The Commonwealth Bank is in hot water with the privacy regulator after one of its external mortgage salesmen monitored a sacked employee’s customer accounts during her unfair dismissal case before the Fair Work Commission.
The Commonwealth Bank has been fined $10,000 and forced to admit it handed Privacy Commissioner Timothy Pilgrim incomplete access logs during his investigation into the alleged abuse of the bank’s CommSee single client view database.
It has blamed the incomplete logs on “an administrative error” that caused some parts of the access report to be “inadvertently missed”.
The external mortgage agency being investigated by Pilgrim was licensed to sell CBA home loans on the bank’s behalf under its ‘Mortgage Innovator’ channel, giving the team access to the CommSee single client view system.
The agency became embroiled in an unfair dismissal case before the FWC in 2011, after one of its staff members - who was also an ongoing CBA customer - was sacked.
Pilgrim castigated the bank for continuing to give the boss of the mortgage agency full access to his former employee’s personal account details in CommSee, even after he notified head office of the potential conflict of interest, and asked for her loans to be taken off his mortgage book.
“It is apparent that the principal continued to access the complainant’s CommSee profile for a further two months from that [notification],” Pilgrim said, with the file subsequently viewed on “numerous occasions” for periods of up to three hours at a time.
The bank has tried to justify the access.
It claims the mortgage salesman had a legitimate reason to look at his former worker’s files, contending he was chasing up “suspected unlawful activity” and “alleged fraud”, as well as ongoing management of unpaid debts in the mortgage agency’s books.
But Pilgrim knocked back the explanation, pointing to whole specialist divisions within CBA dedicated to investigating fraud, on top of the glaring conflict of interest.
“The principal of an external mortgage agency, with whom the complainant is currently involved in a FWC dispute, would not be an appropriate person to conduct such an investigation,” he wrote in his determination.
“Given the apparently acrimonious relationship between the principal and the complainant during the FWC proceedings ... I do not accept that the principal was properly accessing the complainant’s CommSee profile on each occasion during that time.”
However, Pilgrim also said there was no evidence to back the former employee’s claims that her old boss was using the information - and her financial hardship at the time - as leverage to secure a smaller settlement in the FWC.
“In my view it cannot be said that on a common sense approach, the principal’s access to the complainant’s CommSee profile caused her to receive a lesser settlement amount in the FWC proceedings,” he said.
A CBA spokesperson said the bank plans to “fully comply with our obligations” under the ruling.
“Security of our customers’ banking details is a top priority for Commonwealth Bank. We constantly review our policies and processes to ensure we are meeting the needs and expectations of our customers,” he told iTnews.
“We apologise for failing to meet our privacy responsibilities in this instance. Where we have done wrong, we will always work to make it right.”
CBA will now need to cough up $10,000 and issue a formal apology to the former mortgage agency worker within six weeks.
It will also need to report back to Pilgrim within six months to show how it has tightened up its information handling procedures in response to the case.