Bank denied individual access to her personal information

PIPEDA Case Summary #2003-229

[Principle 4.9; sections 8(3) and 8(5)]

Complaint

An individual complained when a bank did not provide her with copies of her personal information contained in a file that concerned her former husband's company, as requested in writing on three different occasions.

Summary of Investigation

The bank responded to the complainant within the 30-day time limit, indicating that it had previously provided her with all of the information she requested, save for one document, which it enclosed with its reply. Since the complainant had been discharged of all obligations for the company's indebtedness to the bank, the bank argued that it had no legal obligation to respond to the questions she posed in her correspondence. It also indicated that all other information she had requested was either confidential or not in the bank's possession. Dissatisfied with this response, she filed a complaint with the Commissioner's Office.

The bank expanded on its position in its representations to the Office, contending that since the complainant was not a director of the company, she was not entitled to any information from the file, including any personal information relating to her. Therefore, although it had processed some of the personal information that she had formally requested, it did not review all of the documents contained in the file to determine whether it contained any of her personal information.

The Commissioner's Office conducted a preliminary review of the file and confirmed that it did in fact contain additional personal information about her that the bank had not processed. The bank agreed to review the file in its entirety and provided the complainant with access to all of the personal information that she had requested. The complainant was satisfied with the result.

Commissioner's Findings

Issued September 16, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Subsection 8(3) stipulates that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Subsection 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

The Commissioner determined that although the bank had written to the complainant and provided her with some of her personal information within the 30-day time limit, it did not provide her with all of the information that she was requesting and to which she was entitled within that timeframe.

While the bank thought it had responded to her appropriately, it was apparent that the bank did not fully understand its obligations under the Act. Whether or not the complainant had been part of the company or was still responsible for any of its debts, the file required review and she was still entitled to her personal information, subject to the provisions of the Act.

In light of this, the Commissioner found that the bank had not fully met its obligations under subsection 8(3), was thus deemed to have refused her request under subsection 8(5), and was therefore in contravention of Principle 4.9 of Schedule 1.

The Commissioner concluded that the complaint was well-founded and resolved.