Bank improperly discloses customer's personal information to ex-husband

PIPEDA Case Summary #2003-175

[Principle 4.3]

Complaint

An individual complained when her bank disclosed her account balance to her former husband, without her knowledge and consent.

Summary of Investigation

The bank acknowledged that one of its employees mistakenly released the complainant's account information to her ex-husband. The ex-spouse had attended one of the bank's branches and produced documentation that showed that the account was "in trust" for his and the complainant's son, that his name (and the complainant's) was originally on the account, and that he was a custodian of the son. The branch manager was not in at the time and could not be consulted; therefore, based on this documentation, the employee released the information, despite the fact that the former husband's name was no longer listed on the account portfolio on the computer. After the complainant contacted the bank to protest the disclosure, the manager reviewed the documentation produced by the ex-husband and concluded that the information should not have been released. The bank formally apologized to the complainant and offered her a monetary "goodwill" gesture, which she declined. Bank officials also contacted the former husband to clarify that the account was not his to control and that they would not release any additional information to him about it.

The bank was of the view that the disclosure was the result of human error and was not symptomatic of a systemic problem in the organization. When new employees are hired, they are provided with documentation regarding the bank's privacy policies and procedures, as well as an agreement that they are required to sign, which includes a clause requiring them to maintain the confidentiality of information. In its opinion, the disclosure occurred because the employee failed to properly apply standard bank procedures to verify the validity of the ex-spouse's documentation.

The bank reviewed its privacy policy with the employee in question. It also discussed the details of the incident, why the bank's policy is important, and how to prevent a similar occurrence from happening again.

Commissioner's Findings

Issued May 12, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Since there was no dispute that the bank had disclosed the complainant's personal information without her knowledge and consent, the Commissioner found that the bank had contravened Principle 4.3.

The Commissioner therefore concluded that the complaint was well-founded.

Further Considerations

While the Commissioner was aware that the bank had formally apologized to the complainant for the incident and had offered her a monetary "goodwill" gesture, he was of the view that the amount proposed was wholly inadequate given the serious repercussions of the privacy breach. He therefore strongly encouraged the bank to significantly increase its offer and to do so on an urgent basis.
