OAIC commends big four for CDR data handling practices


Australia’s big four banks (CBA, Westpac, ANZ, and NAB) have all received passing grades from the Office of the Australian Information Commissioner (OAIC) for their data handling practices under the Consumer Data Right (CDR) regime, following a recent audit.

“Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” said OAIC Commissioner Angelene Falk in a statement.

Further, the OAIC said the big four were handling CDR data “in an open and transparent way with good privacy practices in place”. The privacy regulator also said it found no areas of “high privacy risks”.

The OAIC’s first privacy assessment examined how the initial CDR data holders are complying with Privacy Safeguard 1, which requires providers to have a policy describing how they manage consumer data, as well as to implement internal practices, procedures and systems to ensure compliance.

However, the big four’s privacy records were not without blemish.

For each bank, the OAIC identified at least one medium privacy risk, with one bank alone found to have had four medium privacy risks.

The OAIC notes that ‘medium risks’, which sit in the middle of its three risk categories, “are those that would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation”.

The majority of the medium privacy risks identified by the OAIC related to deficiencies in the banks’ CDR complaints policies, as well as a lack of detail for consumers on their privacy rights – both requirements for compliance with the prescribed CDR rules.

In one instance, one bank (all of which were anonymised in the audit) was found not to have fully addressed three of the nine information requirements under Rule 7.2(6), which relate to participants’ internal dispute resolution processes. The rule requires accredited CDR participants to clearly indicate where, how and when a CDR consumer complaint can be made, as well as the options for consumer redress.

Nevertheless, the OAIC overall praised the banks’ efforts to “establish and promote a culture that respects privacy and good information handling practices when managing CDR data.”

It noted that all audited banks had appointed dedicated senior staff responsible for strategic leadership of the CDR regime as well as officers responsible for day-to-day management of CDR data.

It also singled out three of the four banks for demonstrating “good privacy practice” by “limiting access to CDR systems and data to staff with an operational requirement to have access”.

CDR scheme participants are bound by 13 legally binding privacy safeguards setting out consumers’ privacy rights and the obligations on providers collecting and handling their data.

In addition to the open and transparent management of data as part of the initial audit, they also include a consumer’s right to anonymity and pseudonymity, as well as the requirement for accredited businesses to notify consumers, “through [their own] consumer dashboard”, when the data of a consumer is collected.

The OAIC, as co-regulator of the CDR scheme, is tasked with “proactively assessing privacy practices to ensure providers are meeting their obligations” (a point, the OAIC said, that should also be made clear to consumers by CDR participants).

Falk stressed that the assessment program is an important part of the privacy framework for the Consumer Data Right.

“The Consumer Data Right has a strong regulatory framework to protect consumers’ privacy and build confidence in the system.

“We are proactively auditing and monitoring providers in the system to ensure these strict privacy safeguards are being upheld, so that consumers can feel confident their data is protected.”

The OAIC has outlined its expectation that the banks address all identified risks, and said it would confirm implementation after six months.