Bank erroneously e-mails employees’ personal information to client

PIPEDA Case Summary #2006-360

[Principles 4.3, 4.7, 4.7.1, 4.10.4]

A bank discovered that employee information, which was intended for one of the bank’s consultants, was erroneously e-mailed to one of its clients.  The bank notified the affected employees and alerted this Office of the problem. The customer who had inadvertently received the personal information subsequently deleted it from her computer.

One of the bank’s employees filed a complaint with this Office. 

The following is an overview of the investigation and the Assistant Commissioner’s findings.

Summary of Investigation

An individual received a phone call from her employer, a bank, notifying her that it had inadvertently e-mailed her personal information, which was held on an employee database, to one of its clients.

Our Office established that a bank customer sent an e-mail to the bank’s Ombudsman, informing him that a privacy breach had occurred.  As a result, the bank discovered that an employee had sent a series of e-mails to what the employee thought was the e-mail address of one of the bank’s consultants.  The consultant’s e-mail address was very similar to that of one of the bank’s customers, and the employee mistyped the address.  Thus, the customer received the e-mails that were intended for the consultant.

The personal information contained in the e-mails included the individual’s name, employee number, branch location, salary and bonus paid, birth date, performance rating and information to be used in case of severance.

After becoming aware of the privacy breach, the bank phoned the employees whose personal information had been disclosed, and notified them of the situation.  The bank also alerted our Office. 

The customer who inadvertently received the personal information deleted it from her computer and confirmed to the bank that she had not disclosed, copied or otherwise used the information.

Findings

Issued November 14, 2006

Application: Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.  Principle 4.7 compels an organization to protect personal information by security safeguards appropriate to the sensitivity of the information.  Under Principle 4.7.1, the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.  Organizations shall protect personal information regardless of the format in which it is held.  Principle 4.10.4 states that an organization shall investigate all complaints.  If a complaint is found to be justified, the organization shall take appropriate measures, including, if necessary, amending its policies and practices.

In making her determinations, the Assistant Privacy Commissioner deliberated as follows:

• The bank did not dispute that it sent the employee’s personal information to an incorrect e-mail address, thus disclosing her information without her knowledge and consent, in contravention of Principle 4.3.  The bank took immediate steps to notify her of the disclosure, inform her of the steps it was taking to rectify the situation, and outline possible recourses open to her.  This was followed by a letter of apology.

• The bank’s safeguards against the improper disclosure of personal information clearly proved to be inadequate.  As such, the bank failed to meet the requirements of Principles 4.7 and 4.7.1. The Assistant Commissioner noted that the bank has since taken further steps to make its safeguards more stringent.  The bank has improved its employee training with respect to the handling of employee personal information, established new e-mail protocols and strengthened procedures for dealing with sensitive information.

• The Assistant Commissioner also took into consideration that the bank investigated the complaint and took measures to ensure that a similar incident does not recur.  She was satisfied that the bank had met its obligations under Principle 4.10.4.  Furthermore, the complainant’s personal information was deleted from the computer that it had been sent to in error, and the recipient affirmed that she had not disclosed, copied or otherwise used the information.

Accordingly, the Assistant Commissioner concluded that the complaint was well-founded and resolved.