CBA to review privacy under OAIC undertaking

The Commonwealth Bank of Australia (CBA) has entered into an enforceable undertaking (EU) with the Office of the Australian Information Commissioner (OAIC), under which it will review and “enhance” internal privacy policies, procedures and record retention standards. 

CBA had referred itself to the privacy watchdog last year due to two data mishandling incidents in 2016 and 2018, one involving the loss of magnetic data tapes containing historical statements of 20 million customers, and the other relating to poor internal user access controls to systems containing personal information about life insurance customers. 

“As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties,” the major bank stated.

CBA has 90 days to develop and submit to the OAIC a work plan and a timetable of work that it will complete to meet its obligations under the enforceable undertaking.

These obligations include conducting a review of and improving CBA’s:

• Privacy policies, procedures, and record retention standards
• Privacy impact assessment process
• Internal user access controls on systems and applications that hold personal information
• Privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries

Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, said the office’s inquiries, which took into account APRA’s final report of the Prudential Enquiry into Commonwealth Bank of Australia, showed that the big four bank had taken a reactive approach to risk management and compliance matters.

“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Ms Falk said.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. 

“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”

Commenting on the EU, Commonwealth Bank’s group chief risk officer, Nigel Williams, said: “We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the commissioner.

“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”

[Related: Reactive approach led to recurring misconduct: CBA]