CBA to review privacy under OAIC undertaking

Commonwealth Bank has committed to overhauling its privacy policies and procedures under an enforceable undertaking it has entered into with the Australian Information Commissioner.

The Commonwealth Bank of Australia (CBA) has entered into an enforceable undertaking (EU) with the Office of the Australian Information Commissioner (OAIC), under which it will review and “enhance” internal privacy policies, procedures and record retention standards. 

CBA had referred itself to the privacy watchdog last year due to two data mishandling incidents in 2016 and 2018, one involving the loss of magnetic data tapes containing historical statements of 20 million customers, and the other relating to poor internal user access controls to systems containing personal information about life insurance customers. 

“As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties,” the major bank stated.

CBA has 90 days to develop and submit to the OAIC a work plan and a timetable of work that it will complete to meet its obligations under the enforceable undertaking.


These obligations include conducting a review of and improving CBA’s:

  • Privacy policies, procedures, and record retention standards
  • Privacy impact assessment process
  • Internal user access controls on systems and applications that hold personal information
  • Privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries

Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, said the office’s inquiries, which took into account APRA’s final report of the Prudential Enquiry into Commonwealth Bank of Australia, showed that the big four bank had taken a reactive approach to risk management and compliance matters.

“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Ms Falk said.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. 

“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”


Commenting on the EU, Commonwealth Bank’s group chief risk officer, Nigel Williams, said: “We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the commissioner.

“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”

Tas Bindi

Tas Bindi is the features editor on the mortgage titles and writes about the mortgage industry, macroeconomics, fintech, financial regulation, and market trends.  

Prior to joining Momentum Media, Tas wrote for business and technology titles such as ZDNet, TechRepublic, Startup Daily, and Dynamic Business. 
