Alleged disclosure of account information and denial of access to records

PIPEDA Case Summary #2003-240

[Section 2]

Complaint

An individual complained that her bank had

1. improperly disclosed her account information to two separate individuals; and
2. denied her access to records concerning her account.

Summary of Investigation

A former client of the complainant's small company revealed the complainant's bank account balance in front of several witnesses during court mediation proceedings and stated that she had seen it on a computer screen at a branch of the complainant's bank. Subsequently, the complainant was informed that her former landlord and business competitor had said that he had been shown her account information, including her balance, on a computer screen by a bank employee. The landlord later denied this.

In the course of this Office's investigation, it came to light that the information that had been allegedly disclosed, as well as the account information being sought, pertained solely to the complainant's business account. The complainant was the sole director of the private, registered corporation; however, her name did not appear on her business account, which listed only the name and registration number of her company.

Findings

Issued December 4, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act (the Act) applies to any federal work, undertaking or business. The Assistant Privacy Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Section 2 of the Act states that personal information is information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

As the complainant's company was incorporated, the Assistant Commissioner determined that the information in question was not personal information for the purposes of section 2. Given this, the provisions of the Act did not apply.

The Assistant Commissioner concluded that the complaints were not well-founded.

Further Considerations

During the investigation, the former client confirmed that she had seen the complainant's account information on a computer screen at the bank. The Assistant Commissioner noted that had the information been personal rather than business information she would have concluded that the bank had not met the requirements of Principle 4.7 of Schedule 1 to the Act which stipulates that personal information must be protected by appropriate safeguards. She therefore recommended that the bank review its informational security policy and procedures and take appropriate measures to ensure that access to any computers whereby customers' personal information might be obtained be restricted to authorized bank employees.