Financial institution originally misuses confidential commercial information exemption to withhold personal information
PIPEDA findings #2017-011
March 31, 2017
A complainant alleged that a financial institution refused to respond to his access to personal information request. In its initial response to the access request, the financial institution advised the complainant that the documents relevant to the request were correspondence between the financial institution and the merchant’s bank. This correspondence was considered to be confidential commercial information to be withheld under section 9(3)(b) of PIPEDA. In the course of our investigation, we reviewed the documents and determined that the exemption claimed was inappropriate. Where the records did not fall under the purview of section 9(3)(b), additional representations from the financial institution allowed our Office to determine that the information in question was not the personal information of the complainant. Thus, the complainant was not entitled to it under the Act.
- The standard for justifying the withholding of personal information because it would reveal confidential commercial information under paragraph 9(3)(b) of PIPEDA is very high. Providing access to personal information upon request is the rule and withholding such information is the exception.
- For additional information, organizations can consult our Office’s Interpretation Bulletin on Access to Personal Information.
Report of findings
Complaint under the Personal Information Protection and Electronic Documents Act (“PIPEDA”)
- The complainant disputed a transaction from a merchant appearing on his credit card statement, so he sought access to his personal information from the financial institution.
- The financial institution provided the complainant with copies of account statements, correspondence, account services notes and transcripts of telephone calls. However, the financial institution stated that pre-arbitration documents are correspondence between the financial institution and the merchant bank, and as such are confidential commercial information and therefore not personal information. The financial institution relied on the disclosure exemption under paragraph 9(3)(b) of PIPEDA, to withhold information from an access request as the information is considered confidential commercial information.
- We examined the documents over which the financial institution was claiming the confidential commercial exemption and it was unclear why the financial institution was citing this exemption. Despite our requests, the financial institution provided no meaningful representations to support the application of this PIPEDA exemption that it had invoked.
- Following our Office’s issuance of a Preliminary Report of Investigation with recommendations, the financial institution provided additional information about the redacted information. We then determined that it was not the personal information of the complainant. Thus, the complainant was not entitled to it under the Act.
- Accordingly, because of the delay in the financial institution responding to the complainant’s request, we concluded that the matter is well-founded and resolved.
Summary of Investigation
- The complainant was a client of the financial institution and held a credit card issued by the financial institution. In 2014, the complainant disputed a transaction from a merchant appearing on his credit card statement.
- Originally, the financial institution advised the complainant that it would commence a chargeback request with the merchant’s bank to dispute the transaction as a “service not rendered.” However, the merchant declined participating in the “pre-arbitration” process as requested by the financial institution since the merchant believed that the service had been rendered. Thus, the financial institution informed the complainant that the financial institution was re-applying the disputed charges to his credit card account, despite the complainant’s protests.
- The complainant then submitted a request to the financial institution for access to his personal information. In his request, addressed to the president and CEO of the financial institution, he sought the following:
- “…a comprehensive and completed page by page photo exhibit within the personal records pertaining to myself that are in the custody and control of the financial institution and or their affiliate offices that are in relationship with my credit card account now closed [due] to a fraudulent transaction.”
- A compact disc of telephone recordings “made by respondents or their affiliated offices also known as Client Care Specialists in particular to the affixed letter by an employee of the financial institution.
- Following receipt of this request, the financial institution responded to the complainant’s access request. The financial institution apologized for the delay in responding later than the 30-day time limit imposed by PIPEDA, claiming that it was unable to contact the complainant to clarify the scope of his request and that his request was received by the financial institution’s client care specialist nearly two weeks after it was written.
- The financial institution provided the complainant with copies of the following: account statements, correspondence and account servicing notes. At the same time, the financial institution informed the complainant that the transcripts of the telephone calls he requested would be mailed within two weeks.
- Accordingly, in a subsequent letter, the financial institution provided the complainant with a written transcript of one telephone call made in 2014 and invited the complainant to visit a local branch of the financial institution to listen to the recording. He was also provided with the service notes and file annotations from a second call made in 2014, as well as two calls made on the same day in 2015. The financial institution noted that it was unable to provide him with access to two automated letters sent to him in 2014 and 2015 because the financial institution does not retain copies of automated letters.
- In response, the complainant sent a letter to the financial institution, returning the one written telephone call transcript he had received as he deemed it inaccurate. He also questioned why he had not been provided with any information pertaining to the disputed credit card transaction, specifically the following documentation.
- Documents to “support the charge ascertained by you”;
- Recording of calls with two dispute specialists;
- Documentation “to support a letter of pre-arbitration”;
- Merchant letter of pre-arbitration; and
- Merchant letter declining pre-arbitration.
- The financial institution responded to this letter, stating that the financial institution did not have call recordings pertaining to the two calls with the dispute specialists (item b above) since not all calls are recorded. As for the documents sought relative to pre-arbitration (items c to e above), the financial institution stated that pre-arbitration documents are “correspondence between the financial institution and the merchant bank, and as such are commercially confidential and therefore not your personal information. This information is exempt from disclosure in response to an access request under [paragraph] 9(3)(b) of PIPEDA, as the information is considered confidential commercial.”
- Our Office obtained and examined a copy of the documents redacted by the financial institution. The documents pertain to the credit card dispute filed by the complainant against the merchant. The information includes an “Acquirer Representment Form”, which had been completed by the merchant and indicates the merchant’s response to the disputed transaction as well as the supporting documentation that the merchant provided to support the charge. The merchant had therein indicated that it was “providing documents to prove Chargeback conditions were not met.” The financial institution also provided us with screenshots of the complainant’s account and his transaction history with the merchant.
- Our Office also examined “Pre-Arb Questionnaires” as well as Chargeback questionnaires completed by the bank, outlining the complainant’s allegations.
- When we questioned why transactional information about the complainant had been redacted from these documents, the financial institution explained that there had been an error in advising which documents were to be redacted and that the transactional information did belong to the complainant. Accordingly, the financial institution stated that the transactional information had already been provided to the complainant. However, the date the information had been provided preceded the complainant’s request for access to his personal information.
- As for the communications between the financial institution and the merchant, which nevertheless remained redacted, the financial institution explained to our Office that the financial institution and the merchant are bound by the credit card company’s operating regulations and that these are questionnaires that reflect the process of chargebacks. As such, according to the financial institution, they relate to the confidential arrangement among the participants. Furthermore, the financial institution deemed that the Acquirer Representment Form and the Chargeback Questionnaire are:
… commercial confidential as it is not the personal information of the client, but rather the confidential process in which the financial institution can assist the client in obtaining a refund from the merchant. Furthermore, it should be noted that all the information that is part of the chargeback process has already been provided by the client and the client would be deemed to already have this information…therefore, it is our interpretation that the above two documents are commercial confidential.
- In a subsequent letter, the financial institution provided the complainant with, “…information that has been transposed onto a document containing your personal information…”. Specifically, the financial institution transferred to a separate document what it understood to be the complainant’s personal information from the Acquirer Representment Form and Chargeback Questionnaire as opposed to providing the complainant with his personal information in a redacted format.
- Subsequent to the financial institution issuing the above noted letter, we sent to the financial institution our Preliminary Report of Investigation in which we advised the financial institution of our Office’s recommendation and asked for a response.
- In analyzing the facts, we applied Principle 4.9 from Schedule 1 of PIPEDA, as well as subsections 8(3), 8(4) and 9(1) and paragraph 9(3)(b) of PIPEDA.
- Principle 4.9 states that upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.
- Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.
- Subsection 8(4) states in part that an organization may extend the time limit for a maximum of 30 days but that the organization must, no later than 30 days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.
- Subsection 9(1) states than an organization shall not give an individual access to personal information if doing so would likely reveal information about a third party. However, if the information about the third party is severable from the record containing the information about the individual, the organization shall sever the information about the third party before giving the individual access.
- Paragraph 9(3)(b) states that despite the note that accompanies Principle 4.9 of Schedule 1, an organization is not required to give access to personal information only if to do so would reveal confidential commercial information.
Analysis and Findings
- At issue is whether the complainant has received full access to his personal information in accordance with his access request. In that request, he was seeking access to his personal information pertaining to his credit card account with his financial institution, as well as certain telephone recordings related to a dispute involving a transaction on his credit card account.
- Firstly, it is clear that the financial institution did not respond to the complainant within the 30 days required by subsection 8(3) of PIPEDA, nor did the financial institution send him a notice of extension within 30 days of the date of his request, as required by subsection 8(4).
- Secondly, it has been established that the complainant has received partial access to the information he requested, notwithstanding the fact that he returned a telephone conversation transcript to the financial institution, alleging it was inaccurate and choosing not to listen to the transcript’s source recording at a branch of the financial institution. Further, we accept that recordings or transcripts of certain telephone calls between the complainant and the financial institution cannot be provided because the calls were not recorded.
- However, we continue to have misgivings over the financial institution’s withholding of certain documents pertaining to the disputed transaction and the chargeback process. The financial institution has argued that the information is exempt because it is confidential commercial information. Specifically, we challenge the application of paragraph 9(3)(b) to exempt the complainant’s right of access to these documents.
- With regard to what constitutes “confidential commercial information”, an Interpretation Bulletin on Access to Personal Information issued by the our Office notes that in one case investigated by us, the Privacy Commissioner of Canada determined that:
Information generated by a financial institution’s investigation of alleged credit card fraud can be considered to be confidential commercial information, where commercial interests of the organization could suffer irreparable harm if the information is released and preservation of confidentiality constitutes a sufficiently important interest. (Emphasis added)
- Further, in a recent Federal Court of Canada decision into a matter investigated by our Office, Bertucci v. Royal Bank of Canada, the Court noted at paragraph 39 of the decision that “the standard for justifying the withholding of information under paragraph 9(3)(b) of the Act is very high.”
- In our view, and despite the representations of the financial institution and our entreaties to the financial institution over the matter at hand, we have not been provided with a compelling explanation regarding why or how the information being withheld from the complainant meets this very high standard. The credit card operating regulations referred to by the financial institution do not support its position of confidentiality, especially since the financial institution claims that it advised the complainant verbally of the merchant response.
- We find the reasons advanced by the financial institution for not disclosing the information unconvincing and unsubstantiated. It remains unclear to us how either the financial institution or the merchant would suffer irreparable harm [if] said information were released to the complainant.
- In our letter and Preliminary Report of Investigation, we recommended that the financial institution provide the complainant with access to all his personal information, including the Acquirer Representment Form, the Pre-Arb Questionnaire and the Chargeback Questionnaire that had not been provided to him and that had been specifically requested by the complainant.
- The financial institution responded to our recommendations:
- The financial institution provided clarification about the information that had been redacted from the Acquirer Representment Form, the Pre-Arb Questionnaire and the Chargeback Questionnaire. Specifically, the financial institution advised that the information in question is not considered the personal information of the complainant and such information is being redacted pursuant to subsection 9(1), which pertains to third party information;
- The financial institution provided the complainant with his personal information contained in the Acquirer Representment Form, the “Pre-Arb Questionnaire” and the Chargeback Questionnaire.
- After reviewing the documents in question, our Office determined that the financial institution had erroneously relied on the exemption for confidential commercial information under paragraph 9(3)(b) to redact certain information. However, after careful analysis, we conclude that the forms have since been correctly redacted in accordance with subsection 9(1). The complainant is not entitled to the information redacted under this exemption.
- Although we are satisfied that the complainant now has received access to the personal information that he is entitled to from these documents, we view the protracted time interval taken by the financial institution to apply the correct exemption and to meet its obligations in fulfilling the complainant’s access request, as wholly unnecessary in the circumstances. We would encourage the financial institution to ensure that responsiveness, timeliness and quality stand as priorities in dealing with access requests.
Conclusion and recommendations
- Accordingly, we conclude that the matter is well-founded and resolved.
Report a problem or mistake on this page
- Date modified: