Individual claims that bank collected unnecessary information and retained it for too long
PIPEDA Case Summary #2003-139
[Principles 4.4 and 4.5 of Schedule 1]
An individual complained that a bank improperly collected information from him and then retained it for too long a period.
Summary of Investigation
A bank representative contacted the complainant, whose daughter had applied for a student line of credit, and asked him detailed questions about his personal and business finances. The complainant provided this information, though he deemed it excessive, in the intended role of co-signatory to his daughter's application. The complainant was not a customer of the bank in question.
Two days after the complainant supplied this information, the daughter was denied the loan on the basis of her credit rating alone. The complainant immediately contacted the same bank representative to request that all the information he supplied be deleted. The complainant was initially told that his records could not be deleted because of retention schedules and audit requirements. He was later informed that his information would be erased but not until after RRSP season was over. Over two months after it was collected, the complainant's personal information was erased.
The bank admitted it made an error in asking for the complainant's personal information. The bank employee should have realized that the daughter's application would not have been granted, even with a co-signor, and therefore should not have asked for the information. It provided training to the employee involved to prevent a reoccurrence.
As for retention policies, the bank keeps on file an individual's credit application (and co-signatory's information) according to the time limits outlined in the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations, as well as according to provincial time limits after which courts would entertain no cause of action. The bank indicated that it also retains this information in case it has to respond to queries that may be made in relation to the application and any reference to it that may appear in an individual's credit report.
Notwithstanding this, the bank agreed to delete the complainant's information since it was collected in error. As for how promptly the information was removed, the bank maintained that it could not have deleted this information until operational constraints resulting from RRSP season had eased.
Issued March 6, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.4 states that the collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Principle 4.5 establishes that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
The Commissioner determined, and the bank did not dispute, that it had collected unnecessary information from the complainant. He thus found the bank in contravention of Principle 4.4.
Given that the information was not collected for a proper purpose and that the bank was aware of this almost immediately after collecting it, well before RRSP season began, the Commissioner determined that the complainant's personal information was retained for too long a period and the bank was in contravention of Principle 4.5 of Schedule 1.
He therefore concluded that the complaints were well-founded.
- Date modified: