provide information about the bank's direct marketing and information-sharing practices, as well as a toll-free 1-800 telephone number for consumers who don't wish to receive direct marketing materials and/or don't want the bank to share their information with subsidiaries for marketing purposes.
- It advised that it would take approximately one year to implement the changes, as it needed to reconcile different technology systems, and assure appropriate policy development and staff training. The bank agreed to report back to the Office of the Privacy Commissioner once the changes had been implemented.
Issued September 30, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principles 4.3, 4.3.2, and 4.4, Schedule 1.
The Commissioner found that the bank had been in violation of Principle 4.3, in collecting spousal information without that individual's consent. He also found that the bank's stated purposes for the collection of information were vague, contrary to the requirement in Principle 4.3.2 that they be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. He found that the bank was in violation of Principle 4.4, which requires that organizations limit the collection of personal information to that which is necessary for their stated purposes.
He commended the bank, however, for its prompt response to the complainant's concerns, and for agreeing to implement changes that went beyond the issues raised in the complaint itself.
The Commissioner concluded that the complaint was well-founded and resolved.