Bank exceeds time limits in responding to an access request

PIPEDA Case Summary #2003-222

[Principle 4.9; sections 8(3) and 8(5)]

Complaint

An individual alleged that a bank, which had rejected his application for a credit card, did not reply to his request for access to his personal information.

Summary of Investigation

After his application for a credit card had been refused, the complainant wrote to the bank requesting access to his personal information regarding the application, as well as the reasons for the bank's decision to refuse him credit. Approximately eight weeks later, and at the Office's request, the bank responded to the complainant and sent him a copy of his application and his letter requesting access. The bank explained that it did not have any information about his credit record with any credit bureau. In fact, the bank did have the credit bureau's response to it but it indicated that it did not have any credit information about the complainant. Again, at the Office's request, the bank sent a copy of this document to the complainant. The bank indicated that it did not send it originally as it did not consider the document to contain any personal information about the complainant.

The bank's explanation for its initial lack of response was that the complainant's request for access was not clear, and did not specify that he was making the request pursuant to the Personal Information Protection and Electronic Documents Act (the Act). When customers request information after their credit card application has been refused, the bank's standard practice is to telephone the customer to offer an explanation regarding the rejection. In this case, the bank was unaware that the complainant was dissatisfied until it received notice of the complaint to the Commissioner.

Commissioner's Findings

Issued September 16, 2003

Jurisdiction: As of January 1, 2001, the Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.9 states that, upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Section 8(3) stipulates that an organization shall respond to a request with due diligence and in any case not later than thirty days after receipt of the request. Section 8(5) states that if the organization fails to respond within the time limit, the organization is deemed to have refused the request.

In response to the bank's argument that the complainant had not made his request pursuant to the Act, the Commissioner noted that the Act did not impose such an obligation on an individual. He also remarked that the bank's own procedures for handling access requests made no mention of such an obligation.

As for response time, the bank had failed to provide the complainant with his requested personal information within the 30-day time limit set out in section 8(3) of the Act. The Commissioner found, therefore, that the bank had not met its obligation under section 8(3) and was thus deemed under section 8(5) to have refused the request. The Commissioner further noted that it was only after his Office's intervention that all of the requested information was provided to the complainant. He thus found that by refusing to grant the complainant access to his personal information, the bank contravened Principle 4.9 of the Act. The Commissioner was, however, pleased that the bank eventually provided all of the requested information.

The Commissioner concluded that the complaint was well-founded and resolved.