Bank removed customer's SIN from some, but not all, of its records

PIPEDA Case Summary #2003-189

[Principles 4.3, 4.3.8, 4.9 and section 8(3)]

Complaint

An individual filed two complaints against his bank: (1) that it had failed to remove his social insurance number and driver's licence number from his records despite his request to do so; and (2) that the bank had denied him access to his personal information regarding his account.

Summary of Investigation

The complainant provided his SIN and driver's licence number when he opened an account with the bank. A year later, he asked the bank to remove his SIN from the bank's records. The bank later wrote to inform him that his SIN had been removed from records pertaining to his account.

Shortly afterward, the complainant wrote to the bank and requested access to his personal information. When he received the information, he noticed his SIN on one of the documents. He contacted the bank again, which reviewed his information and fully removed his SIN from its records.

As for his driver's licence number, the complainant claimed that he had written the bank asking that it remove this information from its records. Although it could not be established whether the bank had in fact received such a letter, it nevertheless agreed, at the Office's request, to remove the number from its records.

With respect to the allegations concerning the complainant's access request, the investigation established that he received his personal information 29 days after the request.

The Commissioner's Office reviewed the bank's records pertaining to the complainant and confirmed that his SIN and driver's licence number had been removed, and that the complainant had received all of the personal information to which he was entitled.

Commissioner's Findings

Issued July 22, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Principle 4.3.8 establishes that an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization shall inform the individual of the implications of such withdrawal.

Principle 4.9 stipulates that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Subsection 8(3) states that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Regarding the first complaint, the Commissioner determined that, despite the complainant's request to withdraw his consent for the bank to use his SIN, the bank had not fully removed it from its records. He therefore found that the bank contravened Principles 4.3.8 and 4.3. The Commissioner noted, however, that the bank did correct its error. Furthermore, despite the lack of evidence that the bank was aware of the complainant's request to remove his driver's licence number, once it was made aware of the request, it removed the number from its records.

The Commissioner therefore concluded that the first complaint was well-founded and resolved.

Regarding the second complaint, the Commissioner was satisfied that the bank had provided the complainant with the information to which he was entitled, according to Principle 4.9, and that the bank had done so within the 30-day time limit set out in section 8(3).

The Commissioner concluded that the second complaint was not well-founded.