Information Commissioner rebukes CBA in wake of data loss incidents


The Commonwealth Bank of Australia (CBA) will revamp its data management, retention policies, procedures and controls under a court-enforceable undertaking signed in the wake of two privacy incidents which placed nearly 20 million customer records at risk of exposure.

CBA’s pledge follows inquiries by the Office of the Australian Information Commissioner (OAIC) into the bank’s privacy practices which covered the disappearance of magnetic tapes holding nearly 20 million customer records in 2016, and another incident in 2018 involving unauthorised staff access to systems containing life insurance customers’ private data.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction,” said Angelene Falk, the OAIC and Privacy Commissioner.

In its investigations, the OAIC also factored in a report by APRA which noted CBA’s “reactive” approach in managing risks and compliance issues, which was condemned by Falk as failing to meet community expectations and requirements under the Privacy Act 1988.

“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” Falk said.

CBA, Australia’s largest bank by assets, claims it has yet to find evidence suggesting customers’ personal information has been compromised or wrongfully accessed following the two incidents.

Nevertheless, data protection remains a priority for CBA, according to its Group Chief Risk Officer Nigel Williams, who in a statement said the bank’s voluntary undertaking demonstrates its commitment to upholding customers’ privacy.

“We continue to take action to address issues, earn trust and be a better bank for our customers,” Williams said.

“This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”

An independent external reviewer will oversee CBA’s binding commitment and ensure future compliance, with input from the OAIC – who may step in at any time the bank is found not fully compliant with the terms of its undertaking.

“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed,” Commissioner Falk warned, stressing that similar standards must be enforced when outsourcing to external service providers as well.

CBA has 90 days to present a roadmap to the OAIC to meet its contractual obligations. The roadmap should include reviewing policies, procedures, and retention standards, as well as a facility to train staff in enforcing compliance and a process to audit technology systems to safeguard appropriate data access.

The bank’s binding pledge aligns with the OAIC’s manifesto to regulate data handling practices within the financial services industry, which includes enforcing the Notifiable Data Breach (NDB) scheme, implemented last February, which compels organisations to alert the Privacy Commissioner and relevant stakeholders within 30 days of an identified breach.

In the year up to March 2019, the OAIC saw a cumulative 964 data breach notifications – a staggering nine-fold increase in notifications received in the 2016-2017 financial year.