OAIC finds big four banks are handling consumer data with good privacy practices
November 22, 2021
An audit of Australia’s big four banks by the Office of the Australian Information Commissioner (OAIC) has found that they have been handling consumer data under the Consumer Data Right (CDR) in an open and transparent way and have demonstrated good privacy practices, with the audit identifying no areas of high privacy risk.
As part of the first CDR privacy assessment, the OAIC, which is a co-regulator of the CDR, examined ANZ, Commonwealth Bank, National Australia Bank, and Westpac as they were initial CDR data holders.
Each bank was evaluated according to its compliance with privacy safeguard 1, which requires providers to have a CDR policy describing how they manage consumer data, and to implement internal practices, procedures, and systems to ensure compliance.
There are 13 legally binding privacy safeguards under the CDR that set out consumers’ privacy rights and providers’ obligations when collecting and handling their data. Privacy safeguard 1 is, as the OAIC puts it, the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.
“Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.
According to the assessment, all banks have good privacy practices in place, as they each developed a CDR policy that outlined how they managed CDR data and their consumer complaint handling process.
It also found the banks were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.
“All banks had appointed senior staff responsible for strategic leadership of the CDR regime and officers responsible for day-to-day management of CDR data,” the OAIC audit said.
“Three banks demonstrated good privacy practice in limiting access to CDR systems and data to staff with an operational requirement to have access.
“The banks generally demonstrated good practice by setting practices, procedures and systems to review their CDR policies on a scheduled basis, as well as following legislative and operational changes. They used existing document control frameworks and specific staff were responsible for reviewing their CDR policy.”
At the same time, the audit uncovered areas for improvement. For each bank, the OAIC identified at least one medium privacy risk. One bank had four medium privacy risks, two banks had three, and one bank had one. The majority of medium privacy risks were related to the way the banks have implemented internal practices, procedures, and systems to ensure compliance with their CDR obligations.
Off the back of these findings, the OAIC recommended what each bank could do to address the medium privacy risks, such as developing internal practices, procedures, and systems that…