Office of the Privacy Commissioner | Case Note 2448 [1998] NZPrivCmr 2 - Client protests when bank discloses his account details to daughter-in-law
A customer alleged that his bank had sent a printout of his loan account to his daughter-in-law. The printout disclosed the details of a mortgage the customer and his new partner had over a property. The customer found this very embarrassing.
The daughter-in-law and the customer had the same surname and similar but not identical initials. The daughter-in-law, who had a loan with the same bank, requested a printout of her own loan details. A bank employee mistakenly accessed and printed out the complainant's file. The mistake was not noticed and the printout was put in an envelope addressed to the daughter-in-law. This was contrary to the bank's normal practice of using window envelopes for such communications. If a window envelope had been used, the printout would have gone to the complainant.
The complaint raised issues under principles 5 and 11.
Principle 5 requires agencies to take reasonable security safeguards to protect information against unauthorised disclosure. I considered that the financial information at issue required protection by fairly stringent safeguards. I formed the opinion that the bank had not taken reasonable steps to protect the information in this case.
Principle 11 limits the instances in which personal information may be disclosed. The bank agreed that none of the exceptions allowing disclosure seemed to apply, and that the disclosure breached principle 11.
Following some discussion with my office, the bank issued written instructions to all staff concerning correspondence with customers. All correspondence was to be sent in window envelopes. Computer printouts were not to be sent to customers unless they were in a form which could be sent in window envelopes. Staff were instructed to use unique customer numbers to ensure the person requesting information was entitled to it.
I considered this was a satisfactory assurance against the repetition of the actions which led to the complaint. The complainant was pleased with this assurance but considered that financial compensation would be appropriate and suggested the bank make a donation to a charity of his choice. The bank did not consider a financial settlement was appropriate in the circumstances.
I did not consider it appropriate to use further resources on securing a donation by the bank and, in view of the bank's assurance, I discontinued my investigation.
February 1998
Indexing terms: Disclosure of personal information - Bank - Financial information about a client sent to another client - Failure to take precautions - Information privacy principles 5 and 11