The Commonwealth Bank of Australia (CBA) will "substantially" improve its privacy practices under a court-enforceable undertaking given to the Australian Information Commissioner and Privacy Commissioner (OAIC).
This follows two incidents CBA reported to the OAIC; one relating to the disposal of magnetic data tapes containing historical customer statements in May 2016; the other relating to internal user access to certain systems containing customer personal information reported in August 2018.
CBA stressed it has found no evidence to date that any of those incidents have resulted in the compromise of customers' data.
Australian information commissioner and privacy commissioner Angelene Falk said the inquiries took into account a report from the Australian Prudential Regulation Authority (APRA) which found CBA was reactive in dealing with risks and compliance matters.
"The Australian community expects financial services providers, and indeed all organisations, to be proactive in protecting the personal information they hold," Falk said.
"Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices."
As part of the court-enforceable undertaking, CBA has committed to review and implement further enhancements to internal privacy policies, procedures and record retention standards; internal user access controls on systems and applications that hold personal information; and the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.
CBA has 90 days to develop and submit to the OAIC a work plan and timetable of work for it to complete to meet its obligations.
"We have offered this EU [enforceable undertaking ] as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner," Commonwealth Bank Group chief risk officer Nigel Williams said.
"We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers."
Falk said that organisations should proactively manage their data holdings and that access must be limited to a need-to-know basis and the data must not be kept past its use-by date.
"This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised," Falk said.
"Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers."
As previously reported, Falk said that some companies have failed to notify affected individuals od data breaches but that further regulatory action has been necessary, with Falk issuing a direction to compel notification where a failure to notify individuals had been uncovered.
A total of 1027 data breaches have been notified to the OAIC from February 2018 until May 2019.
