What is ‘CDR data’?
The definition of CDR data is set out in the designation instrument for each sector.
The designation instrument (DI) for the banking sector specifies the following classes of information as ‘CDR data’:
- information about the consumer or their associate (e.g. contact details)
- information about the use of a product by a consumer or their associate (e.g. transaction data), and
- information about a product (e.g. terms and conditions).
The definition of CDR data is broad. It includes data that has been ‘wholly or partly derived’ from data set out in the designation instrument, and data derived from any previously derived data.
Materially enhanced information
For the banking sector, ‘materially enhanced information’ refers to data about the use of a product that has become significantly more useful, usable or commercially valuable as a result of analysis or insight.
Materially enhanced information is CDR data. This is because CDR data includes information that has been subsequently derived from the data set out in a designation instrument.
Examples of ‘materially enhanced information’ in the banking sector include the findings of an income or expense assessment, and a categorisation of transactions as being related to groceries or rent. More examples of materially enhanced information can be found in the designation instrument (DI) for the banking sector.
What is not CDR data?
For the banking sector, certain types of credit information (as defined in the Privacy Act) are not considered to be CDR data.
The specific exclusions are set out in section 9 of the designation instrument for the banking sector, and include:
- a statement that an information request has been made for an individual by a credit provider, mortgage insurer or trade insurer
- new arrangement information about serious credit infringements
- court proceedings information about an individual
- personal insolvency information about an individual, and
- the opinion of a credit provider that an individual has committed a serious credit infringement.
When is CDR data subject to the privacy safeguards?
The privacy safeguards set out the privacy rights and obligations for participants in the CDR system. The safeguards apply only to CDR data for which there is one or more CDR consumers.
A CDR consumer is an identifiable or reasonably identifiable person to whom the CDR data relates, because of the supply of a good or service to the person (or an associate of the person). A CDR consumer can be an individual, a company, or a business enterprise.
This means that if there is no person that is identifiable or reasonably identifiable from the CDR data, the privacy safeguards do not apply –for example, because it is product data for which there is no consumer, or it has been successfully de-identified in accordance with the CDR Rules.
Where a participant is not sure whether the information is ‘CDR data for which there is a consumer’, they should err on the side of caution and handle the CDR data in accordance with the privacy safeguards.
Note: CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act. For more information, see How the Privacy Act interacts with the CDR.
De-identifying CDR data
For CDR data to be considered ‘de-identified’, accredited data recipients must follow the process set out in the CDR Rules. This process has been designed to ensure that no consumers will remain reasonably identifiable, either from the data itself, or when combined with other information held by any person.
Accredited data recipients may want to de-identify CDR data to:
- meet obligations under Privacy Safeguard 12, when the data is no longer needed (as an alternative to deleting the information), or
- disclose the de-identified data to a third party (including by selling it), where the consumer has expressly provided their consent
For more information see Chapter 12 (Security of CDR data and destruction or de-identification of redundant CDR data).
Chapter C (Consent) of the CDR Privacy Safeguard Guidelines also provides information on seeking consent to de-identify CDR data for the purpose of disclosing it.
How CDR data is shared
The Consumer Data Right (CDR) system is administered under Part IVD of the Competition and Consumer Act and a set of rules made by the ACCC.
The consumer initiates the sharing of their data by giving consent to an accredited data recipient to request a transfer of their data from one or more data holders. The consumer then authorises each data holder to transfer their data to the accredited data recipient.
Link to long text description
- specify the type of data they want transferred
- specify the use of that data
- stop the data transfer if they change their mind, and
- request the recipient delete their data when the data is no longer required
There are common consumer data standards for participants to use that allow consumers to share this data via application programming interfaces (APIs) with trusted, accredited third parties.
The CDR Privacy Safeguard Guidelines and the Guide to Privacy for data holders provide detailed guidance to help participants comply with their privacy obligations under the CDR system.
Long text description
This chart illustrates the flow of information between data holders, consumers and accredited persons.
There are six steps involved:
The consumer consents to an accredited person obtaining their data in order to provide a requested good or service
The accredited person contacts the data holder, seeking to access the consumer’s data.
The data holder asks the consumer to authorise the disclosure of their data to the accredited person.
The consumer authorises the disclosure of their data by the data holder.
The data holder shares the consumer’s data with the accredited person. The accredited person becomes an accredited data recipient for the consumer’s CDR data.
The accredited data recipient uses the consumer’s CDR data to provide the requested good or service to the consumer.
Back to flow chart
Was this page helpful?
If you would like to provide more feedback, please email us at email@example.com