Bank accused of withholding information on former employee

PIPEDA Case Summary #2002-44

[Principle 4.9, Schedule1; sections 8(3), 8(5)]

Complaint

A former employee complained that a bank had twice refused her request for access to information in her employment file.

Summary of Investigation

The complainant, by her own account, had sent the bank a letter in November 2000 and a fax in January 2001, requesting a copy of her personal employment file. Still having received no response in July 2001, she filed her complaint with the Office of the Privacy Commissioner.

The bank at first could not find any entry for either request in its computerized system, but did acknowledge that the fax number the complainant had identified was the correct one. On making a second search, the bank found additional information showing that it had indeed received the second access request but, because of a human error, had not replied to it.

The bank then sent the complainant a copy of her employment file. However, the complainant believed certain documents were missing and, attaching copies of the documents in question, so notified the Office. Further investigation confirmed that the bank in fact had not sent the complainant all the information to which she was entitled. At a subsequent meeting on bank premises, an official allowed the complainant to examine her original employment file and gave her copies of the documents that had not previously been sent to her. The investigation also confirmed that the bank branch where the complainant had been employed no longer retained any information about her.

Commissioner's Findings

Issued April 8, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act. However, his jurisdiction did not extend to the complainant's first access request of November 2000, since the Act had not been in force at that time.

Application: Principle 4.9 of Schedule 1 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information and must be given access to that information; also the individual must be allowed to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 8(3) states that an organization must respond to a request with due diligence and in any case not later than 30 days after receipt. Section 8(5) states that an organization that does not meet this time frame is deemed to have refused the request.

The Commissioner determined that the bank had received the access request of January 2001 but had not responded to it within 30 days of receipt. He found therefore that the bank had clearly not been in compliance with Principle 4.9 and section 8(3) of the Act. He also deemed that pursuant to section 8(5) the organization had refused the request. Furthermore since the bank had not given the complainant access to all of her personal information with its first response, he also found that the bank did not respect the provisions of Principle 4.9. Therefore, the complaint was well-founded. However, given that the bank had subsequently provided to the complainant all the information she had requested, the Commissioner considered the complaint resolved.

He concluded that the complaint was well-founded and resolved.