Privacy Act audit

Posted By: rexinaudit

Privacy Act audit - 08/27/02 06:47 PM

Has anyone found that their bank's annual Privacy Act mailing was not sent to all customers?

In our bank's recent mass mailing of the annual Privacy Notices, the customer relationship management software was used to produce one mailing address per "household". This caused a problem in that we have some households [persons with same mailing address] with multiple adults who have separate accounts. Only one Privacy Notice was mailed to just one of the persons in these households. We discovered this during the Privacy Audit.

What is the proper corrective action? Should we send more Privacy Notices to account holders missed in the first mailing?

Or, should we merely correct the procedures to be used next year to prevent a repeat problem?
Posted By: Anonymous

Re: Privacy Act audit - 08/27/02 08:43 PM

In my opinion, you still have the "twelve consecutive month" period to mail your privacy policy for 2002, so you still have time in which to do so. If it easily ascertained who was missed in the mailing, I would correct it this year. As my experience as an auditor and compliance officer, you don't want technical violations in your workpapers where the examiners can see that you were made aware of the problem and did not fix it. (especially since you still have the time). And then of course, next year you would be able to adjust your automated system accordingly.
Posted By: Maria

Re: Privacy Act audit - 08/28/02 05:27 PM

I have not had your situation happen to me since I request report copies of the customer mailing list used which is to be pulled by name not address. I would think your bank was very pleased that you found it especially in the year that it occurred. If it were me, I would send out the notices asap to all that did not originally receive it and keep excellant documentation to reflect the correction. I would also have documented procedures to reflect that it would not happen again. I would think that an examiner would be less "hard" if they saw it corrected and procedures to keep it from happening again. And I am sure your bank is not the first, and won't be the last to accidently make the mistake.

Opinions are mine not my employer.
Posted By: Ted Dreyer

Re: Privacy Act audit - 09/05/02 03:53 PM

I agree with Anonymous above. There is no requirement that your annual privacy notices be sent out all at once. You only have to send one out in each 12 consecutive month period. Depending on what 12 month period your institution selected you may still be in the allowable time frame for this year's notices.