Commonwealth Bank must make urgent changes to its practices around selling aged debts and disclosing personal information, including the engagement an independent auditor.The sale to Credit Corp in 2003 of a $3065 credit card debt and repeated sharing of out of date information with other lenders leaves CommBank addressing another compliance headache.Incorrect records held by the bank remain active for more than 10 years after CBA sold the debt and the bank failed to purge aged data from the credit files of Veda (now Equifax).Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, in a ruling a few days ago found that CBA "interfered with the complainant's privacy by using and disclosing personal information about the complainant which was inaccurate, out-of date and/or incomplete, in breach of the Australian Privacy Principles."Falk directed that CBA must "within 60 days, issue a written apology [and]  pay the complainant $15,000 for non-economic loss."The Privacy Commissioner gace CBA 90 days to "undertake changes to its policies and operation processes and procedures, establishing reasonable steps to ensure that financial information about a person that CBA uses or discloses to other entities for the purpose of providing a credit reference is accurate, complete, up-to-date and relevant."The bank must also "engage an independent auditor to assess its practices to determine the effectiveness of its amended policies and operation processes."The audit must be completed within two months of the independent auditor's engagement and the bank must provide the  Privacy Commissioner with a copy of the independent auditor's assessment findings within two weeks of receiving them.The complainant, dubbed "QP" in the public version of the ruling, made a series of home loan applications, all which were turned down "because the complainant had failed to disclose a debt on his applications," Falk said in her ruling.The complainant made a complaint to CBA about their records on his credit card debt. In response to the complaint, CBA advised the complainant that the credit card debt "has been noted as a sold account on CBA systems since 15 November 2013", and that he would need to approach the credit providers that turned hin down for a home loan "to confirm what outstanding debt they were referring to."For example, in early 2015 CBA disclosed to Pepper that the complainant had a credit card with a $7,000 limit and a $3,000 balance.