Bank employee discussed customer's personal information with relatives
PIPEDA Case Summary #2003-213
[Principle 4.3]
Complaint
An individual complained that the branch manager of his bank disclosed his personal information to his aunt and mother.
Summary of Investigation
The complainant attended his bank to make a withdrawal and noticed that a large sum of money had been deposited into his account. As he was expecting a settlement, he asked the bank teller to verify whether this money was in fact his. After being informed that it was, he made a withdrawal, and later returned to the bank to take out the rest of the money.
Some time later, the bank discovered that this money had been deposited into the complainant's account in error. The manager called the complainant's home and left a message on the answering machine. While the complainant states that the manager asked for "Mr. or Mrs. X," the branch manager believed he left the message only for the complainant.
The branch manager then called the complainant's aunt, who was listed on the complainant's account application form as a reference. While the manager claimed that he only told the aunt that there were issues with the complainant's account, the aunt stated that the manager said that the complainant was not conducting his account properly. Both agreed that the manager did not provide further details regarding the problem with the account.
The bank's privacy agreement states that it may use references clients provide to verify information. This agreement is included in a number of documents and is provided to customers when they purchase new products or services. In this case, a reference to the Privacy Agreement was also included on the application form that the complainant filled out and signed. Given this, the bank asserted that its contact with the aunt was not a breach of the complainant's confidentiality.
The complainant returned the bank's call on the same day that the message was left and was told that the bank had made an error and that he should return the money or the matter would be referred to authorities. The complainant brought the money back.
As for the complainant's mother, she stated that the message was for "Mr. or Mrs. X." She did not keep the message; therefore, the Office was unable to verify who the intended recipient of the message in fact was. Unaware that her son had already called the bank, she telephoned the bank manager and they discussed the complainant's account information. In hindsight, the manager acknowledges that, despite the fact that the mother initiated the call and knew about the account, he should have obtained the complainant's direct consent before speaking to her, given that the complainant was of legal age.
Commissioner's Findings
Issued August 6, 2003
Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.
Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
There was no dispute that the bank manager discussed the complainant's personal information with the mother without the complainant's consent. As for the conversation with the aunt, while the bank had the complainant's consent to verify with her the information he provided on his application form, the Commissioner was of the view that the manager's comment that the complainant was not conducting his account properly was a disclosure of the complainant's banking information. He thus determined that in both instances, the bank had disclosed the complainant's personal information in contravention of Principle 4.3.
The Commissioner concluded that the complaint was well-founded.