Bank shares details on employee’s snooping but, rightly, not discipline

PIPEDA Case Summary #2016-001

February 26, 2016

Lessons Learned

  • Organizations may be in contravention of PIPEDA if their employees access customer information without a valid reason.
  • Individuals have a right to know the details of unauthorized access of their personal information by employees. However, organizations must protect third party personal information, such as the disciplinary action taken against the employee involved in the inappropriate access.

An individual suspected that her neighbour, who also worked for her bank, had accessed her personal information without authorization. After the individual alerted the bank, it confirmed that her account had been inappropriately accessed by the employee several times. The individual requested further details, including how many times and on what dates the employee had accessed her account, what information was accessed, whether it was disclosed to a third party, and what disciplinary measures were taken. The bank provided details of the unauthorized access, but did not provide information about how the employee was disciplined.

She then referred her concerns to the bank’s Ombudsman, who stated that the individual had been provided with as much information as the bank could give. The Ombudsman noted that the bank had an obligation to protect its employees’ privacy rights, and therefore could only share minimal information regarding the disciplinary measures taken. The individual’s lawyer then took up the matter with the bank’s privacy office, which confirmed what kind of information the employee had accessed, and further stated that appropriate discipline was taken against the employee, but it could not reveal the specific details.

Still dissatisfied, the individual filed a complaint with our Office. During our investigation, the bank provided information regarding its examination of the individual’s concerns. In an interview with Human Resources, the employee stated that she was aware of her obligations under the bank’s ethics code and admitted to accessing the individual’s account without a valid business reason. The employee added that she had not disclosed information to a third party. Further, the bank found no evidence suggesting that the employee had done so. The bank advised us that it had provided the individual with the dates and number of times the employee had accessed her information, and what type of information was accessible. The bank also confirmed that it had taken formal disciplinary measures against the employee, but could not disclose the specific measures taken. This, it said, would infringe on the employee’s privacy rights and contravene PIPEDA.

Given that the employee of the bank accessed the individual’s account without a valid business purpose, and her personal information was therefore used for a purpose other than that for which it was collected, our Office found the unauthorized use aspect of the complaint to be well-founded.

As there was no evidence that the employee disclosed information to a third party, we found the disclosure aspect of the complaint to be not well-founded.

Finally, we found that the bank had provided the individual with information about how her personal information had been accessed, and agreed with the bank's assertion that it was responsible for protecting its employee's privacy rights. In other words, the individual was entitled to her own personal information (which included details about how it was accessed, and which she was provided), but not to the employee's personal information (including the specific disciplinary steps taken against her). As such, our Office concluded that the access portion of the complaint was not well-founded.