Guidance on managing family member/household accounts

February 2014


This document is intended to provide guidance for organizations to avoid the mishandling of personal account information when multiple household members are involved.

The goal is to foster better understanding of the privacy issues inherent to managing the accounts of family members and to identify some best practices to protect the privacy of individuals.

This guidance document can serve as a reference tool for organizations to supplement employee training.

Overview

Just because people may be related does not mean that they have a diminished expectation of privacy when it comes to their personal information vis-à-vis one another.

Often, organizations may have clients who live together in the same household, are related to each other, or have joint accounts. Our Office has investigated and issued findings on the privacy concerns that arise when organizations do not treat different family member information appropriately.

Many of the problems we have seen could be avoided if organizations were to take additional care in their handling of personal information when they are aware that familial accounts or accounts with multiple account holders are at play.

Businesses should ensure that they maintain and operate accounts of family members in a manner that respects the privacy of their clients. They must take the necessary measures to mitigate the risk of giving out information to the wrong individual, sending information to the wrong address, not obtaining consent of all parties associated with an account, or not accurately updating or maintaining account information.

Organizations need to have a privacy management program that includes governance and technical safeguards to ensure that appropriate privacy protections are in place to meet privacy compliance requirements [Footnote 1]. In addition, employee training on how to manage and deal with the issues specific to these family or household-related accounts is important to protect the privacy of individuals.

10 Tips For Organizations For Managing Family Member/Household Accounts

1: Obtain verified consent from all individuals on an account

In some circumstances, there may be multiple individuals associated with an account. If, for example, a credit check has to be done, it is important to get the consent of all individuals on the account before proceeding to obtain a credit report.

As well, it is important to verify the identity of an individual purporting to make changes to an account, including adding other people to an account, in order to guard against possible pretexting schemes.

For more information, please refer to PIPEDA Case #2011-004

2: Information about an account holder should only be sent to that account holder

While family members may share the same address, if they have separate accounts, an organization should ensure that only the authorized individual on an account receives information about that account. It is important to be careful and avoid sending statement account information about one family member to another through clerical error or otherwise.

For more information, please refer to PIPEDA Case #2003-156

3: Make sure updated account information belongs to the correct account holder(s)

Accuracy of information is an important principle of privacy compliance. Updating one account holder's information with another family member's information may lead to an unauthorized disclosure, and possibly negative financial consequences for the relatives involved.

For more information, please refer to PIPEDA Case #2003-150

4: Train and monitor employees to ensure they do not inappropriately access other family member accounts

Employees must not "snoop" on other family members' accounts held by their employer organization. A sound, up-to-date overall privacy management framework that includes appropriate policies and practices, training programs for employees, effective oversight, and other safeguards to prevent inappropriate access to client information is key to addressing such problems.

Employee training for front-line employees and organizational policies and procedures on this issue are absolutely critical.

For more information, please refer to PIPEDA Case #2003-212

5: Ensure account information reflects changes in familial relationships

Just because there is an existing familial relationship between customers does not mean their individual account information is or will remain related. IT systems and employee training should be developed to properly manage a change in living circumstances (such as a separation) or a change in accounts (such as closing a joint account), and ensure that individual information about an account to which an individual no longer has access is not given to him or her without consent by the proper account holder.

For more information, please refer to PIPEDA Case #2003-175

6: When responding to court orders for production of account information, limit disclosure to what is legally prescribed and in the manner prescribed

When responding to court orders, organizations should follow the directions set out in the order and limit the disclosure of personal information to those directions. The personal information disclosed must be limited to that which is specifically requested, released only to the party or parties named and in the manner prescribed. If a court orders an organization to produce a client's account information, the organization shall not disclose the personal information of a joint account-holder who is not involved in the proceedings and not otherwise specified in the order without consent of the joint account-holder.

For more information, please refer to PIPEDA Case #2009-005

See also: X. v. Banque Royale du Canada, 2012 FC 1095.

7: Train staff to be careful when leaving messages

Despite the fact that an individual may have provided an organization with a contact person, that does not mean an organization can divulge all account information to that contact person. For example, leaving a message for an account holder saying that one is calling from the collections department of an organization may reveal more information than is necessary.

For more information, please refer to PIPEDA Case #2003-225

8: Make sure executor and account survivorship are addressed in organizational practices

In the case of a deceased individual's account, information should not be disclosed to simply any relative or family member, but only to an individual who is authorized to administer the estate of the deceased, such as an executor. That said, in the case of a joint account with a right of survivorship, organizations should obtain the consent of the surviving account holder before disclosing information on the account to an executor. It is extremely important for organizations to have policies, procedures, and training for employees in order to address the privacy issues related to executors and survivorship issues.

For more information, please refer to PIPEDA Case Summary #2013-005: Beneficiary's access to estate information is limited to his own personal information under PIPEDA

9: Develop procedures on providing access to representatives

In the case where an individual purports to have authority to access another individual's account by virtue of a power of attorney, an organization may need to review the power of attorney document in its entirety in order to assess any limits of such a claim. An organization should develop formal procedures and associated training materials for employees to deal with claims by representatives to access accounts.

For more information, please refer to PIPEDA Case Summary #2004-278

10: Do not assume family/household member accounts can be joined together

Even though individuals may have a family relationship or share an address, that alone should not be a reason to join or merge their accounts. Disclosing information of one account holder to another when their accounts are not linked is contrary to privacy compliance obligations and can also undermine a customer's trust in an organization's business practices. Before joining accounts, an organization's procedures should include seeking the consent of individuals, and this should be communicated to employees through various training materials.

For more information, please refer to Early resolution case summary #2: Telecommunications firm discloses individual's personal information without consent when it merged two household accounts that shared an address.
