What happened

The Australian Information Commissioner (Commissioner) has accepted an Enforceable Undertaking (EU) offered by Commonwealth Bank of Australia (CBA).

The EU underpins execution of further enhancements to the management and retention of customer personal information within CBA and certain subsidiaries.

The EU follows CBA’s ongoing work to address two incidents: one relating to the disposal of magnetic data tapes containing historical customer statements, and the other relating to internal user access to certain systems and applications containing customer personal information.

CBA reported both incidents to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018 respectively and has since been working to address these incidents.

As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.

CBA’s commitments in the EU announced today include reviewing and implementing further enhancements to:

  • internal privacy policies, procedures and record retention standards;
  • internal user access controls on systems and applications that hold personal information; and
  • the privacy risk management and monitoring processes that apply to service providers to CBA and certain subsidiaries.

What you should know

There is no action required for our customers as a result of this EU.

We recognise the importance of data privacy and our crucial role in appropriately managing the information our customers entrust us with.

CBA has found no evidence to date that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.

The security of our customers’ personal information is a key priority for Commonwealth Bank, and we are committed to improving, on an ongoing basis, our processes and controls that relate to data privacy, as well as educating our customers.

Frequently Asked Questions

What is an EU?

An enforceable undertaking is a written agreement between CBA and the Information Commissioner in which CBA agrees to perform certain actions which are enforceable against CBA in the Federal Court.

Do I have to do anything?

There is no action for our customers.

Customers who wish to do so can contact us and ask to view the information we hold about them. They can do this by visiting a branch or calling us on 13 22 21, or in some instances by filling out a request form.

Are my details safe?

CBA has found no evidence to date that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.

The security of our customers’ personal information is a key priority for Commonwealth Bank, and we are committed to improving, on an ongoing basis, our processes and controls that relate to data privacy.

What steps has CBA taken to ensure this does not happen again?

Following both incidents, we took immediate steps to conduct comprehensive investigations, engage external experts to provide independent oversight, and engage proactively and cooperate fully with the OAIC.

The work we are doing as part of this EU will ensure all relevant policies, systems, processes and procedures are reviewed and built to better protect our customers and their data.

The Commissioner has acknowledged the significant work we have done, and continue to do, to prevent future data incidents.

Security of our customers’ personal information continues to be our top priority.

Timeline of program of work

The EU provides CBA with 90 days to develop and submit to the OAIC a work plan and timetable for the work that CBA will complete to meet its obligations under the EU.

Once available, the work plan will be published here.