The Federal Court issued a PIPEDA judgment today in which it considered an organization’s duty to maintain accurate records of personal information and ordered damages under PIPEDA, both for the first time.
The judgment is about an inaccurate credit report given by a credit reporting agency to a bank. The agency wrongly associated negative credit information with the applicant based on the similarity between his identifiers and the identifiers of the individual to whom the negative information related. The applicant made some inquiries and diagnosed the error in early January 2008. It took the agency about 20 days to confirm the error, amend the applicant’s credit record and send a notice of correction to the bank. The applicant took issue with how forthright the agency was in dealing with the matter, both in its willingness to accept responsibility for the error (as opposed to blaming the collection agency that had supplied it with the negative information) and in notifying the bank.
The Court held that the credit reporting agency:
- failed to keep the applicant’s personal information “as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used” as required by PIPEDA principle 4.6;
- failed to keep the applicant’s personal information “sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual” as required by PIPEDA principle 4.6.1; and
- failed to provide amended information as required by PIPEDA principle 4.9.5 because it simply advised the bank that the applicant’s credit record had been amended without providing a copy of the amended credit record or otherwise indicating that the amendment was in the applicant’s favor.
In upholding the accuracy complaint, the Court rejected the agency’s argument that its use of industry standard matching practices (which contemplate some margin of identification error) and its correction effort rendered it in compliance. The Court was very clear that neither compliance with industry standards nor complying with the duty to correct are valid defences to an accuracy complaint, but did suggest that liability for keeping inaccurate personal information is not absolute. It stated:
PIPEDA does not require that personal information be completely accurate, complete, and up- to-date; rather, it requires that personal information be as accurate, complete, and up-to-date “as is necessary for the purposes for which it is to be used.” Thus, it is the use that the information is put to that dictates the degree of accuracy, completeness, and currency the information must have.
It then suggested that the agency failed to take the reasonable precaution of conducting a manual check prior to issuing its credit report.
The Court awarded the applicant $5,000 in damages for humiliation suffered. While it recognized its recent statement in Randall v. Nubodys Fitness Centres that damages ought to be awarded in “egregious situations” only, it held that damages should be ordered to “uphold the general objects of PIPEDA and uphold the values it embodies,” including by deterring future breaches. In awarding damages in the circumstances, the Court noted the evidence of humiliation, the credit reporting agency’s profit motive and the credit reporting agency’s “failure to take prompt, reasonable steps to correct the record and reverse the situation it had caused.”
There are other aspects of the Court’s judgment of significance, including aspects related to the scope of the Federal Court’s jurisdiction under section 14 and its jurisdiction to make compliance orders under section 16(a).