Financial institution discloses individual’s sensitive health information to credit reporting agency

PIPEDA Report of Findings #2015-017

July 6, 2015

---

An individual was alarmed upon discovering that her sensitive medical information was included on her personal credit report maintained by a credit reporting agency.

Not understanding the need to include this sensitive medical information in her file, she lodged a complaint with our Office. Our initial inquiry revealed that it was the individual’s own financial institution that provided her medical information. When requested by our Office, the credit reporting agency agreed to remove the reference to the sensitive medical information. The complaint against the credit agency was consequently resolved and closed.

The complainant subsequently filed a complaint against the financial institution. We learned that the individual’s sensitive medical information was collected upon applying for a loan with her financial institution. During an interview, an employee took notes, including information provided by the individual about her unemployment and sensitive medical information.

The financial institution first advised our Office that its employee subsequently submitted all notes to the credit reporting agency. Later, however, the financial institution explained that the employee had recorded the sensitive medical information directly into the loan application’s employment field before submitting it. The employee then admitted in an interview with our Office that the job training she had received was insufficient and she had not understood that information in completed loan applications would be directly disclosed to a credit reporting agency.

Further, the financial institution’s standard practice was to record “Disability” in the employment field of the loan application (when this descriptor was applicable). We disagreed with this practice since it constitutes a disclosure of sensitive personal information about the applicant that is simply not required for credit reporting purposes. Also in our view, it constitutes a disclosure of personal information beyond what is covered in the financial institution’s form used to obtain consent for the collection, use and disclosure of personal information.

After discussions with our Office, the financial institution agreed to cease disclosing “Disability” or any other sensitive medical information to a credit reporting agency. The financial institution also agreed to implement other recommendations from our investigation. These included: reviewing its credit-information handling practices; implementing amendments to these practices including a comprehensive privacy framework to ensure compliance with PIPEDA; obtaining a third-party audit to review its credit information handling practices to ensure PIPEDA compliance; and submitting the third-party’s audit report to our Office, once completed.

We found the complaint to be well-founded and conditionally resolved, contingent upon the institution implementing all of our recommendations by no later than 90 days after receipt of the Report of Finding.

Update: The financial institution implemented all four of our Office’s recommendations and provided us with a third-party audit report and action plan, as agreed. As the organization has fully complied with our recommendations, no further follow-up is needed.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Complaint

1. The complainant alleges that a financial institution offering a wide range of financial services disclosed her personal health information without her consent by posting her sensitive medical information on her credit report with a credit reporting agency under the “Current Employment” heading.
2. The complainant further alleges that the financial institution continued to report, to the credit reporting agency, activity on a line of credit account, long after it was closed.
3. Our investigation also revealed certain gaps in the respondent’s privacy accountability framework which are addressed in this report.

Summary of Investigation

Background

4. The complainant initially submitted a complaint to our Office against the credit reporting agency, relating to the issue outlined in paragraph 1, above. That complaint was resolved once both our Office and the complainant were informed by the credit reporting agency that the information about the complainant’s sensitive medical information had been provided by the financial institution. The credit reporting agency also confirmed that the “Current Employment” section of the complainant’s credit file had been modified, such that the reference to the sensitive medical information had been removed.
5. The complainant subsequently filed the subject complaint against the financial institution.

Disclosure of Sensitive Health Information

6. Our Office informed the financial institution that the credit reporting agency had identified it as the party responsible for disclosing the complainant’s sensitive medical information on her credit report.
7. The financial institution responded to our Office’s questions regarding the alleged disclosure. It indicated that internal notes were inadvertently submitted to the credit reporting agency as part of a credit application. Specifically, the respondent represented that during a loan application process on the telephone with a financial institution employee, the complainant discussed events that took place at her previous place of employment which contributed to her sensitive medical information. The financial institution stated that the medical information was volunteered by the complainant. It provided our Office with a copy of the internal notes, which included among other information, the following reference: “cannot work due to [the sensitive medical information]”. The submission further indicated that the financial institution staff member had realized the mistake a short time after and made a correction. In its initial response to our Office, the financial institution offered its apologies to the complainant for the error and indicated that deliberate steps would be taken in the future to avoid a similar mistake.
8. Our Office identified three apparent inconsistencies between the financial institution’s explanation of the disclosure and the results of the credit reporting agency’s investigation, which had been shared with us in response to the complaint referenced in paragraph 4, namely:
   1. The credit reporting agency’s investigation confirmed that the employment details were provided online by the financial institution on May 9, whereas the date on the internal notes was May 10;
   2. the language in the internal notes was inconsistent with the language that appeared on the credit report, and
   3. The credit reporting agency explained that the “Current Employment” field, for online reporting, is limited to a certain number of characters (including spaces). Therefore, if the number of characters submitted by a company exceeds that number of characters, the entry would be truncated and any information displayed on the credit report would be limited to the first specified number of characters provided. The information contained in the internal notes referencing the sensitive medical information, which the financial institution represented it had submitted to the credit reporting agency, appeared after the specified number of character limit and as such, would not have appeared in the credit file.
9. Our Office therefore did not accept the financial institution’s submission that the disclosure of the complainant’s medical information resulted from an accidental disclosure of internal notes. A meeting was scheduled with the financial institution to discuss the discrepancies.
10. The financial institution explained that their understanding of the cause of the disclosure had changed; they now believed that while on the phone with the complainant completing an application, a financial institution employee may have recorded the sensitive medical information in the employment field and submitted the request to the credit reporting agency.
11. Our Office interviewed the employee, who indicated that the training they received had been insufficient, and they did not understand that the information included in the loan application system would be disclosed externally.
12. The financial institution’s audit trails confirmed that an “Inquiry” was submitted to the credit reporting agency on May 9.

    The financial institution also provided our Office with a document, which the complainant had signed, that obtained her consent to collect, use or disclose her personal information.

13. In addition, the financial institution provided our Office with a Code of Conduct which includes a section on “Sensitive Information”.
14. The employee that submitted the application also brought an additional issue to our attention. Namely, the employee indicated that it was standard practice to enter “Disability” in the employment section of the loan application system if that was the reason for unemployment. Our Office informed the financial institution that this represented an unnecessary disclosure of personal information. The financial institution indicated that it was their intent to continue to use “Disability”, given that financial risk is a factor to be considered when reporting any form of income for its members. That said, they also indicated that they were open to recommendations from our Office in this regard.
15. The credit reporting agency’s Privacy Policy states that the credit reporting agency only records and retains information that is relevant to credit history and sufficient to identify clients with their credit file. It further states that its credit database does not include information about health or lifestyle.

Reporting of Closed Line of Credit

16. As indicated above, the complainant alleged that the financial institution continued to report to the credit reporting agency activity on a line of credit account long after it had been closed. The complainant informed our Office that the account had been closed around October 2012, yet she continued to see updates on her credit report under the heading of the financial institution. Specifically, the “Date of Last Activity” and “Date Reported” continued to be updated on the credit report. The complainant provided our Office with a copy of her credit report to evidence the updates.
17. According to the financial institution, in August 2011, a collections officer was helping the complainant to increase her limit on an existing line of credit account. It was not typical for the collections employee to process such a request. As such, they did not have a comprehensive understanding of the financial institution’s loan systems. Typically when an increase is authorized, a financial institution employee would close the old account and open a new account with the new limit; however the complainant’s increase was not completed properly. A “closed date” was not attached to the original line of credit and as a result, the original line of credit was left “in limbo”, i.e., it was not reflected in the financial institution’s systems as an active account but continued to be reported to the credit reporting agency.
18. According to the financial institution, there are typically reviews that take place, on dormant or inactive accounts, where such accounts are vetted to ensure that they have been properly handled. However, the financial institution represented that such procedures had been overlooked in this case, due to various organizational challenges and role changes over a period of several years, which it described to our Office.
19. As a result, the financial institution acknowledged and corrected the complainant’s line of credit issue when our Office brought it to their attention.

Application

20. In making our determinations, we applied Principles 4.1.4(a) and (c), 4.3, 4.3.4, 4.3.5, 4.6 and 4.6.1.
21. Principle 4.1.4 provides, in part, that organizations shall implement policies and practices to give effect to the principles, including: (a) implementing procedures to protect personal information; and (c) training staff and communicating to staff information about the organization's policies and practices.
22. Principle 4.3 stipulates that the knowledge and consent of the individual are required for the collection, use or disclosure of information. Principle 4.3.4 states, in part, that the form of the consent sought by the organization may vary, depending on the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information. Principle 4.3.5 further states, in part, that in obtaining consent, the reasonable expectations of the individual are also relevant.
23. Principle 4.6 states that personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Principle 4.6.1 indicates that the extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.

Analysis

Disclosure without Consent

24. At issue in the first place is whether the financial institution disclosed the complainant’s personal health information without her knowledge and consent. As indicated above, the complainant’s sensitive medical information was listed on her credit reporting agency credit report under the heading “Current Employment”.
25. We accept that the complainant’s personal health information was uploaded to the credit reporting agency by the financial institution on May 9.
26. The information at issue was highly sensitive, being personal health information, which could affect the complainant’s eligibility for credit and/or cause distress.
27. When the complainant signed the financial institution’s “Disclosure and Consent to the Collection, Use and Disclosure of Personal Information” document, in our view, it would not have been within her reasonable expectations that such information be disclosed because: (i) it was highly sensitive in nature; (ii) the sensitive medical information was not her “employer”, as it was reported to the credit reporting agency; (iii) the disclosure was made contrary to the financial institution’s own Code of Conduct; and (iv) it was contrary to the credit reporting agency’s published privacy policy.
28. We therefore find that the financial institution disclosed the complainant’s sensitive personal information without adequate consent, and therefore, contravened Principle 4.3 of Schedule 1 of the Act.
29. The credit reporting agency removed reference to the sensitive medical information from the complainant’s credit file upon learning of this reporting error.
30. With respect to the standard practice of entering “Disability” in the employment section of the loan application system, if that was the reason for unemployment status, we are of the view that this also represents a disclosure of sensitive personal information. Furthermore, the "Current Employment” section of the credit report is broken down by “Employer” and “Occupation”; “Disability” does not correspond to either “Employer” or “Occupation” and therefore, represents a disclosure of more information than necessary for the purposes of credit reporting, and is a disclosure for which the respondent did not have adequate consent.
31. While the financial institution initially indicated that it would continue identifying and disclosing such information as “employment” for credit reporting purposes, during the course of this investigation, the financial institution committed to cease the practice of disclosing “Disability”, or any other sensitive medical information, when reporting to a credit bureau.

Inaccurate Reporting

32. With respect to continued reporting of a line of credit that had been closed, the financial institution acknowledged that its employees and systems failed to ensure that the line of credit was no longer reported to the credit reporting agency.
33. Information reported to credit agencies will be used by other creditors to determine eligibility of individuals for credit, which could have a substantial impact on individuals’ well-being (financial and otherwise). As such, it is important that reported credit information be highly accurate, complete and up-to-date.
34. We find, therefore, that in failing to maintain the accuracy of such information, the financial institution contravened Principle 4.6 of Schedule 1 of the Act.
35. When the financial institution became aware of the error, following our Office’s intervention, they corrected it.

Accountability

36. During the course of our investigation, we also identified certain gaps in the respondent’s privacy accountability program which clearly contributed to: (i) its disclosure of the complainant’s sensitive health information without her consent; (ii) its general practice of reporting “Disability” as employment information contrary to the credit reporting agency’s privacy policies and its own Code of Conduct; and (iii) its inaccurate reporting of the complainant’s closed line of credit.
37. More specifically, the evidence demonstrates that the complainant’s personal information was inappropriately disclosed as a result of the employee's lack of training on the loan application software. Following interactions with our Office, the financial institution provided training on the loan application system to all sales staff and management. In addition, the employee in question was required to repeat an online privacy course entitled “It’s a Matter of Privacy”.
38. Further, with respect to the general practice of disclosing “Disability”, when that was the reason for unemployment, our investigation uncovered that this practice was contrary to the financial institution’s own Code of Conduct as well as the credit reporting agency’s policies. The financial institution agreed to cease this practice.
39. Finally, the financial institution acknowledged that its continued reporting of the complainant’s closed line of credit account resulted from: (i) the failure of its employee, who was not fully trained with respect to use of the loan application system, to follow company procedures; and (ii) the company’s failure to implement its existing standard file review procedures. It has fully committed to carry out such procedures to ensure that such errors are identified and remediated proactively in future.
40. In our view, the financial institution did not have adequate procedures, training or monitoring in place, and therefore contravened Principles 4.1.4(a) and (c).
41. Furthermore, given the sensitivity of the personal information collected and reported by financial institutions, and the potential impact that inaccurate reporting or over-reporting can have on the well-being, financial and otherwise, of individuals, it is, in our view, of utmost importance that the financial institution have in place: (i) documented procedures to ensure appropriate handling (i.e., compliant with privacy and other laws) of personal information via its credit reporting process; (ii) adequate training to ensure that staff are informed of and understand such procedures; (iii) ongoing compliance monitoring to ensure compliance; and (iv) processes and procedures to provide for proactive remediation of privacy issues as they are discovered.
42. While we are pleased that the financial institution has, as outlined above, implemented certain changes to address the specific concerns identified during this investigation, given the breadth of the issues our Office uncovered, we lack sufficient confidence in the financial institution’s privacy management framework to determine that it is currently in compliance with its Accountability obligations under the Act. To that end, we requested, and the respondent agreed, to undertake further actions as outlined below.

The Financial Institution’s Commitments

43. With a view to adequately protecting against disclosure of individuals’ sensitive or inaccurate personal information via its credit reporting process in future, the financial institution has agreed to, by no later than 90 days after receipt of this report:
    1. conduct a thorough review of its credit information handling practices;
    2. implement amendments to such practices, including a comprehensive privacy management framework to ensure compliance with PIPEDA, i.e., providing for: (i) policies and procedures; (ii) training and communication; (iii) monitoring for compliance; and (iv) proactive remediation in the event of non-compliance;
    3. obtain a third-party audit to review its credit information handling practices and opine on whether they are PIPEDA-compliant; and
    4. submit the third-party’s audit report to our Office for review and acceptance.
44. To assist with the implementation of the above recommendations, we have suggested that the respondent refer to our Office’s guidance document: Getting Accountability Right with a Privacy Management Program.

Conclusion

45. Based on the changes which the respondent has already implemented and those which it has committed to implement, we find this complaint to be well-founded and conditionally resolved.
    
    We remain interested in the financial institution’s compliance with the commitments it has made to our Office, as outlined in this report, and we will continue to follow-up with the respondent to ensure that those changes are adequately implemented within the agreed upon timeframes. At the appropriate time, we will gauge whether the financial institution has fully complied with our recommendations and, if necessary, we will address any outstanding concerns in accordance with our authorities under the Act.