Bank agrees to modify automated message
PIPEDA Case Summary #2004-270
[Section 2; Principle 4.3, paragraph 7(3)(b)]
An individual alleged that her bank improperly disclosed her personal information when it left an automated message on her answering machine stating that she was behind on making a payment on her credit card. She stated that she had not given her consent for the bank to leave a message that anyone in her family or a visitor could hear, and objected to this disclosure of her financial status in an unsecured and non-private forum.
Summary of Investigation
The complainant missed a payment on her credit card. Approximately two weeks after it was due, the bank left an automated digital message on her home telephone number, which she had provided on her credit card application form. The message indicates who is calling, that the credit card holder is slightly behind in making his/her minimum payment, and provides a toll-free number. The cardholder's name is not mentioned.
The bank stated that since the message does not name the cardholder and does not disclose any financial information other than the fact that the cardholder is slightly behind in making his or her minimum monthly payment, no personal information was disclosed. Consequently, there was no contravention of the consent provisions.
The bank added that, should this argument not be accepted, any disclosure of personal information in this instance was permitted under paragraph 7(3)(b), which allows for the disclosure of personal information without consent for the purpose of collecting a debt. The bank was of the view that by not disclosing an individual's name, it was taking an approach in its collection calls that was in keeping with previous findings made by the Office in relation to paragraph 7(3)(b), namely, that this provision does not confer a carte blanche upon an organization to disclose however much information it wishes in pursuing a debt.
The bank does not notify its customers when they apply for a credit card (or thereafter) that they may be contacted in this fashion. The credit card application form does note that the bank may use any of the information provided by the customer for the ongoing maintenance and operation of the account.
According to the bank, the automated digital message performs a positive customer service function because it reminds customers to pay their account or, for customers who have paid, to let them know that their payment has not been received. In addition to reminding customers that remitting regular monthly payments helps to maintain a strong credit rating, interest is calculated on the basis of the average daily balance in the cardholder's account. As a result, if a customer has forgotten to make a payment, prompt notification by the bank could reduce the amount of interest incurred by the individual cardholder. In addition, the bank states that for customers who have remitted payment, but the payment has not been received by the bank, the notice serves the purpose of alerting the customer to the possibility that the payment has gone astray.
While the complainant did not hear the automated message, her husband did. Given that she was the only member of the household with a credit card from this bank, the husband was concerned and paged the complainant at work. The disclosure caused some tension in the household for a number of days.
The complainant owns an answering machine, and does not have an internal answering system. The call is automatically broadcast, and the complainant does not have to pick up the receiver to hear it. As a result, other family members or friends could have heard the call if they had been in the room at the time it came in. The complainant believed it was inappropriate for companies to leave such messages on answering machines and that they should contact the individual directly. In her view, it was similar to leaving a personal message in public.
Issued May 4, 2004
Application: Section 2 defines personal information as "information about an identifiable individual"; and Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. An exception to this requirement is provided under paragraph 7(3)(b), which states that an organization may disclose personal information without the knowledge and consent of the individual only if the disclosure is for the purpose of collecting a debt owed by the individual to the organization.
The Assistant Privacy Commissioner rejected the bank's contention that the information at issue was not personal information, as defined under section 2. She noted that although the message did not name the complainant, it was sent to her telephone number, which she had provided to the bank. The Assistant Commissioner noted that an individual does not have to be named for something to constitute his or her personal information; rather, as the Act says, he or she has to be simply "identifiable." In the same way that removing the name of a person from a description of an event does not render the person unidentifiable if other people know the circumstances of the event, the fact that the complainant was the only credit card holder (of this bank) in the household made her identifiable as the individual for whom the message was intended. Thus, the Assistant Commissioner concluded that the information at issue was the complainant's personal information.
In considering the exception to consent cited by the bank, the Assistant Commissioner deliberated as follows:
- The bank used the complainant's personal information to collect a debt, but it did not intend to disclose this information to her husband.
- The disclosure, therefore, was inadvertent, and not done for the purpose contemplated in paragraph 7(3)(b). Consequently, the Assistant Commissioner determined that the exception provided under paragraph 7(3)(b) did not apply.
- The Assistant Commissioner noted that the statement contained in the message to the effect that the cardholder is slightly behind in making a payment does reveal sensitive financial information.
- While the Assistant Commissioner found it reasonable to alert customers to a problem, she was of the view that this could be done in a more privacy-conscious manner.
- The bank acknowledged this, and agreed to review the wording of its message with a view to mitigating the privacy implications, while still alerting customers to a potential issue with their accounts.
- The Assistant Commissioner was pleased with the bank's undertaking, and its active pursuit of options. The complainant indicated that she was also satisfied with this result.
Accordingly, the Assistant Commissioner concluded that the complaint was resolved.
The Assistant Commissioner asked the bank to report back to her on its progress in changing the message.
- Date modified: