Big 4 complying with bedrock CDR privacy safeguard

  • By Zilla Efrat

The big four banks are generally handling consumer data under the Consumer Data Right (CDR) openly and transparently with good privacy practices in place, an audit by the Office of the Australian Information Commissioner (OAIC) has found.

The OAIC’s first privacy assessment examined how the initial CDR data holders are complying with Privacy Safeguard 1, which requires providers to have a policy describing how they manage consumer data and to implement internal practices, procedures and systems to ensure compliance.

“Our privacy assessment found the big four banks are generally complying with the bedrock Consumer Data Right privacy safeguard,” says Australian Information Commissioner and Privacy Commissioner, Angelene Falk.

The OAIC did not identify any areas of high privacy risk. But for each bank, it identified at least one medium privacy risk. One bank had four medium privacy risks, two banks had three and one bank had one medium privacy risk.

Most of the medium privacy risks related to the way the banks had implemented internal practices, procedures and systems to ensure compliance with their CDR obligations.

OAIC recommended what action each bank should take to address the medium privacy risks. All banks accepted its recommendations.

OAIC also suggested what each bank could do to improve their privacy compliance in at least one area of low privacy risk. A total of six areas of low risk were identified.

OAIC has used the findings of this assessment to update its guide to developing a CDR policy and inform future updates to the CDR Privacy Safeguard Guidelines.

“Our recommendations and suggestions will assist these data holders and other providers in the system to further embed, review and enhance their privacy practices so that consumers can continue to use the CDR with confidence,” says Falk.