Consumer Data Right Information Sharing Plan

1.1 This Information Sharing Plan has been developed in accordance with clause 4.2 of the Consumer Data Right (CDR) Memorandum of Understanding (MOU) between the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC) (together, the Parties).

1.2 The CDR is co-regulated by the ACCC and the OAIC. The ACCC is currently responsible for making the CDR Rules, accrediting potential data recipients, establishing and maintaining a Register of Accredited Persons, monitoring compliance and taking enforcement action where necessary, recommending future sectors to which the CDR should apply, and communicating with and educating consumers and other stakeholders about their rights and obligations under the CDR. The OAIC is primarily responsible for complaint handling and for strategic enforcement relating to the protection of privacy and confidentiality, including conducting investigations into breaches of the privacy safeguards receiving and handling notifications of eligible data breaches relating to CDR data and conducting assessments in relation to the management of CDR data.

1.3 This Information Sharing Plan sets out the basis on which the Parties can share with each other CDR-related information, that may include personal information, in accordance with section 157AA of the Competition and Consumer Act 2010 (Cth) (the CCA) and section 29 of the Australian Information Commissioner Act 2010 (Cth).

2.1 As joint regulators of the CDR, there are multiple areas where the Parties are likely to need to share information. The development of the CDR regime is ongoing and the Parties will need to design, test and review additional rules, standards, technical systems and processes at various stages of CDR implementation.

2.2 As the CDR is a new regime, there may be other CDR-related areas in which the Parties may need to share information, in accordance with the CCA or the Australian Information Commissioner Act 2010 (Cth). This Information Sharing Plan does not limit either Party’s information sharing powers, and may be updated from time to time, as necessary.

2.3 The parties are likely to need to share information for the following topics:

2.4 To review compliance with accreditation obligations: The CDR rules require all accredited data recipients to meet ongoing accreditation obligations, including the ‘fit and proper person’ criteria and compliance with the requirements of specified Privacy Safeguards. In order for the ACCC to discharge its functions as Data Recipient Accreditor, it may be necessary for the Parties to share information about applications for data recipient accreditation, and information about data recipients or associated persons.

2.5 For enforcement related activities: The Parties each have responsibilities under the CCA and the CDR rules to take enforcement action where appropriate and are developing a joint audit and assessment programme in relation to CDR audit and assessment functions. Given this, the Parties will at times need to share information about the conduct of CDR participants, and information about audits and assessments, investigations and litigation (noting that there may be legal impediments to sharing this information).

2.6 To triage CDR matters appropriately: The Australian Government has a ‘no wrong door’ policy for CDR complaint handling. This policy aims to provide a seamless experience for consumers by ensuring complaints are managed by the appropriate Party. To facilitate this, the Parties are developing an internal complaint handling system for automatic triage and allocation. However, the Parties may still need to transfer to each other complaints and reports that have been misdirected or have been received via alternate channels.

2.7 To issue guidance and communications: As joint regulators of the CDR, the Parties will need to issue guidance and communications that are coordinated and consistent. The OAIC also has specific obligations under the CCA to promote compliance with the privacy safeguards. To assist the Parties to meet their obligations the Parties aim to share information about proposed communications, guidance, processes, and educational materials.

3.1 The Parties anticipate sharing the following types of CDR-related information when the information is relevant to fulfilling their CDR-related roles, functions and powers:

1. emerging CDR issues and trends with implications for the Parties
2. information relevant to accreditation-related decisions
3. information relevant to coordination of audits under the CDR rules, and audit findings
4. information relevant to coordination of assessments under section 56 ER of the CCA, and assessment findings
5. information about CDR compliance and enforcement risks, including reports of potential breaches from individuals, businesses, and any risk assessments the parties make, based on information obtained through their CDR functions.
6. information about proposed investigations, closure of investigations, enforcement action, progress of ongoing investigations, litigation or potential litigation (noting that there may be legal impediments to sharing this information) to avoid unintended concurrent regulatory action
7. complaints and reports of potential breaches that may need to be transferred to the other Party
8. information about development and modification of complaint or report handling processes and infrastructure
9. proposed communications, guidance and educational information
10. any other relevant information, as required.

4.1 Should either Party make a request of the other:

1. the request need not be in writing but should be confirmed in writing where it requires a written or detailed response, and
2. where possible, the Parties will provide each other at least five business days to respond to an information sharing request.

4.2. The Parties may meet periodically to discuss matters of mutual interest, including but not limited to CDR-related intelligence, policy issues, investigations, or decisions.

5.1 The following officers are the first point of contact for consultation between the Parties in matters related to this plan: