Bank issues new guidelines and educates employees after customer information is faxed to the wrong individual

PIPEDA Case Summary #2006-332

(Principles 4.3 and 4.7.1 of Schedule 1)

A customer reported that his bank faxed to him the account numbers and summaries of other customers on two occasions. He also claimed that when he attempted to report these incidents to the bank, it closed his account and refused to serve him. The bank admitted that faxes were sent in error to the complainant on one occasion; the Office, however, was unable to find any evidence that this occurred a second time, as the complainant alleged, nor did it substantiate his claim that the incident resulted in the bank closing his account.

Following the incident, the bank consolidated its guidelines into one document, which was then distributed to all employees. The Assistant Privacy Commissioner concluded that the complaint was well-founded and resolved.

The following is an overview of the details of the investigation and findings.

Summary of Investigation

The bank acknowledged that the personal information of two customers was faxed to the complainant in error. The incident occurred because several sheets of paper had been stacked together in preparation to be faxed and then were not separated correctly when they were processed. Upon learning of the incidents, the bank took steps to secure the individuals’ accounts and inform them of the disclosures.

The bank noted that, during a series of calls between the complainant and the bank, the complainant suggested that the bank could avoid a privacy complaint to this Office if it was willing to reach a settlement on his account, which was past due at that point. The bank indicated to him that it would not consider such a settlement. The bank informed him in writing that the information he received was confidential and was not intended for him. He was directed to destroy it immediately, which he did not do, since he provided this Office with a copy of the information.

According to the bank, it could find no evidence that any information was faxed to the complainant a second time. The Office asked him to provide documented proof that the bank faxed him the personal information of other customers as he alleged. He did not provide any proof to support his allegation.

At the time, the bank had guidelines in place regarding the faxing of customer information. Subsequent to this incident, the bank provided additional education to employees who send faxes. The bank also undertook a review of all practices related to outgoing fax communications. Various departmental guidelines were analyzed and consolidated into one bank-wide document. These faxing guidelines were distributed to employees for implementation.

The guidelines in question state that faxes should only be sent when there is a demonstrated urgent need or when it is the standard method of communicating with a third party. When possible, employees are to offer to send items by mail, as this is a more secure method, particularly when sending personal information to customers. The fax guidelines also direct employees to:

  • Verify that the fax number dialed matches the intended number
  • Verify that the documents attached to the coversheet are actually intended for the recipient listed and that they match the description of items being sent
  • Check the fax confirmation sheet to ensure that the transmission was successful
  • Ensure customer account is documented with a description of items faxed.

As for the closure of the complainant’s account, this occurred prior to the faxing incident and was unrelated to the matter under investigation.

Findings

Issued April 12, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.7.1 stipulates that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

In making her determinations, the Assistant Commissioner deliberated as follows:

  • There was no dispute that the bank faxed the personal information of two other customers to the complainant, as a result of human error on the part of an employee. There was no evidence to support the complainant’s allegation that the bank faxed the personal information of other customers to him a second time.
  • It was clear that the bank did not appropriately protect customer personal information, as stipulated under Principle 4.7.1, and as a result disclosed the information of two other customers without their knowledge or consent, in contravention of Principle 4.3.
  • The Assistant Commissioner noted that the bank took appropriate steps to address the situation with respect to the customers whose information was disclosed. It also has since modified its faxing guidelines and educated staff on proper procedures.

Accordingly, she concluded that the complaint was well-founded and resolved.
