InvestSMART

APRA urges 'measured' approach to privacy

The financial regulator has brushed aside recommendations from a federal agency that it remind banks of their privacy obligations when lenders are sending customers' personal data overseas.
4 Sep 2013
In a guidance note this week, the Australian Prudential Regulation Authority urged companies to take a "cautious and measured" approach to managing data when offshoring. It did not follow a recommendation from the Australian Privacy Commissioner, Timothy Pilgrim, to draw banks' attention to obligations under the Privacy Act.

After a wave of offshoring in financial services, privacy has emerged as a key flashpoint, causing some state government agencies to restrict what information can be stored overseas.

In a submission to APRA, Mr Pilgrim recommended the regulator refer to the National Privacy Principles - federal rules that restrict how big businesses handle personal information.

The principles require companies to follow domestic rules when they transfer data overseas, and serious breaches can result in multimillion-dollar fines.

However, APRA's guidance note to banks did not mention either "privacy" or "personal information". Instead, it focused on potential risks to the financial system from data management.

"APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to," APRA's guidance said. "It is important that a regulated entity is fully aware of the risks involved and makes a conscious and informed decision as to whether the additional risks are within its risk appetite."

The policy does not claim to be a comprehensive guide on offshoring. Even so, customer privacy is a growing concern of unions and some government departments as companies including ANZ, QBE and Westpac send thousands of back-office jobs overseas.

For instance, Victoria's WorkSafe agency does not allow insurance providers to store data relating to employers or injured workers outside Australia.

Finance is the most complained-about sector on privacy matters, according to the 2011-12 Australian Information Commissioner annual report. Commonwealth Bank, ANZ and Westpac were among the 10 most complained-about organisations.
Frequently Asked Questions about this Article…

APRA’s guidance urged companies to take a “cautious and measured” approach when retaining data outside the jurisdiction it pertains to. The note focused on risks to the financial system from data management, but it did not specifically mention the words “privacy” or “personal information.”

No. The Australian Privacy Commissioner, Timothy Pilgrim, recommended APRA refer to the National Privacy Principles and remind banks of their Privacy Act obligations, but APRA’s guidance did not follow that recommendation and did not reference those privacy obligations explicitly.

The National Privacy Principles are federal rules that restrict how big businesses handle personal information. They require companies to follow domestic rules when transferring data overseas, and the article notes that serious breaches under those rules can result in multimillion-dollar fines.

The article says companies including ANZ, QBE and Westpac have sent thousands of back‑office jobs overseas, a trend that has contributed to customer privacy concerns and attention from unions and some government departments.

Yes. The article explains some state government agencies have started to restrict overseas storage of certain information. For example, Victoria’s WorkSafe does not allow insurance providers to store data relating to employers or injured workers outside Australia.

APRA says a regulated entity should be fully aware of the risks involved and make a conscious, informed decision about whether the additional risks of retaining data offshore are within its risk appetite — applying a cautious and measured approach.

Yes. According to the 2011–12 Australian Information Commissioner annual report mentioned in the article, finance was the most complained-about sector on privacy matters, and organisations including Commonwealth Bank, ANZ and Westpac were among the 10 most complained-about.

No. The article notes that APRA’s policy does not claim to be a comprehensive guide on offshoring; it is focused on managing data-related risks to the financial system rather than serving as an exhaustive offshoring rulebook.