Commonwealth Bank giving personal information to Roy Morgan Research

It’s very rare I actually go into a bank to conduct any transactions, as most of my banking is done over the internet, via a phone app, or via my cards. So I was most surprised after visiting a branch to make a cash deposit into my savings account, the other week, when I received an email from Roy Morgan Research a few days later asking me if I’d like to do a survey about my recent experience.

Of course the email goes on to say that the Commonwealth Bank respects my privacy, blah, blah and they’d never give out my account number, blah, blah, but they did manage to let Roy Morgan Research know exactly which day I went to the bank, exactly which branch I was in, and my personal email address which is a part of my Bank contact details. Plus, even though the email is from Roy Morgan Research, it’s been made to look like it’s from the Bank itself. I chose to ignore the email.

Today, however, I’ve received another email from Roy Morgan Research, telling me that I haven’t done the survey yet and giving me another opportunity to hit the button and answer all of their questions. This time I scrolled down and found an Opt Out link.

So, the first email said the following:

How was your recent service experience at CommBank?
Roy Morgan Research
Tell us about your experience

Dear Mr Steele,

At CommBank your opinion matters to us. Listening to the feedback of people, businesses and communities ensures we continuously improve the experience for our customers.

That’s why we’re keen to hear about your recent visit to the ROSNY PARK branch on Thursday 9 May, 2019.

If you did not visit this branch you may have received this email if:

  • Someone else recently deposited money into your account at the named branch or,
  • There are multiple account holders or authorised parties transacting on your account(s)
    If this is the case please disregard this survey invitation.

To ensure we uphold the highest standards of privacy, CommBank has partnered with independent company Roy Morgan Research to conduct this survey. Please be assured that we have not provided your financial details to Roy Morgan Research and you do not need to disclose any personal or financial details in this survey. In fact, CommBank will never send an email that asks you to provide your log in or password details.

To start the survey, please click on the link below. If you need a more accessible version of this survey, including for customers using a screen-reader, there is an alternative link further down this email:

The survey should take around 3 minutes to complete.
Start now

Thank you for your time and participation. Please note that this survey will expire in 7 days.

Yours sincerely,

The Commbank Team

About the Survey

Your email address was provided to Roy Morgan Research, an independent survey company for market research purposes only.

To view our Privacy Policy, please go to -

To view Roy Morgan’s Privacy Policy, please go to -

If you no longer wish to receive email invitations to take part in CommBank Customer Experience surveys, please Unsubscribe

For any questions, comments regarding this survey please call 1800 062 403 between 8am-8pm AEST Monday to Friday.

If you have any queries or concerns about this email, please visit:

The second email, received today, contained the following:

Dear Mr Steele,

We noticed that you have not yet had the opportunity to share your feedback about your recent visit to the ROSNY PARK branch.

At CommBank your opinion matters to us. Listening to the feedback of people, businesses and communities ensures we continuously improve the experience for our customers.

That’s why we’re keen to hear about your recent visit to the branch on Thursday 9 May, 2019.

It then proceeded to ramble on about privacy and such like the first email did.

Personally, while I’m happy they’re not giving out my bank details, I don’t think the bank should have any right to contact any organisation to give them information concerning when I’ve been to the bank, which branch I’ve been in, and what my personal contact details are without asking for my consent first. This is all being done on an opt out basis instead of an opt in one.

Anyways, I’ve hit the bugger off button and hopefully this will now go away. Not happy with the breach of privacy to begin with though.


Here is their privacy policy.

Some of it borders on the insulting since the more one reads it the more it shows as mostly window dressing rather than privacy. However, among the BS there is a link whereby you might be able to turn off some preferences and effectively ‘opt out’.


Yes, nice of them to give you the option to opt out AFTER they’ve let you know your info has been passed on to someone else. :confused:


You think that is bad check out ‘Whats App’! (Uploads full contacts regularly, they own said data once it leaves your phone, can’t be ‘deleted’ and they can give/sell it to whoever … that’s not your info that’s anyone/everyone else you’ve interacted with etc).

Then there’s all the medical apps and the like. 24 of the (albeit British) top medical based apps (33 of 36 mental health apps) … these include those ‘magical’ cloud services too …
Majority shared data most likely without users’ knowledge or by contradictory means. Of what the researchers seemingly have been able to ascertain it’s a 50/50 whether that medical info basically just fully detailed/identifiable/track-able too as opposed to properly denormalised/secured.

At least with CBA it’s just a Roy Morgan because they’re outsourcing their customer feedback/polling (medical ones meant to be 3rd/4th party ‘groups’). It’s not great and hopefully they’ll do better.

Oh I am a software engineer so I’ve no foil attire :wink: and am a big proponent of tech/apps etc when they’re done right!

Yeah they could really do a better job of not hiding the opt out when you sign up. (It’s there if you go looking for it).

I bought a car recently and the Ford salesperson was shocked when I did not tick the boxes saying I want Ford’s marketing spam :smiley: (well after asking for a new page that they hadn’t ticked those for me trying to be ‘helpful’).


Perhaps we should all be appreciative of the opportunity to opt out?

In reading the T&Cs of many online or connected services two things stand out to me.
Firstly you are being reassured about the way your personal data will be managed. (A CYA to ensure they appear to comply with legislation and maintain confidentiality).
Secondly having lulled you into feeling they are trustworthy the following many pages of fine print talk about data sharing with other organisations. And offer a series of warm fuzzy phrases that ultimately say it is impossible to ensure data is 100% secure.

There is only the option to opt in.

The alternative is to not use the business or service!

So be it, there are many things I will only do first hand with a business or service face to face. It is not getting any easier.

Having had 40 years in ICT from hardware and OS development to senior management, I trust we both know neither of us can confirm that any app is ‘done right’ unless we personally did it, or at least took part in an audit of it (directly or indirectly to know what the audit actually did). Trust is a big part of it, as well as reports from hackers, as well as people accidentally discovering it or actually reading (OMG!) the privacy statements, that are once again, largely based on trust as to the reality behind the curtains.

I trust companies to honour privacy about as much as I expect our government to honour its commitments to govern for the benefit of all Australians, not just for itself and its donors. Some of it is unintended but if a dollar in a pocket can be attributed or attached to something, that dollar usually trumps everything else.


You should lodge a formal complaint with CommBank.

They are begging you to give feedback about your recent experience with them. Give them what they want.

It may not necessarily be a breach as it is in accordance with their privacy statement, namely:

  • Legitimate interests: We need to process your personal information for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal information which overrides these legitimate interests.

Notwithstanding this, privacy is covered in Australia by the Privacy Act 1988. This Act states as an object ‘to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities’.

I would expect that the Commonwealth Bank would rely on this object and also their Privacy Policy and state that the carrying out of a customer survey (by a third party) is essential for the ongoing functions and/or activities associated with the bank.

It is also worth noting that the Office of the Australian Information Commissioner outlines what is personal information…

If the same information was released to the public or a party not engaged by the bank, then using the information on the OAIC it could constitute a breach of privacy.

The OAIC also has a complaint process should one strongly believe their privacy has been breached. The complaint process can be found here:

Knowing that the bank’s corporate lawyers would have been all over the privacy risks before engaging Roy Morgan for the customer satisfaction surveys, one needs to think is it really a battle worth fighting along with the stress associated with such battles.

It is also worth noting that emails and names are the two primary identifiers used when conducting any activities with any online business.

The alternative argument is that if we don’t fight the good fight nothing will ever change. Making a complaint is hardly fighting a battle. Being persistent is not necessarily waging a war?

Worse still, those with interests contrary to our own best will continue to increase their influence and thus scope.

It might be worth observing nature for examples of this. How selfless is a worker bee or ordinary ant compared to the health of the hive or nest? Neither complain and look what they achieve. Collectively or as individuals. Of course in the human example some are more capable of occupying a special place in the community. :thinking:

The comment was made as there are many service companies which are contracted by businesses to perform functions on their behalf. Arguing against potentially a relatively benign case is unlikely to be successful when there are examples of:

  1. businesses/governments which outsource payroll functions (contact details, employment information, banking details as well as financial information are shared)
  2. companies which use stockbroker service providers to manage shareholdings within the company (sharing contact information, financial information, banking details etc)
  3. financial institutions and other creditors including government which share information with credit reporting service providers (all personal information, financial information etc)
  4. Businesses/government which use mailing services and share billing information, contact details etc
  5. and the list goes on.

Taking on such a case is unlikely to be successful. If it was, it would have major ramifications for all those service companies which support businesses and businesses would be pushed into carrying out all functions in-house. Such would have significant impact on the costs of the primary service to the customer.

By all means lodge a complaint, but before doing so one must also think about the likelihood of its success.

If privacy breaches are taken as seriously as electoral breaches (re 87 validated electioneering issues) the soft words to do better in future will surely cause a rethink. Surely they will.

There are laws and then there are supposed to be but rarely are penalties to deter from breaking them, past and future. The result as expected, it is easy to apologise and usually costs nothing. Deterrent? Reinforcement?

Our history focuses on education rather than penalising (excepting for ‘safety’ cameras and a few assorted technicalities easy to prosecute), but see how well that has gone. It is easy to quote laws, but more difficult to show they are effective. No need for any Royal Commissions the system works so well?

Lodging a complaint is giving them feedback, which they are specifically seeking. Likelihood of ‘success’ (defined as immediate change of behaviour by the bank) is very low. However if you don’t give them feedback then they can say that they didn’t know and indeed they did not know.

Banks might even be just a little bit more receptive to negative feedback after a mauling in the Royal Commission. :slight_smile:

No one is talking about taking it in court all the way to the High Court! No stress. No drama. Just lodging a complaint - so that it is on record that one customer said this, and then if enough “one customers” do that, they may see a pattern.

It is a breach of privacy. It just isn’t a breach of the “privacy statement” or of the Privacy Act. :slight_smile:

Where possible you should have multiple email addresses so that if one email address escapes into the wild (as in this case), other email addresses are not automatically ‘compromised’ in this way - and so that when an email address is compromised, you can identify the likely source of the compromise (although that is not required in this case). In the extreme you would have a unique email address for each organisation or person that you deal with.

I haven’t done this myself yet but plan to do so when I get some time. (This works better if you do it from Day 1. Otherwise you end up trying to change organisations over from the original single address to their specific address, which may involve contacting the organisation or using their web site or recreating accounts - so, multiplied by the number of organisations, ends up being something of a time commitment.)