Enforceable Undertaking accepted by Australian Information Commissioner

The Australian Information Commissioner (Commissioner) has accepted an Enforceable Undertaking (EU) offered by Commonwealth Bank of Australia (CBA).

The EU underpins execution of further enhancements to the management and retention of customer personal information within CBA and certain of its subsidiaries.

The EU follows CBA’s ongoing work to address two incidents; one relating to the disposal of magnetic data tapes containing historical customer statements; and the other relating to internal user access to certain systems and applications containing customer personal information. CBA reported both incidents to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018 respectively and has since been working to address these incidents.

As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.

CBA’s commitments in the EU announced today include reviewing and implementing further enhancements to:

  • internal privacy policies, procedures and record retention standards;
  • internal user access controls on systems and applications that hold personal information; and
  • the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.

The EU provides CBA with 90 days to develop and submit to the OAIC a work plan, and timetable of work that CBA will complete to meet its obligations under the EU.

Commonwealth Bank Group Chief Risk Officer, Nigel Williams, said: “We have offered this EU as a demonstration of our continued commitment to appropriately managing the privacy of customer personal information, and addressing any concerns identified by the Commissioner.

“We continue to take action to address issues, earn trust and be a better bank for our customers. This includes proactively engaging with our regulators to ensure we continue to build better systems, processes and controls to manage the personal information of our customers.”

/Public Release. View in full here.