Insights / July 23rd, 2019

CBA are not alone! Enforceable undertakings for data handling practices

Late June saw the Commonwealth Bank of Australia (CBA) offer the Office of the Australian Information Commissioner (OAIC) an enforceable undertaking following two data security-related incidents, in 2016 and 2018.

In a widely reported incident, magnetic data tapes containing historical CBA customer financial information and account statements were lost in 2016 after being passed to a private contractor for destruction. The contractor was unable to confirm that it had destroyed the tapes, and a subsequent investigation found that, while the most likely scenario was that the tapes had been destroyed, this could not be definitively determined.

The 2018 incident related to internal data management and security measures. Data collected by CBA’s life insurance subsidiary, Colonial Mutual Life Assurance Society Ltd (CMLA), was accessible through a number of CBA Group software applications, meaning sensitive personal information could potentially be accessed by individuals who were not employed by CMLA but who worked elsewhere in the CBA Group of companies. CBA and CMLA instigated remedial action following the discovery. It was stated that internal investigations had not identified any instances of the data being accessed by unauthorised persons.

Although the consequences of both incidents appear to have been contained, with no fraud or damage identified, the OAIC still expressed concern regarding CBA’s ongoing compliance with Australian Privacy Principles (APPs) 1.2 and 11.

APP 1.2 requires all entities subject to Australian privacy laws to ‘take such steps as are reasonable in the circumstances to implement practices, procedures and systems’ to ensure the entity’s compliance with the APPs. APP 11.1 requires those subject to the APPs to take steps reasonable in the circumstances to protect personal and sensitive information from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP 11.2 also requires entities to destroy or de-identify information that is no longer needed and is not subject to other legal requirements to retain it.

Although the enforceable undertaking does not go into detail about the substance of the OAIC’s concerns, the document is indicative of the steps the OAIC recommends to ensure compliance with Australian privacy laws.

The document details extensive requirements: logging access to data and recording who has accessed personal information; ensuring that sufficient contractual obligations are in place so that contractors and third parties protect personal and sensitive information; ensuring that sufficient monitoring programs are in place to confirm that contractors and third parties handling data are acting in accordance with the relevant privacy laws; and ensuring that information is securely destroyed once it is no longer needed.

Data Breaches and Protections

CBA is not the only organisation to have been the victim of a data breach. In early June, it was reported that the Australian National University (ANU) had been the subject of a malicious and intentional data breach in which the personal information of approximately 200,000 ANU staff, students and contractors was compromised. Similarly, Westpac announced that the banking information of nearly 100,000 Australians, not just Westpac customers, may have been stolen or unlawfully accessed following a cyberattack. The majority of the information related to the recently implemented New Payments Platform and PayID programs, which replace account details with a customer’s phone number or email address.

964 data breaches were notified to the OAIC between April 2018 and March 2019, the equivalent of just over 5 data breaches every 2 days. For a breach to be reportable, it must be likely to result in serious harm to the individuals whose data was accessed.

Data Protection

While data breaches and malicious attacks remain a continuing risk to personal information, all entities subject to the APPs are required to implement reasonable measures to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

In a number of instances, the OAIC has indicated that this requires entities to implement physical, technological and organisational safeguards to protect personal information. The full extent of this obligation varies with an entity’s circumstances, capabilities and the personal information it handles.

Methods of complying with this requirement include encrypting information, securing physical records in a safe location, limiting employee access to personal information to that needed for legitimate business purposes, and implementing internal compliance plans that govern how the entity and its employees handle personal information.

Regulatory guidance suggests that the most effective way to prevent data breaches is to ensure that strong and appropriate data protection measures are in place before an incident occurs.

If you have any inquiries regarding your privacy law or data protection obligations, please Contact Us.