Woman accuses bank of telling her mother about her bank account

PIPEDA Case Summary #2002-100

[Principles 4.3 and 4.7 of Schedule 1]

Complaint

An individual alleged that a bank employee disclosed information about her bank account to the complainant's mother.

Summary of Investigation

The bank representative telephoned the complainant's home during business hours. At the time, the complainant was living with her mother, who shares the same last name as the complainant. The bank employee did not ask for the individual by her full name but only by her last name. The complainant and her mother hold bank accounts at the same branch. The mother responded that she was that individual and the conversation continued, with the bank employee disclosing the amount of money in the bank account. The mother then realized that the employee had the wrong person. She informed the bank representative of the error, and the telephone call was terminated.

The Commissioner's Office reviewed the bank's procedures for identifying customers during telephone conversations. The bank confirmed that the employee had received training in these procedures but had not followed them when she called the complainant's residence.

The complainant considered the disclosure accidental and that there were adequate policies and procedures in place to protect her personal information. Nevertheless, the complainant felt that the bank had not fully appreciated the adverse effect the disclosure had on her life, nor had it adequately addressed her concerns.

Commissioner's Findings

Issued December 19, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Since it was clear and undisputed that the bank had disclosed the complainant's personal information without her knowledge and consent, the Commissioner found that the bank had contravened Principle 4.3.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner was satisfied that the bank had procedures in place that, when followed, provided adequate safeguards as per Principle 4.7, which states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. In the Commissioner's opinion, this incident was a one-time occurrence and not symptomatic of a widespread problem at the bank.