CBA pledges to improve privacy practices after security incidents

CBA pledges to improve privacy practices after security incidents

OAIC says Australians expects financial services to be proactive not reactive

The Commonwealth Bank of Australia (CBA) will "substantially" improve its privacy practices under a court-enforceable undertaking given to the Australian Information Commissioner and Privacy Commissioner (OAIC).

This follows two incidents CBA reported to the OAIC; one relating to the disposal of magnetic data tapes containing historical customer statements in May 2016; the other relating to internal user access to certain systems containing customer personal information reported in August 2018.

CBA stressed it has found no evidence to date that any of those incidents have resulted in the compromise of customers' data.

Australian information commissioner and privacy commissioner Angelene Falk said the inquiries took into account a report from the Australian Prudential Regulation Authority (APRA) which found CBA was reactive in dealing with risks and compliance matters.

"The Australian community expects financial services providers, and indeed all organisations, to be proactive in protecting the personal information they hold," Falk said.

"Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction. As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices."

As part of the court-enforceable undertaking, CBA has committed to review and implement further enhancements to internal privacy policies, procedures and record retention standards; internal user access controls on systems and applications that hold personal information; and the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.

CBA has 90 days to develop and submit to the OAIC a work plan and timetable of work for it to complete to meet its obligations.

"We have offered this EU [enforceable undertaking ] as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner," Commonwealth Bank Group chief risk officer Nigel Williams said.

"We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers."

Falk said that organisations should proactively manage their data holdings and that access must be limited to a need-to-know basis and the data must not be kept past its use-by date.

"This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised," Falk said.

"Organisations are also responsible for enforcing these measures when outsourcing to contracted service providers."

As previously reported, Falk said that some companies have failed to notify affected individuals od data breaches but that further regulatory action has been necessary, with Falk issuing a direction to compel notification where a failure to notify individuals had been uncovered.

A total of 1027 data breaches have been notified to the OAIC from February 2018 until May 2019. 

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.




Join key decision-makers within Environmental, Social, and Governance (ESG) that have the power to affect real change and drive sustainable practices. SustainTech will bridge the gap between ambition and tangible action, promoting strategies that attendees can use in their day-to-day operations within their business.

EDGE 2023

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.


ARN has celebrated gender diversity and recognised female excellence across the Australian tech channel since first launching WIICTA in 2012, acknowledging the achievements of a talented group of female front runners who have become influential figures across the local industry.

ARN Innovation Awards 2023

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

Show Comments