One of Australia's biggest banks has apologised after documents containing confidential personal information from its customers was found dumped in a Perth skip bin.
Key points:
- The sensitive documents were found in a skip in Perth's south-east
- ANZ has apologised and says is it investigating the incident
- One expert says it is a "clear breach of the Privacy Act"
Scott Collins was walking to his car after work near Armadale Shopping Centre in the city's southeast, when he came across the discarded documents.
"There was paper floating down the street, and I looked down, and it was transaction statements, there was people's names [and] phone numbers," he said.
"And then I went to look in the skip bin that had more paper, and it was just everywhere."
The documents contained transaction information, personal details, mortgage loan rates and internal banking procedures.
Mr Collins believes they were thrown out with teller machines and desks, also found in the skip bins, after the local ANZ branch closed its doors.
While he's not an ANZ customer himself, the 26-year-old said anyone who banks with the organisation should be upset.
"I would be angry if that was my data," he said.
"Data is our most precious resource at the moment, and it's just been thrown out in the bin."
Mr Collins said the bank "hadn't learnt anything" from recent data breaches involving Optus and Medibank.
"They should learn to keep it private, to keep it safe [and] to keep it secure. That needs to be the priority above everything else, but I feel like making money is their priority," he said.
In a statement, ANZ apologised for the incident, saying it was "urgently investigating to understand what happened".
The bank said it took the security of its customers information seriously, as well as its obligations under the law.
Data loss a 'clear breach'
It explained that it had "strict processes in place" to securely dispose of documents when a branch is closed and that those processes were closely supervised by staff.
However, Curtin Law School senior lecturer Anna Bunn said what had happened was a "clear breach of the Privacy Act".
As an ANZ customer herself, she told ABC Radio Perth she was shocked to hear about the incident.
"You just don't expect that kind of thing to happen at all … and [for] banks of all institutions to be handling personal information in that way," Dr Bunn said.
"And I think particularly in light of some of the recent data breaches that have been so much in the public eye, it really beggars belief."
Dr Bunn said banks had obligations to take reasonable steps to protect personal information and when that information was no longer needed, to destroy or de-identify it.
She said if a complaint was made to the Office of the Australian Information Commissioner or the breach was deemed to be serious, ANZ may be ordered to pay a fine.
She said the Information Commissioner could also award compensation to individuals who have suffered any loss or damage as a result of their personal information being accessed, such as through identity theft.
"If there is any indication that this is the result of a systemic failure of practice, then the commissioner can also enter into an enforceable undertaking with the bank to try and prevent this kind of thing happening again," she said.
That's what Scott Collins is hoping for.
"I want a spokesperson to come out in person and apologise … and say that they will never let this happen again," he said.
"Their statement was just a copy and paste statement that all these companies do and they're not sorry.
"And I think Australia has had enough of these statements where they're just trying to sweep it under the carpet."