Banks have a legal duty to protect the confidentiality of existing and former customers. Banks also have obligations under the Privacy Act 2020, which contains 13 privacy principles about personal information. In the banking sector, these principles govern:

  • banks’ collection and storage of customer information
  • customers’ rights to access and correct information about themselves
  • the disclosure of personal information.

We can consider complaints about breaches of privacy and duty of confidence. Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office. An example would be if a customer sought compensation that exceeded our limit. 

Concepts similar, but not the same

A duty of confidence and the legal obligation to protect privacy are similar, but not the same. The former applies to information about individuals and businesses, the latter to information about individuals only (and that includes bank staff). If a complaint requires us to look into the behaviour of a staff member, we can ask the bank to tell us what systems or process changes it has put in place to correct a problem, but we cannot seek information about any disciplinary or other action the bank may have taken against that individual.

Disclosing confidential information

There are four broad situations in which a bank can lawfully disclose confidential information:

  • When the law compels it to: Banks sometimes have to give evidence about a customer’s affairs in court. Banks can also be required to give information to the Inland Revenue Department (under the Tax Administration Act 1994), to the Ministry of Social Development (under the Social Security Act 1964) and to a company liquidator (under the Companies Act 1993). Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).  
  • When it has a public duty to: This applies when there is a danger to the state or when the wider public needs protection against crime. A bank needs to balance the public interest with respecting a customer’s right to privacy when it considers providing information about that person to a third party.
  • When a bank must disclose information to protect its interests: This applies when a bank takes legal action against a customer (such as to recover a debt), or defends an action from a customer and needs to provide information about the customer’s affairs.
  • When a customer agrees: A bank can disclose customer information if the customer agrees. A bank must ensure the information is correct and within the scope of the customer’s consent. A customer may, for example, agree to the bank’s disclosure of information about one account only. If the bank releases information about other accounts, it has breached its duty of confidence.

When a bank breaches confidentiality or privacy

If we consider a complaint about breach of confidence or privacy to be valid (whether accidental or deliberate), we assess whether this has resulted in a direct financial loss to the customer and, if so, award compensation. If the breach is continuing, we can also require the bank to cease its conduct.

We will look at whether the customer has suffered distress, embarrassment or inconvenience. We must be satisfied any distress, embarrassment or inconvenience warrants a compensation payment. Sometimes customers submit substantial claims for minor frustration or inconvenience. We are unlikely to award compensation for minor mistakes that have little or no harmful effects. Banks are also required to report suspicious transactions to Police (under the Financial Transactions Reporting Act 1996 and Anti-Money Laundering and Countering Financing of Terrorism Act 2009).

Sometimes we refer a privacy complaint to the Office of the Privacy Commissioner if we consider it would be better dealt with by that office.

deskladyFlower1

Updated December 2024