09 February 2004
The duty of confidentiality, which applies to banks, also applies to non-bank financial institutions. When considering the scope of the duty of confidentiality, it is important for non-bank financial institutions to also take into account the provisions of the Commonwealth Privacy Act 1988 and any relevant code of practice.
In Tournier v National Provincial and Union Bank of England  1 KB 461, the English Court of Appeal held that, subject to certain exceptions, it is an implied term of the contract between a banker and a customer that the banker will not disclose personal details of the customer's account. The existence of this duty of confidentiality has been recognised by Australian courts.
But are non-bank financial institutions (such as credit unions and building societies) bound by this duty? In Bodnar v Townsend  TASSC 148, the Supreme Court of Tasmania had to answer this question.
Ms Townsend was charged with knowingly obtaining a number of payments in breach of the Commonwealth Social Security (Administration) Act 1999. The payments were made electronically to her account with the Island State Credit Union. At her trial before a magistrate, the prosecutor called an officer of the credit union as a witness. The prosecutor sought to tender account statements that the officer had voluntarily brought to court. As the credit union had not been compelled to produce the statements (by, for example, the issuing of a subpoena), the magistrate refused to allow them to be admitted as evidence. The Commonwealth Director of Public Prosecutions applied to the Supreme Court for a review of this and other rulings made by the magistrate.
Before the Supreme Court, Ms Townsend submitted that because a credit union owes its customers a similar duty of confidentiality as a bank owes its customers, the witness was obliged to refuse to produce the statements unless legally compelled to do so.
The duty does apply to credit unions
The court commented that there did not appear to be a reported case which had decided whether or not the duty of confidentiality applied to non-bank financial institutions. Justice Blow observed that the services provided by the credit union to Ms Townsend in this case seemed to have been very similar, if not identical, to the services routinely provided by Australian banks to their customers and continued:
"I see no reason for distinguishing Tournier from the facts of this case, nor for holding that it applies only to banks, and not other institutions providing similar services to members of the public. The reasons for a credit union to keep its information about its customers' affairs confidential are just as compelling as those that gave rise to a banker's duty of confidentiality as discussed in Tournier. Subject to any express term to the contrary, the contract between a credit union and its depositor/customer must include an implied term that the credit union will not divulge to third persons, without the consent of the customer express or implied, either the state of the customer's account, or any of the customer's transactions with the credit union, or any information relating to the customer acquired through the keeping of the account, unless the credit union is compelled to do so by legislation or an order of a court …
As Ms Townsend had not consented to the production of the statements and the credit union was not legally compelled to produce them, the credit union was obliged by its contract with Ms Townsend not to produce the statements.
Implications for non-bank financial institutions
In reaching its decision, the court does not appear to have considered the Credit Union Code of Practice. Island State Credit Union has adopted the Code and is bound by the Code's provisions. Clause 12.1 states:
"A Credit Union acknowledges that, in addition to its duties under legislation, it has a general duty of confidentiality towards a Member except in the following circumstances:
(i) where disclosure is compelled by law;
(ii) where there is a duty to the public to disclose;
(iii) where the interests of the Credit Union require disclosure; or
(iv) where disclosure is made with the express or implied consent of the Member."
Clause 2.2 of the Code makes the provisions of the Code part of the contract between the credit union and its member. Nevertheless, nothing turns on whether or not the Code was considered, because all clause 12.1 does is set out the rule in Tournier.
A review of the Credit Union Code of Practice is currently taking place and consideration is being given to the desirability of a single code of practice for credit unions, banks and building societies.
Privacy and confidentiality issues are dealt with in clause 11 of the Building Society Code of Practice. Clause 11.1 states that in addition to a building society's duties under legislation such as the Privacy Act 1988, a building society and its staff will take reasonable steps to maintain the confidentiality of a customer's account details. In circumstances where, among other things, a customer has impliedly or expressly consented to the disclosure of account details, or if the building society is compelled or authorised under law to disclose account details, the Building Society will be entitled to disclose them. Clause 11.2 specifically permits the disclosure of customer information to a related body corporate of a building society. Clause 2.2 of the Code incorporates the provisions of the Code into the contract between building society and customer. Accordingly, when the Code applies, the provisions of clause 11 are incorporated into the contract between building society and customer, in place of the rule in Tournier.
The Credit Union Code of Practice and the Building Society Code of Practice apply only when the member or customer receiving the product or service is an individual or individuals. As a result, in the absence of an express term in the contract between (for example) a business customer and a credit union or building society, the duty of confidentiality set out in Tournier continues to apply.
The Commonwealth Privacy Act 1988 may limit the disclosure of personal information by non-bank financial institutions. The relevant information privacy principle provides:
"A record-keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless:
(b) the individual concerned has consented to the disclosure;
(d) the disclosure is required or authorised by or under law; or
(e) the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue."
Clause 12.2 of the Credit Union Code of Practice states that a credit union will comply with the National Privacy Principles in the Privacy Act and that a credit union that is exempt from the Act because it is a small business will, pursuant to section 6EA, notify the Privacy Commissioner that it has elected to be treated as an organisation to which the Act applies.
In summary, Bodnar v Townsend is significant because it may be the first time that an Australian court has decided that the rule in Tournier extends to non-bank financial institutions. But when considering the scope of the duty of confidentiality, it is important for non-bank financial institutions to also take into account the provisions of the Commonwealth Privacy Act 1988 and any applicable code of practice.
Perhaps the final word should go to Lord Justice Scrutton, a member of the Court of Appeal in Tournier, who put forward an interesting explanation for the lack of previous decisions by the courts regarding the duty of confidentiality. Scrutton observed "It is curious that there is so little authority as to the duty to keep customers' or clients' affairs secret … The absence of authority appears to be greatly to the credit of English professional men, who have given so little excuse for its discussion."