If you are concerned about how your CDR data has been handled by a CDR provider, you can lodge a complaint with the OAIC. A CDR provider may be:

  • a business that already holds your data, who can transfer it to another business at your request, or
  • a business who will have your data transferred to it under the CDR system

CDR data includes information about you such as your name and contact details, as well as detailed information about your use of a specific product or service.

Issues you might believe were mishandled may relate to:

  • collection of CDR data without your consent
  • notification of certain matters, including what CDR data was collected and when
  • consent that has been bundled, coerced, not explicit, or authorised
  • use and/or disclosure of CDR data
  • open and transparent management of CDR data
  • quality of CDR data
  • correction of CDR data
  • failure to ensure accuracy or completeness of CDR data
  • failure to allow anonymity/pseudonymity
  • failure to destroy unsolicited CDR data
  • security of CDR data
  • failure to advise of a data breach involving your CDR data

Generally, a complaint must be about a matter that occurred less than 12 months ago. It can be hard to investigate effectively and fairly for both parties beyond this period of time.

We may refer certain complaints to an external dispute resolution scheme or to the Australian Competition and Consumer Commission (ACCC) if we consider they are best placed to review the matter.

Before you lodge a complaint with us, take a few minutes to see if we are likely to investigate your CDR complaint. 

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au