Bank properly redacted information related to credit card fraud probe

PIPEDA Report of Findings #2011-010


The complainant requested access to her personal information relating to the respondent bank’s investigation into the alleged fraudulent use of her credit card. The respondent bank provided her with redacted information, and the complainant complained to our office that she had been denied access.

Our Office found that the respondent bank properly redacted the personal information of other individuals as well as the computer system commands used during the investigation and the information generated by the investigation into the alleged fraud.

We also found that the information redacted could be described as confidential commercial information. We agree that if the information redacted were to be released, the commercial interests of the respondent would suffer irreparable harm. The disclosure would be a breach of the respondent’s contractual obligations of confidentiality and, further, it could put at risk merchants with which the bank had contractual confidentiality obligations.

Our Office concluded that the complaint was not well-founded.

Lessons Learned

  • Information generated by a bank’s investigation of alleged credit card fraud can be considered to be confidential commercial information and therefore exempt from access under paragraph 9(3)(b) of PIPEDA. As well, the information may contain third-party information that, under paragraph 9(1), should not be provided to the requester. In these cases, redaction may be appropriate.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the Act)

1. The complainant claims that the respondent bank (the “respondent”) denied her access to her personal information relating to its investigation into the alleged fraudulent use of her credit card.

Summary of Investigation

2. The complainant holds a credit card from the respondent. On November 6, 2008, the respondent’s Fraud Response Centre called the complainant about potential fraudulent use of her credit card one year earlier and to inform her that her card would be cancelled for that reason. The respondent then began an investigation into the potential fraudulent activity.

3. The complainant pursued the matter with the respondent’s Customer Care Centre and later with its Ombudsman’s office. She was advised that the respondent does not divulge information about possible compromises of credit card accounts to cardholders and that the bank’s investigation was ongoing.

4. In response to the complainant’s dissatisfaction and as a service gesture, the respondent credited the complainant’s account with $100.00.

5. The complainant continued to be dissatisfied with the outcome of her complaints to the respondent. On July 18, 2009, the complainant made an access request to the respondent’s Privacy Officer in order to obtain all documents pertaining to the fraudulent use of her credit card and the ensuing cancellation of it. She specifically requested the name of the merchant where the alleged fraud occurred.

6. On August 13, 2009, the respondent provided the following information to the complainant:

  • A copy of a screenshot from the respondent’s internal computer system, dated August 11, 2009, showing details of her credit card account (1 page); and
  • A copy of the contents of the respondent’s complaints log, dated July 31, 2009, pertaining to the complainant’s credit card account for the period November 21 to December 12, 2008 (4 pages).

7. In the information provided to the complainant, the respondent redacted certain information to protect the personal information of other individuals or the respondent’s employees who may not be known to the complainant. It also redacted a number of the respondent’s information-technology system commands.

8. Unsatisfied with the information she received, the complainant filed an access complaint against the respondent with this Office, which we received on October 27, 2009.

9. In its representations to this Office, the respondent defended its redaction of the names of individuals or employees, stating that its actions were consistent with the exemption available under subsection 9(1) of the Act.

10. The respondent also informed us that its own internal investigation report did not include the name of the merchant (i.e., the “potential point of compromise”) where the incident may have occurred. It added that even if the report had contained that information, it could not be released since the respondent considered it confidential commercial information subject to the exemption provided by paragraph 9(3)(b) of the Act. According to the respondent, this type of information is collected to manage fraud risk both within the bank and the entire credit card industry.

11. Our Office reviewed un-redacted versions of the information that the respondent had provided the complainant. We also reviewed a copy of the internal report produced by the respondent’s internal investigation team following the alleged credit card fraud incident.

Application

12. In making our determinations, we applied Principles 4.9 and 4.9.1 of Schedule 1, subsections 2(1), 9(1), and paragraph 9(3)(b) of the Act.

13. Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his personal information and shall be given access to that information.

14. Principle 4.9.1 provides that organizations are encouraged to indicate the source of this information.

15. Subsection 2(1) defines “personal information” as information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

16. Subsection 9(1) states that an organization shall not give an individual access to personal information if doing so would likely reveal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.

17. Paragraph 9(3)(b) provides that an organization is not required to give access to personal information only if to do so would reveal confidential commercial information.

Findings

February 21, 2011

18. At issue is whether the respondent refused to grant the complainant access to her personal information to which she was entitled, in accordance with the Act.

19. Our investigation revealed that the respondent provided the complainant with information about her credit card account as well as information from the respondent’s complaints log that pertained to her credit card account. We established that the information had been redacted, in part in accordance with subsection 9(1), in order to protect third-party information contained therein. Upon reviewing an un-redacted version of the information, we established that some of the redacted information was comprised of third-party names and employee-identifying numbers.

20. In our view and as a result of our careful analysis, this third-party information has been correctly redacted in accordance with subsection 9(1). As a result, the complainant is not entitled to the redacted information.

21. With regard to other redacted information, we deem that the information-technology system commands fall outside the purview of her access request for her personal information. Accordingly, they have correctly been withheld from her because these commands cannot be considered her personal information. If anything, they could be described as confidential commercial information, subject to the exemption under paragraph 9(3)(b).

22. There does remain some unreleased information about the complainant, her credit card account and the respondent’s investigation into alleged fraudulent use of that account.

23. In such cases, the respondent would be remiss if it did not take steps to investigate and mitigate the risk of compromised credit accounts of its customers. The respondent would therefore have legitimate reasons not to reveal details of such investigations, especially when they are ongoing.

24. It is our view that this information can also be described as confidential commercial information, subject to paragraph 9(3)(b). The commercial interest at stake here relates to the objective of preserving contractual obligations of confidentiality. If such information were released, the commercial interests of the respondent could suffer irreparable harm. Furthermore, the disclosure of this information could also put at risk merchants with which the respondent has contractual obligations of confidentiality (including the potential point of compromise in this case). The preservation of confidential information constitutes a sufficiently important commercial interest.

Conclusion

25. Accordingly, the matter is not well-founded.

 
