Court-enforceable undertaking to drive better privacy practices at Commonwealth Bank

27 June 2019
Tags: media release

The Commonwealth Bank of Australia (CBA) will be required to substantially improve its privacy practices under a court-enforceable undertaking given to the Australian Information Commissioner and Privacy Commissioner.

The binding commitment follows inquiries by the Office of the Australian Information Commissioner (OAIC) into CBA’s handling of personal information in relation to two data incidents:

  • the loss of magnetic storage tapes containing historical customer statements for up to 20 million bank customers by a third-party provider to CBA in May 2016
  • inadequate internal access controls to customer data reported to the OAIC in August 2018.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the inquiries took into account a report from the Australian Prudential Regulation Authority (APRA) which found CBA was reactive in dealing with risks and compliance matters.

“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Commissioner Falk said.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.

“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”

Commissioner Falk said all organisations regulated under the Privacy Act 1988 should proactively manage their data holdings to protect people’s personal information.

“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” she said.

“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised.

“Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers.”

The enforceable undertaking requires CBA to review its privacy policies, procedures and retention standards, and provide staff training to ensure compliance. CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.

The undertaking will be overseen by an independent external reviewer, who will consult with and report to the OAIC on CBA’s compliance. The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking.

The enforceable undertaking is part of the OAIC’s ongoing work in regulating data handling practices in the financial services sector, including compliance with the Notifiable Data Breaches scheme.

Media contact: Zoe Allebone, 0407 663 968, media@oaic.gov.au

Background

An enforceable undertaking is a legally enforceable agreement between the Commissioner and an organisation or agency that creates a binding commitment to take steps to ensure privacy compliance.

2016 data loss incident

In May 2016, a third-party provider to CBA lost two magnetic storage tapes while they were being transported for destruction. The tapes primarily contained customer statements for the period from 31 May 2000 to 19 January 2016, belonging to approximately 20 million bank customers.

At the time, CBA voluntarily notified the OAIC of the data loss, and the OAIC undertook inquiries to ensure that CBA had measures in place to monitor for any unauthorised access and to prevent a recurrence. The tapes could not be found, and an independent report commissioned by CBA concluded that the most likely scenario was that they had been disposed of.

In May 2018, the OAIC made further inquiries with CBA to establish whether it had improved its practices to ensure adequate protection of customers’ personal information. The OAIC took into account the release of a report by the Australian Prudential Regulation Authority which raised concerns with CBA’s management of non-financial risks.

These additional inquiries by the OAIC indicated that CBA was not clearly identifying retention periods for its personal information holdings across CBA banking services, and lacked sufficient systems and procedures to destroy or de-identify personal information once no longer needed and to ensure compliance by its contractors.

2018 data access issue

In August 2018, CBA voluntarily notified the OAIC that, during the course of data segregation activities for the sale of its insurance entity Colonial Mutual Life Assurance Society Ltd (CMLA), it had identified 16 shared applications containing CMLA customer information which may have been accessible to non-CMLA employees of the Bank.

In response to the OAIC’s inquiries, CBA advised the OAIC of remedial action it was taking to segregate the CMLA customer information within the 16 applications and implement appropriate access controls. CBA confirmed it has an ongoing investigation overseen by an independent expert to determine whether any personal information was subject to unauthorised access. To date, no evidence of unauthorised access has been reported.

The OAIC identified concerns that CBA did not have sufficient controls to review, log and monitor access to personal information across all areas of its business.