Misdirected faxes

Incident Summary #3

In the spring of 2005, the Office of the Privacy Commissioner of Canada conducted two investigations into incidents involving misdirected faxes in the banking sector. The incidents in question, which were reported in the Montreal Gazette in December 2004 and April 2005, involved two banks.

In each case, the recipients of the faxes contacted the banks on numerous occasions, to little effect. Echoing the comments made in an earlier incident investigation involving another bank’s faxes going astray, the Commissioner expressed concern about the effectiveness of these banks’ privacy policies and practices. It was clear that the employees of these banks did not recognize the privacy implications of misdirected faxes and act accordingly, and that the banks’ privacy officials only became aware of the problems after the incidents became public.

The cases below are yet more examples of the need to ensure that all members of an organization are attuned to privacy issues and can respond to problems when they arise. The cases also illustrate the public’s responsibility to return any personal information received in error to the sender, and not to destroy such information. The following is a summary of what happened with respect to each bank and the Office’s recommendations.

Summary of Incident – Bank 1

The incident in question involved facsimiles originating from the bank’s branches that were sent in error to a Montreal resident.

The recipient estimated that she had received over a hundred faxes since 1998, when she installed a fax machine in her home. While she shredded many of these, she kept approximately 50. Our Office received a copy of 43 faxes sent between 1998 and 2003 that the bank had obtained from the recipient in which the affected clients could be identified. All of the documents concerned mortgage loans, and most of the faxes were sent without a cover page.

The recipient would transmit the faxes to the correct number or back to where they came from. She contacted the head office of the bank twice, in 1998 and 2002. One of the employees she spoke to asked her to send the faxes to the bank, and indicated that he would ensure that a note was sent to all branches highlighting the matter. After this call, the number of faxes dropped, but she still continued to receive some.

She also frequently contacted the branches where the faxes originated, but no follow-up was done until after the article appeared in the press. A bank official came to her home to collect the faxes in her possession. The bank also conducted an investigation to determine the root of the problem and the source of the faxes. The investigation revealed that the faxes came from different branches of the bank and were intended for the mortgage centre, whose fax number was similar to the recipient’s. The people that she contacted in 1998 and 2002 believed that it was an isolated event, namely, a keying error on the part of the sender, and did not escalate the matter to upper management.

The bank stated that, following the misdirected faxing incidents involving another bank, it sent out a reminder and warning to all employees regarding the transmission of confidential information by fax in December 2004. After the article appeared about its own faxing issues, the bank took the following additional measures to ensure that what happened did not reoccur:

• It changed the fax number for the mortgage centre;
• It sent instructions to branches to pre-program numbers to minimize keying errors;
• It sent a letter of apology to the recipient; and
• It contacted the recipient to keep her up to date about the steps the bank was taking.

The bank developed two other measures to prevent faxes from being misdirected and for dealing with problems should they arise. One concerns the bank’s policy on personal information protection, which includes standards governing the use of faxing. It outlines the specific steps that must be taken by an employee when faxing and reporting problems. The second measure involves the complaint process for dealing with allegations that the bank has contravened a principle under the privacy policy.

The bank contacted the affected customers. It apologized to them, and informed them that it collected the documents from the recipient and obtained confirmation from her that the documents were never used or disclosed to anyone else.

Summary of Incident – Bank 2

An individual in the Montreal area stated that he received a number of facsimiles from a bank between 1997 and 2001. Although he destroyed some of the faxes he received, he kept approximately 15. The majority of faxes did not have a cover page and were lengthy. They mainly consisted of computer print-outs of various credit applications, and contained the names, addresses and social insurance numbers of approximately 24 customers.

The recipient attempted to contact some of the branch employees who had sent the faxes, sometimes leaving messages informing them that he had received a fax from them in error and asking them to contact him. His calls were not returned. After the story appeared in the media, a manager for a bank branch came to his home to collect the faxes.

The bank confirmed that the individual’s facsimile number and that of the bank’s loan centre differed by one digit. After being informed of the matter, the bank called 19 of the 24 clients whose personal information had been disclosed (the five not called were no longer clients and the bank did not have up-to-date contact information for them). The clients were informed of the error and of the measures taken by the bank. The bank also took the following steps to avoid a recurrence:

• It sent a circular to its branches requiring that a general meeting be held with staff to ensure a clear understanding of faxing guidelines;
• It provided specific guidelines on such matters as programming fax machines and the use of cover pages; and
• A review team that regularly visits branches incorporated a review of fax guidelines into its standard review checklist.

Conclusion

The Personal Information Protection and Electronic Documents Act requires organizations to safeguard personal information in their care to prevent it from being inappropriately disclosed. In each of these cases, it was clear that proper care was not taken to ensure that the documents in question were adequately protected, and as a result, the information was disclosed to the wrong person.

The Act also requires organizations to implement policies and procedures to give effect to the principles of fair information practices. As the OPC publicly indicated in relation to another faxing incident, it is not merely a matter of publishing a privacy policy in a brochure or on a web site. The entire organization must be aware of the policy and must ensure that its employees are adhering to it, bringing problems to the attention of the right people, and acting on it. It was clear that this did not happen in any of these incidents until the matter became public.

Recommendations made to both banks

While the Office was pleased that the banks had taken steps to address the issue of safeguarding personal information and generally ensuring compliance with the principles of fair information practices, the Assistant Commissioner also recommended the following:

• that each bank fully implement their planned measures to improve the internal communication of privacy breaches;
• that the banks commit to notifying all affected customers whenever there is a privacy breach;
• that the banks examine their processes for confirming that information sent via fax is correctly transmitted; and
• that the banks implement measures to ensure that any customer information that has been erroneously transmitted be recovered.

Both banks have fully implemented all of the recommendations. Bank 1 has revised its existing privacy policy and procedures to incorporate the recommendations. Many of the changes that Bank 2 has made are included in its new privacy policy. When personal information is disclosed, each bank notifies customers if appropriate. Both banks made many modifications to the process of sending faxes. They also established a series of measures to recover faxes that are sent erroneously, and explained why there may be some situations in which it could be difficult to recover them.  New guidance on the use of fax cover sheets has been made available to each bank’s staff.