The OAIC engages in more in-depth investigations and stronger exercise of its power
By Cameron Abbott, Rob Pulham and Jacqueline Patishman
Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.
As a quick summary of the incidents, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes were securely disposed of after the scheduled destruction by a supplier.
The second incident, which was reported to the OAIC in August 2018, was caused by inadequate internal access controls to customer data. Subsequently, the OAIC investigated further and ultimately took action against the CBA.
As part of the enforceable undertaking that was given, CBA will have to review all its IT services and systems and ensure it is taking the necessary steps to protect customers’ personal information. This will also include a review of its privacy policy, retention standards and procedures, and the provision of training to its staff to ensure compliance.
An external and independent reviewer will be appointed to oversee the completion of the undertaking and will report back to the OAIC. The OAIC has the power to bring court action at any time if the CBA fails to comply with the terms of the undertaking.
The OAIC exercised its powers in this case as part of its role in ensuring compliance with the Notifiable Data Breaches Scheme and its regulatory oversight of data handling practices in the financial services sector.
Additionally, the OAIC has received a funding boost of $25.1 million over three years. Clearly, with this extra funding, the OAIC is engaging in more in-depth investigations into privacy practices, and we can expect to see similar outcomes in the future. Some organisations may need to “substantially improve” their privacy practices!