Bank accused of non-consensual disclosure to debtor's employer

PIPEDA Case Summary #2003-168

[Principles 4.1.3 and 4.3, Schedule 1]

Complaint

A customer complained that her bank had improperly disclosed to her employer, through an agency collections officer, personal information regarding her outstanding credit card debt.

Summary of Investigation

An officer of a collections agency under contract to the bank made a six-minute call to the complainant's workplace. The officer herself testified that she was put on hold throughout and never spoke with the complainant's employer. The officer also swore an affidavit to the effect that she had never divulged personal information about the complainant to the employer or any other third party.

The complainant alleged that on the day in question the officer had in fact been put through to the employer and had suggested to him, in an aggressive and threatening manner, that his company was covering for the complainant in the matter of the outstanding debt, that he would be sued for his complicity, and that the sheriff would be visiting his premises the next day.

The bank, in conjunction with the agency, conducted an internal investigation into the complaint. This investigation included interviews with the collections officer and her co-workers, but did not include any interview with, or other solicitation of testimony from, the complainant or her employer. The bank concluded that there was no evidence of any disclosure of the complainant's personal information by the officer.

In its own investigation, the Commissioner's Office sought and received testimony from the complainant's employer, who fully corroborated her allegations.

For accounts referred to collections agencies, the bank had set a strict and clear policy regarding the privacy and confidentiality of personal information. Agencies were expressly prohibited from disclosing a debtor's personal information to any third party without the individual's consent. Disclosure to an employer was permissible only in cases of legal action to garnishee wages.

In its investigation report, the bank identified several ways in which the agency had failed to meet its contractual agreement with the bank in respect of its privacy and confidentiality policy. Notably, the agency had not conducted a thorough investigation of the complainant's allegations, in that it had failed to identify the fact that its collections officer had not kept a complete written log of her attempts to contact the complainant at her workplace. It was only at the bank's subsequent insistence that the agency checked its electronic record of telephone calls and ascertained that the officer had indeed made the six-minute call in question.

As a result of the complaint, the bank instituted a number of additional controls to ensure privacy compliance on the part of collection agencies. The bank also implemented punitive measures and subjected the agency to a detailed audit. Likewise, the agency took disciplinary measures with respect to the collections officer.

Commissioner's Findings

Issued April 24, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking, or business as defined in the Act. Although collection agencies do not yet fall directly under the Commissioner's jurisdiction, the agency in question was implicated in the investigation by virtue of its contractual relationship with the bank.

Application: Principle 4.1.3 states in part that an organization is responsible for information in its possession or custody, including information that has been transferred to a third party for processing. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

The central question for the Commissioner was whether the collections officer had in fact disclosed the complainant's personal financial information to her employer.

He noted that, although according to the bank no evidence of such disclosure existed, it appeared that the bank had not looked hard or far enough. The bank's conclusion seemed to have been based mainly on a sworn denial taken at face value and a rather naïve acceptance of the agency's account of events. Given that the bank had not made any inquiry of the person most likely to know for sure, it was small wonder that little evidence of disclosure had presented itself.

The Commissioner considered the testimony of the party to whom the disclosure had allegedly been made - that is, the employer himself - to be not only highly credible, but most compelling. The employer had corroborated the complainant's allegations unequivocally and genuinely, and there was simply no reason to disbelieve him.

The Commissioner was satisfied that the disclosure had indeed occurred and that it had occurred without the complainant's knowledge and consent. The Commissioner found therefore that the bank had been in contravention of Principles 4.1.3 and 4.3.

He concluded that the complaint was well-founded.

Further Considerations

The Commissioner noted that the bank had indicated a willingness to discuss a financial settlement. In view of the acute and unjustified embarrassment the complainant had suffered, the Commissioner remarked that he would consider such a settlement appropriate in the circumstances. He encouraged the complainant to seek compensation in a reasonable amount from the bank.

The Commissioner also expressed his approval of the bank's policy of requiring collection agencies to comply with a very stringent standard of non-disclosure and "need to know" regarding the handling of personal information in matters of debt collection. The policy is consistent with the requirements of the provincial legislation that regulates the activities of collection agencies. He noted in particular that by the bank's policy the only situation in which an employer would need to be made aware of an employee's financial difficulties would be one involving legal action to garnishee the employee's wages. The Commissioner gave notice of his intention to use the bank's standard as a guide in interpreting future applications of section 7(3)(b) of the Act - the disclosure exception relating to debt collection.