The Commonwealth Bank is urgently investigating a potential data breach that may have given its staff access to customers’ sensitive medical data.
The issue was discovered in late July as the bank prepared for the $3.8 billion sale of its insurance arm, CommInsure, to the AIA group. Medical data provided by an unknown number of customers to CommInsure was made accessible to other arms of the bank, including staff who decide whether to approve or decline loan applications.
The bank said that since the discovery of the potential breach it had been reviewing records to establish whether the information was “accessed inappropriately” by employees. It also said it had found no evidence of staff outside CommInsure accessing the personal information of CommInsure customers.
However, it said it had not told its CommInsure customers, as it did not believe a data breach had occurred. It also did not clarify how many people might be affected.
Under the notifiable data breaches scheme, the bank would be obliged to inform customers if “there is unauthorised access to or unauthorised disclosure of personal information, or loss of personal information that an entity holds”, and “this is likely to result in serious harm to one or more individuals”.
The bank has retained the consultancy firm McGrathNicol to oversee the investigation into whether a data breach occurred. “We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis,” a spokeswoman for the bank said.
The office of the information commissioner confirmed that the bank had notified it about the possible breach, and said it had “been asking questions of the Commonwealth Bank of Australia about the incident”, but would not comment further on an ongoing inquiry.
University of New South Wales data privacy expert Katharine Kemp said that, on the facts the Commonwealth Bank had so far disclosed, it was unclear whether the incident constituted a breach under the scheme.
However, she said customers should be informed if their data may have been exposed.
“It’s arguable that making health information accessible to unauthorised recipients is a notifiable breach and that, if it isn’t, I don’t think that’s consistent with community expectations,” Dr Kemp said.
“Whether or not CBA can rely on its interpretation as a matter of law, the community has a reasonable expectation that it would be notified of such a failure in CBA’s governance controls, especially given the sensitive nature of health information.”
She said that if the information had been accessed, it became an issue of consent.
“Consent is very important here because it goes to the customer’s reasonable expectation about what is going to happen with their information,” Dr Kemp said.