Bank employee improperly accessed customer's account
PIPEDA Case Summary #2003-212
[Principle 4.5 of Schedule 1]
An individual complained that a bank employee improperly used and disclosed his personal information.
Summary of Investigation
The complainant was involved in an ongoing dispute with his stepson, with whom he had a joint loan. At one point, the stepson told the complainant how much money was in the complainant's bank account and what his income was. The complainant believed that his stepson's spouse, a bank employee at the time, had provided the stepson with this information. To prevent her from accessing his information again, the complainant placed a block on his account. The block is intended to prevent any employee outside the customer's branch (the employee in question did not work at the complainant's branch) from viewing the customer's account numbers or balances. It does not, however, prevent an individual who knows the bank account number from making a deposit into the account. A short time later, a sum of money was deposited into the complainant's account.
The complainant approached the bank with his concerns. The bank conducted a security search, which revealed that this employee had accessed the complainant's main customer profile. The information in the profile included a list of all of his account numbers, balances in the accounts and the transaction history for the accounts. The bank's investigation showed that, despite the block, the employee also managed to deposit money into the complainant's account.
The employee admitted to the bank that she had accessed the account, but denied disclosing any information about it to the stepson.
The bank subsequently reviewed the importance of privacy with the employees at the branch where this incident occurred. Although no specific memorandum was sent regarding the matter, the bank indicated that it did provide its employees with a revised copy of its guidelines for employee conduct. The bank apologized to the complainant and made a settlement offer, which he refused.
Issued August 6, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.5 states that personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
It was undisputed that the bank employee had accessed the complainant's banking information and made a deposit into the account. The employee admitted it and the computer system showed it. Although it was probable that the employee had disclosed the complainant's personal information to the stepson, the Commissioner determined that there was insufficient evidence to support this.
However, as the employee had accessed the complainant's personal information for her own reasons, the Commissioner determined that she had used his personal information for a purpose other than that for which it was collected and without his consent. He therefore found the bank in contravention of Principle 4.5 of Schedule 1.
The Commissioner concluded that the complaint was well-founded.