Alleged improper disclosure of credit card number to third party
PIPEDA Case Summary #2003-144
[Principle 4.3 of Schedule 1]
An individual alleged that his bank disclosed his new credit card number, without his knowledge and consent, to an organization that had his previous card number.
Summary of Investigation
A number of years ago, the complainant joined an organization and arranged to have his membership fee charged against his credit card account. The following year, the organization contacted him to renew his membership; the complainant declined, but his account was debited anyway. The complainant contacted his bank, which credited his account. A short time later, the complainant cancelled his credit card and obtained a new one from the same bank. Some months afterward, the same organization approached the complainant to renew his membership. He again refused, but his new credit card account registered a debit for the amount of the membership fee.
Having concluded that the bank had disclosed his new credit card number to this organization, the complainant contacted the bank to complain about the disclosure and the unauthorized debit. The bank agreed to refund the charge and explained that, as a service gesture, it links old credit card accounts to new ones in order to facilitate certain pre-authorized payments that the client may have registered against the previous card and that the client would want the bank to honour until such time as the client notifies the merchant of his or her new number. The bank stated that it did not disclose the complainant's new account number to the organization.
The complainant also contacted the organization to complain about it processing the unauthorized payment. The organization agreed to refund the complainant, but, as it did not have the new credit card number on file, it asked him for it, which he provided.
The complainant questioned whether the bank in fact linked the accounts as it claimed since he was required to authorize payments to his Internet service provider every month. The bank explained that certain companies choose to obtain pre-authorized approvals from the bank before processing any payments, regardless of the payment frequency. Companies that choose this method of checking in advance must have the current account number against which to verify the payment capability of the cardholder. Old and new cards are not linked in such a process.
Issued April 1, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
The Commissioner determined that the process of linking old and new accounts did not result in the disclosure of personal information to the organization posting the charge. The organization is not informed that there is a new account. In this instance, the complainant contacted the organization regarding the charge.
The Commissioner therefore found that the bank had not disclosed the complainant's personal information and that there had been no contravention of Principle 4.3.
The Commissioner concluded that the complaint was not well-founded.