
Privacy and confidentiality

31 Mar 2015

Confidentiality is a cornerstone of the bank-customer relationship. The Code of Banking Practice says banks “have a strict duty to protect the confidentiality of all our Customers’ and former Customers’ affairs”. This is known as a bank’s duty of confidence.

Banks also have obligations under the Privacy Act 1993. The Privacy Act has 12 privacy principles about personal information which govern:

  • how information is collected and stored
  • the rights of people to access and correct information about themselves
  • the disclosure of personal information.

We are able to consider complaints about a bank breaching its duty of confidence. We can also look at allegations of a breach of privacy. In such cases we may consult with the Office of the Privacy Commissioner. Sometimes we refer the complaint if we consider it would be better dealt with by the Privacy Commissioner.


Is the bank’s duty of confidence the same as “privacy”?

The two are similar, but not the same. The bank’s duty of confidence applies to all types of bank customers, including business customers, and to all customer information held by a bank.

However, the Privacy Act 1993 applies to personal information held about individuals only. It does not apply to information about a bank’s business customers. Banks must comply with the Privacy Act 1993 in dealing with personal information held about their customers.

This also applies to staff personal information. We can ask banks what systems and process changes they have put in place to address issues, but we cannot require information about any disciplinary or other action the bank may have taken against an individual staff member.


When can a bank disclose confidential information?

1. When a bank is compelled by law to disclose information

This applies when a bank officer must give evidence about a customer’s affairs in court. A bank may also be legally required to provide specific information about a customer. For example:

  • a bank may have to give customer information to Inland Revenue (Tax Administration Act), the Ministry of Social Development (Social Security Act) or to a liquidator (Companies Act) if a company is in liquidation
  • banks have to report suspected money laundering to the police (Financial Transactions Reporting Act / Anti-money Laundering and Countering the Financing of Terrorism Act).


2. When a bank has a public duty to disclose the information

This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing that customer’s information to a third party.


3. When a bank has to disclose information to protect its interests

This applies when a bank takes legal action against a customer, or defends an action from a customer. For example, where a bank pursues a customer debt through court action it will need to provide information about the customer’s affairs.


4. When a customer agrees to information disclosure

It is acceptable for a bank to disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. For example, a customer may agree to the bank disclosing information about one of their bank accounts. If the bank discloses information about other accounts, it has breached its duty of confidence.


What happens when a bank shares information it shouldn’t?

If a bank shares customer information it shouldn’t have, even accidentally, it has breached its duty of confidence and possibly also the Privacy Act. If we establish that a breach has occurred, we assess whether the customer has suffered a direct financial loss as a result. We also look at whether the customer has suffered distress, embarrassment or inconvenience.

If the customer has suffered direct financial loss, we will award compensation for that. If the customer has suffered distress, embarrassment or inconvenience, we look at the impact of this on the customer. We must be satisfied any distress or inconvenience suffered warrants a compensation payment. Sometimes customers who have experienced minor frustration or inconvenience submit substantial claims. We are unlikely to award compensation for minor mistakes that have little or no harmful effects.




Case note 1

Mrs C bought a life insurance policy with death and terminal illness benefits through her bank. Eight years later, she was diagnosed with a serious illness and lodged a terminal illness benefit claim.

During its assessment of the claim, the bank asked Mrs C to authorise the release of medical information, which she did. The bank asked her doctors for full medical records going back two years. After assessing Mrs C’s records, the bank declined her claim because, though she had a serious illness, she wasn’t terminally ill.

Mrs C complained about the bank’s collection of two years of medical records. She had thought it would only collect information about the diagnosed condition. She did not believe the bank needed the other medical information for her claim, and thought it had “over-collected” personal information. She felt embarrassed and humiliated.

The bank explained its standard practice was to seek information covering a period of time. It needed to discover pre-diagnosis events to assist its claim assessment.

We considered Mrs C’s complaint in light of the Privacy Commission’s 2009 review of insurers’ medical notes collection. Its report noted the tension between insurers’ legitimate need for detailed medical information to make claims decisions, and an individual’s right to privacy.

We looked at:

  • whether Mrs C had properly authorised the collection of full medical notes for a two-year period
  • whether the collection of full medical notes was necessary for the insurance decision.

We were not satisfied Mrs C had authorised the collection of full medical notes. In our view, an insured person reading the bank’s authority form could reasonably understand that the information collected would be relevant to the condition claimed for. The bank accepted our finding on this, and undertook to review its information requirements.

Regarding the collection of full medical notes, we were not satisfied it was necessary in this particular case. We appreciated there may be relevant medical information for an insurer in the period leading up to the diagnosis, but in this case we considered this could be obtained via an information request for medical notes about the condition claimed for, including pre-diagnosis investigations and symptom notes. The bank did not accept our finding on this issue but did not provide its reasons.

We accepted submissions that Mrs C had been shocked and upset at the discovery of the scope of the bank’s information collection and recommended a compensation payment of $850. After a further exchange of correspondence, both parties accepted the recommendation.


Case note 2

Mrs K’s ex-husband was in a relationship with a woman who worked at Mrs K’s bank. Mrs K asked the bank if that particular employee was viewing her banking details. It confirmed the employee had done so a number of months earlier.

The bank undertook disciplinary action against its staff member, but could not disclose what steps it had taken as this would breach the employee’s privacy. The bank offered Mrs K a financial settlement in recognition of the stress caused by the breach. Mrs K considered the offer was too low because she had had recent fears for her safety.

In consultation with the Privacy Commission, we considered the bank’s offer of $550 was reasonable in the circumstances. The breach had happened some months earlier, before she had moved house. The compensation would have been greater if Mrs K’s safety had been compromised as a result of the breach. Mrs K accepted the offer.


Case note 3

Mrs J’s bank accidentally sent her savings account statements to her old address. Mrs J’s friend lived there and opened them. Mrs J was embarrassed, as she had recently told her friend she did not have enough money to give him a loan, but the statements showed otherwise. Mrs J contacted us seeking financial compensation from the bank for damage to the relationship with her friend.

We explained to her that although the bank had sent her bank statement to an incorrect address, it was her friend who had acted inappropriately by opening and reading her mail. Under the Postal Services Act 1998, it is an offence if a person wilfully, and without reasonable excuse, opens mail not addressed to them.

The bank offered Mrs J $500 compensation in recognition of stress and inconvenience caused by its failure to send the statement to the correct address. We suggested Mrs J accept this offer as it appeared to be reasonable in the circumstances. Mrs J did so.

