The Privacy Commissioner of Canada recently issued the following three decisions with respect to complaints filed by customers under the Personal Information Protection and Electronic Documents Act against their banks:
In Case #183, the complainant alleged that the bank had breached Principle 4.8 of PIPEDA when it refused to provide him with detailed information about its privacy and information security policies and procedures. In response, the bank submitted that general information about such policies and procedures was available to customers in brochure form and on its website, and that publicizing any further details might give criminals information about how to circumvent the bank's safeguards and thereby render them ineffective. The Privacy Commissioner agreed with the bank and concluded that the complaint was not well-founded. In the Commissioner's view, the bank had struck an appropriate balance between the requirement under Principle 4.8 to inform customers about its information management policies and practices and its obligation to protect customers' personal information.
In contrast, in Case #180, a bank was found to be in violation of PIPEDA Principles 4.3.2, 4.3, 4.2.4 and 4.5 for using a tape-recording of a customer's call that had been made for quality monitoring purposes for a separate and distinct purpose (that of employee training), without the customer's consent. The bank was also found to be in breach of Principles 4.7 and 4.7.1 for disclosing the customer's personal information when an employee inadvertently connected another customer to a training session in which the tape-recording was being played back.
Another bank was found to be in breach of Principle 4.7 of PIPEDA in Case #177, where an employee computer terminal located in an open area of the bank was left unattended so that anyone could access customers' sensitive personal information without a password. Although the bank had taken remedial steps to raise employee awareness about security measures and had installed a new computer system with password-protected screen-savers that activate automatically if the keyboard remains untouched for 15 minutes, the Privacy Commissioner held that such remedial measures did not constitute appropriate safeguards.
For a copy of the decision in Case #183, visit:
http://www.privcom.gc.ca/cf-dc/2003/cf-dc_030710_03_e.asp
For a copy of the decision in Case #180, visit:
http://www.privcom.gc.ca/cf-dc/2003/cf-dc_030710_02_e.asp
For a copy of the decision in Case #177, visit:
http://www.privcom.gc.ca/cf-dc/2003/cf-dc_030605_e.asp
For a copy of PIPEDA, visit: