Due diligence must be exercised and documented when applying exemptions to disclosing personal information without consent

PIPEDA Report of Findings #2014-018

December 22, 2014

---

A customer of a Canadian bank complained that the bank, without his consent, disclosed his personal financial information to another financial institution at which he was employed at the time. The complainant alleged that the information disclosed by the bank, namely a listing of direct deposits and cheques received by the complainant from a third-party financial services organization, led to his dismissal from his job at the other financial institution.

The bank stated that that the complainant's personal information was disclosed to the other financial institution for the purposes of investigating a breach of a contract relative to the complainant's employment, and was permitted under paragraph 7(3)(h.2) of PIPEDA. This section states that the disclosure of personal information without knowledge and consent is permitted if the disclosure is "made by an investigative body and the disclosure is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province."

In justifying its application of this exemption, the bank noted that both it and the other financial institution are members of the Canadian Bankers Association's Bank Crime Prevention and Investigation Office (BCPIO), an organization recognized as an "investigative body" under PIPEDA. As well, at the time the information was exchanged, the employees of both the bank and the financial institution involved in the exchange of the complainant's personal information were designated as BCPIO security officers. The bank also indicated that the information was disclosed for the purpose of an investigation into allegations the complainant was in breach of his employment agreement with the other financial institution.

Our Office accepted that both the bank and the other financial institution were members of a recognized investigative body and that the underlying purpose for which the bank disclosed the complainant's personal information to the other financial institution was for the other financial institution's internal investigation relating to the complainant's employment.

However, the bank failed to provide any direct evidence to show what it had done to establish that the request for this highly sensitive personal information was reasonable or necessary. The bank did not properly document the purposes for which the information was disclosed and failed to undertake demonstrable due diligence to ascertain itself of the reasonableness of the disclosure -rather it appeared the bank simply took the other financial institution's word for it when it requested the information.

This investigation underscores the view of the Office of the Privacy Commissioner that an investigative body cannot simply invoke the exemption pursuant to paragraph 7(3)(h.2) without exercising the proper due diligence to ensure that a request for information is reasonable-and equally, without documenting the steps it has taken to substantiate its belief that the disclosure is reasonable.

Notwithstanding the lack of documented evidence, the Office was able to satisfy itself that the bank's disclosure in the circumstances was made by an investigative body recognized under PIPEDA and was reasonable for a purpose related to the investigation of an alleged breach of an agreement.

Based on these findings, the Office determined that the complaint against the bank was not well-founded.

REPORT OF FINDINGS

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”) or “PIPEDA”

Summary of Investigation

1. The complainant alleged that the Bank disclosed his personal information to his then employer, the Other Financial Institution, without his knowledge and consent. According to the complainant, the disclosure occurred without due diligence and oversight, and for purposes that were inappropriate in the circumstances. The complainant alleged that the disclosure ultimately resulted in his dismissal from the Other Financial Institution.
2. The complainant also lodged a complaint with our Office in respect of the same matter against the Other Financial Institution, alleging that it had collected his personal information without his knowledge and consent. However, because the Other Financial Institution's activities as they relate to securities is regulated under applicable provincial legislation, our Office was of the view that we did not have jurisdiction to investigate that complaint under PIPEDA. The focus of this report is the disclosure of the complainant's personal information by the Bank to the Other Financial Institution in the circumstances of this complaint.
3. During our investigation, the Bank argued that it disclosed the complainant's personal information for purposes related to an internal investigation by the Other Financial Institution into whether the complainant had violated his employment contract and the Other Financial Institution's code of conduct, and that it was permitted to do so under the Act.
4. The complainant was hired by the Other Financial Institution in December 2008 as a manager in the sale and marketing of personal life insurance products. At the time he was hired, the complainant submitted a declaration, mandated by the Other Financial Institution, where he indicated related commercial activities and employment in which he was engaged.
5. Nearly two years later, the Other Financial Institution advised the complainant that he was the subject of an internal administrative investigation in relation to his professional activities. Following the results of that investigation, the complainant was dismissed from his employment. The reason given for the dismissal was that the complainant had been in receipt of commissions from a third-party financial services organization. In the Other Financial Institution's view, this contravened the terms and conditions attached to his employment.

The Disclosure

6. Prior to the complainant's dismissal, by way of email dated October 4, 2011, an investigator at the Other Financial Institution requested from the Bank a listing of direct deposits and cheques received by the complainant from the third-party financial services organization since 2008 (The complainant was a customer of the Bank). The request was made by an investigator at the Other Financial Institution designated as a member of the BCPIO, and received by a Senior Investigator at the Bank, also designated as a member of the BCPIO.
7. The BCPIO is the investigative body of the Canadian Bankers Association, and both the Bank and the Other Financial Institution are member organizations of the BCPIO.
8. In an email response dated October 5, 2011, the Bank's senior investigator provided the Other Financial Institution with a listing of financial transactions between the third-party financial services organization and the complainant as recorded in the complainant's personal accounts at the Bank for the period January 1, 2008, through October 5, 2011. The information disclosed included transaction dates, amounts and the payor.
9. The Bank provided our Office with copies of the email exchange, which did not identify the complainant or the accounts for which financial information was being requested. Instead, the email refers to "the account" and whether there had been any direct deposits or cheques from the third-party financial services organization (named) since 2008. For that matter, the requesting email to the Bank did not include a description or summary of the employer's investigation in support of the request for information. According to the Bank, that information was communicated between the Bank and the Other Financial Institution by telephone only.
10. The complainant ultimately filed the current complaint against the Bank with our Office, which we accepted on May 23, 2013.

The Bank's Position

11. During our investigation, the Bank submitted that the complainant's personal information was shared with third parties pursuant to paragraphs 7(3)(d) and 7(3)(h.2) of PIPEDA, as well as in accordance with BCPIO procedures.
12. In the Bank's view, the BCPIO procedures allow designated employees of BCPIO member organizations to collect, use and disclose personal information in the prevention and investigation of criminal and dishonest activity, including the breach of an employment agreement.
13. Further, the Bank stated that the BCPIO procedures stipulate that matters of honesty, integrity, ethics, conflicts of interest, and contravention of the employment code of conduct are all investigable. The Bank added that these matters include taking part in outside employment or activities that may interfere, or appear to interfere, with the independent exercise of one's best judgment regarding the best interest of the bank (i.e., the employer) and its clients.
14. In the case at hand, the Bank informed us that it had been asked by the Other Financial Institution for the complainant's personal information in support of an investigation into a possible breach of the complainant's employment agreement and a violation of the employer's code of conduct. The Bank claimed that the complainant's employer was concerned that the complainant was also employed by the third-party financial services organization.
15. The Bank also stated to us that it believes the request it received to provide the complainant's personal information was prima facie reasonable and related to the employer's investigation.

The Bank Crime Prevention and Investigation Office (BCPIO) and "Investigative Bodies"

16. According to the Canadian Bankers Association, the purpose of the BCPIO is to "protect bank customers against financial crime, including credit card and debit card fraud, bank robbery, counterfeiting, cyber-crime, money laundering, the use of forged documents and more". The BCPIO was created to enable financial institutions to investigate "all aspects of criminal activity affecting them and their clients". Further, it "provides a controlled and secure environment in which information about fraud or crime can be quickly and safely exchanged between BCPIO members to maintain the security and integrity of [Canada's] banking system".
17. In 2001, the BCPIO was granted "investigative body" status under PIPEDA and it is listed as an investigative body in the Regulations Specifying Investigative Bodies (the "Regulations") for the purposes of paragraphs 7(3)(d) and 7(3)(h.2) of PIPEDA.
18. According to the Canadian Bankers Association's submission in seeking to obtain investigative body status for the BCPIO in 2000, the BCPIO consists of Director and staff of the Canadian Bankers Association's security office, the senior security officers of the member banks, a limited number of designated bank security personnel and the senior security officer of financial agencies with whom banks have contractual arrangements.
19. According to the BCPIO User Guide (the "Guide"), BCPIO individual members are security officers who regularly conduct investigations related to internal and external criminal activities affecting the organizations and regularly interact with security personnel in other organizations, with law enforcement agencies as allowed by law, and provide information for investigations. Both the Bank and the Other Financial Institution are BCPIO member organizations, and our investigation revealed that the respective employees who disclosed or received the personal information at issue in this case were designated BCPIO security officers, and the points of contact for each organization with respect to BCPIO matters.
20. The Guide provides that the members have the right to share information about individuals suspected to be involved in criminal activity without obtaining permission from the individual. It also states that BCPIO membership "is not a mechanism to conduct due diligence".

The investigative disclosure form (the "disclosure form")

21. The Guide states that a BCPIO member disclosing an individual's information must file a disclosure form with the Canadian Bankers Association's Security and Intelligence Office within seven business days.
22. In the context of this complaint, the same day that the Bank made the disclosure to the Other Financial Institution on October 5, 2011, the Bank completed and submitted a disclosure form in relation to the complainant. Our Office was provided a copy of the disclosure form to review.
23. The disclosure form submitted by the Bank contains minimal information. On it, the Bank describes the type of investigation conducted by the complainant's employer as one of "defalcation". The Bank also provided a brief description of the disclosure.
    
    

    [The Other Financial Institution] … is investigating one of their employee [sic] in a case of Ethic [sic]. They requested details of transactions processed by … [the third-party financial services organization] … in PDA … [account number] since January 1st, 2008 to date.
    
    Information provided to … [The Other Financial Institution]

24. On July 17, 2014, our Office issued a preliminary report of investigation to the Bank in which we examined the issues raised in the complaint and requested that the Bank respond to our recommendations. What follows is the result of our analysis of the evidence obtained during our investigation.

Application

25. In making our determinations, we applied Principle 4.3 of Schedule 1 and paragraph 7(3)(h.2) of Part 1 of the Act.
26. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
27. Under paragraph 7(3)(h.2), an organization may disclose personal information without an individual's knowledge or consent, where the disclosure is made by an investigative body and the disclosure is reasonable for purposes relating to the investigation of a breach of an agreement or a contravention of the laws of Canada or a province.

Findings

28. There is no dispute that the Bank disclosed the complainant's personal information to the Other Financial Institution without his knowledge and consent. At issue is therefore whether the exemption under paragraph 7(3)(h.2) applies in the circumstances. As for sub-paragraph 7(3)(d)(i), the Bank appears to have withdrawn its reliance on this exemption, which our Office does not consider applicable to this case since the disclosure was not made on the Bank's initiative.
29. Our overall view is that an entity designated as an "investigative body" pursuant to the Regulations is not given carte blanche to collect, use or disclose personal information without the knowledge and consent of the individual concerned simply because the entity has been so designated. The entity must also exercise due diligence and care in assessing whether it is permitted to disclose personal information without knowledge and consent.

Was the disclosure by the Bank to the Other Financial Institution in the circumstances permitted under paragraph 7(3)(h.2) of the Act?

30. 30. For this to be permitted under paragraph 7(3)(h.2), the disclosure must have been:
    1. made by an investigative body; and
    2. reasonable for purposes related to the investigation of a breach of an "agreement" or a "contravention of the laws of Canada or a province"

a) Was the disclosure made by an "investigative body"?

31. In the context of this complaint, both the Bank and the Other Financial Institution are BCPIO member organizations. Moreover, at the time at which the information was exchanged, both employees involved in the exchange of the complainant's personal information were designated as BCPIO security officers.
32. Based on the above, in our view, the disclosure of the complainant's personal information by the Bank to the Other Financial Institution in the circumstances of this complaint would qualify as a disclosure by an investigative body. The disclosure in question was made by a designated BCPIO security officer at the Bank, authorized to perform investigative functions in advancing the mandate of the BCPIO, to another BCPIO security officer at the Other Financial Institution.

b) Was the disclosure reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province?

33. Our investigation did not reveal any evidence available at the time of the disclosure that the Other Financial Institution's investigation related to the contravention of the laws of Canada or a province.
34. Accordingly, our analysis focusses on the question of whether the disclosure was reasonable for the purpose of investigating the breach of an agreement.
35. Given the sensitivity of the personal information requested, and since our investigation did not reveal any direct evidence that the Bank had written documentation demonstrating that it had performed some sort of due diligence in determining the reasonableness of the disclosure of the complainant's personal information, we were of the preliminary view that the disclosure by the Bank to the Other Financial Institution in the circumstances was not reasonable for the purposes of paragraph 7(3)(h.2) of the Act.
36. Thus, in our preliminary report of investigation, we recommended that the Bank do the following:
    1. Develop and document protocols for the disclosure or sharing of personal information with other BCPIO members; and
    2. Establish guidelines to assist BCPIO Security Officers in assessing and recording what constitutes a reasonable disclosure of personal information under the auspices of the BCPIO without knowledge and consent.
37. We received responses from the Bank and the Canadian Bankers Association, both dated August 28, 2014.
38. The Bank stated that when the Bank employee designated as a BCPIO member first received the request from the Other Financial Institution, the employee of the Bank conducted due diligence by verifying that the caller was a BCPIO member on an approved list of current BCPIO members. In addition, the Bank's BCPIO designated employee then telephoned the BCPIO member from the Other Financial Institution to clarify the request and confirm that the information was being sought within the scope of the BCPIO program. The Bank claims that the Other Financial Institution then confirmed that the Other Financial Institution was investigating the breach of a contract in relation to an individual's employment and that it concerned payments the employee may have been receiving from the third-party financial services organization.
39. The Bank maintains that the Bank's BCPIO disclosure of the complainant's personal information to the Other Financial Institution was justifiable, reasonable on its merits and in compliance with PIPEDA. However, the Bank also stated to us that there were the Bank BCPIO processes that can be improved when disclosing information pursuant to a BCPIO request. The Bank admitted that its BCPIO member did not document on the disclosure form that the matter related to a breach of an agreement.
40. The Bank stated that the issues with the current complaint rest with the documentation processes that the Bank BCPIO member completed when disclosing the information to the Other Financial Institution (i.e., the issues do not rest with the merit or basis for disclosing the information).
41. As for the types of information disclosed, the Bank stated that these were limited and relevant to the request and consisted of the following: the transaction date along with the amount and payor of seven transactions to the complainant during the time period specified in the Other Financial Institution's request.
42. In summary, the Bank believes that its actions were in accordance with the requirements of paragraph 7(3)(h.2).
43. The response from the Canadian Bankers Association generally echoes the Bank's statements above^{Footnote 1}. The Association also asserts that the Other Financial Institution's investigation of the breach of the complainant's employment agreement is consistent with the purposes for which paragraph 7(3)(h.2) was enacted. The Association states that the Other Financial Institution's investigation is also consistent with the BCPIO's mandate, policies and procedures since the BCPIO was established to protect the security and integrity of the financial system through the prevention and investigation of criminal or dishonest activities.
44. Of note, the Canadian Bankers Association considers that the requirements that need to be satisfied under paragraph 7(3)(h.2) are separate and distinct from an organization's assessment of its ability to rely on this exemption. It explains that there is nothing in the wording of paragraph 7(3)(h.2) that requires an organization to substantiate and document a link between the information to be disclosed and the purposes in order to qualify for the exception. In the Association's view, if the necessary requirements to exempt consent under paragraph 7(3)(h.2) have been satisfied, the organization is permitted to disclose the information.
45. We are of the view that the Bank did not provide any evidence that it properly documented the purposes for which the information was disclosed or undertook any demonstrable due diligence to ascertain itself of the reasonableness of the disclosure. However, as a result of our investigation, we are satisfied that the evidence demonstrates that, notwithstanding the Bank's failure to properly document, the underlying purpose for which the Bank disclosed the complainant's personal information to the Other Financial Institution was for the Other Financial Institution's internal investigation relating to the complainant's employment agreement.
46. While we make no determination as to whether the Other Financial Institution's investigation was ultimately founded, we find that the Bank's disclosure of information was reasonable for that purpose in the circumstances.
47. Accordingly, we conclude that the matter is not well-founded.

Other

48. That being said, we reiterate our view that the Bank failed to properly document the purpose for which the information was disclosed and failed to properly document the steps it took to be able to demonstrate, prospectively, that it undertook the necessary due diligence to ensure that the disclosure was reasonable and for an appropriate purpose under subsection 7(3)(h.2) of PIPEDA.
49. During our investigation, the Bank provided the relevant email correspondence between the Other Financial Institution's BCPIO officer and the Bank BCPIO officer regarding the disclosure of the complainant's transaction information. In its initial email requesting that the Bank provide the information at issue, the Other Financial Institution's BCPIO officer marked the request as being urgent and did not provide any purpose for which the information was sought. The following day, the Bank BCPIO officer provided the information sought by email, stating that he would prepare a "BCPIO" (i.e. an disclosure form).
50. In its representations to our Office, the Bank stated that the Bank BCPIO employee conducted additional due diligence by telephoning the Other Financial Institution's BCPIO member to clarify the request and confirm that the information was being sought within the scope of the BCPIO program, and that on that particular phone call, the Other Financial Institution's BCPIO member conveyed to the Bank BCPIO member that the basis for the request was the Other Financial Institution's investigation of a breach of a contract in relation to an individual's employment. However, there is no mention of this telephone conversation in the email sent by the Bank BCPIO employee to the Other Financial Institution in which the complainant's personal information is disclosed. Furthermore, the Bank BCPIO member described the Other Financial Institution's internal investigation as a matter of "defalcation" and related to "Ethic" (sic) in the disclosure form that he prepared.
51. Ultimately, the Bank did not provide us with direct evidence that it undertook any sort of analysis in assessing or establishing the actual reason for the request, the reasonableness of the request, whether the information sought was necessary, or whether there were other sources apart from the Bank from which such information could be collected. Indeed, it appears to us that the Bank employee simply "took the word" of the staff member at the Other Financial Institution as to the nature of the investigation and the pertinence of the personal information requested for that investigation.
52. In our view, properly substantiating the reasonableness of a disclosure is a necessary corollary to the exception under paragraph 7(3)(h.2). Properly documented evidence is essential to demonstrate that, at the time of the disclosure, the organization undertook the proper due diligence analysis to satisfy itself that a disclosure falls within the bounds of paragraph 7(3)(h.2).
53. In response to the recommendations we made in our preliminary report, the Bank states that it has taken this matter very seriously.
54. With regard to the first recommendation, the Bank pointed out the existence of relevant Bank BCPIO procedures and provided our Office with excerpts of these procedures for our review. Concerning our second recommendation, the Bank will review its BCPIO procedures and training for the disclosure or sharing of personal information with other BCPIO members and update these procedures and training to clarify how BCPIO disclosure forms should be completed, including the requirement to provide an appropriate description of the basis for the disclosure. The Bank also states that it will do the following: (i) review and update its BCPIO procedures and training to facilitate appropriate documentation of discussions between BCPIO members; (ii) communicate these updated procedures and training to its BCPIO members and (iii) conduct training on these updated procedures with its BCPIO members.
55. Our Office is satisfied with the Bank's response to our recommendations, and we believe that it will effectively and appropriately address how the Bank documents disclosures made under paragraph 7(3)(h.2) of PIPEDA. Given the relevance of such actions for ensuring and enhancing the due diligence procedures of other financial institutions, this issue will also be raised with the Canadian Bankers Association.

Footnotes