Introduction

• This Guide outlines key privacy obligations for data holders in the Consumer Data Right (CDR) system, and should be read in conjunction with the CDR Privacy Safeguard Guidelines.[1]
• This Guide focuses on data holder privacy obligations for CDR data that is not SR (shared responsibility) data. For further information about primary data holder obligations in relation to SR data, see Appendix A.[2]
• Data holders should read this Guide together with the full text of Division 5 of Part IVD of the Competition and Consumer Act 2010 (Competition and Consumer Act), the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules) and the Competition and Consumer Regulations 2010 (Competition and Consumer Regulations).
• Chapter B (Key concepts)of the CDR Privacy Safeguard Guidelines contains guidance on general matters, including an explanation of key concepts that are used throughout this Guide.
• The Guide focuses on the key privacy obligations of data holders. For detailed guidance on other data holder compliance obligations under the CDR Rules and Consumer Data Standards, see the compliance guides for data holders in the banking and energy sectors issued by the Australian Competition and Consumer Commission (ACCC) and guidance issued by the Data Standards Body (DSB).
• This Guide is not legally binding and does not constitute legal advice about how an entity should comply with the CDR Rules and/or the privacy safeguards. Entities may wish to seek independent legal advice where appropriate.

Key points

• In the CDR system, a data holder must comply with various privacy obligations, including obligations relating to:
  • the privacy safeguards
  • consumer data request services
  • managing disclosure options for joint accounts
  • disclosure of CDR data
  • authorisation
  • consumer dashboards
  • notification of consumers, and
  • maintaining and providing access to certain records.
• In the banking sector, an example of a data holder is an authorised deposit-taking institution (such as a bank). In the energy sector, an example of a data holder is an energy retailer.
• A data holder discloses CDR data to an accredited person where required or authorised to do so in response to a consumer data request.
• A data holder must ask a consumer to authorise the disclosure of their CDR data to an accredited person (unless an exception applies).
• For a data holder that is also subject to the Privacy Act 1988 (Privacy Act), the Australian Privacy Principles (APPs) will apply to CDR data that is also personal information, with some exceptions.[3]

Who is a data holder?

• In the banking sector, an example of a data holder is an authorised deposit-taking institution (such as a bank).[4] In the energy sector, an example of a data holder is a retailer.[5]
• In the CDR system, a data holder discloses CDR data to an accredited person where required or authorised to do so in response to a consumer data request.[6]
• A person is a ‘data holder’ of CDR data if:
  • the CDR data falls within a class of information specified in the designation instrument for the relevant sector[7]
  • the CDR data is held by (or on behalf of) the person on or after the earliest holding day[8]
  • the CDR data began to be held by (or on behalf of) the person before that earliest holding day, is of continuing use and relevance, and is not about the provision of a product or service by (or on behalf of) the person before the earliest holding day[9]
  • the person is not a designated gateway for the CDR data, AND
  • any of the following three cases apply:[10]
    • the entity is specified as a data holder in the designation instrument — the person belongs to a class of persons specified in a designation instrument, and the CDR data was not disclosed to the person under the CDR Rules
    • reciprocity — the CDR data was not disclosed to the person under the CDR Rules, and the person is an accredited data recipient of other CDR data, or
    • as enabled by the CDR Rules — the CDR data was disclosed to the person under the CDR Rules, and the person is an accredited person who meets conditions set out in the CDR Rules.[11]
• For further information on when a person will be a ‘data holder’ of CDR data, see Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

What privacy obligations in the CDR system apply to data holders?

• In the CDR system, a data holder must comply with privacy obligations relating to:
  • Privacy Safeguards 1 (open and transparent management of CDR data), 10 (notifying of the disclosure of CDR data), 11 (quality of CDR data) and 13 (correction of CDR data)[12]
  • providing consumer data request services
  • managing disclosure options for joint accounts, including by providing a disclosure option management service to joint account holders
  • disclosing CDR data in response to consumer data requests
  • asking consumers to give or amend authorisations
  • managing authorisations, including by providing consumer dashboards
  • notifying consumers of certain matters in relation to their data sharing arrangements, and
  • providing access to copies of records where requested by consumers.
• Several of these privacy obligations require actions to be taken in accordance with the data standards. The data standards are available on the Consumer Data Standards website.[13]
• A data holder should also be aware that they have other, non-privacy related obligations under the CDR Rules. For example, the requirements relating to product data requests.[14] These are not covered in this Guide. For information on these obligations, see the ACCC’s compliance guides for data holders in the banking and energy sectors.

Does the Privacy Act apply to data holders?

• Where a data holder is an APP entity,[15] they must continue to comply with the Privacy Act.
• The APPs will apply to CDR data held by data holders (where it is also personal information), with the exception of APP 10 (quality of personal information) and APP 13 (correction of personal information).
• These APPs are replaced by Privacy Safeguard 11 (quality of CDR data) and Privacy Safeguard 13 (correction of CDR data) once the data holder is required or authorised to disclose the CDR data under the CDR Rules.[16]

Privacy Safeguards

• A data holder must comply with the following privacy safeguards:
  • Privacy Safeguard 1 (open and transparent management of CDR data)
  • Privacy Safeguard 10 (notifying of the disclosure of CDR data)
  • Privacy Safeguard 11 (quality of CDR data), and
  • Privacy Safeguard 13 (correction of CDR data).
• Information about how to comply with these privacy safeguards is available in Chapters 1, 10, 11 and 13 of the CDR Privacy Safeguard Guidelines.

Services to make and manage consumer data requests

• The CDR Rules require data holders to provide particular services to accredited persons and consumers to assist in making and managing consumer data requests. The services required depend on the nature of the consumer and account type as outlined further below.

Consumer data request services

• A data holder may be required to disclose CDR data at the request of a consumer. The request is known as a ‘consumer data request’ and can be made to the data holder by an accredited person, on the consumer’s behalf.[17]
• A data holder must provide an ‘accredited person request service’ to allow accredited persons to make consumer data requests, on behalf of consumers, to the data holder.
• This service must comply with the requirements in subrule 1.13(1)(b) of the CDR Rules.
• A data holder must also provide the following services, depending on the nature of the consumer or account. These services can be provided online, but are not required to be:[18]
  • For each non-individual consumer, and each consumer who is a partner in a partnership[19] – a service that allows the consumer to nominate one or more individuals (known as ‘nominated representatives’) who may give, amend and manage authorisations to disclose CDR data on the consumer’s behalf, and also allows the consumer to revoke such nominations.[20]
  • For each account in relation to which a person has account privileges[21] – a service that allows the account holder to make a secondary user instruction, [22] and withdraw that instruction.[23]

Joint accounts – disclosure options management

Disclosure options for joint accounts

• There are specific rules that apply to consumer data requests relating to joint accounts.
• Where joint account holders are ‘eligible consumers’,[24] data holders must allow them to choose what disclosure option applies to the joint account.[25] The options are:
  • Pre-approval option : this option is the least restrictive sharing preference and allows data on the joint account to be independently shared by all requesting joint account holders (without approval from other joint account holders). This option applies by default and must be offered on joint accounts.[26]
  • Co-approval option : this option is a more restrictive sharing preference and requires all joint account holders to approve the disclosure of joint account data before it may be shared.
  • Non- disclosure option : this option is the most restrictive sharing preference and means that joint account data cannot be disclosed under the CDR Rules.
• Data holders must offer the pre‑approval option and non‑disclosure option on joint accounts. Data holders may offer the co‑approval option but are not required to.

Disclosure option management service

• Data holders must provide an online disclosure option management service to each joint account holder who is an eligible CDR consumer.[27] The disclosure option management service must allow the joint account holder to:[28]
  • change the disclosure option that applies to the account to a more restrictive option[29]
  • propose to the other joint account holders to change the disclosure option that applies to a less restrictive option,[30] and
  • respond to a proposal by another joint account holder to change the disclosure option.
• The disclosure option management service must meet the requirements set out in rule 4A.6 of the CDR Rules.[31]

Changing the disclosure option to a more restrictive option

• Data holders must allow each joint account holder to change to a more restrictive disclosure option using the disclosure option management service at any time, without needing the agreement of the other joint account holders.[32]
• That is, if the pre‑approval option applies to a joint account, a joint account holder may at any time choose that the co‑approval option or non-disclosure option will apply to the joint account. If the co-approval option applies, a joint account holder can use the disclosure option management service to apply the non-disclosure option.
• If a joint account holder applies a more restrictive disclosure option, the data holder must provide the other joint account holders with the information outlined in subrule 4A.7(3) of the CDR Rules.[33]

Obtaining agreement to change to a less restrictive disclosure option

• One joint account holder may use the disclosure option management service to propose a less restrictive disclosure option to the other joint account holders. The other account holders need to agree before that disclosure option will apply.
• That is, if the non-disclosure option applies, a joint account holder can use the disclosure option management service to propose the co-approval option (if offered by the data holder) or pre-approval option. If the co-approval option applies, a joint account holder can use the disclosure option management service to propose the pre-approval option. [34]
• Where a joint account holder makes a proposal to change to a less restrictive disclosure option, the data holder must provide the other joint account holders with the information outlined in subrules 4A.8(2) to 4A.8(3) of the CDR Rules.[35]

Disclosing CDR data to accredited persons

• An accredited person may request that a data holder disclose a consumer’s CDR data to them (following a request to do so from that consumer).[36] This is a ‘consumer data request’ by an accredited person on behalf of a consumer. [37]
• The consumer data request must be made using the data holder’s accredited person request service, in accordance with the data standards.[38]
• Before a data holder can disclose CDR data to an accredited person, the consumer must first authorise the data holder to disclose the particular data to that accredited person.[39]
• A data holder is required to disclose CDR data in response to a consumer data request from an accredited person where:
  • the consumer has authorised the disclosure of some or all of the required consumer data,[40] and
  • the request relates to ‘required’ consumer data.[41]
• The following sections of this Guide outline:
  • when a data holder must seek authorisation
  • how that authorisation must be sought
  • circumstances where a data holder may refuse to disclose required consumer data
  • how authorisations must be managed, and
  • additional authorisation requirements for joint accounts.

Authorisation

When to seek an authorisation, or an amendment to an authorisation

• A data holder must seek a consumer’s authorisation for the disclosure of CDR data where the data holder:[42]
  • receives a consumer data request from an accredited person (on behalf of an eligible CDR consumer),[43] and
  • does not already have a current authorisation to disclose the CDR data.[44]
• A data holder must invite a consumer to amend their authorisation where:
  • the data holder is notified by the accredited person that the relevant consent has been amended,[45] and
  • the authorisation is current.[46]
• The data holder must seek authorisation, and amendments to authorisation, in accordance with Division 4.4 of the CDR Rules and the applicable data standards.[47]
• When a data holder receives a consumer data request from an accredited person in relation to a joint account:[48]
  • if the pre-approval option applies to the joint account, the data holder must process the request as it would any other request on a non-joint account in accordance with rules 4.5 to 4.7 of the CDR Rules. That is, the data holder must comply with the rules for seeking authorisation and disclosing consumer data in response to a consumer data request.[49] If one account holder requests a disclosure of data, the other account holders are treated as having approved disclosing the data relating to the joint account and the data holder must make the requested disclosure.
  • if the co-approval option applies, the data holder must seek the requester’s authorisation[50] and if this is given, invite the approval of the relevant account holders before disclosing data from the account[51]
  • if the non-disclosure option applies, the data holder must refuse to disclose the requested CDR data.
• The following flow chart demonstrates the role of authorisation in the key information flow between a consumer, data holder(s) and an accredited person (including in relation to SR data requests, which are dealt with in Appendix A to this Guide). For flow charts that show key information flows involving CDR representative and sponsorship arrangements, see Chapter C of the Privacy Safeguard Guidelines.

Situations where a data holder may refuse to seek an authorisation

• A data holder may refuse to seek an authorisation in the following circumstances outlined in rule 4.7 of the CDR Rules:
  • where the data holder considers this to be necessary to prevent physical, psychological or financial harm or abuse[52]
  • where the data holder has reasonable grounds to believe that disclosing some or all of the CDR data would adversely impact the security, integrity or stability of the Register of Accredited Persons or the data holder’s ICT systems[53]
  • where the CDR data relates to an account that is blocked or suspended, or
  • where provided for in the data standards.[54]
• Where the data holder refuses to seek an authorisation for a reason outlined above, they must inform the accredited person of the refusal in accordance with the data standards.[55]

Situations where a data holder is not required to seek an authorisation

• A data holder would not be required to seek an authorisation (and therefore would not disclose CDR data in response to that specific consumer data request) in the following circumstances:
  • where the consumer data request relates to a non-individual CDR consumer or partnership account, but there is no nominated representative[56]
  • where the person who makes the request has account privileges, but the account holder has not provided a secondary user instruction for that person (or the account holder has provided a secondary user instruction for the person, but has subsequently withdrawn it),[57] or
  • where the consumer data request relates to a joint account and the non-disclosure option applies to the account.[58]

Requirements for seeking or amending an authorisation

General processes

• A data holder’s processes for asking a consumer to give or amend an authorisation must:
  • accord with the data standards, and
  • be as easy to understand as practicable, including by using concise language and, where appropriate, visual aids.[59]
• In ensuring processes are easy to understand, a data holder must also have regard to the Consumer Experience Guidelines.[60]

Information to be provided

• When asking a consumer to give or amend a current authorisation, a data holder must provide the consumer with the following information as required by rule 4.23 of the CDR Rules:
  • the name of the accredited person that made the consumer data request, or provided notification of the relevant consent having been amended
  • any information held by the Register of Accredited Persons in relation to the accredited person that is specified as information that must be provided to a consumer when seeking or amending an authorisation
  • the period of time to which the CDR data relates (noting this may be affected by the earliest holding day in the relevant sector)[61]
  • the types of CDR data that will be disclosed (the data holder must use the Data Language Standards to describe the CDR data)[62]
  • whether the authorisation relates to a ‘one-off’ disclosure, or an ongoing disclosure over a period of time (no more than 12 months)[63]
  • if authorisation is being sought for an ongoing disclosure — what the time period is (no more than 12 months)[64]
  • a statement that the authorisation can be withdrawn at any time, and
  • instructions for how the authorisation can be withdrawn.

Restrictions on seeking or amending an authorisation

• Rule 4.24 of the CDR Rules provides that when asking a consumer to authorise the disclosure of CDR data, or to amend a current authorisation, the data holder must not:
  • add any requirements to the authorisation process aside from those set out in the data standards and the CDR Rules
  • provide or request additional information beyond those specified in the data standards and the CDR Rules
  • offer additional or alternative services, or
  • include or refer to other documents.
• The above practices are not permitted, because they may make authorisation harder for consumers to understand and have the potential to undermine the voluntary nature of the authorisation.

Obligations upon receiving an authorisation

• Generally, once a data holder has received authorisation, or an amendment to authorisation, from the relevant consumer/s, the data holder:
  • must disclose the required consumer data (subject to rules 4.6A and 4.7 of the CDR Rules),[65] and
  • may disclose the relevant voluntary consumer data (subject to rule 4.6A of the CDR Rules).[66]
• Additional requirements apply if the account is a joint account and the co-approval option applies.[67] In these circumstances, the data holder will only be required or authorised to disclose the relevant CDR data if the requester has authorised the disclosure and each relevant joint account holder has approved the disclosure.[68]
• The data holder must disclose the data via its accredited person request service, and in accordance with the data standards.[69]
• A data holder must not charge a fee for the disclosure of required consumer data.[70]

Approval from relevant joint account holders

• As explained above, one disclosure option for joint accounts is co-approval.[71] If the co-approval option applies and the requesting joint account holder authorises the disclosure of CDR data, the data holder must ask all relevant account holders for their approval to disclose that data.[72] The data holder must not disclose the data unless all relevant account holders have given their approval.
• When seeking approval, the data holder must use its ordinary means of contacting each relevant account holder.[73] The data holder must ask each account holder to approve or not approve the disclosure,[74] and provide the following information required by rule 4A.11 of the CDR Rules:
  • that an accredited person has requested the disclosure of CDR data that relates to the joint account on behalf of the requesting joint account holder
  • that the requesting joint account holder has authorised disclosure of the joint account data (under Division 4.4 of the CDR Rules)
  • the information referred to in paragraphs 4.23(1)(a)-(e) of the CDR Rules, in so far as they relate to the request[75]
  • the time by which the data holder needs an approval, and the fact that the joint account data will not be disclosed if the approval is not received by that time, and
  • that any relevant account holder may withdraw their approval using the consumer dashboard at any time (and the effect of removing the approval).
• If all relevant account holders give their approval, the data holder must comply with rules 4.6 to 4.7 of the CDR Rules in relation to disclosing the joint account data.[76]
• Approvals generally last for the same period as the associated authorisation to disclose CDR data.[77] However, any relevant account holder may withdraw their approval at any time using their consumer dashboard.[78]

Situations where a data holder may refuse to or must not disclose CDR data once an authorisation is received

• Despite having received an authorisation (and where necessary, approval), or an amendment to authorisation, a data holder may refuse to disclose required consumer data in the following circumstances as outlined in rule 4.7 of the CDR Rules:
  • where the data holder considers this to be necessary to prevent physical, psychological or financial harm or abuse[79]
  • where the data holder has reasonable grounds to believe that disclosing some or all of the CDR data would adversely impact the security, integrity or stability of the Register of Accredited Persons or the data holder’s ICT systems[80]
  • where the CDR data relates to an account that is blocked or suspended, or
  • where provided for in the data standards.
• Where the data holder refuses to disclose CDR data for a reason outlined above, they must inform the accredited person of the refusal in accordance with the data standards.[81]
• A data holder must not disclose CDR data that relates to a particular account if:
  • the request was made on behalf of a secondary user of the account, but the account holder has indicated through their consumer dashboard that they no longer approve of CDR data being shared to that accredited person in response to requests by or on behalf of that secondary user, [82] or
  • a Schedule to the CDR Rules provides that the CDR data must not be disclosed.[83]
• In addition, a data holder must not disclose CDR data that relates to a non-individual CDR consumer account or partnership account for which there is no nominated representative.[84]Where a data holder has received a temporary direction from the Accreditation Registrar to refrain from processing consumer data requests, the data holder must not disclose CDR data in response to a consumer data request contrary to this direction. [85]

How authorisations must be managed

Consumer dashboards

• A consumer dashboard is an online service which data holders must offer (and in most circumstances provide) to a consumer, following receipt of a consumer data request from an accredited person (on behalf of that consumer).[87]
• The purpose of the consumer dashboard is to help the consumer to manage and view the authorisations that they, or a secondary user, have given to disclose their CDR data.
• A data holder must provide a consumer dashboard to a CDR consumer in the circumstances specified in the relevant sector schedule to the CDR Rules:[88]
  • In the banking sector, when a data holder receives a consumer data request from an accredited person on behalf of an eligible CDR consumer, it must provide a consumer dashboard.
  • In the energy sector, when a data holder receives a consumer data request from an accredited person on behalf of a CDR consumer who:
• has online access to the relevant account, it must provide a consumer dashboard, or
• does not have online access to the relevant account, it must offer the CDR consumer a consumer dashboard and provide it if the CDR consumer accepts.[89]
• The general requirements for the dashboard are contained in subrule 1.15(1) of the CDR Rules and outlined below.
• Additional requirements apply where the consumer is a secondary user or non-individual, or where the CDR data requested relates to a partnership or joint account. These are outlined further below in this section.
• Where a consumer dashboard is provided to a consumer, it should be provided as soon as practicable after the data holder receives the relevant consumer data request.[90]
• The consumer dashboard must contain the following details for each authorisation:[91]
  • the CDR data to which the authorisation relates
  • the date on which the consumer gave the authorisation
  • the period for which the consumer gave the authorisation
  • if the authorisation is current — when it will expire
  • if the authorisation is not current — when it expired
  • the information required to notify the consumer of the disclosure of their CDR data, being:
    • what CDR data was disclosed
    • when the CDR data was disclosed, and
    • the accredited data recipient for the CDR data, and[92]
  • if the CDR data was disclosed in response to a request under Privacy Safeguard 11 for the data holder to disclose corrected CDR data – a statement of this fact.[93]
• The consumer dashboard must have a functionality that allows the consumer to withdraw authorisation at any time. This functionality must: [94]
  • be simple and straightforward to use, and prominently displayed,[95] and
  • as part of the withdrawal process, display a message outlining the consequences of withdrawing authorisation in accordance with the data standards.
• The consumer dashboard must also contain any information that has been specified as information for rule 1.15 of the CDR Rules in the data standards or on the Register of Accredited Persons.[96]
• A data holder must update a consumer’s dashboard as soon as practicable after the information required to be contained on the dashboard changes.[97]

Non-individuals and partnership

• For non-individual consumers, or where the requested CDR data relates to a partnership account, a data holder must ensure the dashboard allows only nominated representatives to manage authorisations.[98]

Secondary users

• Where the consumer is a secondary user,[99] in addition to providing the secondary user with a dashboard, the data holder must also ensure the dashboard for the relevant account holder:[100]
  • contains the details listed above about each authorisation given by that secondary user
  • allows the account holder to indicate that they no longer approve CDR data being shared with a particular accredited person on behalf of that secondary user [101]
  • allows the account holder to withdraw the secondary user instruction
  • is simple and straightforward to use,[102] and prominently displayed
  • is no more complicated to use than the processes for giving the authorisations or instructions, and
  • as part of the withdrawal process, displays a message outlining the consequences of withdrawing a secondary user instruction, in accordance with the data standards.
• Where the data holder has not already provided a dashboard for the relevant account holder,[103] the requirements listed above can be provided via an online service. [104]

Joint accounts

• Data holders must provide all relevant account holders with a consumer dashboard for managing approvals to disclose CDR data in relation to their joint account. This requirement applies where either the co-approval option or the pre-approval option applies, or has applied, to the joint accounts.[105]
• The consumer dashboard must meet the requirements for individual account dashboards outlined above.
• Where a data holder already provides a consumer dashboard for a relevant account holder because that consumer is sharing CDR data from another account, that existing dashboard must be used.[106]
• All joint account holders should be able to view the same details about each approval as the requesting account holder.[107]

Consumers may withdraw authorisation

• A consumer who has given authorisation for a data holder to disclose their CDR data may withdraw the authorisation at any time.[108]
• Where a consumer withdraws authorisation, the data holder must give effect to the withdrawal as soon as practicable, and in any case within 2 business days after receiving the withdrawal.[109] The data holder must also notify the accredited person of the withdrawal in accordance with the data standards.[110]
• A data holder must allow a consumer to withdraw authorisation by:
  • using the data holder’s consumer dashboard, or
  • using a simple alternative method of communication made available by the data holder.[111]

• The functionality to withdraw authorisation on the consumer dashboard must:
  • be simple and straightforward to use
  • be prominently displayed
  • be as easy to use as the process for giving an authorisation, and
  • display a message outlining the consequences of withdrawing authorisation. This message must accord with the data standards.[112]
• The alternative method of communicating the withdrawal of authorisation must be simple.[113] In addition, it:
  • should be accessible and straightforward for a consumer to understand and use, and
  • may be written or verbal. Where it is written, the communication may be sent by electronic means (such as email) or non-electronic means (such as by post).
• A data holder may wish to ensure their alternative method of communication is consistent with existing channels already made available to its customers,[114] for example through their telephone helpline.

Effect of withdrawing authorisation

• The main consequence of withdrawing an authorisation is that the authorisation expires, and CDR data can no longer be shared with the relevant accredited person.[115] Information about when authorisation expires is contained in the following section of this Guide.
• If a consumer withdraws authorisation using the data holder’s consumer dashboard, the withdrawal is immediately effective.[116]
• If a withdrawal is not communicated over the consumer dashboard, the data holder must ‘give effect’ to the withdrawal as soon as practicable, but not more than 2 business days after receiving the communication.[117]
• The test of practicability is an objective test. In adopting a timetable that is ‘practicable’ a data holder can take technical and resource considerations into account. However, the data holder must be able to justify any delay in giving effect to the consumer’s communication of withdrawal.
• ‘Giving effect’ to the withdrawal includes updating the consumer dashboard to reflect that the authorisation has expired,[118] as required by rule 4.27 of the CDR Rules.[119]

When an authorisation expires

• Upon an authorisation expiring, CDR data can no longer be shared with the relevant accredited person. Rule 4.26 of the CDR Rules provides that authorisation expires in the following circumstances:
  • If the authorisation is withdrawn
    • If a withdrawal notice is given via the consumer dashboard, the authorisation expires immediately. Where withdrawal is not given through the consumer dashboard, the authorisation expires when the data holder gives effect to the withdrawal, or 2 business days after receiving the communication, whichever is sooner.
  • Upon the consumer ceasing to be ‘eligible’ [120]
    • For example, the consumer no longer holds any open accounts with the data holder.
  • When the data holder is notified by the accredited person of the withdrawal of consent
    • Upon notification from the accredited person that the consumer has withdrawn their collection consent, the authorisation expires immediately.
  • For ongoing disclosure, at the end of the period of authorisation, or the period of authorisation as last amended (no longer than 12 months after authorisation was given or amended)
    • Authorisation expires at the end of the specified period for which the consumer gave authorisation for the data holder to disclose the CDR data. Where the period of the authorisation has been amended, authorisation expires at the end of this period. In both cases, the specified period cannot be longer than 12 months.
  • For disclosure on a single occasion, after the CDR data has been disclosed
  • If another CDR Rule provides that authorisation expires
    • For example: an authorisation to disclose CDR data expires once the accredited person becomes a data holder rather than an accredited data recipient for the CDR data.[121]
  • If the accredited person’s accreditation is revoked or surrendered
    • Authorisation for a data holder to disclose CDR data to that accredited person expires when the data holder is notified of the revocation or surrender.

Notification requirements

• A data holder must comply with the following consumer notification requirements under the CDR Rules:
  • Notification of disclosure
    • A data holder must notify the consumer of the disclosure of their CDR data as soon as practicable after the disclosure occurs.[122]
  • Update consumer dashboard
    • A data holder must update a consumer’s dashboard as soon as practicable after the information required to be contained on the dashboard changes.[123]
  • Additional notification obligation – joint accounts
    • If the relevant account is a joint account, the data holders must provide a notice (called an ‘approval notification’) to:
      • a relevant account holder, where the requester has given, amended or withdrawn an authorisation, or the authorisation has expired, or
      • the requester, where relevant account holder(s) have not given approval for disclosure within the relevant timeframe, or have withdrawn an approval.[124]
    • The data holder must provide the approval notification as soon as practicable after the relevant event occurs, unless the joint account holder has selected an alternative schedule of notifications.[125] The notification must be given through the data holder’s ordinary means of contacting the joint account holder(s).[126]
  • Additional notification obligation – authorisations given by secondary users
    • Where a secondary user amends or withdraws an authorisation, or such an authorisation expires, a data holder must notify the account holder of this fact as soon as practicable.[127]

Liability for third-party service providers

• In certain circumstances, a data holder may be accountable under the CDR system for the conduct of its third-party service providers. For example, where the service provider is acting on the data holder’s behalf, within the service provider’s actual or apparent authority.[128]
• The CDR system does not regulate a data holder’s engagement of a third-party service provider. However, data holders must still ensure they meet their obligations under the CDR system and any other relevant legislation (such as the Privacy Act).
• Where a data holder is also an accredited data recipient, they should be aware that the CDR system does regulate an accredited data recipient’s engagement of a third-party service provider (where that third party is considered an ‘outsourced service provider’ under the CDR Rules).[129] The CDR system also regulates CDR representative arrangements to which an accredited data recipient is a party, and an accredited data recipient is liable for the conduct of its CDR representatives under that arrangement.[130]

Providing access to copies of records

• A consumer may request access to copies of the following data holder records:
  • authorisations given by the consumer to disclose CDR data, including amendments to any such authorisations
  • withdrawals of authorisations given by the consumer to disclose CDR data
  • disclosures of CDR data made by the data holder in response to consumer data requests made by or on behalf of the consumer, and
  • CDR complaint data relating to the consumer.[131]
• Data holders are required to keep and maintain these and other records under the CDR Rules.[132]
• Where requested by a consumer, a data holder must provide the relevant copies of records as soon as practicable, but no later than 10 business days after receiving the request.[133]
• In adopting a timetable that is ‘as soon as practicable’, a data holder can take technical and resource considerations into account.
• A data holder is not excused from providing access to copies of records in a prompt manner by reason only that it would be inconvenient, time consuming or costly to do so.
• A data holder must provide the requested copies in the form (if any) approved by the ACCC.

Reporting requirements

• A data holder must prepare and submit a report for each reporting period to the OAIC and the ACCC, under rule 9.4 of the CDR Rules. Data holders are required to complete and submit their reports by entering information into the CDR Participant Portal.
• For information on these reporting requirements and using CDR Participant Portal, see the ACCC’s website (on ‘reporting forms (Rule 9.4)’) and ACCC’s Participant Portal User Guide.

Appendix A – primary data holder obligations in relation to SR (shared responsibility) data

• This appendix outlines key privacy obligations for primary data holders in relation to SR (shared responsibility) data.[134] As the energy sector is currently the only CDR sector with primary data holders, this appendix focuses on the energy sector.
• Primary data holders should read this appendix in conjunction with the body of this Guide (which covers obligations in relation to non-SR data) and the CDR Privacy Safeguard Guidelines.[135] For further guidance on primary and secondary data holders, including information about AEMO, data holders should refer to Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

What is SR data?

• SR data is a type of CDR data.[136] CDR data may be specified as SR data where it is held by one data holder (the secondary data holder), but it would be more practical for consumer data requests for the data to be directed to a different data holder (the primary data holder). [137]
• Under current arrangements, the only CDR sector with SR data is the energy sector. In the energy sector, certain NMI (national metering identifier) standing data, metering data and DER (distributed energy resource) register data is specified as SR data.[138]

Who is a primary data holder for SR data?

• Certain data holders will be ‘primary’ or ‘secondary’ data holders under the CDR Rules. A person will be a primary data holder for SR data if:
  • the person is a data holder (according to the criteria in section 56AJ of the Competition and Consumer Act), and
  • the person is specified as a primary data holder for the SR data in a sector schedule to the CDR Rules.[139]
• In the energy sector, retailers are specified as primary data holders for SR data.[140]

Which CDR privacy obligations apply to primary data holders in relation to SR data?

• Primary data holders will have a pre-existing relationship with the consumer, and from the consumer’s perspective will be treated as the data holder for all relevant CDR data.[141] This means consumer data requests for SR data will be made to the primary data holder. The primary data holder will then seek authorisation for disclosure of requested SR data, disclose or refuse to disclose SR data, receive any complaints, and keep records relating to SR data requests.[142]
• To reflect this role, the CDR Rules apply certain existing and modified privacy obligations to primary data holders in relation to SR data. The CDR Rules also create certain additional privacy obligations for primary data holders in relation to SR data.
• At a high level, primary data holder privacy obligations include requirements related to:
  • Privacy Safeguards 1, 10 and 13
  • SR data requests and disclosing SR data in response to a consumer data request
  • asking consumers to give or amend authorisations for disclosure of SR data
  • providing consumer dashboards for SR data
  • notifying consumers of certain matters in relation to their SR data sharing arrangements, and
  • providing access to copies of records, where requested by consumers.

Does the Privacy Act apply to primary data holders?

• Where a primary data holder is an APP entity,[143] it must continue to comply with the Privacy Act.
• In the energy sector, where Privacy Safeguard 13 (correction of CDR data) applies to a primary data holder in relation to SR data (with relevant modifications),[144] APP 13 (correction of personal information) will not apply.[145]

Privacy Safeguards

• In the energy sector, primary data holders (retailers) must comply with the following privacy safeguards in relation to SR data (which will be AEMO data):[146]
  • Privacy Safeguard 10 (notifying of the disclosure of CDR data), and
  • Privacy Safeguard 13 (correction of CDR data), with certain modifications.
• This reflects that the secondary data holder in the energy sector (AEMO) is exempt from certain privacy safeguards that usually apply to data holders.[147]
• Information about how to comply with these privacy safeguards is available in Chapters 1, 10 and 13 of the CDR Privacy Safeguard Guidelines.

SR data requests

• An accredited person may request that a primary data holder disclose a consumer’s CDR data to them (following a request from the consumer to do so).[148] Where such a request is for data that is or includes SR data, it is called an ‘SR data request’.[149]
• Rule 1.13 of the CDR Rules, which relates to consumer data request services, applies to the primary data holder as if it were a data holder for the SR data. Accredited persons will use the ‘accredited person request service’ required by rule 1.13 to make SR data requests to the primary data holder.[150]
• Further information about rule 1.13 and consumer data request services is available in the body of this Guide.

Responding to SR data requests

• When a primary data holder receives an SR data request, it must follow the requirements in rule 4.5 of the CDR Rules as if it were a data holder for the SR data.[151] This means the primary data holder must ask the relevant eligible CDR consumer to authorise disclosure of the CDR data.[152] The primary data holder must also provide the consumer dashboard according to rule 1.15 of the CDR Rules,[153] and follow the requirements in Division 4.4 in relation to authorisations.[154]
• If the consumer authorises the primary data holder to disclose SR data, the primary data holder must request the relevant SR data from the secondary data holder.[155] The primary data holder must do this in accordance with the data standards and using the secondary data holder’s relevant online request service.[156]
• The secondary data holder will disclose the requested SR data to the primary data holder in accordance with the data standards, or will notify the primary data holder of its refusal to disclose the information.[157]
• If the secondary data holder discloses the requested SR data to the primary data holder, the primary data holder must comply with the requirements in rule 4.6 of the CDR Rules in relation to disclosing the SR data.[158] As with other CDR data, the primary data holder may refuse to disclose SR data in the circumstances outlined in rule 4.7 of the CDR Rules.[159] The primary data holder must also comply with rule 4.13 of the CDR Rules, regarding withdrawal of consent, for any relevant SR data.[160]
• Further information about the requirements in rules 4.5–4.7, rule 1.15, and Division 4.4 of the CDR Rules is available in the body of this Guide. The flow chart at page 15 also demonstrates the key information flow between a consumer, the primary and secondary data holders and an accredited person.

Additional privacy obligations related to SR data

Using SR data for other purposes

• Primary data holders must not use or disclose SR data they receive from a secondary data holder in response to an SR data request for a purpose other than responding to the SR data request.[161] Once the primary data holder has responded to the SR data request, it must follow the CDR data deletion process in rule 1.18 of the CDR Rules.[162]

Dealing with unsolicited SR data

• Primary data holders have special obligations in relation to SR data which they collect from a secondary data holder purportedly under the CDR Rules, but not as the result of seeking to collect that SR data under the CDR Rules. For example, this could occur if SR data is disclosed to the primary data holder in error. Specifically, the primary data holder must, as soon as practicable, destroy this SR data, provided that the primary data holder is not required to retain it by or under an Australian law or court/tribunal order.[163]

Record keeping

• In addition to usual record keeping requirements in subrule 9.3(1) of the CDR Rules, the primary data holder must also keep and maintain records that record and explain any requests it makes to the secondary data holder for SR data, and disclosures of SR data or refusals to disclose SR data from secondary data holders.[164] Unlike certain other records, the primary data holder is not required to provide copies of these records to a CDR consumer upon their request.[165]