A bank exceeded the time limit for responding to an access request and cannot send all the records requested

PIPEDA Case Summary #2004-272

[Principles 4.5.2, and 4.9, subsections 8(3), 8(5) and 8(8)]

Complaint

Further to a credit card application, an individual alleges that the bank did not respond to his request for personal information.

Summary of Investigation

After a credit card application was refused, the individual wrote to the bank requesting access to the personal information gathered about him. The bank stated that it attempted to contact the individual a number of times by telephone and left telephone messages, but never received a reply. The bank sent a written reply to the individual more than 38 days after receipt of the request, indicating that the credit bureau did not have a credit record for this individual.

During the investigation, the bank stated that information from credit bureaus is usually kept for one month if an application is accepted and for three months if it is refused. This information is then destroyed. The bank was therefore unable to provide a copy of what the credit bureau sent since that information was received more than three months before, when the application was being processed.

Moreover, the bank maintained that its telephone calls and messages show that the institution complied with the one-month time limit for responding to the request, although the bank sent its written reply over one month after receipt of the request.

Findings

Issued on April 6, 2004

Jurisdiction : ThePersonal Information Protection and Electronic Documents Act (the Act) has applied to federal undertakings since January 1, 2001 . The Assistant Commissioner had jurisdiction in this matter because a bank is a federal undertaking work or business within the meaning of the Act.

Application : Subsection 8(3) provides that an organization receiving a request shall respond to it with due diligence and in any case not later than thirty days after its receipt. Subsection 8(5) stipulates that if the organization does not reply within this time limit, the organization is deemed to have refused the request, which contravenes principle 4.9 (Individual Access). Subsection 8(8) stipulates that an organization in possession of information that is the subject of a request shall retain the information for as long as is necessary to allow the individual to exhaust the recourse available. Principle 4.5.2 of Schedule 1 of the Act states that personal information used in making a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made.

Regarding the time limit, while the bank attempted to contact the individual by leaving telephone messages, it did not, as stipulated in subsection 8(3) of the Act, “ respond to a request with due diligence and in any case not later than thirty days after receipt of the request . ” To fulfil its obligation under the Act, the bank should have replied in writing within thirty days of receipt of the request. The Assistant Commissioner therefore concluded that the bank infringed subsection 8(3) and is thereby presumed to have refused access pursuant to subsection 8(5) of the Act, which is a violation of principle 4.9 (Individual Access).

The Assistant Commissioner also noted that the bank was unable to send the individual the records initially obtained from the credit bureau to make a decision on the application. The investigation showed that the bank did not retain the record long enough to allow the individual access to it, in violation of subsection 8(8) and principle 4.5.2.

The Assistant Commissioner concluded that the complaint was well-founded.

Further Considerations

The Assistant Commissioner also recommended that the bank change its policy on keeping records from credit bureaus and extend the retention period.