Adaptbl is a NewLaw + Consulting firm whose mission is to transform legal practice and consulting to better suit modern government agencies, businesses and not-for-profits.

We partner with clients to provide solutions that are flexible, holistic and better value for money.


Case Note: “BAM” and American Express Australia Limited

The Privacy Commissioner’s determination

On 15 June 2026, the Privacy Commissioner published a summary of a privacy determination in the matter of “BAM” and American Express Australia Limited (AMEX).

The investigation focused on privacy risks posed by employees having system access to records that they do not have a legitimate business purpose to access. Commissioner Kind’s foreword highlighted that:

Insider security risk remains a significant, yet frequently overlooked, threat to organisations, and to the individuals whose personal information they are entrusted with. Risk arises when individuals with legitimate access to systems and personal information misuse that access in ways that compromise privacy or security.

The Commissioner found that AMEX breached Australian Privacy Principle (APP) 11.1 by failing to take reasonable steps to protect the complainant’s personal information from unauthorised access by an AMEX employee.

The report makes it clear that all regulated entities need to adopt a suite of measures, including appropriate organisational and technical controls, to mitigate insider security risk and protect personal information from unauthorised access.

The OAIC published a summary report rather than a full determination as both AMEX and the complainant had provided sensitive information to the OAIC during the investigation. The OAIC considered that the public interest weighed against publishing the full determination as its disclosure could potentially create cyber risk for AMEX, harm individuals and undermine the OAIC’s investigative process.

Key Takeaways for other APP Entities

The Commissioner summed it up nicely when she said:

Entities that hold personal information must ensure that robust controls are in place to prevent unauthorised internal access. Effective management of insider security risk requires more than organisational policies or staff training – it also requires the implementation of technical controls as appropriate such as access and action logging and an ability to restrict access to specific customer information.

Entities should carefully assess whether their current technical controls are suitable. This will include ensuring that:

· current system access logging and monitoring is commensurate with the privacy risks associated with holding the personal information; and

· employee access to customer information is restricted unless the employee has a legitimate business need to access the personal information.

This is especially important for vulnerable customers, high-profile clients or individuals at a heightened risk of harm.

Background

The matter arose from a privacy complaint made against AMEX concerning unauthorised access to the complainant’s personal information by an AMEX employee. The complainant and the AMEX employee had a personal relationship.

The AMEX employee had access to five separate systems that contained the personal information of the complainant. The AMEX employee’s system access enabled them to view a range of information about AMEX’s customers, including customer names, travel and hotel bookings, rewards information and financial transactions.

The complainant alleged that, during the relationship and after its breakdown, the AMEX employee accessed, used and disclosed the complainant's account information, including their personal information, in a range of contexts and for purposes outside of legitimate business purposes.

The OAIC has provided clear guidance on how it will approach determining whether an entity has taken reasonable steps to protect personal information from insider threats. Relevantly, the OAIC will consider:

· the relevant circumstances, which will include (among other things):

o the amount and sensitivity of the personal information held;

o the potential harm to individuals of unauthorised access;

o the size and sophistication of the entity;

o the current cybersecurity environment and history;

· the steps that were taken to prevent unauthorised access. This will include both organisational controls (such as policies and training) and technical controls (such as system access logging and monitoring, and role-based access controls); and

· whether the steps taken were, in their totality, commensurate with the insider security risks to the complainant’s personal information the entity held.

Importantly, the Commissioner found that where an entity has had prior experience of an insider threat incident, a higher standard of preventative controls will be required. In respect of AMEX, this required:

· uniform account-level access logging across all relevant systems (this control is significant because system access logging and action logging do not record when an employee accesses a specific customer account within a system – only account-level access logging does);

· restricting access to certain customer records;

· implementing just-in-time access; and

· prohibiting employee access to the customer accounts of their friends and family.
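As an added example (not part of the case note, and not code from AMEX or the OAIC), the following Python models the four controls listed above over constructed account-level audit records: each record names the specific customer account viewed, restricted accounts may only be opened under an active just-in-time grant tied to a ticket, and any access to an account the employee has declared as a friend or family member is flagged. All identifiers (emp42, acct-1001, TKT-77 and so on) are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AccessEvent:
    """One account-level audit record: who viewed which customer account, when."""
    employee: str
    account: str
    at: datetime

@dataclass(frozen=True)
class JitGrant:
    """Just-in-time grant tied to a business ticket; expires after ttl."""
    employee: str
    account: str
    ticket: str
    start: datetime
    ttl: timedelta

def review_access(events, grants, conflicts, restricted):
    """Return (event, reason) pairs that warrant follow-up.
    conflicts: employee -> accounts they declared as friends/family.
    restricted: accounts that may only be opened under an active JIT grant."""
    findings = []
    for ev in events:
        if ev.account in conflicts.get(ev.employee, set()):
            findings.append((ev, "declared-relationship"))
        elif ev.account in restricted and not any(
                g.employee == ev.employee and g.account == ev.account
                and g.start <= ev.at <= g.start + g.ttl for g in grants):
            findings.append((ev, "no-active-jit-grant"))
    return findings

# Constructed sample data (hypothetical ids, not from the determination).
T0 = datetime(2026, 6, 1, 9, 0)
GRANTS = [JitGrant("emp42", "acct-1001", "TKT-77", T0, timedelta(hours=2))]
CONFLICTS = {"emp42": {"acct-2002"}}      # emp42 declared acct-2002 as family
RESTRICTED = {"acct-1001", "acct-3003"}   # high-risk or high-profile customers
EVENTS = [
    AccessEvent("emp42", "acct-1001", T0 + timedelta(minutes=30)),  # inside grant
    AccessEvent("emp42", "acct-1001", T0 + timedelta(hours=5)),     # grant expired
    AccessEvent("emp42", "acct-2002", T0 + timedelta(hours=1)),     # relative's account
    AccessEvent("emp42", "acct-3003", T0 + timedelta(hours=1)),     # restricted, no grant
    AccessEvent("emp42", "acct-4004", T0 + timedelta(hours=1)),     # ordinary account
]

def sample_findings():
    """Account ids and reasons flagged for the constructed sample."""
    return [(ev.account, why) for ev, why in review_access(EVENTS, GRANTS, CONFLICTS, RESTRICTED)]
```

The ordinary account (acct-4004) is not flagged, which is the point of pairing restricted records with JIT grants: the review concentrates on accounts where unauthorised viewing would cause the most harm, while the account-level records still exist for every access if a complaint later requires them.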

Lily McCormick (Paralegal) and James Pratt (Special Counsel)

For further information, please contact James Pratt | james.pratt@adaptbl.com.au | 0423 368 823
