October 25, 2020

Volume X, Number 299


October 23, 2020


The OAIC Engages in More In-Depth Investigations and Stronger Exercise of its Power

Following two key data incidents concerning how the Commonwealth Bank of Australia (CBA) handled data, the OAIC has successfully taken court action binding the banking heavyweight to “substantially improve its privacy practices”.

In summary, the first incident involved the loss of magnetic storage tapes (which are used to print account statements). These contained historical customer data, including customer statements of up to 20 million bank customers. In 2016, the CBA was unable to confirm that the two magnetic tapes had been securely disposed of after their scheduled destruction by a supplier.

The second incident, which was reported to the OAIC in August 2018, was caused by inadequate internal access controls to customer data. Subsequently, the OAIC investigated further and ultimately took action against the CBA.

As part of the enforceable undertaking that was given, CBA will have to review all its IT services and systems and ensure it is taking the necessary steps to protect customers’ personal information. This will also include a review of its privacy policy and its retention standards and procedures, as well as training for its staff to ensure compliance.

An external and independent reviewer will be appointed to oversee the completion of the undertaking and will be reporting back to the OAIC. The OAIC has the power to bring court action at any time the CBA fails to comply with the terms of the undertaking.

The OAIC acted in this case under its power to ensure compliance with the Notifiable Data Breaches Scheme and its regulatory powers over data handling practices in the financial services sector.

Additionally, the OAIC has received a funding boost of an additional $25.1 million over three years. Clearly, with this extra funding, the OAIC is engaging in more in-depth investigations into privacy practices and we can expect to see similar outcomes in the future. Some organisations may need to “substantially improve” their privacy practices!

Contributor: Jacqueline Patishman

Copyright 2020 K & L Gates

National Law Review, Volume IX, Number 179



About this Author

Cameron Abbott

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market-leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Rob Pulham
Special Counsel

Rob Pulham is an experienced corporate advisory and transactional lawyer with an active technology and privacy practice representing companies in the energy, manufacturing, mining, retail, health and financial services sectors, as well as government and not for profit organisations. He has extensive experience advising customers and vendors in the technology industry, with particular focus on software licensing, data privacy and protection, and systems integration projects. In his role as a senior corporate lawyer, Mr. Pulham reviews organisational policies and practices regarding data privacy to identify key risks, develops and implements strategies to mitigate privacy and cybersecurity risks, and advises clients in the investigation of, and response to, data breaches.

Mr. Pulham also serves as a strategic advisor to his clients, regularly advising on large outsourcing and technology procurement matters including negotiating software licensing terms with ERP and CRM vendors such as Oracle, SAP and Salesforce, and on major systems integration transactions. He advises his clients on all facets of their technology practices, procurement and needs, including key technology procurement requirements and licensing issues (acting for both customer and service provider clients), marketing and advertising in compliance with Australian competition and consumer laws, website content and terms of use, and general commercial intellectual property and software licensing matters.