Couple dismayed at receiving unsealed envelope from bank

PIPEDA Case Summary #2003-154

[Principles 4.7 and 4.7.1, Schedule 1]

Complaint

A husband and wife, after receiving mortgage documentation in an unsealed envelope, complained that their bank had failed to adequately protect their personal information against access by unauthorized parties.

Summary of Investigation

Upon receiving their mortgage renewal documentation in the mail, the complainants were distressed to find that the envelope had arrived unsealed. They were worried that third parties - particularly certain acquaintances employed at the local post office - might have taken the opportunity to gain access to their personal financial information. When the complainants sought redress, the bank initially indicated that it was unwilling to offer anything other than a formal apology.

The envelope in question showed no sign of ever having been sealed. Other than to point out that a postage machine was ordinarily used to stamp and seal envelopes, the bank was at a loss to explain how the complainants' had arrived unsealed. Although the postage machine was found to be functioning properly, it is possible that in the complainants' case two envelopes had passed through it at the same time, with the result that one of them did not get sealed.

There was no evidence that any actual disclosure of personal information had occurred. The complainants themselves received no indication that any authorized person had gained access to their personal information during the mailing process.

As a result of the complaint, the manager of the complainants' branch held a meeting with staff to stress the importance of routinely verifying that envelopes are sealed before mailing. At the complainants' formal request and in recognition of having lost their trust, the bank eventually agreed to waive the standard penalty for the transfer of their mortgage to another institution.

Commissioner's Findings

Issued April 15, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act.

Application: Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 states that security safeguards must protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification and that organizations must protect personal information regardless of format in which it is held.

The Commissioner was satisfied that no unauthorized access or disclosure of the complainants' personal information had occurred, and he accepted the explanation that the unsealed state of the envelope in question had been the result of a rare mechanical error in a normally well-functioning piece of equipment.

Still, the fact remained that an error of some consequence had occurred. Though immediately attributable to mechanical, not human, malfunction, it was nonetheless an error that had gone undetected by human beings who were under an obligation to keep personal information secure. Furthermore, though no actual disclosure appeared to have occurred, it was an error that had created a significant potential for disclosure of exactly the sort the complainants had feared.

In sum, the Commissioner determined that, notwithstanding that its consequences had proved less serious than imagined, it was an inexcusable error that clearly reflected a lack of appropriate safeguards for protecting personal information against unauthorized access. He found therefore that the bank had been in contravention of Principles 4.7 and 4.7.1.

He concluded that the complaint was well-founded.

Further Considerations

Though pleased with the remedial measures taken at the branch in question, the Commissioner did not believe that these went far enough. He observed that, wherever there is reliance on machinery in the processing of sensitive personal information, there must also be reliance on a human element to ensure the security of the information thus processed. He recommended that the bank reinforce, not only at the branch in question but at all branches across Canada, appropriate procedures for verifying that envelopes to be mailed to customers are sealed.