Bank relies on call display to identify customer and access account information

PIPEDA Case Summary #2003-155

[Principles 4.3 and 4.7]

Complaint

An individual alleged that a bank representative accessed her account information without first confirming her identity.

Summary of Investigation

The complainant called a branch of the bank with a question of a general nature. She assumed that, because she had not identified herself and she had an unpublished telephone number, her identity would remain anonymous. However, during the course of her conversation, the bank representative addressed the complainant by her name. The complainant asked how the representative knew to whom she was talking and was told that the name and number appeared on the bank's call display screen. The bank representative confirmed that she then accessed the complainant's account information, but that she did so with the intent of providing good customer service.

The complainant asserted that the bank should not rely on its telephone call display screen to verify the identity of its customers, that individuals should be able to remain anonymous when calling for general information, and that bank representatives should not access account information without consent.

The bank states that if bank representatives are not completely certain that the individual to whom they are speaking is the account holder, they are not to provide any confidential information to that individual. The bank's policy requires that its representatives verify the identity of customers over the phone using certain procedures.

In this case, the representative did not verify the complainant's identity as she was calling for general information. The bank states that the only information that was disclosed was the complainant's name and home branch - information that the representative did not think was highly confidential.

Commissioner's Findings

Issued April 15, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

While the bank had procedures in place that appeared to satisfy the requirements of Principle 4.7, it was clear that they were not followed in this case. Although the bank representative thought she was speaking to the right person because the complainant had not corrected her, and, in any case, no highly confidential information was disclosed, the Commissioner stated that bank employees are required to protect the confidentiality of customer account information by following established procedures, not by process of elimination, to verify a customer's identity. He noted that if they did not, the bank runs the risk of disclosing highly personal information to the wrong people. The Commissioner therefore found that by relying solely on the information on the call display screen instead of following the bank's procedures to verify the complainant's identity, the bank contravened Principle 4.7.

On the issue of consent, the Commissioner took into consideration the complainant's stated expectations when she called the bank. It was clear, by the nature of her question and the fact that she did not intentionally identify herself, that she was not anticipating that a bank representative would call up her account. Had she called regarding a specific issue related to her account, the act of calling could be construed as implied consent, and once she was properly identified, her account could have been accessed. As it stood, however, her identity was not verified, and her question, even by the bank's own admission, was a general one - one which the Commissioner thought would not likely merit accessing the account. In the Commissioner's view, if the representative called up the account for the purpose of providing good customer service, she should have extended that service by seeking the complainant's consent before accessing the account. He therefore found the bank in contravention of Principle 4.3.

The Commissioner therefore concluded that the complaint was well-founded.

Further Considerations

While the Commissioner was satisfied that this was an isolated incident and that the bank has procedures in place to verify the identity of individuals calling the bank, he nevertheless recommended that the bank remind its staff of these processes and request that they refrain from accessing individuals' accounts to respond to general inquiries.