Bank uses tape-recording of customer's call for unidentified training purpose; connects another customer to the recording
PIPEDA Case Summary #2003-180
[Principles 4.2.4, 4.3, 4.3.2, 4.3.5, 4.5, 4.7, and 4.7.1, Schedule 1]
A couple complained that a bank:
- had failed to protect the husband's personal information with adequate safeguards, with the result that it was disclosed to an unauthorized third party without his consent; and
- had used a tape-recorded conversation with the husband for a purpose not previously identified and without obtaining his consent.
Summary of Investigation
A customer called the bank to report that, while trying to conduct a banking transaction by telephone, he had been erroneously connected to a tape-recording of someone else's transaction. That someone else proved to be the male complainant. In notifying the husband that his account information had thus been compromised, the bank explained that one of his recent banking calls had been tape-recorded and was being used for training purposes.
The complainants were upset that the bank not only had somehow allowed a third party to overhear the details of the husband's bank transaction, including his client card number, but also appeared to have made the tape-recorded call accessible by telephone in some sort of training exercise. The husband had been notified that his call might be tape-recorded for quality monitoring purposes, but had not taken this to mean use as a training tool. In the complainants' view, the bank had not obtained the husband's consent to using the tape-recording for training purposes and had had no right to use it for such purposes without his consent.
The bank did not dispute the improper disclosure to a third party, but represented it as an isolated incident resulting from a simple error on the part of an employee at one of its service centres. This employee had been trying to transfer a caller to the appropriate department, but had neglected to highlight the appropriate extension line on her computer screen. She had thus inadvertently dialled the default extension, which was that of the last number dialled. The last number the employee had dialled was for an extension that the service centre in question had set up for training purposes. Specifically, the number gave access to a weekly featured example of a good-quality customer service call. The example featured for the week in question had happened to be the husband's recent call.
The bank made a practice of randomly tape-recording customer calls, duly notifying each caller at the outset that the call might be recorded for quality monitoring purposes. The bank's position was that this notification was sufficient to cover uses of the kind that its service centre ultimately made of the husband's recorded call. The bank nevertheless discontinued the training exercise at issue and destroyed the tape-recording in question. It was also determined that the bank had destroyed the tape-recording in question soon after the incident.
Issued July 10, 2003
Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because the bank in question is a federal work, undertaking, or business as defined in the Act.
Application:
- Principle 4.2.4: When collected personal information is to be used for a purpose not previously identified, the new purpose must be identified, and the individual's consent obtained, prior to use.
- Principle 4.3: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
- Principle 4.3.2: Organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used; for consent to be meaningful, purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
- Principle 4.3.5: In obtaining consent, the reasonable expectations of the individual are also relevant.
- Principle 4.5: Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
- Principle 4.7: Personal information must be protected by security safeguards appropriate to the sensitivity of the information.
- Principle 4.7.1: These safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held.
On the first count of the complaint, the Commissioner determined that the bank had indeed improperly disclosed the complainant's personal information without his knowledge and consent to a third party. The Commissioner had no doubt that the disclosure had been simply the result of an error by an employee. However, in setting up a telephone extension for access by employees to tape-recorded personal information of customers, the service centre had not adequately considered the sensitivity of the information, the possibility of disclosure through employee error, and appropriate safeguards to prevent such disclosure. The Commissioner found therefore that the bank had contravened Principles 4.7 and 4.7.1.
On the second count of the complaint, the Commissioner considered the bank's contention that it did have consent to the purpose for which the personal information was ultimately used. He deliberated as follows:
- The bank was arguing in effect that, by proceeding with his call after he was told that it might be recorded for quality monitoring purposes, the complainant had implied consent to a use such as the service centre ultimately made of the recording - that is, consent to the practice of making such recordings generally available as training tools to employees. The question was what "quality monitoring" could reasonably be taken to mean.
- Although the question may well be regarded as one of mere semantics, the Act contains two provisions, Principles 4.3.2 and 4.3.5, that put an onus on the organization, in formulating statements of purpose, to anticipate and respect the reasonable individual's understanding of common terminology.
- Referring to Principle 4.3.5, the Commissioner commented that, if he himself were to agree to let a bank record a call of his for quality monitoring purposes, he might well expect that a supervisor would listen to the tape-recording to assess the performance or competency of the employee who took the call. He might even expect that the supervisor and the employee would listen to the recording together in a coaching situation, with a view to generating constructive criticism and performance improvement.
- Where his own sensitive personal information was concerned, however, he, like the complainant, would not expect the meaning of "quality monitoring" to extend to integrating a personal conversation of his, verbatim and unanonymized, into a training program by storing it at a special telephone extension accessible to all employees.
- Referring to Principle 4.3.2, the Commissioner commented that an organization is obligated to make a reasonable effort towards enabling individuals to understand how their personal information will actually be used. If an organization intends to use tape-recorded customer calls as part of a general training exercise, it should say so in terms that a customer can reasonably understand. The complainant not only had not understood, but had been given no reasonable way of understanding, from the bank's statement of purpose, that his personal information would end up as a training "feature of the week" at one of the bank's service centres.
In sum, the Commissioner determined that this had been a distinct use constituting a distinct purpose, requiring specific identification and specific consent. The bank had not distinguished this use, in reasonably understandable terms and in accordance with the complainant's reasonable expectations, as a purpose for the collection of his personal information. The bank therefore could not be said to have obtained his consent to the purpose at the time of collection. Nor had the bank at any later time undertaken to identify the use as a new purpose and seek the complainant's specific consent to it. The Commissioner found therefore that the bank had been in contravention of Principles 4.3.2, 4.3, 4.2.4, and 4.5.
He concluded that the complaint was well-founded.
The Commissioner noted that he was pleased that the bank had voluntarily discontinued the practice at issue. Nevertheless, he also made a point of noting that the bank's destruction of the tape-recording had been done without the complainant's knowledge and consent and therefore might well have constituted grounds for further complaint under Principle 4.3. Though the complainant would have preferred to be consulted in the matter, he was on the whole relieved that the possibility of further unauthorized disclosure had thus been eliminated and was satisfied that the bank had allowed him to hear the recording before it was destroyed. He had therefore decided against pursuing the matter as a complaint.