The Commonwealth Bank of Australia (CBA) has been told to pull its socks up over its lacklustre responses to two privacy breaches.

An investigation by the Office of the Australian Information Commissioner (OAIC) raised concerns about CBA’s lax response.

In May 2016, two magnetic storage tapes containing 15 years' worth of bank statements belonging to around 20 million customers disappeared.

A third-party provider was transporting the tapes for destruction when they went missing.

CBA notified the OAIC about the incident.

Under the Notifiable Data Breaches scheme, Australian organisations are required to notify the OAIC and affected parties when a data breach is likely to result in harm to those whose personal information was involved in the breach.

Two years later, in 2018, the OAIC checked back with CBA and found that the major bank still lacked sufficient procedures for destroying or de-identifying personal information.

Later in 2018, CBA notified the OAIC that, during the sale of its insurance entity Colonial Mutual Life Assurance Society (CMLA), CBA had found applications containing CMLA customer information that were accessible to other, non-CMLA bank employees.

Information Commissioner Angelene Falk said Australians expected better privacy protection from financial institutions.

“When an organisation is entrusted with our personal information, access must be limited to a need-to-know basis and the data must not be kept past its use-by date,” she said.

“This matter should send a sharp reminder to all organisations that data holdings must have a clearly defined retention period and should be securely destroyed or de-identified when no longer needed. Failing to do so can increase the risk that personal information will be compromised.

“Our inquiries identified deficiencies in CBA’s management of personal information, specifically its internal access controls and approach to retention and destruction.

“As a result of this work, CBA has committed through a court-enforceable undertaking to substantially improve their privacy practices.”

The court-enforceable undertaking requires that CBA thoroughly review its privacy policies and practices with the help of an independent expert.