Estate executor disappointed in search for safety deposit box information

PIPEDA Case Summary #2001-16

[Principles 4.5, 4.9, Schedule 1; and Section 8(7)]

Complaint

An estate executor complained that a bank had refused his request for personal information relating to the safety deposit box of his deceased aunt.

Summary of Investigation

The complainant suspected that a certain unauthorized person had, with help from the estate's lawyers, gained access to the deceased aunt's safety deposit box and removed items of value. The complainant had obtained a piece of evidence (i.e., a negative reply by fax from one branch of the bank) strongly suggesting that the bank had received at least one independent inquiry from the lawyers concerning the bank holdings of the deceased. In his capacity as estate executor, the complainant asked the bank for access to the signature card for the safety deposit box and to any correspondence between the bank and the estate's lawyers. The bank responded that it could locate neither the card nor any such correspondence. An exhaustive search of the bank files, involving the bank's own ombudsman, the Canadian Banking Ombudsman, and the Office of the Privacy Commissioner, proved unsuccessful in locating any of the information sought by the complainant.

Normally, the bank keeps safety deposit box signature cards for seven years. All the safety deposit boxes had been transferred from one branch of the bank to another eight days after the aunt's death, but appropriate security measures had been taken during the transfer. It was not bank policy for a branch to keep records of an account, an investment, or a safety deposit box once transferred to another branch. Nor was it bank policy for a branch to keep requests for information pertaining to a file it no longer held.

Commissioner's Findings

Issued October 12, 2001

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.9, Schedule 1, states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. Section 8(7) states that an organization that responds within the time limit and refuses a request shall inform the individual in writing of the refusal, setting out the reasons and any recourse that they may have under this part.

The Commissioner determined that the information the bank could not produce should have been retained in accordance with Principle 4.5 or should not have been lost. He therefore found that the bank had not complied with Principle 4.9. He also found that the bank's response constituted a refusal under section 8(7).

The Commissioner concluded therefore that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the bank revise its practices concerning the destruction of documents containing personal information and develop a written policy on the retention of such documents in conformance with the relevant provisions of the Act.