CDR privacy and security

Your consumer data contains your personal information and is valuable. A range of measures are in place to keep your data secure and protect your privacy when using the Consumer Data Right (CDR).

How is your privacy protected?

Strict privacy safeguards are built into the Consumer Data Right to ensure your data is protected.

The CDR privacy safeguards in the Competition and Consumer Act 2010 set out your privacy rights and the strict obligations on businesses collecting and handling your data. There are 13 legally binding privacy safeguards.

Consent is the foundation of the Consumer Data Right, which is an opt-in system. A business may only collect, use and disclose your data with your express consent, and you can withdraw your consent at any time.

What businesses can handle your data?

A business can only handle your data under the Consumer Data Right if they are accredited by the Australian Competition and Consumer Commission (ACCC). These businesses are also known as ‘accredited data recipients’.

To become accredited, these businesses must meet strict requirements for:

  • data collection, use and storage
  • information security
  • protecting your privacy
  • obtaining your consent.

If they don’t meet these requirements, they can have their accreditation suspended or cancelled, or they can be fined or face other regulatory action.

You can find out which businesses are accredited under the Consumer Data Right on cdr.gov.au.

How is your data secured?

Data security requirements are built into the Consumer Data Right system.

Businesses must follow strict information security requirements around governance, minimum system controls, testing, monitoring, evaluation and reporting. Generally, they are required to destroy or de-identify your data if it is no longer needed. 

They must also comply with the Notifiable Data Breaches scheme, including by telling you and the OAIC about any serious data breach. 

While strict safeguards are in place, you should always protect yourself online. An accredited business should never ask for your personal password.

How is your data deleted or de-identified, and what does this mean for you?

If your CDR data is no longer needed, the business is generally required to delete or de-identify it. You can refer to their CDR policy to understand how they delete or de-identify data. 

If your data is not needed, you can ask the business to delete it via your consumer dashboard. Alternatively, you can notify the business in writing that you want them to delete your data.

If your data is de-identified, it means the business has followed a strict de-identification process to make sure the data cannot be traced back to you.

If the business wants to de-identify some of your data while it is still being used to provide you with a product or service, they will need to seek your consent first. For example, a business may ask for your consent to sell de-identified data to a third party, to provide you with a service free of charge. They may also ask for your consent to use your de-identified CDR data for general research.

Find out more about the CDR privacy safeguards.