Privacy lessons from the banks

By Kate McCaffery | April 26, 2005 | Last updated on April 26, 2005

(April 26, 2005) Human error is likely behind the most recent privacy faux pas in the Canadian banking sector. In the past two years, four branches of the Bank of Montreal misdialed phone numbers and sent personal client information to a home business in Montreal.

Even with automatic dialers in place and ongoing internal awareness campaigns, the bank has found itself in the unenviable position of investigating just how client information ended up being sent astray less than a week after the federal Privacy Commissioner raked a competitor over the coals for similar improprieties.

Unlike recently reported blunders, however, BMO’s missteps are relatively small. Earlier this month the Office of the Privacy Commissioner of Canada released a summary of its investigation into incidents involving misdirected faxes containing the personal information of CIBC customers. The report detailed how the bank systematically faxed personal information such as social insurance numbers, bank account numbers and balances, home addresses, telephone numbers and customer signatures over the course of several years to different companies in the U.S. and Canada, despite repeated attempts by the fax recipients to rectify the situation.

Ralph Marranca, spokesperson for BMO Financial Group, says in this case there were about 12 misdirected faxes in total sent to the wrong number during the past two years, and the information was limited to that which might appear on a personal cheque. “It’s a very small number, thankfully,” he says. “That’s not to dismiss the seriousness of it. We don’t want this to happen at any time, so we’ll take this opportunity to review our processes again with our staff and make sure they understand their responsibilities.”

He says roughly 90% of BMO faxing is already done using automatic dialers to eliminate similar problems. The company plans to revisit an internal awareness campaign that the bank started back in December to cover steps staff members need to take when handling client information. “I think that helps to keep it top of mind for staff — the importance of protecting customer information and understanding their role in this,” Marranca says. In the case where an employee needs to manually dial a fax number, for example, “it’s just a matter of taking the time to make sure they’ve entered the right number before they send it.”

Financial advisors can take similar warnings to heart. In creating a financial plan and completing Know Your Client requirements, financial advisors collect a wealth of sensitive personal information that is all protected by federal and provincial privacy laws.

Privacy 101

All personal information collected by companies during the course of commercial activities is subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) unless the province has enacted “substantially similar” laws, such as those in force in Quebec and British Columbia.

According to the Borden Ladner Gervais LLP pension law group, the laws may contain different details, but they are generally based on certain broad principles and have the same requirements.

Personal information, whether it is provided by the individual or developed by an organization, may only be collected and used with the consent of the individual. The type of consent required depends on the sensitivity of the information. For financial information, express consent in the form of a signature is probably the best course of action. Organizations must also protect personal information with safeguards appropriate to the sensitivity of the information.

Organizations should know exactly why they are collecting and using certain information, and should not collect more information than is reasonably needed for those purposes. Once a client has information on file with your organization, the company should provide access to personal information on request and provide an opportunity to correct the information if necessary.

Finally, whether the organization is large or small, at least one employee should be accountable for the firm’s privacy principles and compliance.

Filed by Kate McCaffery, Advisor.ca, kate.mccaffery@advisor.rogers.com
