Alleged inappropriate disclosure of personal information to a third party

PIPEDA Case Summary #2003-181

[Sections 2, 7(3)(a) and 7(3)(b); Principle 4.3]

Complaint

An individual alleged that his bank inappropriately disclosed his personal information to a third party.

Summary of Investigation

The complainant, the owner/operator of a small business, had personal and corporate accounts with the bank. In addition to being a customer, he held contracts with the bank to provide services. In late 2001, a dispute arose regarding the complainant's contract and the bank was represented by an outside law firm in the matter.

At the same time, the complainant was having difficulty paying down debts associated with his corporate account. In February 2002, his corporate account was transferred to the bank's special loans group. The complainant alleged that the account manager in the special loans group worked closely with the law firm handling the contract dispute, and that the manager had told him that she had been in contact with the lawyer dealing with the dispute. Shortly afterwards, the complainant was offered a settlement, in which the amount offered closely matched the amount he owed. The complainant believed that his personal banking information was disclosed to the law firm and then used to determine a settlement offer in the contract dispute.

The account manager in the special loans group dealt only with corporate loan accounts that were in arrears. In accordance with the bank's standard practice, she sent the account information to the law firm, which advises the bank on methods of recovering funds from delinquent corporate accounts. She stated that she did not make any special notations or give any particular instructions on his file. The account manager indicated that she only knew about the contract dispute because the complainant told her. She denied having any knowledge of the specifics of the settlement discussions. She stated that she would speak to the complainant about possible loan repayment dates, and then would confirm, in general terms only, with the bank's in-house legal department (not the outside law firm) on the status of the dispute. She denied discussing the complainant's personal or corporate information with anyone at the law firm.

Commissioner's Findings

Issued July 10, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Section 2 defines personal information as information about an identifiable individual. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Exceptions to this principle are provided under sections 7(3)(a) and 7(3)(b), which state that an organization may disclose personal information without the knowledge and consent of the individual only if

  • 7(3)(a) the disclosure is made to, in the Province of Quebec, an advocate or notary or, in any other province, a barrister or solicitor who is representing the organization; and
  • 7(3)(b) the disclosure is for the purpose of collecting a debt owed by the individual to the organization.

The first issue considered was whether the information in question was personal or corporate information. The bank argued that it was not personal information, since it concerned the complainant's corporate account. The complainant, however, asserted that his corporate and personal information was tied together and, therefore, all information relating to his corporate account was his personal information. Bank documents listed the corporate account in the business's name, followed by the complainant's and his wife's names. His house was collateral for his corporate line of credit. Furthermore, there were instances when the bank advised him to return money from his personal account because he had paid himself too much from his corporate line of credit.

Given the extraordinary nature of the complainant's dealings with the bank, the Commissioner was of the view that it would be extremely difficult to separate the complainant's personal information from his business information. Thus, he determined that the information at issue in this particular case was personal information for the purposes of section 2 of the Act.

As for the disclosure, it was clear that the bank had disclosed the complainant's personal information to the law firm without his knowledge and consent. However, the Commissioner was satisfied that the law firm was representing the bank and that the account manager disclosed this information as per standard banking practice when collecting a debt. He further noted that there was no evidence that she was in any way involved with the settlement or the negotiations. He thus found that the exceptions provided under sections 7(3)(a) and 7(3)(b) applied, and that the bank was not required to obtain the complainant's consent.

The Commissioner therefore concluded that the complaint was not well-founded.

Date modified: