The Office of the Australian Information Commissioner (OAIC) has today published its summary report of the determination in the matter of ‘BAM’ and American Express Australia Limited. This follows a process of engagement with the parties regarding the decision and a determination regarding publication.
The Australian Privacy Commissioner Carly Kind found that American Express Australia Ltd (AMEX) interfered with the complainant’s privacy under the Privacy Act 1988 (Cth), by failing to take such steps as were reasonable in the circumstances to protect the complainant’s personal information from unauthorised access, in breach of Australian Privacy Principle (APP) 11.1, and must not repeat or continue such conduct.
These findings conclude a lengthy, detailed investigation and decision-making process, which explored the issue of insider security risk within a financial institution.
The outcome of this investigation confirms that insider security risk remains a significant, yet frequently overlooked, threat to organisations, and to the individuals whose personal information they are entrusted with.
The risk that employees may seek access to personal information on their employer’s systems for improper purposes, including financial fraud, domestic and family violence, or political, military or corporate espionage, is an unfortunate reality. The risk is heightened in sectors that store large volumes of personal information, such as the financial services sector. The OAIC’s investigation found that AMEX failed to adequately mitigate these risks.
Section 33C of the Privacy Act empowers the Privacy Commissioner to release information where doing so is in the public interest, and in this matter, the OAIC has published a summary report rather than the full determination.
During the investigation, both AMEX and the complainant provided the OAIC with sensitive information, over which they made separate confidentiality claims. The OAIC considers the disclosure of this information could cause harm to individuals, present a risk to AMEX’s cyber security, and undermine the OAIC’s investigation processes.
This approach, and the reasons for adopting it, was explained in correspondence to AMEX and the complainant.
Under the determination, for interference with the complainant’s privacy, American Express Australia Limited must:
- pay the complainant specified amounts for economic loss, for non-economic loss caused by the interference with the complainant’s privacy, and for reimbursement of expenses the complainant incurred making the complaint
- issue a written apology to the complainant, acknowledging its interference with the complainant’s privacy, signed by a representative of AMEX with sufficient seniority
- implement technical controls across the relevant systems, to enable AMEX to restrict its employees’ access to specific customer information, including to protect the personal information of vulnerable or high-profile customers
- implement account-level access logging and action logging across the relevant systems to the extent these are still in operation, to create time-stamped log entries when an employee accesses or takes action on a customer’s records.
This determination underscores the important role that ICT systems’ access controls play in ensuring that individuals’ personal information is protected from unauthorised access, and in particular access by employees of an entity.
It is therefore essential that entities which hold personal information, such as those in the financial sector, ensure sufficient controls are in place to protect personal information from the risk of unauthorised access by employees.
Download the OAIC’s Report of investigation into AMEX (PDF, 185 KB).
Background
- Statement regarding American Express investigation (17 October 2025)