The undertaking follows Commonwealth Bank’s ongoing work to address two separate incidents, one relating to the disposal of data tapes containing customer statements and the other relating to inadequate internal access controls to consumer data.
The incidents were reported at the time to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018, and the bank has been working to address them since.
OAIC commissioner Angelene Falk said the inquiries into CBA considered an APRA report, which found the bank was reactive in dealing with risk matters.
“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.
“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”
The incident with the tapes was particularly embarrassing for the bank as they admitted to losing track of magnetic tapes, which contained the details of 20 million customers.
CBA announced at the time of the incidents that customers’ personal information had not been comprised and has said in an ASX release that this continues to be the case.
In its undertaking, CBA has committed to review and implement further enhancements in relation to its internal privacy policies and procedures, internal user access controls on systems that hold personal information and privacy risk management, and monitor processes as they apply to service providers.
CBA now has 90 days to develop and submit to the OAIC a work plan and a timetable in which it will meet its obligations that are enforceable in court.
Chief risk officer at CBA Nigel Williams said the bank offered the enforceable undertaking as a demonstration of its commitment to appropriately managing the privacy of customers.
“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers,” he said.
The undertaking will be overseen by an independent external reviewer who will consult and report to the OAIC on the bank’s compliance.
Ms Falk said it was a warning to all organisations regulated under the Privacy Act that they needed to proactively manage their data holdings.
“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised.”
