Bank cites exemption to deny former employee access to personal information

PIPEDA Case Summary #2002-84

[Principles 4.3 and 4.9, Schedule 1; sections 7(1)(b), 9(3)(c.1) and 9(5)]

Complaint

A former employee complained that a bank had refused him access to his personal information, specifically the file pertaining to an internal investigation that the bank had conducted in his regard.

Summary of Investigation

The complainant, a former branch manager with the bank, had been dismissed for cause following an internal investigation. On the day of his dismissal, he put in a written request for access to the investigation file and his personnel file. The bank responded that his personnel file was available to him, but that the investigation file would not be part of it. The bank did not inform him of its reasons for refusing him access to the investigation file or of any recourse available to him to challenge the refusal.

The bank's position was that its collection of the complainant's personal information without his knowledge and consent pursuant to its internal investigation was in conformity with section 7(1)(b) of the Personal Information Protection and Electronic Documents Act and that its subsequent refusal of access to the investigation file was likewise in conformity with section 9(3)(c.1) of the Act. These are provisions that exempt organizations from the requirement to provide access to personal information collected in the course of conducting investigations into breaches of agreements. Section 9(5) of the Act requires that an organization relying upon section 9(3)(c.1) to withhold personal information so inform the Commissioner, but in this case the bank did not do so.

The complainant's position was that a section 9(3)(c.1) exemption is valid only during the investigation itself and that, once the investigation is concluded, the organization no longer has discretion to refuse access to personal information in the investigation file. He contended that, since the information he had requested pertained to a concluded investigation, the bank should have resumed its obligation under the Act to give him access.

Commissioner's Findings

Issued October 10, 2002

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Section 7(1)(b) exempts an organization from the requirement for the individual's knowledge and consent if the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of a law and if it is reasonable to expect that the individual's knowledge and consent would compromise the availability or the accuracy of the information. Principle 4.9 states that upon request an individual must be informed of the existence, use, and disclosure of his or her personal information, must be given access to that information, and must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 9(3)(c.1) exempts an organization from the requirement to give access to personal information if the information was collected under section 7(1)(b).

The Commissioner was satisfied that the bank's collection of the complainant's personal information had been for reasonable purposes related to an investigation into a breach of an employment agreement and that the complainant's knowledge and consent in the matter could have compromised the availability or the accuracy of the information. He found therefore that it had been appropriate for the bank to rely upon section 7(1)(b) to collect the information without the complainant's knowledge and consent.

The Commissioner determined furthermore that there was nothing in the language of section 9(3)(c.1) that limited an organization's discretion to withhold information collected under section 7(1)(b). Since the Act did not explicitly require the resumption of the obligation to provide access once an investigation was concluded, an organization had discretion to cite section 9(3)(c.1) both during and after an investigation. The Commissioner found therefore that, even after the investigation in question had been concluded, it had been appropriate for the bank to rely upon section 9(3)(c.1) in refusing the complainant access to his personal information in the investigation file.

The Commissioner concluded that the complaint was not well-founded.

Other Considerations

Despite having found that the bank had properly invoked the exemption provisions at issue in the complaint, the Commissioner expressed concern that the bank had been clearly non-compliant in respect of certain other provisions of the Act. Specifically, the bank had not informed the complainant in writing of its reasons for refusing him access or of the recourse available to him under the Act. Nor had the bank notified the Commissioner in writing of its decision to deny access on the basis of section 9(3)(c.1).

The Commissioner recommended therefore that the bank

1. henceforth exercise due diligence in advising individuals of the reasons for denying them access to their personal information and of their right of recourse under the Act, in accordance with section 8(7); and
2. that it notify him in future as required by section 9(5) when it has decided to withhold personal information on the basis of section 9(3)(c.1).