Office of the Privacy Commissioner | Case Note 203856 [2009] NZPrivCmr 12 : Bank teller improperly accesses customer account information
A bank discovered that a teller had accessed a couple's joint bank account without authorisation 58 times over two months. The teller also disclosed information about their accounts to a third party, a former partner of one of the couple.
The bank contacted the couple to let them know what had happened. It set up a meeting between the couple and an area manager to discuss the situation and appropriate compensation. However, the bank and the couple were unable to settle the matter.
Principles 5 and 11
Principle 5 of the Privacy Act provides that an agency must protect personal information by such security safeguards as are reasonable in the circumstances to take against loss, access, use, modification or disclosure, and other misuse.
Agencies such as banks must therefore take reasonable steps to ensure that their employees do not inappropriately access customer information. These reasonable steps will include having good policies, procedures and training in place. Agencies should have systems that record when a person has accessed information.
Principle 11 provides that an agency that holds personal information must not disclose the information unless the agency believes on reasonable grounds that one of the exceptions contained within principle 11 applies.
We did not need to investigate to see whether principles 5 or 11 had been breached as the bank accepted that it had breached the Privacy Act. Instead, our focus was on working with the parties to find what would be a satisfactory resolution of the complaint.
A major consideration was the level of harm that the couple had suffered as a result of the teller accessing their account and disclosing information to the former partner. They had to change bank accounts and had suffered considerable stress from finding out what the teller had done.
On the other side, it appeared that the teller had not looked at the couple's account details in depth, and the couple had not been contacted by the former partner.
We helped the parties to reach a settlement. This consisted of a one-off cash payment of several thousand dollars. Both parties were happy with this result and we closed our file.
May 2009
Security of personal information - disclosure of personal information - bank - security breach - employee browsing - settlement - Privacy Act 1993, principles 5 and 11