Organizations must respond within 30 days to requests about how personal information is used and disclosed
PIPEDA Case Summary #2015-012
November 10, 2015
Lessons Learned
- A request made by an individual to an organization about how their personal information is used or disclosed by the organization is covered under Principle 4.9 of PIPEDA. The organization must, therefore, respond to it within 30 days of receiving it, unless an extension is applied.
- In general, a request that asks why a credit inquiry has been made about the individual is considered a request to be informed of the use and disclosure of their personal information and to be given access to that information, made under Principle 4.9 of PIPEDA.
Complaint
An individual made several allegations about a bank in his complaint that he filed with our Office.
One of these was that the bank had allegedly not responded within 30 days to a request he had addressed to its privacy officer. In his request, he had asked why the bank had a credit reporting agency perform a credit check on him.
Summary of Investigation
The individual had been a client of the bank for two decades when it decided to end their banking relationship. About one year afterward, the individual noticed that the bank had made an inquiry about him to a major credit reporting agency. The inquiry turned out to be a “soft hit,” which doesn’t result from a new request for credit and has no impact on someone’s credit rating with the credit reporting agency.
Nonetheless, the individual questioned whether the bank had a valid reason to make such an inquiry given the end of their relationship. He then sent a written request to the bank’s privacy officer asking why it happened.
The bank provided its reply 38 days later. The individual then complained to our Office that the bank had gone over the time limit to reply, which PIPEDA specifies as 30 days for requests for access to personal information.
For its part, the bank claimed that it did not consider the individual’s request to be a request for access to personal information, meaning that it saw no obligation to respect the 30-day limit.
After carefully examining the request, our Office took the opposite view.
Outcome
We observed that the individual asked the bank why it had used his personal information to make a credit inquiry on a specific date. Further, he addressed his request to the bank’s privacy director, whom he identified by name and title.
Principle 4.9 of PIPEDA states that, upon request, an individual must be informed of the existence, use, and disclosure of their personal information and must be given access to that information. Further, subsection 8(3) states that the organization must reply to requests made under Principle 4.9 within 30 days after receiving them, unless a delay can be accorded under subsection 8(4).
Our Office has found previously that when an organization makes an inquiry about an individual with a credit reporting agency, this constitutes a use and disclosure of the individual’s personal information.
When informed of our decision, the bank promised that, in the future, it would respect the 30-day limit for responding to requests of this nature.
In light of the actions taken by the bank, we determined this particular matter to be well-founded and resolved.