Wife accuses bank of telling husband about her credit card
PIPEDA Case Summary #2002-108
[Principles 4.3 of Schedule 1]
An individual alleged that a bank employee disclosed to her husband information about her credit card account.
Summary of Investigation
The bank representative telephoned the complainant's home during business hours and spoke to her husband, who was not a shared cardholder, whose financial standing was of no consideration when the complainant obtained her card, and who was not even aware that she had the card. The employee revealed to the husband the current outstanding balance, and that the account had been taken off hold and the complainant's payment had been received.
The bank initially denied that its representative had disclosed the complainant's personal information to her husband. However, at the intervention of the Commissioner's Office, the bank admitted that its representative had indeed disclosed this information and that the bank's original position had been taken before a full investigation into the matter had been completed.
The Office reviewed the bank's privacy-related materials and training procedures. These materials cover limiting the release of customer information and identity verification procedures, including telephone scripts to be used when staff call customers. The procedures require that the card member be positively identified before any personal information is released. It was clear that the bank employee who had spoken to the complainant's husband had not followed the correct procedures.
The bank apologized to the complainant and offered a monetary "goodwill" gesture, which the complainant accepted.
Issued December 19, 2002
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Since it was clear and undisputed that the bank had disclosed the complainant's personal information without her knowledge and consent, the Commissioner found that the bank had contravened Principle 4.3.
The Commissioner concluded that the complaint was well-founded.
The Commissioner was satisfied that the bank had procedures in place that, when followed, provided adequate safeguards as per Principle 4.7, which states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. In the Commissioner's opinion, this incident was a one-time occurrence and not symptomatic of a widespread problem at the bank.
- Date modified: