Help & support
The Australian Information Commissioner (Commissioner) has accepted an Enforceable Undertaking (EU) offered by Commonwealth Bank of Australia (CBA).
The EU underpins execution of further enhancements to the management and retention of customer personal information within CBA and certain subsidiaries.
The EU follows CBA’s ongoing work to address two incidents; one relating to the disposal of magnetic data tapes containing historical customer statements; and the other relating to internal user access to certain systems and applications containing customer personal information.
CBA reported both incidents to the Office of the Australian Information Commissioner (OAIC) in 2016 and 2018 respectively and has since been working to address these incidents.
As previously announced, CBA has found no evidence to date, as a result of these incidents, that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.
CBA’s commitments in the EU announced today include reviewing and implementing further enhancements to:
There is no action required for our customers as a result of this EU.
We recognise the importance of data privacy and our crucial role in appropriately managing the information our customers entrust us with.
CBA has found no evidence to date that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.
The security of our customers’ personal information is a key priority for Commonwealth Bank, and we are committed to improving, on an ongoing basis, our processes and controls that relate to data privacy, as well as educating our customers.
An enforceable undertaking is a written agreement between CBA and the Information Commissioner in which CBA agrees to perform certain actions which are enforceable against CBA in the Federal Court.
There is no action for our customers.
If you wish, customers can contact us and ask to view their information that we hold. They can do this by visiting a branch or calling us on 13 22 21, or in some instances filling out a request form.
CBA has no found no evidence to date that our customers’ personal information was compromised, or that there have been any instances of unauthorised access by CBA employees or third parties.
The security of our customers’ personal information is a key priority for Commonwealth Bank, and we are committed to improving, on an ongoing basis, our processes and controls that relate to data privacy.
Following both incidents, we took immediate steps to conduct comprehensive investigations, engage external experts to provide independent oversight, and engage proactively and cooperate fully with the OAIC.
The work we are doing as part of this EU will ensure all relevant policies, systems, processes and procedures are reviewed and built to better protect our customers and their data.
The Commissioner has acknowledged the significant work we have done, and continue to do, to prevent future data incidents.
Security of our customers’ personal information continues to be our top priority.
You can read a high-level summary of the work plan and timetable of work that CBA will complete to meet its obligations under the EU.