Bank employee accused of disclosing customer's sensitive information to third parties

PIPEDA Case Summary #2003-113

[Principles 4.3, 4.7, 4.9, and 4.10.4, Schedule 1; sections 8(3) and 8(5)]

Complaint

An account holder made five allegations against a bank:

(1) that a bank employee had disclosed sensitive personal information about him to a third party;
(2) that the same employee had disclosed, to three third parties, sensitive personal information including the fact that he had complained to the bank about the original disclosures;
(3) that the bank had failed to conduct a thorough investigation into his complaint;
(4) that the bank had failed to protect his personal information with appropriate safeguards in transit, with the result it was disclosed to unauthorized third parties; and
(5) that the bank had exceeded the time limit in providing him with requested documentation.

Summary of Investigation

On the first two counts, it was confirmed that certain items of the complainant's personal information pertaining to his dealings with the bank had indeed become known to third parties, in the sense that these parties had somehow become aware of the information. However, the accused bank employee denied having made the disclosures. The veracity of this denial could not be established with any certainty, and inconsistencies were identified among the testimonies of both the employee and the third parties in question; but the Commissioner's Office was equally unable to corroborate the evidence that the complainant himself had submitted.

On the third count, the bank acknowledged that its ombudsman had undertaken, but had not completed, an investigation into a complaint lodged by the complainant. However, the bank explained, and the complainant confirmed, that the bank had suspended the investigation only after the complainant had refused to allow his witnesses to be interviewed unless he was present.

On the fourth count, it was confirmed that the bank had sent the complainant a package of information by courier at his request, that a building security guard had accepted and signed for the package, and that the complainant's father had subsequently taken possession of the package. However, on being informed that the latter would have to be interviewed, the complainant responded that his father wanted nothing to do with the investigation. Nor would the complainant identify any specific information he believed had been disclosed or name any specific party he believed had seen the information.

On the fifth count, two separate items were at issue: a loan application and a letter. In the first instance, the bank had no record of a request for the loan application, and the complainant was unable to identify the date of his request or the means by which he had made it. No other record could be found in which the complainant had made a request that could reasonably be understood as referring to a loan application. In the second instance, the complainant had disputed the bank's initial response to his request for a certain letter, mainly on grounds that the date of the letter received had not corresponded to that of the letter requested. The bank's explanation was that an employee had taken the liberty of electronically redating the letter on file before sending it to the complainant. It was confirmed that the letter sent had been identical in substance to that requested.

Commissioner's Findings

Issued January 21, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information, be given access to that information, and be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Principle 4.10.4 states that an organization must investigate all complaints. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt of the request. Section 8(5) stipulates that an organization failing to respond within the time limit is deemed to have refused the request.

The Commissioner remarked at the outset that this was a case characterized largely by unreliability of testimonial evidence on both sides. Despite the thoroughness of the investigation, very few facts had emerged that could be set out with any certainty.

On the first two counts, he observed that he had no reliable basis on which to make a determination as to whether the bank employee had or had not disclosed the complainant's personal information without his knowledge and consent. The Commissioner was thus unable to find that the bank was in contravention of Principle 4.3.

On the third count, he determined that the bank's suspension of its investigation into the complaint had been due not to any dereliction of responsibility on its own part under the Act, but rather to a refusal on the complainant's part to co-operate in a reasonable manner. The Commissioner found therefore that the bank was not in contravention of Principle 4.10.4.

On the fourth count, he observed that he had been presented with no evidence to substantiate the claim that the package sent to the complainant by the bank had been opened during delivery or that any disclosure of its contents had resulted to any unauthorized third party. The Commissioner therefore had no legitimate basis upon which to find that the bank had not protected the complainant's personal information with adequate security safeguards or was otherwise in contravention of Principle 4.7.

On the fifth count, he was not satisfied, in the first instance, that the bank had ever received from the complainant an information request that could reasonably have been interpreted as referring to a loan application. In the second instance, he was satisfied that, though dated differently, the letter sent initially by the bank was substantially the same as the original requested by the complainant and thus constituted a bona fide response to the request. Since that response had occurred well within the prescribed time limit, the Commissioner found that the bank had met its obligation under section 8(3) and could in no sense be deemed to have refused the request.

The Commissioner concluded that the complaint was not well-founded.
