Banks get CDR privacy ‘bedrock’ tick from regulator


Joseph Brookes
Senior Reporter

Australia’s privacy watchdog found no areas of high privacy risk in an assessment of the Big Four banks’ Consumer Data Right policies and practices but did identify at least one “medium” risk each.

The medium risks mainly relate to the banks’ internal procedures and complaints processes, and means there is a chance they would be in breach of their obligations under the legislated data portability scheme.

But a breach was not deemed likely, and Australia’s privacy tsar on Tuesday said the results showed compliance was generally on track.

The regulator found no major privacy risks in the Big Four banks’ CDR practices. TK Kurikawa / Shutterstock

“Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” Australian Information Commissioner and privacy commissioner Angelene Falk said.

“Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices, so that consumers can continue to use the Consumer Data Right with confidence.”

On Tuesday the Office of the Australian Information Commissioner (OAIC) published a summary of its findings from the first Consumer Data Right (CDR) assessment of the scheme’s 13 legally binding privacy safeguards.

The assessment focused on Privacy Safeguard one, which is considered the “bedrock” of CDR privacy compliance, requiring entities to have a policy describing how they manage CDR data, and to maintain internal practices, procedures and systems to ensure compliance.

The assessment examined only Australia’s Big Four banks, which were the initial data holders under the CDR scheme and are required to share customers’ data in a secure, machine-readable way when requested.

The OAIC did not identify any areas of “high” privacy risk at CBA, ANZ, NAB or Westpac.

The regulator did find at least one medium privacy risk at each bank, but the summary results did not identify individual entities and the OAIC declined to share the full assessment.

One bank had four medium privacy risks, two banks had three and the other bank had one.

The risks mostly relate to how the banks had implemented internal practices, procedures and systems to ensure compliance, the regulator said, with policy wording and the information provided to consumers identified as areas for improvement.

Each bank accepted the regulator’s recommendations to address the risks. The findings will also be used to update the watchdog’s official guidance on developing and implementing CDR policy.

CDR has been applied to the banking sector but will hit the energy sector next year and is planned to eventually apply economy wide.

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories