Bank customer objects to being surveyed by private firm

PIPEDA Case Summary #2002-35

[Principles 4.1.3 and 4.3, Schedule 1; and section 5(3)]

Complaint

A customer complained that her bank had improperly collected, used, and disclosed to a third party, specifically a market research firm, her personal information without her consent.

Summary of Investigation

The complainant had received a call from an interviewer with a market survey firm. The interviewer identified the complainant as customer of the bank in question and asked her to participate in a survey. The complainant declined and asked how the interviewer had come to know she was a customer of the bank. He replied that the information was in his database. The complainant subsequently contacted her bank's local branch manager, who acknowledged that the bank did sometimes hire private firms to gather information on its behalf. The complainant's main concerns were how much of her personal information the bank had disclosed to a third party, and whether the information had been sold.

The bank had contracted with a certain market research firm to conduct a study related to future provision of products and services to customers. That firm in turn had subcontracted the telephone survey portion of the study to another research company. The personal information disclosed by the bank had not been sold, but rather provided for research purposes. It had consisted only of customer numbers, full names, addresses, home telephone numbers, and preferred language.

The bank had been doing business with the contracting firm for more than 10 years, and there was a confidentiality agreement between the two. However, although the bank believed that the subcontracting firm would be covered under the same agreement, in fact there was no specific confidentiality agreement between the contracting firm and the subcontracting firm. On completion of the survey and the study and in accordance with the existing confidentiality agreement, both firms destroyed the information that the bank had originally provided. The study report that the contracting firm eventually submitted to the bank contained only aggregated data and did not refer to individual customers.

The bank's practice of disclosing customer information to, and receiving information from, external parties for purposes of maintaining the banking relationship and offering products and services was stated in a document that the complainant would have received and signed on opening her account. The bank had also outlined the practice in various disclosure documents, including a privacy brochure that the complainant likewise would have received on opening her account.

Before 2001, customers could opt out of the bank's marketing campaigns and surveys, but the procedure was not well-advertised, and no 1-800 was provided for the purpose. With passage of the Personal Information Protection and Electronic Documents Act on January 1, 2001, the bank notified all its customers of an opting-out procedure, including a 1-800 number. The bank intends to phase-in a process of seeking express written consent.

As for the complainant, the bank asked her directly whether she would like be excluded from future marketing campaigns and surveys and has complied with her request to opt out. The bank has also issued an apology to the complainant.

Commissioner's Findings

Issued January 10, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. Principle 4.1.3 states that an organization is responsible for personal information it its possession or custody, including information transferred to a third party for processing, and must use contractual or other means to provide a comparable level of protection while the information is being so processed.

The Commissioner determined that the bank had provided the complainant with written notification of its practices regarding the collection, use, and disclosure of her personal information at the time she had opened her account. He also determined that the collection, use, and disclosure at issue in the complaint were consistent with the bank's stated practices. Moreover, he was satisfied that the stated purpose - i.e., obtaining the customer's opinion on products to be offered - had been one that a reasonable person would have considered appropriate in the circumstances. Finally, considering that the information in question had been limited, bound by confidentiality agreement, not sold, and duly destroyed after use, he determined that express consent from the complainant had not been required. He found therefore that the bank had been in compliance with Principle 4.3 of Schedule 1 and section 5(3) of the Act.

The Commissioner concluded that the complaint was not well-founded in respect of these two provisions.

However, he also determined that the confidentiality agreement between the bank and the contracting firm was deficient in that it made no provision for subcontracting. In this regard, therefore, he found that the bank was in contravention of the Act

The Commissioner concluded that the complaint was well-founded in respect of Principle 4.1.3.

Further Considerations

The Commissioner recommended that the bank amend its confidentiality agreement with the contracting firm so as to include a specific provision to cover cases of subcontracting.