Bank released personal information of third parties without their knowledge and consent

PIPEDA Case Summary #2003-129

[Principle 4.5 of Schedule 1]

Complaint

An individual complained that, in response to his access to information request, a bank released the personal information of five other individuals, including their names, account numbers, monies in their accounts and where money had been transferred.

Summary of Investigation

The bank did not dispute that it had disclosed the personal information of other individuals, that it had done so without their consent, and that it had not notified them about the disclosure. Although the employee had received training in the bank's privacy policies, she mistakenly released the personal information of other people to the complainant. The bank reviewed its privacy policies and procedures with the employee and was satisfied that this was an isolated incident.

Commissioner's Findings

Issued March 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

It was clear and undisputed that the bank had disclosed the personal information of individuals without their knowledge and consent for purposes other than those for which it was collected. The Commissioner therefore found the bank in contravention of Principle 4.5.

He concluded that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the bank notify the affected customers of the disclosure and the action taken to prevent further disclosures of their personal information.