Bank discloses a customer's personal information without consent
PIPEDA Case Summary #2003-158
[Principle 4.3, Schedule 1]
A customer alleged that a bank teller had disclosed information to her uncle about deposits made to her account over a period of several months, without her consent.
Summary of Investigation
The complainant's uncle periodically loaned her money in instalments of $500. He would ordinarily transfer that amount from his own account at a branch of the bank, to the complainant's personal account, located at another branch of the same bank. When the complainant advised her uncle that she wanted to repay the debt, he reviewed his records and concluded that he had forgotten to obtain a few receipts. He asked a teller at the branch where he holds his account if she could "fill in the blanks" for four specific months where he did not hold receipts. His recollection is that the teller searched for information about the months in question. She told him that $500 had been deposited into his niece's account in some of those months, but she couldn't verify that he was the one who made the deposits.
The bank ordinarily enters a record of a transfer on the account of the person transferring the money. The record indicates the dollar amount, the activity (i.e., a 'transfer to'), and the destination (i.e., the name of the account holder to whom the money is being transferred). The receiving bank enters a corresponding entry on the account into which the money is transferred. The entry indicates the dollar amount, the activity (i.e., a 'transfer from'), and the origin of the transfer (i.e., the name of the account holder who transferred the money). According to the teller with whom the uncle spoke, she compared the entries in the complainant's account with those of the uncle, and simply confirmed that transfers from the uncle's account matched transfers into the complainant's account. She denied disclosing any information about 'unattributed' deposits.
The account records revealed that there were in fact two months where the complainant's account received deposits in the amount of $500.00. There was nothing in the records to indicate who had made them.
Issued April 16, 2003
Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
The Commissioner accepted the uncle's statement that he had received information about deposits into the complainant's account, in the amount of $500, that could not be attributed to him and were not recorded as transfers from his account.
The Commissioner concluded that the complaint was well-founded.
The Commissioner could not accept that the teller at the uncle's branch had simply compared the 'transfer to' entries in the uncle's account with the 'transfer in' entries in the complainant's account, and confirmed that they matched. He noted that if that were all that the teller had done, there would be no breach of the Act, since such entries are both the personal information of the complainant and of her uncle.
Report a problem or mistake on this page
- Date modified: