Personal information retained after application rejected

PIPEDA Case Summary #2001-6

[Principle 4.5, Schedule 1]

Complaint

A credit card applicant complained that, after turning down her application, a bank had refused her request that the personal information collected for her application be deleted from the bank's records.

Summary of Investigation

The complainant had applied in person for a credit card, but the bank in question had declined her application. The complainant then requested that the personal information she had provided in her application be removed from the bank's computer system. The branch manager replied that he himself did not have the delegated authority to remove the information, and he took no steps to determine whether some other course could be taken.

In fact, the bank's corporate privacy officer and the business manager for the credit cards had the delegated authority for removal of such information on special request, but in this case the complainant's request was not relayed to either of these officials. For credit card applications made in person, the bank's usual practice was to enter the personal information collected immediately into the computer system at the branch and then forward it for adjudication to the host computer system of the bank's central loan processing centre. If the application was declined, the information was not automatically purged. Unless the unsuccessful applicant made a special request for removal, the personal information remained in the bank's computer system and was accessible indefinitely at the branch level.

Commissioner's Findings

Issued July 23, 2001

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.5, Schedule 1, states that personal information must be retained only as long as necessary for the fulfillment of the purposes for which it was collected.

The Commissioner considered it unreasonable that, after the bank had used the complainant's personal information for the purpose for which it had been collected (i.e., making the decision about the credit card), the information would have remained accessible indefinitely at the branch level had the complainant not insisted on its removal. He found that the bank in this case had contravened Principle 4.5.

However, the Commissioner also noted that the bank had subsequently deleted the complainant's personal information and had confirmed that it had not been communicated to any third party. He also noted that the complainant was satisfied with this resolution.

The Commissioner concluded therefore that the complaint was well-founded and resolved.

Further Considerations

To address the inconsistencies revealed by the Commissioner's investigation, the bank in question has agreed to undertake an extensive review of its current practices for the retention of personal information. The bank has also agreed to implement a communications strategy for educating employees and customers on the bank's privacy complaints process.