The big banks have some work to do to get their Consumer Data Right privacy safeguards up to best practice, according to a review of their performance.
The Office of the Australian Information Commissioner has released an assessment of how the big banks are complying with CDR privacy safeguard 1, which requires CDR entities to have a policy describing how they manage CDR data, and to maintain internal practices, procedures and systems to ensure compliance.
The OAIC, which regulates the privacy aspects of CDR, said it did not identify any areas of “high privacy risk” which would likely lead to a breach of legislative obligations.
However, it identified at least one medium privacy risk for each bank – and four risks in one case. The OAIC defines a medium privacy risk as one that could lead to a breach of legislative obligations.
The majority of these risks related to the way the banks had implemented internal practices, procedures and systems to ensure compliance with their CDR obligations.
The OAIC said all four banks had developed a CDR policy distinct from their other privacy policies, and each bank’s CDR policy was available and accessible free of charge.
It said the banks were taking steps to promote “a culture that respects privacy and good information handling practices” and had senior staff providing leadership of their CDR programs.
Among the areas for improvement, the OAIC said three banks did not provide sufficient detail about their complaints processes.
It recommended that three banks advise customers that they can access all their CDR data and have any errors corrected.
The internal practices, procedures and systems of one bank did not include sufficient detail about the CDR-related requests customers can make of data holders.
One bank did not demonstrate that it provided CDR training to all relevant staff members before they handled CDR data.