Bank requires piece of identification before responding to request for access to personal information

PIPEDA Case Summary #2006-334

(Principles 4.9, 4.9.2, 4.8.1 and 4.8.2 of Schedule 1 and subsection 8(3) of the Act)

In his complaint the individual alleged that, after making an access request, the bank sent him a form indicating how to fill out a request for access to personal information and asking for a piece of identification in order to process such a request. The individual filed a complaint with our office, claiming that the obligation to fill out this type of form for an access request was contrary to the Act, which requires a response within 30 days of receipt of such a request.

Summary of Investigation

During the investigation, the bank indicated that the purpose of the access request form was to obtain proof of identity by requiring the individual to provide a copy of a piece of valid identification, such as a driver’s license, birth certificate, passport or citizenship certificate. The bank maintained that, under principle 4.9.2 of the Act, it could check the identity of the requestor before providing any requested documents. The bank therefore considered the 30-day timeframe not to have started until it received the missing piece of identification, when it then had the complete request.

The individual claimed that the response time to his request should have begun the moment the bank received the initial request. He submitted that, by not taking into account this initial date, the bank did not meet the deadline set out by the Act.

The bank informed us that the purpose of the form was to facilitate the access request, but that using it was not mandatory. Had the requester included a copy of the required piece of identification with the request, without filling out the form, the bank would have responded to the access request.

Findings

Issued February 21, 2006

Application: Subsection 8(3) of the Act states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Principle 4.9 of Schedule 1 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Principle 4.9.2 states that an individual may be required to provide sufficient information to permit an organization to provide an account of the existence, use and disclosure of personal information. The information provided shall only be used for this purpose. 

Principle 4.8.1 stipulates that organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. Principle 4.8.2 sets out, among other things, that the information made available shall include (b) the means of gaining access to personal information held by the organization. 

The Assistant Commissioner found that principle 4.9.2 allowed the bank to request a piece of identification. She found it was reasonable to require the requestor to identify himself before his access request was processed and before his personal information was disclosed to him. Furthermore, the Assistant Commissioner said she believed that the 30-day timeframe began upon receipt of a complete request, as deemed by the organization. Otherwise, the organization could be held responsible for not meeting the 30-day deadline if a requestor failed, for instance, to send the missing information within a reasonable period of time.

As for the process to access personal information, the bank indicated during the investigation that it would make changes to its Web site to outline the steps necessary to make an access request. These changes have now been incorporated into the site.

The Assistant Commissioner found that the complaint was not well-founded with regard to the deadline and resolved with regard to the description of means to access personal information.