Contacting customer’s employer a breach of privacy

Privacy & confidentiality
Leon got into arrears with his credit card. He was living overseas but had a New Zealand address on file with the bank. The bank emailed him to say his credit card debt was overdue. Leon replied that he would make a payment “very soon”. He didn’t, and the bank made further attempts to contact him, at which point Leon said he told the bank he was in financial hardship.
April 2020

The bank engaged a debt collection agency to recover the $10,000, to which it added collection costs of $2,000.

The collection agency twice sent mail to Leon at his employer overseas, apparently obtaining the address by looking at Leon’s social media profile. Because of the nature of his work, Leon was meant to tell his employer if he was in arrears with any lending. His employer opened the letters and only learned of his outstanding debt this way. This caused employment difficulties for Leon.

Leon contacted the bank to say he was in arrears because he was working for a start-up company and was not being paid. He said he phoned the bank about his hardship, but the bank said it could find no record of the call. Without any record, it said, it could not investigate his complaint.

The collection agency listed a default on Leon’s credit file.

Our investigation

We concluded the bank breached Leon’s privacy by sending mail to him at his employer without his permission, and he should be compensated for this. However, we could not compensate him for any employment consequences stemming from the breach of privacy, because he was meant to tell his employer about the arrears anyway.

We also concluded the bank had not tried to work with Leon to help him out of his financial hardship, which was contrary to the Responsible Lending Code. Equally, however, Leon had not tried to work with the bank.

We considered the collection costs were in line with industry standards. We also found that the default listing had been validly made, because the debt had been outstanding for more than 30 days and Leon had been notified about this.

We recommended the bank pay Leon $1,200 for breaching his privacy and failing to adhere to the Responsible Lending Code. We also recommended that Leon and the bank work together to reach a suitable repayment arrangement that would see his debt repaid within a reasonable time.


Leon accepted this offer.
