Playing by the rules: Australia's banks and the privacy reforms

A closer look into how Australia's biggest banks have made changes to their privacy policies to ensure they are compliant with the latest reforms.
Written by Aimee Chanthadavong, Contributor

Now that the reforms of the Privacy Act have come into effect, Australia's big four banks have been forced to provide full disclosure on what information they are collecting about their customers, how it is collected, and how it is being used.

Aside from the usual identity data and contact details, other common personal details the banks are collecting about their customers include gender, marital status, and financial information, such as tax file number.

Commonwealth Bank noted in its privacy policy that online and mobile applications are giving it the ability to also collect location- or activity-based information about its customers. This includes IP address, telephone number, and whether a user has access to third-party sites. It admits that it is sometimes collecting web-based information through cookies.

Also, where applicable, such as for insurance purposes, health information is being collected by all the banks, too.

"We collect information about you from others, such as service providers, agents, advisers, brokers, employers, or family members," CBA wrote in its privacy policy.

"For example, if you apply for credit, we may need to obtain a credit report from a credit reporting body. If you apply for life or income protection insurance, we may collect medical and lifestyle information from you or your health professionals."

Similarly, National Australia Bank said it collects "other information" it deems "necessary".

"Sometimes, we need to collect sensitive information about you, for instance in relation to some insurance applications. This could include things like medical checks, medical consultation reports, or other information about your health," said NAB, which is only able to collect sensitive information about individuals with their consent as part of the new reforms.

The banks are also taking advantage of publicly available information about individuals, for example from public registers, social media, or any information made available by third parties.

Westpac and St George, which have the same privacy policy, define personal information as "any information or opinion, about an identified individual or an individual who can be reasonably identified from their information". They also note that the Privacy Act restricts their collection of sensitive information about an individual's religion, racial or ethnic origin, political opinions, criminal record, and sexual orientation.

"Generally, we only collect this sort of information if it is necessary to provide you with a specific product or service and you have consented to that collection," Westpac said.

"For example, we may collect health information about you to process a claim under an insurance policy or collect voice biometric information to verify your identity or authorise transactions."

The explanations given by the big four in their privacy policies to help customers understand why they need the above information are relatively similar. They each claim that the information enables them to personally assess and identify suitable products and services for individuals, which will help improve their relationship with their customers, as well as the customers' banking experience.

Both Westpac and St George suggest that if individuals restrict access to the information the banks request, then the banks "may not be able to deliver all of those services effectively".

At the same time, the banks justify their information collection for the purpose of managing and using the information to investigate any potential fraud activities, comply with legal obligations as banks, and assist government and law enforcement agencies or regulators.

While the amendments have been designed to give greater rights to individuals, there are some eyebrow raisers as to how the banks have interpreted this.

For example, customers now have the right to request access to their personal information from organisations. Commonwealth Bank customers can obtain access to "basic information" by visiting a branch, going online, or calling the bank, which often will not incur a fee. In some cases, however, the bank may charge an access fee, depending on the time that is spent on "locating, compiling, and explaining the information" that is requested.

"Generally, the access charge is based on an hourly rate plus any photocopying costs or other out-of-pocket expenses. You'll need to make the payment before we start, unless you've authorised us to debit your account," Commonwealth Bank outlines in its policy.

Additionally, individuals now have the opportunity to opt out of receiving direct marketing communications as part of the privacy reforms. In accordance with this, NAB, for instance, said it will process an individual's request to opt out of its direct marketing, but will do so "as soon as practicable".
