A bank exceeds the time limit for answering an access request

PIPEDA Case Summary #2003-253

[Principles 4.5.2, 4.7.1 and 4.9; Sections 8(3) and 8(5)]

Complaint

An individual alleges that the bank did not answer a request for personal information regarding the individual's application for a credit card.

Summary of Investigation

The individual, after the application for a credit card was refused, wrote to the bank requesting access to the personal information the bank had collected. Almost five months later and after the Office of the Commissioner intervened, the bank answered the request by sending the individual a copy of the submitted application for a credit card and a copy of the credit analyst's notes on the report from the credit office at the time the application was considered. However, the bank could not provide a copy of the credit agency's report because the document had been lost due to computer problems.

Findings

Issued December 17, 2003

Jurisdiction: Since January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) has applied to federal works, undertakings or businesses. The Assistant Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Section 8(3) specifies that an organization must respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Section 8(5) stipulates that an organization failing to respond within the time limit is deemed to have refused the request, which contravenes principle 4.9 (Individual Access). Principle 4.5.2 of Schedule 1 of the Act indicates that personal information that has been used to make a decision about an individual must be retained long enough to allow the individual access to the information after the decision has been made. Principle 4.7.1 stipulates notably that organizations must protect personal information regardless of the format in which it is held.

Concerning the delay, the bank failed to fulfil its obligation to provide the individual with the requested information within thirty days of the request as stipulated in section 8(3) of the Act. The Assistant Commissioner thus concluded that the bank contravened section 8(3) and is therefore presumed to have refused access under section 8(5) of the Act, which contravenes principle 4.9 (Individual Access).

The Assistant Commissioner also noted that the bank could not provide the individual with a copy of the credit report initially obtained from the credit office to make the decision concerning the application. The investigation revealed that the bank did not retain the report long enough to allow the individual to have access to it, which contravenes principle 4.5.2. In addition, the bank did not take the necessary measures to ensure that the record in question was retained, and thus contravened principle 4.7.1 of Schedule 1 of the Act.

The Assistant Commissioner concluded that the complaint was well-founded.
