Customer owned banks have some work to do to bring their privacy and data security practices up to the standard required by their industry code.
The Customer Owned Banking Code Compliance Committee has called on code subscribers to be more proactive in maintaining their privacy and data security processes, including more regular reviews.
It also wants them to audit physical access to data and to review their breach registers to identify trends that need fixing.
In 2018, the COBCCC conducted an inquiry into members’ compliance with privacy and security commitments under the code.
It made a number of recommendations after that inquiry and, in its latest report, has followed up to see how its recommendations have been implemented.
The committee found that all code subscribers had reviewed their privacy and data security policies in the past 18 months.
However, “while code subscribers told us they are committed to meeting their obligations, the recommendations and privacy checklist provided in 2018 have not been fully implemented by all code subscribers.”
Processes and procedures are in place but ongoing monitoring, review of processes and ensuring that staff are effectively trained need continued focus.
COBCCC said privacy and data security policies and procedures should be proactively maintained and reviewed at least annually.
Many subscribers would benefit from formally documenting processes in key areas of their business that may have an increased risk of privacy breaches.
Code subscribers should ensure that methods of communication in recording consents, authorities and notifications are well embedded in business processes to mitigate the risk of privacy breaches.
Almost all code subscribers indicated that staff access levels are reviewed regularly. However, the CONCCC said it was concerned that 23 per cent of subscribers have not incorporated an audit relating to physical access at all locations into their review framework.
Overall there is good document storage and destruction practice.
When it came to privacy and data breaches, the COBCCC found that most subscribers focused on staff awareness and training to prevent privacy breaches.
However, it recommended that organisations review their incident and breach registers to identify trends and reduce recurrence.