Bank accused of denying access request and disclosing personal information without consent
PIPEDA Case Summary #2003-140
[Principles 4.3 and 4.9; sections 8(3) and 8(5)]
An individual made two complaints against a bank: (1) that it failed to respond to his request for access to his credit report and a listing of all companies to which the bank had disclosed his personal information; and (2) that it continues to disclose his personal information to other companies even though the time period for disclosure after bankruptcy is over.
Summary of Investigation
The complainant declared bankruptcy some years previously and was having difficulty obtaining credit. In October 2001, he wrote to a bank with which he had an outstanding credit card account, outlining his concerns regarding the reporting on this account. In his correspondence, he asked for his credit report and a list of all the companies to which the bank had disclosed information about his credit and other financial information. In December 2001, the bank responded that it was reporting his debt correctly to the credit bureaus.
The bank admitted during the investigation that there had been a delay in responding to the complainant and it agreed that it had not addressed his specific concerns. At the Commissioner's request, the bank wrote to the complainant again, clarifying that it was disclosing the complainant's information to the credit bureaus only and advising him on how to obtain his credit report.
Regarding the second complaint, the bank had no record of any disclosure of the complainant's credit history to any organization other than the credit bureaus, to which it disclosed such information electronically on a monthly basis. The bank noted that such disclosure is part of the normal credit application process and is permitted under the credit card agreement governing the use of credit cards. The bank's position was that, since the complainant had used his credit card, he had consented to such disclosures.
As for the issue of bankruptcy and the time limit on reporting negative information, the bank stated that it was not aware that the complainant had declared bankruptcy, but even if it had known, the non-payment of a debt would still be reported to the credit bureaus. The time limit for a credit bureau's reporting of adverse personal information in the province in which the complainant resides is seven years.
Issued March 10, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and given access to that information; and that the individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receiving it. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request. Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
With respect to the first complaint, the bank did not dispute that it had failed to provide the complainant with his requested personal information within the 30-day time limit set out in section 8(3) of the Act. The Commissioner found therefore that the bank had not met its obligation under section 8(3), was thus deemed under section 8(5) to have refused the request, and had been in contravention of Principle 4.9 of Schedule 1.
He therefore concluded that the first complaint was well-founded.
Regarding the second complaint, the Commissioner determined that there was no evidence to suggest that the bank was improperly disclosing the complainant's personal information. The only organizations the bank disclosed his information to were the credit bureaus. The Commissioner was satisfied that the bank had informed the complainant, by way of the terms of the cardholder agreement, that it would disclose his credit information to credit bureaus, and that it had his consent to do so because he had used the card. He therefore found that the bank had not contravened the requirement for knowledge and consent, stipulated in Principle 4.3.
The Commissioner thus concluded that the second complaint was not well-founded.
Report a problem or mistake on this page
- Date modified: