Customer receives banking information of other clients

PIPEDA Case Summary #2006-335

(Principles 4.3 and 4.7 of Schedule 1)

A bank customer was taken by surprise when he opened a package of documents, prepared for him by the bank at his request, which contained his information as well as that of over a hundred and sixty other account holders.  Once notified, the bank took numerous measures to notify affected customers and improve its safeguards to prevent a recurrence.  The Assistant Privacy Commissioner concluded that the complaints were well-founded and resolved.

The following is an overview of the investigation and the findings.

Summary of Investigation

The complainant had attended a local branch of the bank in question to request a copy of his transaction activities on one of his accounts for a two-year period.  Shortly afterward, the branch teller, to whom the complainant had made the request, contacted the complainant to inform him that the package was ready to be picked up. 

When the complainant opened the package, he found that it contained not only his personal information, but also that of other account holders.  The complainant contacted the Office, returned the information to us, and we in turn handed it over to the bank in question.  The complainant stated that he did not retain a copy of the information.

The information contained the partial names of over 160 account holders, their bank account numbers, and the amounts held in the accounts.  Some information included the date that the accounts were last active.

The bank contacted the affected individuals to inform them of the privacy breach.  Some accounts had been closed and the bank had no follow-up information that it could use to contact those customers.  The bank stated that there were no “account takeovers” with respect to the affected accounts.

The teller who provided the information was not supposed to provide customers with transaction activity reports as it was not part of his normal duties.  Such requests are typically handled by the supervisor.  The teller confirmed that he prepared a balance report for the complainant and that he was not familiar with this type of request.  He placed the order via his computer.  The request was then sent to the bank’s records area, which normally processes requests for records. 

When the teller received the package, he noted that there were many pages.  However, he did not look carefully enough at the documents to determine that there was extensive information pertaining to other customers.  When service requests are entered by name and account number, the computer screen calls up all account holders for the dates requested.  The employee is then responsible for “cutting and pasting” the information so that the report is formatted to contain only the customer’s information.  The teller did not do this.

The teller was given additional training regarding privacy issues.  Employees were reminded of proper procedures with respect to transaction activity reports, and a notice is now attached to each report in order to remind employees to remove information about other clients before sharing the report.  It also formalized the quality control and verification steps.

The bank was reviewing the report process to provide only one customer’s information, thus eliminating the need to black out the information of other customers.

Findings

Issued June 27, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.7 stipulates that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• There was no dispute that the bank had improperly disclosed the personal information of other clients when it sent the complainant a report containing the partial names, account numbers, and dates of last activity of other account holders.  The teller did not verify that only the complainant’s personal information was provided to him, and thus did not ensure that the other customers’ information was appropriately safeguarded. 
• Consequently, the Assistant Commissioner found the bank in contravention of Principles 4.3 and 4.7.
• The bank reacted appropriately by contacting those customers that it could, addressing the issue with the employee in question, and issuing a number of reminders to staff.  It also took steps to change its processes to avoid a recurrence of this situation.  Such measures appeared satisfactory.

Therefore, the Assistant Commissioner concluded that the complaints were well-founded and resolved.

On a final note, the Assistant Commissioner commented that, while the bank had taken appropriate steps to minimize the possibility of a recurrence, it was nevertheless extremely disappointing that such a disclosure occurred in the first place.  She stressed the importance of employees taking their privacy responsibilities seriously in their everyday handling of customer personal information and the importance of the organization in ensuring that it is done.