It could be that the Privacy Commissioner suggested one type of notification and the bank thought another type of notification might have been more appropriate. Sometimes there is a different point of view.
On January 30th, 2007. See this statement in context.