CBA to 'substantially' overhaul privacy under OAIC undertaking

The Office of the Australian Information Commissioner (OAIC) has accepted a court-enforceable undertaking from the Commonwealth Bank of Australia (CBA) in the wake of investigations into issues with the bank’s handling of customer data.

The smack on the nose for Australia's largest bank comes after the CBA referred itself to the privacy watchdog last year over a pair of issues including the 2016 loss of magnetic storage tapes containing historical statements for 20 million customers, and other inadequate internal access controls.

Last year, data access issues related to the sale of CBA’s Colonial Mutual Life Assurance Society (CMLA), where during the course of data segregation activities, it was found that 16 shared applications containing CMLA customer information may have been accessible to non-CMLA employees at the banking group.

As part of the undertaking, CBA now has 90 days to develop and submit to the OAIC a work plan and timetable of work to meet address its privacy obligations, including a review of its policies, procedures and data retention standards, while also providing staff training to ensure compliance.

“CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information,” the OAIC said.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the office’s inquiries into the issues, which also took into account a report from the Australian Prudential Regulation Authority, showed the bank had only been reactive in dealing with risk and compliance matters.

“The Australian community expects financial service providers, and indeed all organisations, to be proactive in protecting the personal information they hold,” Falk said.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”

Falk also took the chance to reiterate that all organisations regulated by the Privacy Act 1988 should be proactively managing their data holdings to protect personal information, such as by only granting access on a need-to-know-basis and securely destroying or de-identifying data when no longer needed.

CBA group chief risk officer, Nigel Williams, said in a statement the bank is continuing to address privacy issues by engaging with regulators like the OAIC to build better systems, processes and controls.

“We have offered this [enforceable undertaking] as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner,” he said.

The bank also said it has yet to find evidence of data being misused as a result of the incidents in 2016 and 2018, however, the magnetic tapes containing backup data from 2000 to early 2016 still haven’t been found or confirmed destroyed.