Some financial services institutions have been inadvertently breaching federal privacy laws by releasing client documents to third parties, according to a recent Ontario Court of Appeal case. As a result, lawyers are urging firms and financial advisors to be more vigilant in protecting their clients’ privacy.

A decision released by the Ontario Court of Appeal in early January reaffirms financial services institutions’ obligations under the Personal Information Protection and Electronic Documents Act, or PIPEDA — a 10-year-old federal law regulating the use and disclosure of personal information collected by organizations.

The court has ruled that under the act, financial services institutions are prohibited from disclosing mortgage discharge statements and other documents containing personal information about their clients to third parties without consent — unless a specific exception applies.

“Banks, in particular, and all organizations have obligations of confidentiality with respect to their customer information under the privacy legislation,” explains Barbara McIsaac, senior litigator withBorden Ladner Gervais LLP in Ottawa. “They absolutely cannot disclose personal information about their clients or customers to a third party without either an implicit or implied consent of some kind.”

As financial advisors often collect and use much of this personal information directly, McIsaac says, it’s particularly important for them to understand clearly their confidentiality obligations under the law.

“Before that information is disclosed to anyone, [advisors] have to be certain that they have a consent from their client to do so,” McIsaac says. “[Advisors] should have privacy policies in place and they should have some kind of privacy disclosure that is provided to clients, particularly at the intake interview, so that clients fully understand what [their advisors] may or may not be doing with the personal information.”

The recent Ontario decision, Citi Cards Canada Inc. v. Pleasance, is a lawsuit in which Toronto-Dominion Bank and its subsidiary Canada Trust Co. refused to provide a client’s mortgage discharge statements to a third party, Toronto-based Citi Cards.

Citi Cards had a credit card-related judgment of more than $11,000 against the client and had sought to enforce it through a sheriff’s sale of the client’s home. When TD and Canada Trust refused to provide the mortgage discharge statements necessary for the sheriff’s sale, Citi Cards sought a court order that would compel TD and Canada Trust to produce the statements.

The application judge refused to issue this order in March 2010 on the basis that the mortgage statements contained personal information that’s prohibited under PIPEDA from being disclosed to third parties without client consent.@page_break@In early January, the Ontario Court of Appeal upheld this decision, as explained by Justice Robert Blair of that court: “I also agree with the application judge that the information Citi Cards seeks from the banks is ‘personal information’ of the debtor. This information is collected and used by the banks for purposes of administering the mortgage; it is not collected or used for purposes of facilitating another judgment creditor’s execution on its judgment.”

The implications of this case for financial services institutions extend well beyond mortgage discharge statements. PIPEDA defines personal information very broadly as any document containing “information about an identifiable individual.”

“Pretty much any document that a financial institution holds that can identify an individual would fall under PIPEDA,” says Richard McCluskey, an associate at McMillan LLP in Toronto. “From a financial services institution’s perspective, the case really just serves as a reminder to remain vigilant in protecting its clients’ privacy rights.”

There are certain exceptions to the rule prohibiting disclosure of personal information to third parties without consent. For instance, a firm would not need a client’s consent to disclose information if ordered to do so by a court, or if the disclosure is for the purpose of collecting a debt owed by the individual to that organization, among other exemptions.

In the Citi Cards case, however, the judges had determined that no exceptions applied, underscoring the fact that the exceptions under PIPEDA must be read very narrowly. “In most situations,” says McCluskey, “the safe thing to do would be not to disclose.”

Although McCluskey says that most financial services institutions are prudent in protecting their clients’ personal information, it appears that some haven’t been prudent enough. Justice Blair also noted that some firms have been providing mortgage discharge statements to third parties on request, which represents a breach of their clients’ privacy rights.

This suggests that even though the PIPEDA legislation has been in place for a decade, some firms are still unclear on the specifics of the law. “Not all financial services institutions are recognizing the importance of confidentiality, even in the litigation context,” says McIsaac. “They tend to think that because they’re in litigation that they don’t have any [confidentiality] obligations, but that’s simply not the case.”

Financial services institutions should review PIPEDA and its exceptions, she says, and develop a policy for dealing with third-party requests for information. It’s also important for staff members to be trained in the privacy rules. IE