Privacy and data security are among the foremost concerns for consumers and, with recent government moves to update and strengthen privacy laws, it is essential that financial institutions manage and protect customer information appropriately.

The Customer Owned Banking Code of Practice (the Code) requires subscribers to comply with the Privacy Act 1988 and the Australian Privacy Principles. With the increasing importance and complexity of these issues, compliance in these areas is critical.

Poor privacy compliance by customer owned banking institutions led the independent Customer Owned Banking Code Compliance Committee (the Committee), which monitors the Code, to hold an Own Motion Inquiry (OMI) in 2018. This resulted in the creation of a comprehensive privacy compliance checklist and a list of recommendations aimed at improving privacy and data security. A rise in reported privacy-related Code breaches since then prompted the Committee to conduct a follow-up inquiry to determine how subscribers manage privacy and whether they had implemented the OMI recommendations or checklist.

A copy of the follow-up inquiry can be downloaded here.

The Committee collected information from 62 institutions via the 2019 Annual Compliance Statement program and held telephone conferences with 20 subscribers.

The matters considered by the inquiry included privacy policies; staff access to data; document storage and destruction; and privacy and data breaches. Code subscribers were asked to consider how they embed compliance with the privacy obligations in the Code into their risk frameworks; how they review their organisation’s compliance with data and security policies; and how they protect privacy in third-party arrangements.

Analysis of the data enabled the Committee to identify problem areas and, through a series of specific findings made throughout the report, to help Code subscribers improve privacy compliance.

The information gathered revealed examples of good practice and dedication to compliance, but there were gaps in some areas and the OMI recommendations and checklist had not been taken up fully by all subscribers. More work needs to be done to ensure ongoing compliance.

The report identifies three key areas for improvement: the review of soft and hard copy documents to ensure information is destroyed or de-identified when no longer required; the adoption of formal processes to document informal actions within the institution; and the development of a policy that details the steps required to disclose information to overseas recipients.

The Committee found that while subscribers had displayed a willingness to review policies and processes regularly, ongoing compliance requires continued attention to monitoring, reviews and effective training. The Committee recommended that relevant policies be reviewed at least annually to ensure compliance.

The Committee urges subscribers to use the guidance offered in this report as a practical guide to ensure privacy compliance. The 2018 Own Motion Inquiry and the privacy checklist are also useful resources when privacy policies, processes and practices are reviewed.

The Committee encourages subscribers to share and discuss the findings of this report with Board and Executive Management teams.