Individual alleged bank sent personal information in unsealed envelopes

PIPEDA Case Summary #2003-197

[Principles 4.7 and 4.7.1, Schedule 1]

Complaint

An individual alleged that her bank had sent her copies of applications for investments in two unsealed envelopes. As a result, she was concerned about the protection of her personal information.

Summary of Investigation

The complainant claimed that she had received two unsealed envelopes, containing copies of her financial information, from her bank. She was particularly distressed that third parties might have seen these documents and might obtain a job using her personal information. She was also concerned about the penalties she might incur if they did so. The complainant did not keep the envelopes.

The bank confirmed that it had mailed two transactions to the complainant but in one envelope, not two. It explained that mail leaving the branch was sealed and stamped at its offsite facility. Envelopes were fed through a sealing machine simultaneously and, according to the bank, it was possible but rare that an unsealed envelope could leave the system. The bank has a quality assurance process in place that involves inspecting a number of processed envelopes before they are mailed. The bank also stated that its machinery was working correctly at the time in question and that it had not received any other complaints of unsealed envelopes.

As for the complainant's concerns about the safety of her personal information, it could not be determined whether there had been any disclosure to third parties.

As a result of the complaint, the bank reminded its employees to check processed envelopes carefully to make sure that they were sealed and stamped correctly. According to the bank, in the course of several telephone conversations, its representatives apologized to the complainant and offered to change her account numbers. The complainant is considering this offer.

Commissioner's Findings

Issued August 1, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification and that organizations must protect personal information regardless of the format in which it is held.

In a similar case involving a different bank, the envelope in question was made available to the Office of the Commissioner and therefore could be examined to verify the condition of the seal and glue. It was not possible in this case to verify the state of the seals, since the complainant did not keep the envelopes. Therefore, there was insufficient evidence for the Commissioner to conclude that the bank failed to properly safeguard the complainant's personal information as per its obligations under Principles 4.7 and 4.7.1.

He concluded that the complaint was not well-founded.

Further Considerations

Although there was insufficient proof to determine whether the envelope(s) were unsealed when they were sent to the complainant, the potential nevertheless existed. The Commissioner therefore recommended that the bank institute a policy that all mail be sealed prior to leaving the branch and being transported to the offsite mailing facility. In his view, if staff at the outside facility also continue to check the seals on outgoing envelopes, the safeguarding of clients' personal information will be significantly improved.
