APRA urges 'measured' approach to privacy
The financial regulator has brushed aside recommendations from a federal agency that it remind banks of their privacy obligations when lenders are sending customers' personal data overseas.
In a guidance note this week, the Australian Prudential Regulation Authority urged companies to take a "cautious and measured" approach to managing data when offshoring. It did not follow a recommendation from the Australian Privacy Commissioner, Timothy Pilgrim, to draw banks' attention to obligations under the Privacy Act.
After a wave of offshoring in financial services, privacy has emerged as a key flashpoint, causing some state government agencies to restrict what information can be stored overseas.
In a submission to APRA, Mr Pilgrim recommended the regulator refer to the National Privacy Principles - federal rules that restrict how big businesses handle personal information.
The principles require companies to follow domestic rules when they transfer data overseas, and serious breaches can result in multimillion-dollar fines.
However, APRA's guidance note to banks did not mention either "privacy" or "personal information". Instead, it focused on potential risks to the financial system from data management.
"APRA expects a regulated entity to apply a cautious and measured approach when considering retaining data outside the jurisdiction it pertains to," APRA's guidance said. "It is important that a regulated entity is fully aware of the risks involved and makes a conscious and informed decision as to whether the additional risks are within its risk appetite."
The policy does not claim to be a comprehensive guide on offshoring. Even so, customer privacy is a growing concern of unions and some government departments as companies including ANZ, QBE and Westpac send thousands of back-office jobs overseas.
For instance, Victoria's WorkSafe agency does not allow insurance providers to store data relating to employers or injured workers outside Australia.
Finance is the most complained-about sector on privacy matters, according to the 2011-12 Australian Information Commissioner annual report. Commonwealth Bank, ANZ and Westpac were among the 10 most complained-about organisations.