Bank fails to respond to access request within time limit

PIPEDA Case Summary #2003-221

[Principle 4.9; sections 8(3) and 8(5)]

Complaint

An individual alleged that a bank that had denied him a credit card failed to respond to his request for access to his personal information.

Summary of Investigation

After an individual was denied a credit card, he sent a letter to the bank requesting disclosure of the personal information about him that it had collected in processing his application and also the precise reasons for the bank's refusal to give him the card. More than fifteen weeks later, and after our office had intervened, the bank replied to the individual and sent him a copy of his on-line application for enrolment, the information from the credit agency, and a copy of the bank's privacy code. In its reply letter, the bank also informed the individual that his application had been refused because an account that he held in another financial institution had been paid late several times in the past.

The bank explained that its delay in replying had been caused by human error, in that the correspondence had not been forwarded to the department responsible for responding to this kind of request. The bank stated that measures had been taken to prevent such situations happening again in future.

The complainant was still not satisfied, and argued that the information disclosed was not the same information that the bank had used in deciding to deny him a credit card. When the Office of the Commissioner compared the original credit report from the agency with the report disclosed to the complainant, it determined that there were two differences: (1) the report disclosed had been written in plain language and (2) it had been translated into French, the complainant's language preference. The Office of the Commissioner informed the complainant that the reports were otherwise identical and that the two differences set out in the report he had received were consistent with principle 4.9.4 of the Schedule to the Act.

Commissioner's Findings

Issued September 16, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.9 states that upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information. Section 8(3) provides that an organization must respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Section 8(5) states that an organization failing to respond to a request within the time limit is deemed to have refused the request.

Because the bank failed to respond to the request within the 30-day period allowed by the Act, the Commissioner determined that it had failed to comply with section 8(3) and is deemed to have refused the request under section 8(5). The Commissioner found that the bank had also contravened principle 4.9 of the Act by denying access to the individual's personal information. He appreciated, however, that in response to his intervention the bank had disclosed all the personal information requested. He also appreciated that in response to the complaint, the bank had taken steps to ensure that this kind of situation would not happen again in future.

The Commissioner concluded that the complaint was well-founded and resolved.