Privacy Daily is a service of Warren Communications News.

Australian Watchdog Charges Bank for its Third-Party Data Vendor's Actions

Businesses that outsource their consumer data rights (CDR) obligations to a third party must understand that the buck stops with the outsourcing company, the Office of the Australian Privacy Commissioner (OAIC) wrote Wednesday.

Most organizations rely on third-party service providers to help them meet their obligations, but that reliance introduces risks that businesses must manage, the OAIC said.

Liability for actions of third-party providers was a key issue in the OAIC's first CDR determination, published Wednesday. The office found that Biza, the third-party service provider for Regional Australia Bank (RAB), was wanting on several privacy safeguards.

The CDR system is designed to keep data secure and protect consumers’ privacy, the OAIC wrote. Its "bedrock" privacy safeguard requires data holders to proactively consider, plan and address how to ensure compliance with CDR obligations. They also must ensure the accuracy of the information they disclose, either personally or through a third-party service provider.

The incident involved the commingling of CDR data of up to 197 consumers, the watchdog wrote. That created a risk that RAB would give inaccurate information to other participants in the CDR system about an affected consumer, which then had the potential to influence information and decisions about the consumer, such as whether they were approved for credit.

The issue was the result of a fault in Biza’s software that was provided as a service to multiple clients. Biza implemented a software patch for clients to remediate the issue but failed to identify that RAB, which was in the process of transitioning to the software platform, would be affected. The problem was identified only when an accredited data recipient raised an incident where a consumer had transactions in their banking history that did not belong to them, the OAIC said.

Biza addressed the issue quickly when made aware of it. However, the OAIC said, it believed an investigation was important to identify the cause and make sure it was not repeated, and to support trust in the privacy safeguards in the CDR system.

While RAB took reasonable steps to comply with the privacy safeguards, Biza didn't, the office said. Biza's activities were undertaken on behalf of RAB, making RAB liable for failings by Biza, even if the bank wasn't aware of them and wasn't in a position to address or prevent them, it said.

The OAIC determination "should inform decisions about governance arrangements when engaging third-party service providers," it added.