Former employee encounters delays in accessing personal information

PIPEDA Case Summary #2003-201

[Principles 4.1.4 and 4.9; sections 8(3), 8(4) and 8(5)]

Complaint

A former bank employee complained when his ex-employer did not respond to his request for access to his personal information.

Summary of Investigation

The bank's initial response to the complainant's written request for access to his personal information referred him to his local branch. It did not identify him as an ex-employee, despite the reference in his request to his personnel file. He received no personal information.

A number of letters followed between the complainant and the bank. The complainant provided additional information in response to the bank's requests for clarification. Approximately seven weeks after the initial request, the bank notified the complainant that it needed an additional 30 days to process his request. The bank subsequently sent him portions of his information on two occasions, 10 days and two weeks after the deadline.

In response to the complainant's concerns that some of the documents were illegible, of poor quality, incomplete and selective in nature, the bank provided him with new copies of documents. The bank also discovered additional information, which it provided to him.

The bank explained that the initial delays were caused by the bank's need to clarify whether it was customer or employee information that the complainant was seeking. It believed that once it received this information from the complainant, it responded to his request as expeditiously as possible, given the circumstances.

Commissioner's Findings

Issued August 1, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.9 states that upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Subsection 8(3) stipulates that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request.

Subsection 8(4) states that an organization may extend the time limit

1. for a maximum of thirty days if
   1. meeting the time limit would unreasonably interfere with the activities of the organization, or
   2. the time required to undertake any consultations necessary to respond to the request would make the time limit impracticable to meet; or
2. for the period that is necessary in order to be able to convert the personal information into an alternative format.

In either case, the organization shall, no later than thirty days after the date of the request, send a notice of extension to the individual, advising them of the new time limit, the reasons for extending the time limit and of their right to make a complaint to the Commissioner in respect of the extension.

Subsection 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

Principle 4.1.4 establishes that organizations shall implement policies and practices to give effect to the principles, including

1. implementing procedures to protect personal information;
2. establishing procedures to receive and respond to complaints and inquiries;
3. training staff and communicating to staff information about the organization's policies and practices; and
4. developing information to explain the organization's policies and procedures.

The bank had already exceeded the 30-day time limit when it notified the complainant that it required an additional 30 days to process his request. It then failed to meet this deadline as well. Over the course of several months, it eventually provided the complainant with the information to which he was entitled. Given this, the Commissioner found that the bank did not meet its obligations under sections 8(3) or 8(4), was thus deemed under section 8(5) to have refused the request, and was therefore in contravention of Principle 4.9. The Commissioner was, however, satisfied that, based on the investigation results, the complainant had received all of the personal information to which he was entitled.

While the bank contended that the request required numerous clarifications on the complainant's part, the investigation revealed problems with the handling of this matter from the beginning. There were deficiencies in the search process as a result of a lack of formalized procedures in all departments and branches of the bank. The Commissioner therefore found that the bank did not fully meet all of its requirements under Principle 4.1.4.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

The Commissioner recommended that the bank undertake improvements to its procedures for handling access requests. He encouraged it to develop formal policies and practices to be followed by all departments and branches in responding to access requests and conducting searches for records. Such policies and practices, he advised, must also be communicated to staff.