CDR and the Privacy Act
How do the Australian Privacy Principles interact with the privacy safeguards?
If you are an accredited person or accredited data recipient, the privacy safeguards will apply instead of the Australian Privacy Principles (APPs) in relation to the handling of the CDR data in the system.
If you are a data holder, the APPs will generally apply to CDR data that is also personal information, with the exception of APP 10 (quality of personal information) and APP 13 (correction of personal information).
APP 10 and APP 13 are replaced by Privacy Safeguard 11 (quality of CDR data) and Privacy Safeguard 13 (correction of CDR data) once the data holder is required or authorised to disclose the CDR data under the CDR Rules.
Data holders must also comply with both APP 1 and Privacy Safeguard 1, which relate to open and transparent management of personal information and CDR data respectively. These obligations apply concurrently. The CDR Privacy Safeguard Guidelines set out further information on the interaction between the APPs and the privacy safeguards, at the beginning of chapters 1 to 13 (Privacy Safeguards 1 to 13), and in chapter A.
How do the credit reporting provisions in the Privacy Act interact with the CDR system?
CDR data may also constitute ‘credit information’ as set out in the definitions at section 6N of the Privacy Act.
Part IIIA of the Privacy Act regulates consumer credit reporting in Australia. It operates as a restrictive model whereby the collection, use, and disclosure of credit information between credit providers and credit reporting bodies (for the purposes of compiling consumer credit reports) is prohibited unless an exception applies.
The CDR system does not affect the operation of the credit reporting provisions in Part IIIA. This means that credit providers and credit reporting bodies participating in the CDR system will not be able to collect, use or disclose CDR data for credit reporting purposes, except in ways that they are already permitted to use the same information under Part IIIA.
Part IIIA does not prevent credit providers accredited under the CDR system from using information obtained through the CDR to make credit decisions. For example, a credit provider is not permitted to provide information received under the CDR system about incoming funds to a credit reporting body to be included on a credit report. However, they may request and use this information under the CDR for the purpose of deciding whether to give a consumer access to credit. This is regulated by the Australian Securities and Investments Commission under the National Credit Act and the National Credit Code.