Bank alleged to have unnecessarily collected and improperly disclosed personal information

PIPEDA Case Summary #2003-245

[Section 5(3) and Principles 4.3.3 and 4.7, Schedule 1]

Complaint

An individual complained that a bank had

  1. collected too much personal information when he attempted to make a withdrawal; and
  2. disclosed his personal information to others in the course of examining and verifying his identification.

Summary of Investigation

The complainant had a personal account at a bank and attempted to make a withdrawal at another branch. The teller asked him to sign a withdrawal slip and, since he was not a customer of that branch, to provide identification so that she could verify his signature in accordance with the bank's internal procedures. The teller felt that the identification provided by the complainant was not sufficient to prove his identity and referred him to a financial services representative, who also examined his documents.

The financial services representative was seated at a reception desk in an open area. The complainant was concerned that other customers might have seen his personal documents at this desk; however, the representative stated that the desk had a raised barrier at chest level and that a person would have had to stand directly behind her and look over her shoulder in order to see any documents that she was examining. There was no one standing behind her at the time.

After she, too, had determined that the complainant's identification was insufficient, the representative took him into her office so that she could call his home branch. The office had floor-to-ceiling glass walls on three sides, a half-door, and was about twenty feet from the nearest customer. The representative telephoned the branch, and asked for a fax of the complainant's signature card so that she could compare signatures. She also mentioned the complainant's name and account number. The complainant felt that she disclosed this information to people outside her office by speaking too loudly. The representative stated that she may have raised her voice slightly because the complainant was speaking to her simultaneously. Several bank employees who had been in the vicinity indicated later that they did not overhear any part of the conversation between the complainant and the representative. The home branch employee who had been telephoned also stated that the representative spoke in a normal tone of voice.

After the faxed card had been checked, the complainant was allowed to make the withdrawal. He subsequently complained to the bank which, although apologizing for the frustration and inconvenience he had experienced, advised him that, in its view, the staff had acted properly and that there had been no improper disclosure of his personal information.

Findings

Issued December 3, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Section 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

With respect to the first complaint, the Assistant Commissioner deliberated as follows:

  • A reasonable person would consider it appropriate for a bank to confirm the identity of an account holder who is unknown to the branch in question and who wants to withdraw money.
  • It therefore follows that the bank would require sufficient information to achieve that purpose.
  • Since the identification provided did not confirm the complainant's identity to the satisfaction of branch personnel, it was reasonable to ask his home branch for a copy of his signature card.
  • In questioning the complainant's identification, bank employees were adhering to the bank's internal procedures for confirming identity.
  • The bank's procedures and practice in this case were not excessive and were carried out for legitimate purposes.

On this basis, the Assistant Commissioner determined that the bank was in compliance with section 5(3) and Principle 4.3.3.

She concluded that the first complaint was not well-founded.

With respect to the second complaint, the Assistant Commissioner deliberated as follows:

  • She found that there was no evidence to support the complainant's allegation that reception desk customers saw his personal documents.
  • She found that there was no evidence that the financial services representative's mention of the complainant's name and account number were heard outside her office.
  • The complainant's allegations were contradicted by several bank employees who denied hearing any part of the conversation.
  • The home branch employee stated that the representative spoke in a normal tone of voice.

Given the lack of evidence to support the complainant's allegation that his personal information was disclosed, the Assistant Commissioner determined that the bank did not contravene Principle 4.7.

She concluded that the second complaint was not well-founded.

Date modified: