Response To Privacy Breach Complaint – National Australia Bank Ltd.
Assessment of the Complaint
1. Company: National Australia Bank
SUB: Response to Privacy Breach Complaint
Dear Sir/Madam,
This letter is in regard to the complaint that you filed on 5th November 2018. Your complaint has been filed as 5/11/2018/NAB/001.
We have registered your complaint under the above complaint number. We are assessing all the information you have given us, and the investigation is ongoing. We may have to disclose the information you provided for the purposes of the investigation, if necessary. If there is any requirement to disclose the information overseas, we will discuss it with you first. The privacy policy describes the process of collecting and using personal information, and of accessing that information.
Community services policies and procedures are among the organizational policies followed by the employees of an organization. Under the policy, there is a clearly defined procedure for detecting and updating the Community Resource Index so that employees are aware of the services that are available. However, it is important to provide a guideline for case referencing and referral protocols, covering the process by which referrals need to be developed, the type of information which can be shared with the services, and the ongoing roles and responsibilities of the services with the client. In addition, there should be a policy for the extent of client information that can be kept after the clients are involved with the service. For instance, multiple governments outline the legal demands on employees related to storing as well as maintaining information.
Generally, when a privacy breach occurs, an employee or the complainant needs to send a complaint to the concerned organization, a process laid down by the OAIC (Office of the Australian Information Commissioner), which is guided by “The Privacy Act 1988” and other legislation of the Government of Australia. The privacy policy outlines the process of managing personal information as well as safeguarding privacy pursuant to the Privacy Act 1988 and the Australian Privacy Principles. The policy provides an easy way of understanding the summary of personal information and the projects. After filing, there is a waiting period of 30 days for the action and reply of the organization, after which you can take your complaint directly to the OAIC.
As of now, you will have to wait for further communication. On behalf of our Bank, I would also like to thank you for communicating with us.
Thanking You
Policy Department.
2. After referring to the privacy policy of the National Australia Bank, it has come to my notice that this kind of information leak was not considered while formulating the policy. Legally speaking, there was a breach of the bylaws against public viewing of the appraisal report of any employee of the bank. Interested people could also use the employment records of the employees with malicious intent. It was also important for the Bank to secure this information. More than a breach, it has been a lapse of oversight on the policy formulation committee’s side.
The Australian Privacy Principles are contained in the Privacy Act 1988, which outlines the process of managing personal information as well as safeguarding privacy pursuant to the act. The policy provides an easy way of understanding the summary of the type of personal information collected. In addition, the process of holding personal information needs to be amended. Evaluating and correcting personal information is also important for the privacy policy. All the details retrieved from the USB that you submitted have been forwarded to our security experts and other related departments. Many new rules regarding data security have to be made in order to prevent further lapses. Steps have to be taken by the Bank management to implement the cyber laws of Australia more effectively so that future breaches can be avoided. There might be concern among all the employees currently working for the bank that their private details, such as financial and physical details, could be leaked.
3. SUB: Regarding Privacy Breach Complaint
Dear Mr. Edward Powell (Facilitator),
I am writing this letter to discuss the complaint that we received on 5th November 2018 about a potential security breach on the premises of the National Australia Bank Ltd. The concerned complaint number is 5/11/2018/NAB/001.
After investigating the concerned USB drive, we found confidential reports on employees of our bank that in the wrong hands could have proven disastrous for the individuals concerned. Along with that, the USB that was submitted also contained some financial details of employees, which breaches our “Credit sharing policy”.
Distribution by employees means the passing out of written or printed materials. Leaflets and handbills provide information regarding the union and contain different campaign propaganda. Usually, solicitation is differentiated from distribution as oral as opposed to written. On the other hand, there is an exception for union authorization cards. The policy needs to be communicated to staff at the commencement of employment, and the employer needs to ensure that staff sign and acknowledge that they have received the policy.
I would also like to invite you to a formal meeting regarding this security lapse in our organization. This would allow all the related departments to work in a coordinated manner. Your presence would be greatly appreciated.
Thanking You
Policy Department
Encl: USB Drive Information
4. The USB does not seem to have left our Bank premises; an internal investigation of the USB should be undertaken to determine whether anyone sent or copied this information. The network forensic experts should then be able to determine to which system the USB had been connected or on which it was used. The culprit in the organisation must be named and shamed to prevent any future attempt to sabotage the privacy policy of our Bank. We should take this as a warning and re-evaluate our company’s privacy policy as soon as possible, keeping in mind all the latest cyber-related threats that have been developing in Australia. In addition, new work procedures need to be developed and implemented through proper planning, along with the handing out of feedback. The employees need to follow the organizational policy and privacy policy. Control of USB flash drives within the environment needs to be set out in the form of a written policy. The policy should define acceptable use of portable storage devices. Most organizations require an acceptable use policy (AUP) that defines how users may utilize the internet, telephones and network resources. Users need to read and agree to abide by the AUP. It is an official document, which needs the approval and support of the legal and human resources departments.
This could damage the brand value of the company, and for this reason strict policies should be implemented for USB and other storage devices, under which the system should detect any unauthorized data downloading on any system and immediately report it to the network administrator. Furthermore, it is unethical for any organization to fail to protect the employees’ information that is submitted to the Bank.
5. Company: National Australia Bank
Complaint Number: 5/11/2018/NAB/001
Complainant: Matthew Hoggard
Date: 5th November 2018
A USB was found in the parking lot of the National Australia Bank and was submitted by the complainant. The essential investigation revealed that the USB contained sensitive information such as employees’ names, resumes and appraisal reports.
- A response letter was sent to the complainant on 7th November explaining what will be done to remedy the situation and thanking him for bringing this breach to our notice.
- A meeting was then conducted to investigate the security breach and to verify whether the complaint was true.
- A meeting of the Privacy Policy committee was held to decide what should be done now that the security breach is verified.
- Addition of a policy to the Privacy Policy so that this kind of security breach does not occur in the near future.
- The employees of the HR department can access information about employees but cannot copy, edit or send any information.
- The ability to edit or copy rests only with the head of the HR department, the CEO of the National Australia Bank and the Board of Trustees. If any such attempt is noticed, an inbuilt warning system to nab the culprit should be triggered at once.
- Further, any stakeholder, such as a third-party recruiting agency, has to sign privacy agreements before working with National Australia Bank in any capacity.
To make it even more foolproof, feedback forms have been circulated to gauge the effectiveness of the change in policy. After the feedback procedure, another clause was added to the Privacy Policy stating that, while accessing private information, employees will not carry any type of storage device, mobile phone, camera, etc.
Presiding Member: XYZ
Verdict: Complaint Closed.