The importance of explaining the reasons for collecting personal information

PIPEDA Case Summary #2007-369

[Principles 4.2 and 4.4.1 of Schedule 1]

One bank customer was concerned when a teller attempted to collect his personal information about a financial transaction that he wanted to make. As he would not respond to her questions, the Assistant Privacy Commissioner determined that there was no inappropriate collection of the complainant’s personal information. She did stress, however, to the bank that although the questions the teller was alleged to have posed may have been legitimate, no rationale for the questions was given. Had there been a collection, it would likely have been inappropriate. The Assistant Commissioner suggested to the bank to incorporate the incident into its employee training to illustrate the importance of explaining purposes and limiting collection of personal information.

The following is an overview of the investigation and the Assistant Commissioner’s deliberations.

Summary of Investigation

The complainant went to a branch of his bank to withdraw $6,000, in $100 bills. His friend had transferred this amount to him by telephone the same day. The teller informed the complainant that there were not enough $100 bills in the bank, but that a special request would be made and he could return the next day to obtain them.

The next day, he returned to the same branch. He alleged that the teller with whom he spoke asked him personal questions; specifically, he stated that she asked where the money came from and what he intended to do with it. The complainant responded that it was none of her business and did not answer the questions. He withdrew $4,000 that day because there were not enough $100 bills. He later went to a different branch and obtained the rest of the money.

The bank stated that it was not the bank’s practice to question customers on the use of money that is being withdrawn. However, a particular transaction may suggest to a teller that there is an opportunity to offer a different service to a client, such as a bank draft, instead of withdrawing large sums of money.

According to the bank, the teller relied on the principles of “Know Your Customer” and “Know Your Transactions” to determine the course of action to follow during the transaction with the complainant.

The Office contacted two other banking institutions to determine what they do in similar cases. Both indicated that it may be appropriate to pose these types of questions to a client if the teller feels the transaction is suspicious. Both referred to the rules put in place by the federal government under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

The Office also contacted a representative of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), who stated that banks are obliged to file a FINTRAC report during a transaction, whatever that transaction may be, that appears fraudulent. FINTRAC does not prescribe the process to be used by banks for detection, nor the questions that could be posed.

The teller in question told us that she met with the complainant approximately three times. She confirmed that she asked him where the $6,000 came from. She stated that she did not think the transaction was fraudulent; rather, her intention was to find out whether the amount had been deposited by cheque because, if so, it could be frozen for a number of days. She indicated that she could have found this information out through the computer system but chose to ask the complainant instead, to save time. She denied that she asked him what he intended to do with the money. Had she asked such a question and had the complainant accepted a bank draft instead of a withdrawal, then she would have asked to whom the money was being transmitted in order to fill out the draft properly.

She also confirmed that, even with the “Know Your Customer” “Know Your Transaction” policy, personal questions about where the money came from or how it will be used are never posed.

Findings

Issued January 12, 2007

Application: Principle 4.2 states that the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. Principle 4.4.1 stipulates that organizations shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified.

In making her determinations, the Assistant Commissioner deliberated as follows:

• The teller in question admitted to asking the complainant where the money came from, but denied that she questioned where it was going. It could not be determined therefore whether the latter question was in fact posed.
• In any event, as the complainant did not respond to either question, his personal information was not collected by the bank. The Assistant Commissioner therefore could not find that there was any inappropriate collection of his personal information.

Accordingly, she concluded that the complaint was not well-founded.

Other Considerations

What if the complainant had answered the teller’s questions and the bank therefore had collected his personal information? The Assistant Commissioner considered whether such a collection would have been inappropriate under the Act.

Although some questions may appear legitimate within the context of applying the Proceeds of Crime (Money Laundering) and Terrorist Financing Act or when trying to save time by not using the computer system, the Assistant Commissioner stated that it is still essential that, in such cases, the teller explain the reason for asking the question as well as the context in which the question is posed.

Principle 4.2 requires organizations to identify their purpose for collecting personal information, and Principle 4.4.1 obliges them to limit their collection to the stated purpose. In the Assistant Commissioner’s opinion, the teller in this case ought to have explained her reason for asking the one question we know she did ask. Had the complainant responded, his personal information would have been collected inappropriately.

The Assistant Commissioner therefore strongly suggested that the bank incorporate the events outlined in this finding into its privacy training for employees.