Wife accuses bank of telling husband about her credit card

PIPEDA Case Summary #2002-108

[Principles 4.3 of Schedule 1]

Complaint

An individual alleged that a bank employee disclosed to her husband information about her credit card account.

Summary of Investigation

The bank representative telephoned the complainant's home during business hours and spoke to her husband, who was not a shared cardholder, whose financial standing was of no consideration when the complainant obtained her card, and who was not even aware that she had the card. The employee revealed to the husband the current outstanding balance, and that the account had been taken off hold and the complainant's payment had been received.

The bank initially denied that its representative had disclosed the complainant's personal information to her husband. However, at the intervention of the Commissioner's Office, the bank admitted that its representative had indeed disclosed this information and that the bank's original position had been taken before a full investigation into the matter had been completed.

The Office reviewed the bank's privacy-related materials and training procedures. These materials cover limiting the release of customer information and identity verification procedures, including telephone scripts to be used when staff call customers. The procedures require that the card member be positively identified before any personal information is released. It was clear that the bank employee who had spoken to the complainant's husband had not followed the correct procedures.

The bank expressed its concern about this incident and reviewed its privacy policy and procedures with both the client representative and the employee who had initially dealt with a letter of complaint the individual had written to the bank. It also indicated that it will be re-examining its privacy-related procedures and training, and will implement all enhancements identified during the review and communicate them to its employees.

The bank apologized to the complainant and offered a monetary "goodwill" gesture, which the complainant accepted.

Commissioner's Findings

Issued December 19, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.3 establishes that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Since it was clear and undisputed that the bank had disclosed the complainant's personal information without her knowledge and consent, the Commissioner found that the bank had contravened Principle 4.3.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner was satisfied that the bank had procedures in place that, when followed, provided adequate safeguards as per Principle 4.7, which states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. In the Commissioner's opinion, this incident was a one-time occurrence and not symptomatic of a widespread problem at the bank.