A credit agency is accused of disclosing personal information to a company without consent

PIPEDA Case Summary #2003-188

[Principle 4.3 and 4.10.4, Schedule 1; Subsection 5(3)]

Complaint

An individual complained that a credit agency disclosed the individual's personal information to a telecommunications company even though the individual told the company not to do a credit check.

Summary of Investigation

An individual applied for services to a telecommunications company. On the application form, the individual clearly indicated that no credit check was to be done. Approximately one month later, the individual discovered that a credit company had disclosed personal information about the individual's credit to the company.

The investigation revealed that the service agreement between the credit agency and telecommunications company states that the company must obtain consent from the consumer before any information request is made to the credit agency.

Commissioner's Findings

Issued July 10, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business and any business under provincial jurisdiction that discloses personal information outside the province for consideration. The Commissioner had jurisdiction in this case because the credit agency is a business that disclosed, in this case, personal information outside the province for consideration.

Application: Principle 4.3, Schedule 1 of the Act, states that all individuals must be informed of any collection, use or disclosure of their personal information and consent to it, except where appropriate. Principle 4.10.4 indicates that an organization shall investigate all complaints and take appropriate measures, if necessary. Subsection 5(3) states that an organization can collect, use or disclose personal information only for purposes that a reasonable individual would consider appropriate under the circumstances.

The Commissioner believed the evidence collected during the investigation shows that the credit agency complied with Principle 4.3 of the Act since the telecommunications company is responsible for obtaining the consumer's consent to use personal information. It was also proven that the credit agency did not know of the consumer's objection to a credit check. The Commissioner also found that the credit agency did not breach the provisions of Principle 4.10.4, Schedule 1 of the Act.

Following the investigation, the Commissioner indicated that it was reasonable for the credit agency to obtain the consumer's consent through its client businesses and not directly, given the large number of information requests it receives daily and the considerable amount of work this type of procedure could involve.

The Commissioner found that the complaint was not well-founded.