Bank accused of withholding information on customer's debt payments

PIPEDA Case Summary #2002-36

[Principle 4.9, Schedule 1; and sections 8(3) and 8(5)]

Complaint

An individual complained that a bank firstly had failed to provide him with all the personal information he had requested and subsequently had failed to respond to his second access request.

Summary of Investigation

The complainant had sent to the bank in question, by registered mail, a letter requesting a copy of a detailed statement of account regarding a certain debt and a copy of a file concerning a court decision. The bank responded by sending him the court decision and a one-page statement showing the balance of the debt. The complainant then sent the bank another letter by registered mail, requesting a detailed statement regarding the debt, including payments and interest, as well as information about an certain investment he had made with the bank. When he still had not received a response to this second request after a month, he filed his complaint with the Office of the Privacy Commissioner.

In the course of the investigation, the bank found a copy of the complainant's second request, but was unable to find the first request or any copy of the bank's response to it, even though by the bank's own policy these documents should have been placed on file. Following the Office's intervention, the bank sent to the complainant a detailed statement, two further court decisions, and information about his investment. The complainant was satisfied that he had received all the information he had requested.

Commissioner's Findings

Issued Issued January 11, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.9, Schedule 1, states that, upon request, an individual must be informed of the existence, use, and disclosure of his or her personal information and given access to that information. Section 8(3) of the Act states that an organization must respond to a request no later than 30 days of receipt. Section 8(5) states that an organization failing to meet the time limit is deemed to have refused the request.

The Commissioner determined that the bank had not provided all the requested information in its response to the first request and had failed to respond to the second request. He found therefore that the bank was in contravention of Principle 4.9 and sections 8(3) and 8(5). He was satisfied, however, that bank had subsequently given the complainant all the information requested.

He concluded therefore that the complaint was well-founded and resolved.

Further Considerations

The Commissioner noted that the bank's policy regarding access to personal information dated from 1998 and thus contained no reference to the Act. He further noted that the policy did not address certain requirements of the Act, such as time limit and the necessity for an organization to notify an individual of its reasons for refusing access, and also did not conform to the Act's definition of personal information. The Commissioner recommended therefore that the bank revise its policy in accordance with his observations and send him a copy of the revised document.