CBA enforceable undertaking on data control

The Office of the Australian Information Commissioner (OAIC) has announced that the Commonwealth Bank of Australia (CBA) will be required to substantially improve its privacy practices under a court-enforceable undertaking given to the Australian Information Commissioner and Privacy Commissioner.

The enforceable undertaking follows inquiries by the OAIC into CBA’s handling of personal information in relation to two data incidents:

  • the loss, in May 2016, of magnetic storage tapes containing historical customer statements for up to 20 million bank customers by a third-party provider to CBA;
  • inadequate internal access controls to customer data, reported to the OAIC in August 2018, related to the sale of CBA’s insurance entity Colonial Mutual Life Assurance Society Ltd (CMLA): CBA identified 16 shared applications containing CMLA customer information that may have been accessible to non-CMLA employees of the Bank.

The enforceable undertaking requires CBA to review its privacy policies, procedures and retention standards, and provide staff training to ensure compliance. CBA must also assess its IT services and systems to make sure it takes appropriate steps to control access to customers’ personal information.

The undertaking will be overseen by an independent external reviewer, who will consult with and report to the OAIC on CBA’s compliance.

The OAIC may take court action at any stage if CBA does not fully comply with the terms of the undertaking.

