Customer finds bank's collection, use and disclosure of personal information excessive in order to open a personal deposit account, considers bank's purposes vague

PIPEDA Case Summary #2003-256

[Principles 4.3.2 and 4.3.3; section 5(3)]

Complaint

An individual complained that a bank was demanding, as a condition of opening a new personal deposit account, that applicants consent to the collection, use and disclosure of personal information beyond that required to fulfil explicitly specified and legitimate purposes. The complainant's main objection centred on the bank's requirement for a credit check to open the account, even though she was not requesting credit of any kind and was willing to have limitations placed on her account. In addition, she also questioned:

• the collection of the applicant's date of birth and social insurance number (SIN), as well as several other items of personal information, including address and employment-related information;
• the disclosure of her personal information to other financial institutions; and
• the retention and disclosure of personal information to credit bureaus and other financial institutions after the customer/bank relationship had ended, without explaining how long and why this information would be retained and/or disclosed.

In sum, she objected to the bank's collecting and disclosing her personal information without providing any details on why such information was needed and how it would be used.

Summary of Investigation

The portion of this complaint concerning the credit check is the same as that discussed in Case Summary #2003-219, and involves the same bank. A detailed description of the bank's position and the Office's investigation results regarding the credit check requirement can be found at the above link.

Regarding the collection of personal information, the bank collects the applicant's date of birth for two reasons: to comply with the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations and to determine the applicant's eligibility for special banking services related to age.

The Regulations require financial institutions to ascertain the identity of a person by referring to the person's birth certificate, driver's licence, provincial health insurance card (where such use is not prohibited by provincial law), passport or any similar record. The bank must refer to the original document and record the date of birth on the application form.

As for the age-related banking services, the application form in use at the time of the complainant's inquiry did not mention this purpose. The revised form, however, now does.

The bank collects the SIN for two purposes: to report income to the Canada Customs and Revenue Agency (CCRA), where the individual has an income-generating account, and to help identify the client with credit reporting agencies, but only to ensure the accurate matching of credit history files. The bank's position is that the provision of the SIN is voluntary in both instances and that an individual can simply refrain from providing it to the bank.

However, the box on the application form the complainant was asked to complete has a box for the SIN but it is not marked optional. According to the bank, it does not indicate that provision of the SIN is optional given the requirements of the Income Tax Act, which stipulates that banks must request the SIN of a new account applicant for the purpose of revenue reporting. However, neither the previous nor the new application form clearly indicates this purpose, and in fact, the language mixes this obligatory requirement with an optional use (ensuring an accurate credit history file match). Although the bank's policy is that providing the SIN for the latter purpose is optional, this is not clear on the application form. Furthermore, the bank's policy that providing the SIN for revenue reporting is optional is inconsistent with the requirements of the Income Tax Act.

As for the other information requested of the applicant, the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations require the bank to keep a record of the name, address, and occupation of an account holder, as well as account operating agreements and various banking transactions. Although the bank collects additional information which it then uses to confirm the identity of the applicant through a disclosure to the credit bureaus, it does not specify on the application form which identifiers are mandatory and which are not.

As for disclosures of the applicant's personal information to other financial institutions, the bank's application forms and privacy policy do not provide much detail regarding the purposes for such disclosure. In its representations to the Office, the bank clarified that it will verify the availability of funds on cheques presented for payment at the offices of other financial institutions, provided the institution is on the bank's approved list of organizations. It will also provide credit-related information in cases where the inquirer has been unable to obtain information from a credit bureau. The bank will also confirm the customer's name, home address, date of birth, last known employer, and credit card, loan and mortgage account numbers. However, the investigation revealed that while the bank requests consent to disclose this information, it does not explain the purposes for the disclosure on the application form or in its privacy policy.

With regard to the bank's retention and disclosure practices for former clients, the bank discloses information to credit bureaus as per the guidelines of provincial consumer reporting legislation, which allows financial institutions to report information adverse to the consumer for a specific period of time following the last payment activity. The Office called the bank's toll-free number and was told that it retains customer personal information for seven years after the bank's relationship with the customer ends. However, neither the privacy brochure nor the policy provides any information about the bank's retention practices or the rationale for them. The bank does not specify a purpose for the disclosure of information to the credit reporting agencies. The application form provides a number of options for the applicant who wishes to find out more information (call the toll-free number, request a copy of bank's privacy policy, or visit the bank's web site).

Commissioner's Findings

Issued October 1, 2003

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to any federal work, undertaking, or business. The Commissioner had jurisdiction in this case because a bank is a federal work, undertaking or business as defined in the Act.

Application: Principle 4.3.2, emphasizing that the individual's knowledge, as well as consent is required, states that organizations must make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used; for consent to be meaningful, purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Principle 4.3.3 states that an organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes. Section 5.3 states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

The Commissioner deliberated as follows:

• The bank's primary purpose for collecting, using and disclosing customer personal information is to verify the individual's identity in order to determine whether the individual poses a risk to the bank. It is reasonable and appropriate then, as a matter of due diligence, and particularly given the bank's legislated obligations (to comply with anti-money laundering regulations and to provide banking card services to any account holder), for a bank to collect, use and disclose limited personal information of deposit account applicants for the purposes of verifying the individual's identity and determining whether the individual has a history of illegal or fraudulent use of a personal deposit account. The Commissioner deemed such purposes legitimate in reference to Principle 4.3.3.
• The bank also collects, uses and discloses personal information to comply with various legislative requirements, such as those provided under the Income Tax Act and provincial consumer reporting legislation. Again, the Commissioner considered such purposes legitimate in respect of Principle 4.3.3.
• However, he also determined that, at the time of the complainant's inquiry, the bank did not make a practice of expressing these purposes in such terms and did not otherwise explain in a reasonably understandable manner, in accordance with Principle 4.3.2, why it required all of the information it requested and what it was planning to do with it. Specifically,
  1. the bank did not indicate that it is required to ask applicants to provide their name, address, date of birth, occupation, and, in the case of income-generating accounts, their SIN;
  2. the bank did not clearly describe how it uses personal information to offer additional products and services;
  3. with respect to the SIN, the language on the application form mixes an obligatory requirement (compliance with the Income Tax Act) with an optional use (ensuring accurate credit history file match);
  4. while the bank requests consent for disclosure to other financial institutions, the application form did not clarify what information is disclosed, to which institutions it might be disclosed, and under what circumstances. Similarly, the bank did not explain the purpose for the ongoing disclosure to the credit bureaus;
  5. while retention of information is mentioned, the bank provides no explanation of its retention policies for former clients; and
  6. the bank did not explain the purpose and nature of the "credit check."
• In light of this, the Commissioner determined that the bank could not be said to have satisfied the condition of "explicitly specified" purposes under Principle 4.3.3.
• With specific reference to the credit check, the Commissioner also determined that, despite the bank's subsequent representations to the contrary, the credit bureau verifications in question do involve a type of credit check, in that the verification system automatically checks the applicant's credit information to determine eligibility for an overdraft limit with the bank. While the Commissioner acknowledged that many customers do favour and seek credit facilities and willingly submit to credit checks in order to qualify for them, he believes it highly unlikely that any reasonable person would consider the bank's policy of mandatory credit checks appropriate in circumstances such as the complainant's, in which she was not seeking, and was willing to do without, credit facilities of any type. Furthermore, given the bank's ability and willingness to customize its account opening procedures in certain specific situations, the Commissioner considered it unreasonable for the bank to refuse to do likewise for individuals who simply do not wish to have a credit relationship with the bank and are willing to forgo any facility that would represent a credit risk to the bank.
• Thus, the Commissioner did not consider the bank's policy of mandatory credit checks even where credit is neither sought nor wanted to be an appropriate purpose under section 5(3) of the Act.
• Finally, the evidence indicated that the bank was collecting more information than necessary for the purpose of identity verification, in contravention of Principle 4.3.3. The information regarding current and previous employers and length of employment is only used in the event that the bank receives a warning message from the credit bureau. The Commissioner noted that this information should be clearly identified as optional.

The Commissioner concluded that the complaint was well-founded.

Further Considerations

With respect to the bank's personal deposit application forms, the Commissioner recommended that the language be changed to indicate that:

1. the collection of the name, address, date of birth and occupation of the account holder are required by law;
2. the presentation of documentary evidence to prove identity is required by law;
3. participation in special programs based on age is optional;
4. the provision of the SIN for revenue reporting purposes is obligatory; however, the provision of the SIN for credit history file matching is optional; and,
5. the provision of information regarding employer, previous employer, and length of time with each employer is optional.

Regarding the credit check, the Commissioner made the following recommendations:

1. the bank should not make inquiries into an account applicant's eligibility for credit facilities unless it has determined that the applicant is interested in having such facilities;
2. in cases where the applicant has expressed interest in obtaining credit facilities attached to a personal deposit account, the bank should obtain a separate consent to the collection of credit information (such as the number of credit bureau inquiries and a recommended overdraft limit);
3. except where consent has been granted for such credit inquiries, the bank should modify the software program used to confirm the account applicant's identity with the credit bureau, so as to remove the fields that report on the number of credit bureau inquiries within the last 60 days and the recommended overdraft limit;
4. the bank should implement procedures whereby individuals who wish to open a personal deposit account without submitting to a credit check may do so by accepting risk-reducing conditions such as a hold period on deposited cheques; and
5. the bank should clarify, in the explanatory material accompanying its application form for deposit accounts, that the "verifications" in question are to be conducted through a credit reporting agency.