Are CDR participants bound by the Privacy Act?

All accredited data recipients are subject to the Privacy Act in relation to information they hold that is personal information but is not CDR data.

Where a data holder is an APP entity, they must continue to comply with the Privacy Act. The Privacy Act will apply to CDR data held by data holders (where it is also personal information), with some exceptions (as outlined in the Guide to privacy for data holders).

How do the Australian Privacy Principles (APPs) interact with the privacy safeguards?

The privacy safeguards set out the privacy rights and obligations for participants in the CDR system. They apply only to CDR data that is also personal information.

In most cases in the CDR context, the relevant privacy safeguard applies instead of the corresponding APP. However, the APPs and the privacy safeguards may also apply concurrently in some circumstances, to ensure that there are no gaps in the protection of the data (in particular, APP 1 and Privacy Safeguard 1 apply concurrently).

The CDR Privacy Safeguard Guidelines set out further information on the interaction between the APPs and the privacy safeguards, at the beginning of Chapters 1-13 (Privacy Safeguards 1-13), and in Chapter A (Introductory Matters).

How do the credit reporting provisions in the Privacy Act interact with the CDR system?

CDR data may also constitute ‘credit information’ as set out in section 6N of the Privacy Act.

Part IIIA operates as a restrictive model whereby the collection, use, and disclosure of credit information between credit providers and credit reporting bodies (for the purposes of compiling consumer credit reports) is prohibited unless an exception applies.

The CDR system does not affect the operation of the credit reporting provisions in Part IIIA of the Privacy Act. This means that credit providers and credit reporting bodies participating in the CDR system will not be able to collect, use or disclose CDR data for credit reporting purposes, except in ways that they are already permitted to use the same information under Part IIIA of the Privacy Act.

Part IIIA of the Privacy Act does not prevent credit providers accredited under the CDR system from using information obtained through the CDR to make credit decisions. For example, a credit provider is not permitted to provide information received under the CDR system about incoming funds to a credit reporting body to be included on a credit report. However, they may request and use this information under CDR for the purpose of deciding whether to give a consumer access to credit. (This is regulated by the Australian Securities and Investments Commission (ASIC) under the National Credit Act and the National Credit Code.)

Read more about credit reporting.
