
Privacy Commissioner John Edwards welcomes the findings of the review by the Financial Markets Authority and Reserve Bank of New Zealand (FMA-RBNZ) of bank conduct and culture and believes that banks must do more to protect the privacy of their customers.

The FMA-RBNZ review found that banks have many issues that “appear to have stemmed from weaknesses in systems and processes.” It also raised concern about banks’ “lack of proactivity in identifying and remediating conduct issues and risks in their business.”

Mr Edwards shares these concerns, specifically relating to how banks treat cases of employees inappropriately accessing customer information – a practice called employee browsing.

Under the Privacy Act, banks and other agencies need to have reasonable safeguards in place to prevent unauthorised access to and use of the personal information they hold.

The Office of the Privacy Commissioner (OPC) has received seven complaints about employee browsing in banks since the beginning of 2017. In five of those cases, Office investigations found that banks interfered with a person’s privacy.

In one case, a bank employee accessed the personal information of her ex-partner over 500 times within a year and allegedly used it to stalk him. The bank did not at any point advise the ex-partner that its employee was accessing his bank account.

In another case, a bank employee accessed account information belonging to his ex-wife’s new partner. He then used that information to visit the new partner at his home and confront him. The bank had previously caught the employee accessing his ex-wife’s father’s information and did not take appropriate steps to limit or monitor the employee’s access.

Mr Edwards said that banks must acknowledge their shortcomings and be proactive about addressing the risks of employee browsing:

“Banks don’t have to have perfect protections, but they do need to have effective ones. If employees are ignoring codes of conduct and audit systems aren’t catching inappropriate access, banks aren’t meeting their obligations under the Privacy Act.”

“We’ve had numerous complaints about employee browsing in banks, all involving access to information about people who were, or were connected to, ex-partners. This suggests that the banks’ measures to maintain a positive privacy culture are not as effective as they should be,” Mr Edwards said.

The updated Privacy Bill, currently before Parliament, will grant the Privacy Commissioner powers that will help him ensure that banks and other agencies meet their obligations.

ENDS

Notes for editors

Read the Reserve Bank of New Zealand’s media release: FMA and RBNZ report on bank conduct and culture

Media enquiries

Contact: Charles Mabbett 021 509 735
