Bank disclosure results in cancelled wedding

PIPEDA Case Summary #2003-200

[Principle 4.3]

Complaint

An individual alleged that an account manager of a bank disclosed personal information about his banking affairs to his then-fiancée, without his knowledge and consent.

Summary of Investigation

The complainant had a line of credit with a bank to help pay for his university tuition. The total was broken down into four annual amounts, which he could not access without first demonstrating to the bank each year that he was continuing his course of studies and submitting a new application. He asked his fiancée to drop off some of this information at the bank, as she worked nearby.

When she gave the document to a bank employee, she was told that the complainant would have to attend the bank in person because additional information was required. The fiancée asked for the name of the person to whom the complainant should speak. She then was introduced to the account manager, who left the complainant's file open on her desk in front of his fiancée. The fiancée, who had no prior knowledge of the details of the complainant's line of credit, could read the file from where she was sitting. The account manager told the fiancée that the complainant had reached his maximum amount for that year and would have to fill out a new application. The manager then gave the fiancée a blank application, as well as a copy of the one that the complainant had submitted the year before. The fiancée stated that as a result of learning of the extent of the complainant's debt, she cancelled the wedding.

The account manager, who had received privacy training, confirmed that she had given the fiancée a copy of the completed application form and indicated what action the complainant needed to take. However, she claimed that she thought the fiancée was acting as the complainant's agent, based on a comment made by the fiancée that she was acting as a "go-between." The account manager stated that, in the future, she and other bank employees would ensure that they have a signed document indicating that someone is acting on behalf of another person before discussing any personal information.

Commissioner's Findings

Issued August 6, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The Commissioner determined that, by assuming that the fiancée was acting on behalf of the complainant, the account manager failed to follow the bank's policy of having such authorization in writing. Thus, in the absence of documentary evidence, he found that the bank had contravened Principle 4.3.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner noted that the employee had received training in the bank's privacy policies and procedures, that she acknowledged her mistake, and that this was a one-time incident. Nonetheless, he remarked that it was an example of the serious ramifications that privacy disclosures can have on individuals.
