Chapter 1: Privacy Safeguard 1 — Open and transparent management of CDR data

9 June 2021


Version 3.0

Key points

  • Privacy Safeguard 1, together with consumer data rule (CDR Rule) 7.2, outlines the requirements for all consumer data right (CDR) entities (accredited persons who are or who may become an accredited data recipient of CDR data, data holders and designated gateways) to handle CDR data in an open and transparent way.
  • All CDR entities must take such steps as are reasonable in the circumstances to implement practices, procedures and systems that will ensure they comply with the CDR regime, and are able to deal with related inquiries and complaints from consumers.
  • All CDR entities must have a clearly expressed and up-to-date policy about how they manage CDR data. The policy must be provided free of charge and made available in accordance with the CDR Rules.

What does Privacy Safeguard 1 say?

1.1 Privacy Safeguard 1 requires all CDR entities to:

  • take steps that are reasonable in the circumstances to establish and maintain internal practices, procedures and systems that ensure compliance with the CDR regime, including the privacy safeguards and CDR Rules, and
  • have a clearly expressed and up-to-date policy describing how they manage CDR data. The policy must be available free of charge and in a form consistent with the CDR Rules and provided to the consumer upon request.

Importance of open and transparent management of CDR data and having a CDR policy

1.2 The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. It is the bedrock principle.

1.3 By complying with Privacy Safeguard 1, CDR entities will be establishing accountable and auditable practices, procedures and systems that will assist with compliance with all the other privacy safeguards. This leads to a trickle-down effect where privacy is automatically considered when handling CDR data, resulting in better overall privacy management, practice and compliance through a ‘privacy-by-design’ approach.

1.4 It is also important that consumers are aware of how their CDR data is handled, and can inquire or make complaints to resolve their concerns. A CDR policy achieves this transparency by outlining how the CDR entity manages CDR data, and by providing information on how a consumer can complain and how the CDR entity will deal with a complaint. 

1.5 CDR policies are also a key tool for ensuring open and transparent management of CDR data which can build trust and engage consumers.

Who Privacy Safeguard 1 applies to

1.6 Privacy Safeguard 1 applies to data holders, designated gateways and accredited persons who are or who may become accredited data recipients of CDR data.[1]

Note: There are no designated gateways in the banking sector. See Chapter B (Key concepts) for the meaning of designated gateway.

How Privacy Safeguard 1 interacts with the Privacy Act

1.7 It is important to understand how Privacy Safeguard 1 interacts with the Privacy Act 1988 (the Privacy Act) and Australian Privacy Principle (APP) 1.[2]

1.8 APP 1 requires APP entities to manage personal information in an open and transparent way (see Chapter 1: APP 1 — Open and transparent management of personal information of the APP Guidelines).

CDR entity: Accredited person who may become an accredited data recipient
Privacy protections that apply in the CDR context: Privacy Safeguard 1

When an accredited person is planning to handle a CDR consumer’s data, and may become an accredited data recipient of that CDR data (for example, because they are seeking to collect it), Privacy Safeguard 1 applies.

APP 1 does not apply to the accredited person in relation to that CDR data.[3]

CDR entity: Accredited data recipient
Privacy protections that apply in the CDR context: Privacy Safeguard 1

An accredited data recipient of a consumer’s CDR data must comply with Privacy Safeguard 1 in relation to the management of that CDR data.

APP 1 does not apply to the accredited data recipient in relation to that CDR data.[4]

CDR entity: Designated gateway
Privacy protections that apply in the CDR context: APP 1 and Privacy Safeguard 1

A designated gateway must comply with:

  • Privacy Safeguard 1 in relation to the handling of CDR data, and
  • APP 1 in relation to the handling of personal information (if they are an APP entity).

As the obligations in Privacy Safeguard 1 apply generally to an entity’s handling of data, a designated gateway must have systems, practices and procedures to comply with both the privacy safeguards and the APPs (including having both a CDR policy and a privacy policy in place).

CDR entity: Data holder
Privacy protections that apply in the CDR context: APP 1 and Privacy Safeguard 1

A data holder must comply with:

  • Privacy Safeguard 1 in relation to the handling of CDR data, and
  • APP 1 in relation to the handling of personal information (if they are an APP entity).

This means that a data holder must have systems, practices and procedures to comply with both the privacy safeguards and the APPs (including having both a CDR policy and a privacy policy in place).[5]

Implementing practices, procedures and systems to ensure compliance with the CDR regime

1.9 Privacy Safeguard 1 requires all CDR entities to take steps that are reasonable in the circumstances to establish and maintain internal practices, procedures and systems that:

  • ensure compliance with the CDR regime, including the privacy safeguards and the CDR Rules, and
  • enable the entity to deal with inquiries or complaints from consumers about the entity’s compliance with the CDR regime, including the privacy safeguards and CDR Rules.

1.10 This is a distinct and separate obligation upon a CDR entity, in addition to being a general statement of its obligation to comply with the CDR regime.

1.11 The CDR Rules contain several governance mechanisms, policies and procedures that will assist entities to take steps that are reasonable to comply with the CDR regime.[6] However, while compliance with the CDR Rules will assist entities to take steps that are reasonable, this does not of itself mean that the entity has complied with Privacy Safeguard 1.

1.12 To comply with Privacy Safeguard 1, CDR entities need to proactively consider, plan and address how to implement any practices, procedures and systems under the privacy safeguards and the CDR Rules (including how these interact with other obligations). This will assist CDR entities to manage CDR data in an open and transparent way, in accordance with the object of Privacy Safeguard 1.[7]

1.13 Compliance with Privacy Safeguard 1 should therefore be understood as a matter of good governance.

Risk point: Entities that implement the requirements of the privacy safeguards and the CDR Rules in isolation or at a late stage risk incurring unnecessary costs, and/or implementing inadequate solutions that fail to address the full compliance picture.

Privacy tip: Entities should take a ‘privacy-by-design’ approach in relation to handling CDR data across and within their organisation. This ensures CDR requirements are considered holistically. A tool that may assist an entity in this regard is the CDR data management plan, as outlined in paragraphs 1.29 to 1.32. The OAIC’s suggested approach to compliance with Privacy Safeguard 1 in paragraphs 1.33 to 1.42 may also be of assistance.

Circumstances that affect reasonable steps

1.14 The requirement under Privacy Safeguard 1 to implement practices, procedures and systems is qualified by a ‘reasonable steps’ test.

1.15 This requires an objective assessment of what is considered reasonable in the specific circumstances, which could include:

  • the CDR Rules and other legislative obligations that apply to the CDR entity
  • the nature of the CDR entity
  • the amount of CDR data handled by the CDR entity
  • the possible adverse consequences for a consumer in the case of a breach, and
  • the practicability, including time and cost involved.

The CDR regime obligations that apply to the CDR entity

1.16 The CDR regime obligations (such as the privacy safeguards and the CDR Rules) that apply to the entity will be relevant to determining what steps will be reasonable in terms of compliance with Privacy Safeguard 1. 

1.17 For example, the obligations that apply to accredited persons/accredited data recipients are in many cases different to those that apply to data holders and will therefore require the development and implementation of different practices, procedures and systems to achieve compliance.

1.18 Further, where an entity participates in the CDR regime in more than one capacity (e.g. as a data holder and an accredited person), this will also affect what constitutes reasonable steps, and the entity will need to put in place mechanisms to ensure it complies with the CDR regime in all its different CDR entity capacities.

Examples of key CDR regime privacy obligations

The CDR regime imposes a range of privacy obligations upon CDR entities. Some of these privacy obligations apply to all CDR entities, while other privacy obligations apply only to a particular entity type. Entities will need to ensure that all of the relevant obligations that apply to them are considered when deciding on the steps to be taken in relation to Privacy Safeguard 1.

For example, an accredited data recipient of CDR data must comply with the privacy safeguards in relation to the CDR data.

However, a data holder needs to comply with the APPs in relation to CDR data that is also personal information with the exception of APPs 10 and 13, which are replaced by Privacy Safeguards 11 and 13 once the data holder is required or authorised to disclose the CDR data under the CDR Rules. Data holders must also comply with both Privacy Safeguard 1 and APP 1, as well as Privacy Safeguard 10.[8] Information regarding compliance with each of the privacy safeguards is available in the relevant chapters of these Guidelines.

In addition to obligations under the privacy safeguards, accredited persons/accredited data recipients and data holders must also consider their obligations in the CDR Rules for the purposes of compliance with Privacy Safeguard 1. These obligations will need to be reflected in the steps taken under Privacy Safeguard 1. For example:

  • Accredited persons/accredited data recipients have obligations to report regularly regarding their ongoing information security obligations,[9] including privacy and security training to staff.[10]
  • Data holders have obligations relating to consumer data request services.[11]
  • Both accredited data recipients and data holders have obligations to provide consumers with access to copies of records upon request.[12]
  • In the banking sector, both accredited persons and data holders must have internal dispute resolution processes that meet the requirements under the Australian Securities and Investments Commission’s Regulatory Guide 165 on internal and external dispute resolution.[13] 

Nature of the entity

1.19 The size of the CDR entity, its resources, the complexity of its operations and the business model are all relevant to determining what steps would be reasonable when putting in place practices, procedures and systems.

1.20 For instance, where a CDR entity uses outsourced service providers, the reasonable steps it should take may be different to those it would take if it did not operate in this manner.

The amount of CDR data handled by the CDR entity

1.21 More rigorous steps may be required as the amount of CDR data handled by a CDR entity increases. Generally, as the amount of CDR data held increases, so too do the steps that it is reasonable to take.

Adverse consequences for a consumer

1.22 Entities should consider the possible adverse consequences for the consumers concerned if the CDR data is not handled in accordance with the CDR regime. For example, the nature of the CDR data or amount of data held could result in material harm from identity theft or fraud, discrimination, or humiliation or embarrassment. The likelihood of harm occurring will be relevant in considering whether it is reasonable to take a particular step.

Practicability of implementation

1.23 The practicability of implementation, including the time and cost involved, will influence what steps are reasonable. A ‘reasonable steps’ test recognises that privacy protection should be viewed in the context of the practical options available to a CDR entity.

1.24 However, a CDR entity is not excused from implementing particular practices, procedures or systems by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

1.25 CDR entities are also not excused from any specific processes, procedures or systems that are required by the CDR regime.

Existing privacy governance arrangements

1.26 Where an entity has existing privacy practices and procedures for personal information it handles under the Privacy Act, it may be appropriate to extend these to its CDR data.[14]

1.27 However, the mere extension of current practices and procedures does not mean in and of itself that an entity has taken reasonable steps to implement practices, procedures and systems.

1.28 Entities will need to take further action to modify practices, procedures and systems to ensure compliance with the particularities of the CDR regime, including the Privacy Safeguards and CDR Rules. 

Have a CDR data management plan

1.29 A useful tool that can help CDR entities to plan and document the steps they will take to implement practices, procedures and systems under Privacy Safeguard 1 is a CDR data management plan.

1.30 A CDR data management plan is a document that identifies specific, measurable goals and targets, and sets out how an entity will meet its ongoing compliance obligations under Privacy Safeguard 1. As part of this, the CDR data management plan could set out the tasks an entity will undertake to ensure compliance with Privacy Safeguard 1.

1.31 The CDR data management plan should also set out the processes that will be used to measure and document the CDR entity’s performance against their CDR data management plan. 

1.32 Where entities have an existing privacy management plan, they may wish to update it with CDR activities so that it is integrated into the entity’s privacy management processes. Alternatively, they may choose to have a separate CDR data management plan.

A suggested approach to compliance with Privacy Safeguard 1

1.33 The ongoing compliance requirement in Privacy Safeguard 1 can be addressed in a range of different ways, but should be tailored to the circumstances of the particular entity.

1.34 The following sections outline a suggested method for how steps could be taken to implement practices, procedures and systems under Privacy Safeguard 1.

1.35 The suggested method consists of four overarching steps:

  • Embed a culture that respects and protects CDR data.
  • Establish robust and effective privacy practices, procedures and systems.
  • Review and evaluate privacy processes.
  • Enhance response to privacy issues.

Privacy tip: Where a CDR entity has a CDR data management plan, they may choose to structure that plan around the four overarching steps outlined in paragraph 1.35.

Embed a culture that respects and protects CDR data

1.36 Good CDR data management stems from good data and information governance that creates a culture of privacy that respects and protects CDR data.

1.37 To embed a culture of privacy, entities could:

  • Appoint a member of senior management to be responsible for the strategic leadership and overall management of CDR data.
  • Appoint an officer (or officers) to be responsible for the day to day managing, advising and reporting on privacy safeguard issues.
  • Record and report on how datasets containing CDR data are treated, managed and protected.
  • Implement reporting mechanisms that ensure senior management are routinely informed about privacy and data management issues.

Establish robust and effective privacy practices, procedures and systems

1.38 Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

1.39 For example, an entity should: 

  • Implement risk management processes that allow identification, assessment and management of privacy risks, including CDR security risks. As part of this, accredited persons/accredited data recipients should consider their obligations to implement strong minimum information security controls under Schedule 2 to the Rules.[15]
  • Establish clear processes for reviewing and responding to CDR data complaints. For the banking sector, CDR entities should consider their obligations to have internal dispute resolution processes that meet the relevant ASIC requirements.[16]
  • Integrate privacy safeguards training into induction processes and provide regular staff training to those who deal with CDR data. This regular training should occur at a minimum of once per year. Note that accredited persons/accredited data recipients already have obligations to ensure all users undergo mandatory security and privacy training prior to interacting with the CDR data environment, with ‘refresher courses’ provided at least annually.[17]
  • Establish processes that allow consumers to promptly and easily access and correct their CDR data, in accordance with the privacy safeguards and CDR Rules. As part of this, and in relation to access, data holders should consider their obligations to provide consumer data request services.[18] In relation to correction, CDR entities should consider their obligations under Privacy Safeguard 13 to respond to correction requests from consumers.[19]

Privacy tip: As a starting point for deciding what practices, procedures and systems should be established, a CDR entity should consider their privacy obligations under the privacy safeguards and CDR Rules. 

See paragraphs 1.16 to 1.18 for examples of the CDR regime privacy obligations that apply to a CDR entity.

Regularly reviewing and evaluating privacy processes

1.40 To evaluate privacy practices, procedures and systems, entities should make a commitment to:

  • Monitor and review CDR privacy processes regularly. This could include assessing the adequacy and currency of practices, procedures and systems, to ensure they are up to date and being adhered to.
  • Create feedback channels for both staff and consumers to continue to learn lessons from complaints and breaches, as well as customer feedback more generally.

1.41 Notably, accredited persons are required to provide regular assurance reports (an audit report) and attestation statements concerning compliance with certain information security requirements.[20]

Risk point: Changes to a CDR entity’s role in the CDR regime and/or information handling practices may mean that existing practices, procedures and systems are no longer fit for purpose.

Privacy tip: When reviewing and evaluating privacy processes, a CDR entity should consider a range of factors including:

  • Role in the CDR regime – has the entity taken on a new role, for example by becoming an accredited person in addition to being a data holder?[21]
  • Method of service delivery — has the entity changed the way in which it provides goods or services to CDR consumers, for example, by using outsourced service providers to perform any of its functions?[22]
  • Online platforms – has the entity changed the online platforms used to communicate with CDR consumers, for example by creating a new mobile application?[23]

The answers to these questions will assist a CDR entity to make the necessary and appropriate changes to practices, procedures and systems (as recommended in the following ‘Enhance response to privacy issues’ section).

Privacy tip: Where a CDR entity has a CDR data management plan, they should set out the processes that will be used to measure and document the CDR entity’s performance against their CDR data management plan, and measure performance against this plan as part of reviewing and evaluating privacy processes.

Enhance response to privacy issues

1.42 Good privacy management requires entities to be proactive, forward thinking and to anticipate future challenges. To enhance response to privacy issues, entities should make a commitment to:

  • Use the results of the evaluations to make necessary and appropriate changes to an organisation’s practices, procedures and systems.
  • Consider having practices, procedures and systems externally assessed to identify areas where privacy processes may be improved.[24]
  • Continuously monitor and address new privacy risks.

Privacy tip: Where a CDR entity has a CDR data management plan, they should ensure this plan is updated to reflect any changes to the entity’s practices, procedures and systems and accommodate new privacy risks.

Having a CDR policy

1.43 Privacy Safeguard 1 requires all CDR entities to have and maintain a clearly expressed and up-to-date CDR policy.

1.44 The CDR policy must be in the form of a document that is distinct from any of the CDR entity’s privacy policies.[25] The Information Commissioner may approve, but has not yet approved, a form for the CDR policy.[26]

1.45 Privacy Safeguard 1 and CDR Rule 7.2 set out the requirements for what information must be included in a CDR policy, how it must be made available and what form it should be in.[27]

1.46 There are different requirements depending on whether the CDR entity is an accredited person/accredited data recipient, a data holder, or a designated gateway, as set out below.

1.47 Where an entity occupies more than one role in the CDR regime (for example is both a data holder and an accredited person), the entity can either have a single CDR policy that outlines how CDR data is handled in both capacities, or a separate CDR policy for each capacity. 

Privacy tip: The OAIC has prepared a Guide to developing a CDR policy to assist CDR entities to prepare and maintain a CDR policy. It provides detailed guidance about what must be included in a CDR policy, as well as a suggested process, and a checklist to help ensure all requirements have been met.

Information that must be included in a CDR policy

1.48 The following sections outline the minimum requirements for information that must be included in a CDR policy.

1.49 For further information and discussion about the requirements for a CDR policy, see the OAIC’s Guide to developing a CDR policy.

Accredited persons/Accredited data recipients

1.50 Privacy Safeguard 1 requires that accredited persons who are or may become accredited data recipients must include the following in their CDR policy:

  • the classes of CDR data that are (or may be) held by or on behalf of the entity as an accredited data recipient. The classes of CDR data for each sector will be set out in the relevant designation instrument. For example, for the banking sector the designation instrument sets out three classes of information: customer information,[28] product use information,[29] and information about a product[30]
  • how the CDR data is (or is to be) held by or on behalf of the entity as an accredited data recipient
  • purposes for which the entity may collect, hold, use or disclose CDR data
  • how a consumer may access or correct CDR data
  • how a consumer can complain and how the entity will deal with a complaint
  • whether overseas disclosure to accredited persons is likely, and the countries those persons are likely to be based in, if practicable to specify this
  • circumstances in which the entity may disclose CDR data to a person who is not an accredited person[31]
  • events about which the entity will notify the consumers of such CDR data,[32] and
  • when the entity must delete or de-identify CDR data in accordance with a request by a consumer.

1.51 In addition, CDR Rule 7.2(4) provides other matters that an accredited data recipient must include in the CDR policy, including:

  • A statement indicating the consequences to the consumer if they withdraw a consent to collect or to use CDR data. This could include information about any early cancellation fees. 
  • A list of outsourced service providers (whether based in Australia or based overseas, and whether or not any is an accredited person).
  • For each such service provider, the nature of the services it provides and the CDR data or classes of CDR data that may be disclosed to it.
  • Where the entity wishes to undertake general research using de-identified CDR data, a description of the research to be conducted and any benefits to be provided to the CDR consumer for consenting to the use.[33]
  • Where the entity is likely to disclose CDR data to an overseas, non-accredited outsourced service provider, the countries in which those providers are likely to be based, where practicable.[34]
  • If applicable, the following information about de-identification of CDR data that is not redundant data:
    • how the accredited data recipient uses CDR data that has been de-identified in accordance with the CDR data de-identification process to provide goods or services to consumers
    • how the entity de-identifies CDR data, including a description of techniques that it uses to de-identify CDR data, and
    • if the entity ordinarily discloses (by sale or otherwise) de-identified CDR data to one or more persons: the fact of this disclosure; the classes of persons such data is ordinarily disclosed to; and the purposes for which the accredited data recipient discloses de-identified CDR data.
  • The following information about deletion of redundant CDR data:
    • when it deletes redundant data
    • how a CDR consumer may elect for this to happen, and
    • how it deletes redundant data.
  • If applicable, the following information about de-identification of redundant data:
    • if the de-identified data is used by the accredited data recipient—examples of how the accredited data recipient ordinarily uses de-identified data
    • how the entity de-identifies CDR data, including a description of techniques that it uses to de-identify CDR data, and
    • if the entity ordinarily discloses (by sale or otherwise) de-identified CDR data to one or more persons: the fact of this disclosure; the classes of persons such data is ordinarily disclosed to; and the purposes for which the accredited data recipient discloses de-identified CDR data.
  • The following information about the consumer’s election to delete their CDR data:
    • how the election operates and its effect, and
    • how consumers can exercise the election.
  • Further information regarding how a consumer can complain and how the entity will deal with the complaint, specifically: 
    • where, how and when a complaint can be lodged
    • when a consumer should expect an acknowledgement of their complaint
    • what information is required from the complainant
    • the complaint handling process, including time periods associated with the various stages
    • options for redress, and
    • options for review.

Data holder

1.52 Privacy Safeguard 1 requires that data holders must include in their CDR policy how a consumer can access and correct the CDR data, and how they may complain. 

1.53 In addition, the CDR Rules provide other matters that must be included in the CDR policy, including:

  • whether the data holder accepts consumer data requests for voluntary product data or voluntary consumer data, and, if so, whether the data holder charges fees for disclosure of such data and what those fees are,[35] and
  • how a consumer can complain and how the entity will deal with a complaint, specifically:
    • where, how and when a complaint can be lodged
    • when a consumer should expect an acknowledgement of their complaint
    • information required from the complainant
    • complaint handling process, including time periods associated with the various stages
    • options for redress, and
    • options for review.

Designated gateway

1.54 Privacy Safeguard 1 requires that designated gateways must include the following in their CDR policy:

  • an explanation of how the entity will act between persons to facilitate the disclosure of the CDR data, the accuracy of the CDR data, or any other matters required under the CDR Rules, and
  • how a consumer may complain about a failure of the CDR entity to comply with the privacy safeguards or the CDR Rules, and how the CDR entity will deal with such a complaint.

Availability of the CDR policy

1.55 The CDR policy must be publicly and freely available in accordance with the CDR Rules.[36] This furthers the objective of Privacy Safeguard 1 of ensuring that CDR data is managed in an open and transparent way.

1.56 The CDR Rules provide that the CDR policy must be readily available on each online service where the CDR entity ordinarily deals with CDR consumers.[37]

Consumer requests for a CDR policy

1.57 If a copy of the CDR entity’s policy is requested by a consumer for the CDR data, the CDR entity must give the consumer a copy in accordance with CDR Rule 7.2.

1.58 CDR Rule 7.2 provides that, if requested by a consumer, the CDR entity must give the consumer a copy of the policy electronically or in hard copy, as requested by the consumer.

Interaction between an entity’s privacy policy and CDR policy

1.59 An entity should be aware that their privacy policy and CDR policy obligations may overlap or relate to each other.

1.60 While the privacy policy and CDR policy need to be separate,[38] the entity’s CDR policy and privacy policy may reference and link to each other where appropriate or required.

1.61 For example, Privacy Safeguard 1 requires a data holder’s CDR policy to explain how a consumer may access their CDR data and seek its correction.[39] As a consumer who is an individual may also access their data through APP 12 or seek correction of their data under APP 13 (where the data holder has not been authorised or required to disclose that data), the CDR policy must explain these alternative processes to those under the CDR regime.

Footnotes

[1] An accredited person ‘may become’ an accredited data recipient when they are seeking to collect CDR data. This means that an accredited person must ensure that they comply with their Privacy Safeguard 1 obligations before they seek to collect CDR data.

[2] The Privacy Act includes 13 APPs that regulate the handling of personal information by APP entities. See Chapter B: Key concepts of the APP Guidelines for further information.

[3] See ss 56EC(4) and 56ED(1) of the Competition and Consumer Act.

Note: If Privacy Safeguard 1 does not apply, APP 1 may continue to apply to other open and transparent management of the individual’s personal information where the accredited person is an APP entity (see s 56EC(4) and (5)(aa) of the Competition and Consumer Act). Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.

[4] The APPs do not apply to an accredited data recipient of the CDR data in relation to the CDR data (s 56EC(4)(a) of the Competition and Consumer Act). However, this does not affect how the APPs apply to accredited persons in relation to the open and transparent management of the individual’s other personal information outside the CDR system. It also does not affect how the APPs apply to CDR data where the accredited person does not become an accredited data recipient of the CDR data (see s 56EC(4) and (5)(aa) of the Competition and Consumer Act). Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.

[5] See section 56AJ of the Competition and Consumer Act for the meaning of data holder.

[6] For example, accredited persons/accredited data recipients are required to establish a formal governance framework for managing information security risks. See Privacy Safeguard 12, CDR Rule 5.12, CDR Rule 7.11 and Schedule 2 to the CDR Rules. For further information see Chapter 12 (Privacy Safeguard 12) and the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[7] Section 56ED(1) of the Competition and Consumer Act.

[8] Privacy Safeguard 10 does not have an APP equivalent.

[9] Part 2 of Schedule 1 to the CDR Rules. For further information, see the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[10] Accredited persons/accredited data recipients must ensure all users undergo mandatory security and privacy training prior to interacting with the CDR data environment, with ‘refresher courses’ provided at least annually: see Privacy Safeguard 12, CDR Rule 5.12 and Part 2 of Schedule 2 to the CDR Rules. For further information, see the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[11] For further information on consumer data request services, authorisation, disclosure of CDR data and a data holder’s privacy obligations more generally, see the Guide to privacy for data holders.

[12] CDR Rule 9.5. Accredited data recipients and data holders are required to keep and maintain certain records as outlined in CDR Rule 9.3. They are also required to comply with the reporting requirements in CDR Rule 9.4.

[13] See CDR Rule 5.12(1) (for accredited persons) and Part 6 of the CDR Rules (for data holders).

[14] CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act. For further information, see Chapter A (Introductory matters) of the CDR Privacy Safeguard Guidelines.

[15] See Privacy Safeguard 12, CDR Rule 5.12 and Schedule 2 to the CDR Rules. For further information see Chapter 12 (Privacy Safeguard 12) and the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[16] The obligation is to have internal dispute resolution processes that meet the requirements under the Australian Securities and Investments Commission’s Regulatory Guide 165 on internal and external dispute resolution. See CDR Rule 5.12(1) (for accredited persons) and Part 6 of the CDR Rules (for data holders).

[17] See Privacy Safeguard 12, CDR Rule 5.12(1), CDR Rule 7.11 and Schedule 2 to the CDR Rules.

[18] See CDR Rule 1.13. For further information regarding consumer data request services, see the Guide to privacy for data holders.

[19] See Chapter 13 (Privacy Safeguard 13) for further information.

[20] These obligations are contained in CDR Rule 5.9 and clause 2.1 of Part 2 of Schedule 1 to the CDR Rules regarding default conditions on accreditation. For further information, see the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[21] Different CDR regime obligations apply depending on what capacity an entity is acting in. See paragraphs 1.16 to 1.18 for further information.

[22] An outsourced service provider is a person:

  • who is accredited and collects CDR data from a CDR participant on behalf of an accredited person under a CDR outsourcing arrangement, and/or
  • to whom an accredited person discloses CDR data under a CDR outsourcing arrangement.

Accredited persons must ensure they comply with the CDR Rules relating to outsourced service providers. For further information, see Chapter B (Key concepts) of the CDR Privacy Safeguard Guidelines.

[23] By way of example, a CDR entity would need to ensure their CDR policy was available on these new online platforms: see CDR Rule 7.2(8), which requires accredited data recipients and data holders to make their CDR policy readily available through the online service that they ordinarily use to deal with consumers, such as their website or mobile applications.

[24] Accredited persons have obligations to provide regular assurance reports (an audit report) and attestation statements concerning compliance with certain Privacy Safeguard 12 CDR Rules. See the ACCC’s Supplementary Accreditation Guidelines on Information Security available on the ACCC’s Accreditation Guidelines page.

[25] CDR Rule 7.2(2).

[26] Section 56ED(3)(b) of the Competition and Consumer Act and CDR Rule 7.2(1).

[27] The Information Commissioner may, but has not, approved a form for the CDR policy: section 56ED(3)(b) of the Competition and Consumer Act and CDR Rule 7.2(1).

[28] Specified in section 6 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[29] Specified in section 7 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[30] Specified in section 8 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019.

[31] An accredited data recipient is not authorised to disclose CDR data to a non-accredited person, except directly to the consumer or to an outsourced service provider in accordance with CDR Rule 7.5(1).

[32] The events about which an accredited person will notify a consumer will include:

  • when a consumer gives consent to the person collecting, using and/or disclosing their CDR data or withdraws such a consent (for further information, see Chapter C (Consent))
  • the collection of a consumer’s CDR data (see Chapter 5 (Privacy Safeguard 5))
  • the disclosure of a consumer’s CDR data to an accredited person (see Chapter 10 (Privacy Safeguard 10))
  • any ongoing notification requirements concerning a consumer’s consent (see Chapter C (Consent))
  • any notification requirements concerning or in relation to the expiry of a consumer’s consent (see Chapter C (Consent))
  • any response to a consumer’s correction request under Privacy Safeguard 13 (see Chapter 13 (Privacy Safeguard 13)), and
  • any eligible data breach affecting a consumer under the Notifiable Data Breach scheme (see Chapter 12 (Privacy Safeguard 12) and the OAIC’s Data breach preparation and response guide).

[33] CDR Rule 7.5(1)(aa) permits the use or disclosure of CDR data for general research, where it has been de-identified in accordance with the CDR data de-identification processes.

[34] See sections 56ED(5)(e)-(f) of the Competition and Consumer Act, and CDR Rule 7.2(4)(d).

[35] Voluntary product data means CDR data for which there are no consumers that is not required product data: clause 3.1 of Schedule 3 to the CDR Rules. Voluntary consumer data means CDR data for which there are consumers that is not required consumer data: clause 3.2 of Schedule 3 to the CDR Rules.

[36] Section 56ED(7) of the Competition and Consumer Act.

[37] CDR Rule 7.2(8).

[38] CDR Rule 7.2(2).

[39] Section 56ED(4)(a) of the Competition and Consumer Act.
