Customer’s banking personal information found in a recycling bin

PIPEDA Case Summary #2006-356

[Principles 4.7 and 4.7.5]

When an individual learned that his banking personal information had been found in a recycling bin, he brought the matter to the attention of the Office of the Privacy Commissioner. The Assistant Privacy Commissioner determined that the safeguards in place were inadequate, and recommended that the bank improve them. The bank did so, and the complaint was considered well-founded and resolved.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

The complainant received a letter in the mail from a third party, along with a two-page document. The letter indicated that the document, which contained the complainant’s personal and investment information, had been found in an unattended recycling bin in an underground parking garage. The information on the document included the complainant’s and his wife’s names, address, social insurance numbers, account number and transaction history.

The bank acknowledged that there had been a breach of privacy. The bank traced the documents back to their original source and determined that two employees, who had been given the task of emptying out the desk of a former employee, likely inadvertently placed the documents in a recycling bin, rather than in a shredding bin. The bank reviewed the on-site disposal process for waste, recyclables and shredding, and conducted an on-site inspection of the premises. The bank also interviewed a number of personnel on site. It stated that it plans to review its shredding and recycling process, including the need to more effectively communicate these procedures to a wide range of bank staff. It also indicated that it plans to review its document retention policies.

Findings

Issued October 23, 2006

Application: Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.5 provides that care shall be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

The Assistant Commissioner determined that the bank did not have effective measures in place to ensure that the complainant’s personal information was adequately protected from unauthorized disclosure, contrary to Principles 4.7 and 4.7.5.

She was also troubled that such sensitive documents were left to languish in the desk of an employee who had left the bank one year earlier. She therefore recommended that the bank develop a policy to ensure that when an employee leaves the bank, there is a systematic approach to securing any confidential client information in that employee’s custody.  

The bank confirmed that it has a process in place to manage employee terminations. In addition to this process, certain lines of business may have additional customized processes that align with their specific business. The bank also indicated that an enhanced and more comprehensive protocol for departing employees is under development and is expected to be completed later this year.

Based on this, the Assistant Commissioner was satisfied that the bank had met the recommendations.

She therefore concluded that the complaint was well-founded and resolved.