Improve privacy practices or else, OAIC warns CBA
- 27 June, 2019 11:01
The Commonwealth Bank of Australia (CBA) will be required to review its privacy and data retention policies under threat of court action from the Australian Information Commissioner and Privacy Commissioner.
The binding commitment – known as a court-enforceable undertaking – follows inquiries by the Office of the Australian Information Commissioner (OAIC) into two major data breaches by the bank.
Last year, CBA confirmed a May 2016 incident – first reported by Buzzfeed – in which a third-party provider lost magnetic storage tapes containing historical customer statements for up to 20 million bank customers. The tapes included customer names, addresses, account numbers and transaction details from 2000 to early 2016.
In August last year, an OAIC inquiry uncovered inadequate internal access controls to customer data.
The enforceable undertaking requires CBA to review privacy policies, procedures and retention standards, and provide staff training to ensure compliance. CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.
An independent external reviewer will oversee CBA’s handling of the undertaking and report to the OAIC on compliance.
“The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking,” the office said today.
After the 2016 incident was revealed, CBA said there was “no evidence of customer information being compromised or suspicious activity” as a result. It had voluntarily notified the OAIC of the data loss.
In May last year, the OAIC checked whether the bank had improved its data protection practices following the release of a report by the Australian Prudential Regulation Authority (APRA) that raised concerns about CBA’s management of non-financial risks.
The APRA report concluded that “CBA’s continued financial success dulled the senses of the institution” to such risks.
In August, CBA voluntarily notified the OAIC that, during data segregation activities for the sale of its insurance entity Colonial Mutual Life Assurance Society (CMLA), it had identified 16 shared applications containing CMLA customer information that may have been accessible to non-CMLA employees of the bank.
The OAIC again investigated, and raised concerns that CBA did not have sufficient controls to log and monitor access to personal information across all areas of its business.
“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Australian Information and Privacy Commissioner Angelene Falk said in a statement this morning.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices,” she added.
CBA has 90 days to develop and submit a plan and timetable of the work it needs to complete to meet its obligations in the enforceable undertaking.
“We have offered this enforceable undertaking as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner,” said Commonwealth Bank group chief risk officer, Nigel Williams.
“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers,” he added.
Falk said the enforceable undertaking “should send a sharp reminder” to all organisations regulated under the Privacy Act 1988 to proactively manage their data holdings.
“Failing to do so can increase the risk that personal information will be compromised. Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers,” she said.