OAIC finds big four banks are handling consumer data with good privacy practices

The OAIC's first CDR privacy assessment has found that, while there is still room for improvement, the big four banks have been fairly compliant with the privacy safeguard set out under Australia's CDR.
Written by Aimee Chanthadavong, Contributor

An audit of Australia's big four banks by the Office of the Australian Information Commissioner (OAIC) has found that they have been handling consumer data under the Consumer Data Right (CDR) in an open and transparent way, and have demonstrated good privacy practices, with the audit identifying no areas of high privacy risk.

As part of the first CDR privacy assessment, the OAIC, which is a co-regulator of the CDR, examined ANZ, Commonwealth Bank, National Australia Bank, and Westpac as they were initial CDR data holders.

Each bank was evaluated on its compliance with privacy safeguard 1, which requires providers to have a CDR policy describing how they manage consumer data and to implement internal practices, procedures, and systems to ensure compliance.

There are 13 legally binding privacy safeguards under the CDR that set out consumers' privacy rights and providers' obligations when collecting and handling their data. Privacy safeguard 1 is considered, as the OAIC puts it, the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.

"Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard," Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

According to the assessment, all banks have good privacy practices in place, as they each developed a CDR policy that outlined how they managed CDR data and their consumer complaint handling process.

It also found the banks were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.

"All banks had appointed senior staff responsible for strategic leadership of the CDR regime and officers responsible for day-to-day management of CDR data," the OAIC audit said.

"Three banks demonstrated good privacy practice in limiting access to CDR systems and data to staff with an operational requirement to have access.

"The banks generally demonstrated good practice by setting practices, procedures and systems to review their CDR policies on a scheduled basis, as well as following legislative and operational changes. They used existing document control frameworks and specific staff were responsible for reviewing their CDR policy."

At the same time, the audit uncovered areas for improvement. For each bank, the OAIC identified at least one medium privacy risk. One bank had four medium privacy risks, two banks had three, and one bank had one. The majority of medium privacy risks were related to the way the banks have implemented internal practices, procedures, and systems to ensure compliance with their CDR obligations.

Off the back of these findings, the OAIC recommended what each bank could do to address the medium privacy risks, such as developing internal practices, procedures, and systems that specifically address compliance with privacy safeguards that diverge from, or are additional obligations to, the Australian Privacy Principles. All banks accepted the OAIC's recommendations.

"Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices, so that consumers can continue to use the Consumer Data Right with confidence," Falk said.

On finalising the assessment, the OAIC wrote to the banks outlining its expectation that they respond with a plan for implementing the recommendations. The OAIC will revisit each bank in six months to ensure all the recommendations are fully implemented.

"The Consumer Data Right has a strong regulatory framework to protect consumers' privacy and build confidence in the system," Falk said.

"We are proactively auditing and monitoring providers in the system to ensure these strict privacy safeguards are being upheld, so that consumers can feel confident their data is protected."

Australia's CDR was officially launched on July 1, with the first tranche, an open-banking regime, requiring financial services providers to share customers' data when requested by the customer.

Under CDR, individual customers of the big four banks can request their bank share their "live" data for deposit and transaction accounts and credit and debit cards with accredited data recipients.

Earlier this month, amendments to the CDR were made so it could be expanded to the energy sector.

Under the amendments, from October 2022, energy product information will be shared so consumers can better compare energy plans, and from November 2022, energy consumers will be able to give consent to share their data about their own energy use and connection with a comparison service or fintech app.

"With increased consumer mobility, energy retailers will be encouraged to improve tailoring of services and create better consumer experiences to retain their customers. I'm excited to see this expansion of the CDR across the economy, with telecommunications as the next sector under consideration," Minister for Superannuation, Financial Services and the Digital Economy Jane Hume said.
