The Customer Owned Banking Code Compliance Committee has published its report on whether subscribers have improved compliance with privacy obligations under the Customer Owned Banking Code of Practice.

The Report follows up recommendations made in the Committee’s 2018 Report.

The Committee concluded that the recommendations and privacy checklist provided in the 2018 Report have not been fully implemented by all Code subscribers. Processes and procedures are in place, but ongoing monitoring, review of processes and ensuring that staff are effectively trained need continued focus.

It said that privacy and data security policies should be proactively maintained and reviewed at least annually, and many subscribers would benefit from formally documenting processes in key areas of their business that may have an increased risk of privacy breaches.

The Committee confirmed that Code subscribers should:

• ensure that recording consents/authorities and notifications are well embedded in business processes to mitigate the risk of privacy breaches.
• review staff access levels to the banking system and internal documents at least annually to ensure consistency with job descriptions.
• Audit physical access controls and system access controls at all locations (especially where personal information is held).
• ensure that document retention, destruction, and archiving procedures and processes are implemented to demonstrate compliance with privacy obligations to take reasonable steps to destroy or de-identify personal information that is no longer required.
• review incident and breach registers to identify breach trends and reduce recurrence.
• ensure that all privacy training material is reviewed to include data breach notification, promote awareness of potential breaches, and include procedures that show staff how to report data breaches.
• review their risk framework and ensure privacy compliance is incorporated in their practices to prevent breaches.
• adopt and monitor clean desk policies and do common area checks, such as shared printer facilities and unsecured bins.
• conduct shadow shopping as a way of measuring compliance with privacy obligations by frontline staff.
• ensure the privacy notification and policy remains easily accessible when website upgrades occur.
• continue reviewing tax file number (TFN) retention processes and access restrictions. Access should only be available to staff members who require it as part of their role.
• conduct a complete review of third party contracts that involve the handling of personal information prior to execution or renewal to ensure privacy and data breach reporting standards are maintained.

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.