Commonwealth Bank Accused of Misleading Privacy Commissioner

The Commonwealth Bank has been accused of giving misleading evidence to the Privacy Commissioner about the extent of a bank contractor’s access to a customer’s account.

Earlier this year, Privacy Commissioner Timothy Pilgrim ordered the bank to apologise and pay $10,000 in compensation to its customer, Kylie Murden, for breaches of the Privacy Act.

Ms Murden was previously an employee of the bank’s mortgage lending franchise network, now known as Home Lending Solutions, but was sacked without explanation in 2011.

During an unfair dismissal claim, she became suspicious that her former manager had detailed knowledge about her personal finances.

Her former manager operated a Home Lending Solutions business under a franchise contract with the Commonwealth Bank (CBA).

The CBA says about 100 non-bank contractors, including Home Lending Solutions franchisees, have access to its customer management system, CommSee.

‘A goldmine to see everything about me financially’

With help from a friend working at the bank, Ms Murden secretly took photographs of an access log of her accounts on CommSee, which showed the manager and two of his staff had accessed her personal CBA accounts hundreds of times over several months.

During this time the bank was defending the unfair dismissal claim.

“It was just an absolute goldmine for him to see everything about me financially,” Ms Murden told 7.30.

“He could find out essentially whatever he wanted to about how much I was paying my lawyers because the money was going through my CBA bank account.”

When she confronted the bank about the manager’s access, it brushed aside her concerns.

“Any access … was done in the normal course of … management of your (at the time) non-performing loan accounts with the bank,” the bank’s senior legal counsel Grant Dewar wrote in a letter to Ms Murden in November 2011.

Ms Murden lodged a complaint with the Privacy Commission, claiming the bank had breached her privacy by allowing the former manager to access her accounts.

The Commission ordered the bank to provide copies of her account access log.

But the document the bank sent showed only a fraction of the manager’s accesses revealed in the customer access log Ms Murden had secretly photographed.

Omissions an ‘administrative oversight’

Kylie Murden was shocked.

“What would be easier than to just cross out those people’s names and say there’s nothing to see?” she said.

The Privacy Commission demanded an explanation from the Commonwealth Bank for the inconsistencies between its account and Ms Murden’s evidence.

The CBA lawyer handling the case denied the bank was trying to mislead the commissioner, saying the omissions were an “administrative oversight”.

“When I was assigned this complaint, I copied and pasted the Client Access Report into a Word document for future reference,” the lawyer wrote in a letter to the commission.

“Unfortunately what has occurred is I have inadvertently missed parts of the Client Access Report.”

The bank resubmitted a copy of the client access report, and the Privacy Commission eventually ruled that the bank had breached her privacy.

The bank was ordered to apologise to Ms Murden and pay her $10,000.

She believes the Commission should also have recommended charges against the bank for providing misleading information.

“The determination did not make a finding that the CBA intentionally provided false or misleading information,” the Privacy Commission said in a statement.

“Therefore there was no basis for further investigation or referral of the matter.”

‘Investigation continued with the knowledge and approval of the CBA’

The Commonwealth Bank declined 7.30’s request for an interview.

“The Australian Privacy Commissioner issued a determination in regards to this matter more than a year ago. Commonwealth Bank has fully complied with our obligations as part of this process,” the bank said in a statement.

“Any suggestion that information was provided in a false or misleading manner to the Commissioner is incorrect.”

Ms Murden’s former manager declined 7.30’s request for an interview, but insisted he had not acted improperly in accessing the account.

The manager is now suing the Commonwealth Bank in the Federal Court for lost income after he cancelled his franchise agreement earlier this year.

As part of a statement to the court, the manager said he accessed Ms Murden’s personal accounts because he suspected her of committing mortgage fraud.

“The investigation continued with the encouragement, knowledge and approval of the CBA,” the statement of claim said.

Ms Murden rejected suggestions she had engaged in mortgage fraud.

The Commonwealth Bank also raised historical allegations of mortgage fraud against Ms Murden during the Privacy Commission investigation.

However, the Commissioner dismissed the bank’s claims that her accounts were being accessed as part of a fraud investigation by her former manager.

“I do not accept that the principal accessed the profile for the purpose of investigating alleged fraud,” he wrote in the determination.

“Given that the CBA has its own department for such investigations, I agree with the complainant that it would have been inappropriate for the principal to be involved in such an investigation.”