Bank not required to publicize detailed privacy policies and procedures

PIPEDA Case Summary #2003-183

[Principles 4.8 and 4.8.2(d)]

Complaint

An individual complained when his bank refused to provide him with detailed information about its policies and procedures to protect personal information from fraudulent uses.

Summary of Investigation

The complainant, a victim of identity theft at the hands of a bank employee, asked the bank for a copy of its policies and procedures for preventing fraud. He had apparently been informed by another bank employee that his case had prompted the bank to revise its policies and procedures. He wanted to compare the "old" and "new" versions of its policies to ensure that the bank had learned from his experience and had improved its fraud prevention methods. The bank refused on the basis that its policies are proprietary information relating to internal operations.

In its representations to the Commissioner, the bank noted that it published its general privacy and information security policies and practices in brochure form and on its web site. While the bank used more specific practices and methods to detect fraudulent activities, it maintained that providing details on these practices would endanger customers because it would give information that could potentially be used to avoid the safeguards and protection processes the bank had developed. Such an action, the bank contended, would render its safeguards ineffective.

Commissioner's Findings

Issued July 10, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.8 states that an organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information. Principle 4.8.2(d) specifies that the information made available shall include a copy of any brochures or other information that explain the organization's policies, standards, or codes.

The Commissioner noted that this complaint raised the issue of how an organization strikes a balance between its obligations under the Act to inform the public about its policies and procedures to protect personal information in its care and to ensure the effectiveness of the safeguards it has in place to protect that information.

While the complainant's circumstances prompted him to want specific information showing that the bank had made an effort to prevent his situation from recurring, the Commissioner was of the view that a bank must take a broader view of the consequences of making detailed information about its policies and procedures available. He found it logical that a bank would not want to publicize the specific steps it takes to prevent fraud because to do so would give criminals information about how to circumvent the bank's safeguards. In the Commissioner's view, the bank had struck a balance between the requirement established under Principle 4.8 to inform customers about its information management practices and its duty to protect customers' personal information. He therefore found that the bank had not contravened Principle 4.8 and 4.8.2(d).

The Commissioner concluded that the complaint was not well-founded.