Australian Information Commissioner accepts enforceable undertaking offered by CBA
The enforceable undertaking concerns two incidents: one relating to the disposal of magnetic data tapes containing historical customer statements; and the other relating to internal user access to certain systems and applications containing customer personal information.
The Australian Information Commissioner has accepted an Enforceable Undertaking (EU) offered by Commonwealth Bank of Australia (CBA), the bank has announced.
The EU follows CBA’s ongoing work to address two incidents. The first relates to the disposal of magnetic data tapes containing historical customer statements. The second relates to internal user access to certain systems and applications containing customer personal information. CBA reported the incidents to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018 respectively and has since been working to address them.
CBA notes that it has found no evidence to date that, as a result of these incidents, its customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties. There is no action required from CBA’s customers as a result of the EU.
CBA’s commitments in the EU announced today include reviewing and implementing further enhancements to:
- internal privacy policies, procedures and record retention standards;
- internal user access controls on systems and applications that hold personal information; and
- the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.
The EU provides CBA with 90 days to develop and submit to the OAIC a work plan and a timetable of the work that CBA will complete to meet its obligations under the EU.
Commonwealth Bank Group Chief Risk Officer, Nigel Williams, said: “We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner.
“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”