A refreshing and timely story on the Commonwealth bank accused of misleading the Privacy Commissioner and the Privacy Commissioner cops criticism in handling that deception
December 20, 2017 |
Tonight’s 7.30 program has a story, titled Commonwealth Bank accused of misleading the Privacy Commissioner about a privacy complaint where the sting is the Commonwealth Bank failing to provide proper disclosure of documents. The determination is ‘KA’ and Commonwealth Bank of Australia Limited [2016] AICmr 80 (25 November 2016). KA is Kylie Murden in the 7.30 story. As determinations go it is quite a significant award. But that says not all that much except to highlight the problem with the Privacy Commissioner’s process of deciding an appropriate award. The Privacy Commissioner’s awards range from risible to inadequate. The invariable failure to award aggravated damages is, here, a failure by the Privacy Commissioner to properly exercise his discretion. In this case the behaviour of the Commonwealth Bank was appalling, capricious and deceptive. Even when caught out in providing inadequate documentation the CBA used the totally unbelievable administrative error excuse. An implausible excuse which, unfortunately, worked. The Privacy Commissioner did not press the matter. Weak and wrong. Unfortunately the Privacy Commissioner opts for a very public service play it safe approach to determinations.
Fortunately Ms Murden and Senator Patrick were prepared to lay blame on the Commissioner for his poor handling of the case. There needs to be more of it. At the moment there is little transparency on the process and the conduct of the hearings.
Kylie’s criticism of the Privacy Commissioner was:
“..we also don’t have a regulator that is prepared to stand up to the CBA and say we know those documents aren’t real and you have to provide us with genuine information…”
Senator Rex Patrick is also critical of the Privacy Commissioner saying:
“.. first it took 18 months to resolve this issue, secondly he was presented with information that showed that the bank had misled the Commissioner the Commissioner effectively did nothing. Now that in itself will breed further contempt. “
Could not have said it better myself.
It is refreshing that the anaemic way in which the Privacy Commissioner handles complaints and opts for mild over effective determinations, after a usually ridiculously long delay, has been ventilated by a media organisation. There is poor privacy compliance in Australia for a number of reasons but top of the list is timidity and ineffectiveness of the regulator, the Australian Information Commissioner.
The story is also covered on the ABC news website here where it the 7.30 piece is partially transcribed. In the full report there is some criticism of the Privacy Commissioner in not taking further action on the failure to provide proper disclosure. The Privacy Commissioner has significant powers to obtain documents, section 44, and to enter premises, section 68.
The Commonwealth Bank has been accused of giving misleading evidence to the Privacy Commissioner about the extent of a bank contractor’s access to a customer’s account.
Earlier this year, Privacy Commissioner Timothy Pilgrim ordered the bank to apologise and pay $10,000 in compensation to its customer, Kylie Murden, for breaches of the Privacy Act.
Ms Murden was previously an employee of the bank’s mortgage lending franchise network, now known as Home Lending Solutions, but was sacked without explanation in 2011.
During an unfair dismissal claim, she became suspicious that her former manager had detailed knowledge about her personal finances.
Her former manager operated a Home Lending Solutions business under a franchise contract with the Commonwealth Bank (CBA).
The CBA says about 100 non-bank contractors, including Home Lending Solutions franchisees, have access to its customer management system, CommSee.
With help from a friend working at the bank, Ms Murden secretly took photographs of an access log of her accounts on CommSee, which showed the manager and two of his staff had accessed her personal CBA accounts hundreds of times over several months.
During this time the bank was defending the unfair dismissal claim.
“It was just an absolute goldmine for him to see everything about me financially,” Ms Murden told 7.30.
“He could find out essentially whatever he wanted to about how much I was paying my lawyers because the money was going through my CBA bank account.”
When she confronted the bank about the manager’s access, it brushed aside her concerns.
“Any access … was done in the normal course of … management of your (at the time) non-performing loan accounts with the bank,” the bank’s senior legal counsel Grant Dewar wrote in a letter to Ms Murden in November 2011.
Ms Murden lodged a complaint to the Privacy Commission, claiming the bank had breached her privacy by allowing the former manager to access her accounts.
The Commission ordered the bank to provide copies of her account access log.
But the document the bank sent showed only a fraction of the manager’s accesses revealed in the customer access log Ms Murden had secretly photographed.
Kylie Murden was shocked.
“What would be easier than to just cross out those people’s names and say there’s nothing to see?” she said.
The Privacy Commission demanded an explanation from the Commonwealth Bank for the inconsistencies between its account and Ms Murden’s evidence.
The CBA lawyer handling the case denied the bank was trying to mislead the commissioner, saying omissions were an “administrative oversight”.
“When I was assigned this complaint, I copied and pasted the Client Access Report into a Word document for future reference,” the lawyer wrote in a letter the commission.
“Unfortunately what has occurred is I have inadvertently missed parts of the Client Access Report.”
The bank resubmitted a copy of the client access report, and the Privacy Commission eventually ruled that the bank had breached her privacy.
The bank was ordered to apologise to Ms Murden and pay her $10,000.
She believes the Commission should also have recommended charges against the bank for providing misleading information.
“The determination did not make a finding that the CBA intentionally provided false or misleading information,” the Privacy Commission said in a statement.
“Therefore there was no basis for further investigation or referral of the matter.”
The Commonwealth Bank declined 7.30’s request for an interview.
“The Australian Privacy Commissioner issued a determination in regards to this matter more than a year ago. Commonwealth Bank has fully complied with our obligations as part of this process,” the bank said in a statement.
“Any suggestion that information was provided in a false or misleading manner to the Commissioner is incorrect.”
Ms Murden’s former manager declined 7.30’s request for an interview, but insisted he had not acted improperly in accessing the account.
The manager is now suing the Commonwealth Bank in the Federal Court for lost income after he cancelled his franchise agreement earlier this year.
As part of a statement to the court, the manager said he accessed Ms Murden’s personal accounts because he suspected her of committing mortgage fraud.
“The investigation continued with the encouragement, knowledge and approval of the CBA,” the statement of claim said.
Ms Murden rejected suggestions she had engaged in mortgage fraud.
The Commonwealth Bank also raised historical allegations of mortgage fraud against Ms Murden during the Privacy Commission investigation.
However, the Commissioner dismissed the bank’s claims that her accounts were being accessed as part of a fraud investigation by her former manager.
“I do not accept that the principal accessed the profile for the purpose of investigating alleged fraud,” he wrote in the determination.
“Given that the CBA has its own department for such investigations, I agree with the complainant that it would have been inappropriate for the principal to be involved in such an investigation.”