Chapter 10: Privacy Safeguard 10 — Notifying of the disclosure of CDR data

24 February 2020

Download the print version

Version 1.0

Key points

  • Where a data holder discloses consumer data right (CDR) data to an accredited person, the data holder must notify the consumer by updating the consumer dashboard.

  • The consumer data rules (CDR Rules) set out the matters that must be included in this notification.

What does Privacy Safeguard 10 say?

10.1 Where a data holder is required or authorised under the CDR Rules to disclose CDR data, they must notify the consumer by taking the steps identified in the CDR Rules.[1]

10.2 Where an accredited data recipient discloses CDR data, they must notify the consumer by taking the steps identified in the CDR Rules.[2]

10.3 The notification must:

  • be given to those consumers that the CDR Rules require to be notified
  • cover the matters set out in the CDR Rules, and
  • be given at or before the time specified in the CDR Rules.

10.4 Under CDR Rule 7.9, a data holder must notify the consumer by updating each relevant consumer dashboard to include certain matters as set out in that Rule as soon as practicable after CDR data is disclosed.

Why is it important?

10.5 Notification of disclosure of CDR data is an integral element of the CDR regime, as it provides confirmation to consumers that their CDR data has been disclosed in response to a consumer data request.

10.6 This ensures consumers are informed when their CDR data is disclosed and builds trust between consumers, data holders and accredited data recipients.

Who does Privacy Safeguard 10 apply to?

10.7 Privacy Safeguard 10 applies to data holders and accredited data recipients. It does not apply to designated gateways.

10.8 Although Privacy Safeguard 10 applies to accredited data recipients, there are currently no CDR Rules requiring accredited data recipients to notify consumers about the disclosure of CDR data.

10.9 This is because accredited data recipients are generally not permitted to disclose CDR data unless the disclosure is directly to the consumer or to an outsourced service provider (CDR Rule 7.5). On that basis, an accredited data recipient does not currently have notification obligations under Privacy Safeguard 10.

Who must be notified?

10.10 The data holder must notify each of the consumers for the CDR data that has been disclosed.[3]

10.11 There may be more than one consumer for the CDR data. In the banking sector, a key example is CDR data relating to a joint account.[4] In this case, the data holder must notify both the requesting and non-requesting joint account holders. However, a data holder will not be required to notify the non-requesting joint account holder/s where the data holder considers this necessary to prevent physical or financial harm or abuse.[5]

10.12 This exception to notification is to accommodate existing procedures a data holder may have to protect consumers, for example particular arrangements relating to consumers that may be experiencing family violence.

How must notification be given?

10.13 A data holder must provide the notification by updating the consumer dashboard for a consumer (and, if applicable, the dashboard of the other joint account holder)[6] to include the matters discussed in paragraphs 10.21 to 10.31 as soon as practicable after CDR data relating to that consumer is disclosed.[7]

10.14 The consumer dashboard is an online service that must be provided by a data holder to each consumer (and, if applicable, the other joint account holder)[8] where a consumer data request has been made on their behalf by an accredited person. Data holders are required by CDR Rule 1.15 to include within the consumer’s dashboard certain details of each authorisation to disclose CDR data that has been given by the consumer. [9]

10.15 Further guidance about the consumer dashboard is set out in Chapter B (Key concepts) and Chapter C (Consent).

When must notification be given?

10.16 A data holder must notify the consumer/s as soon as practicable after the CDR data is disclosed.[10]

10.17 As a matter of best practice, notification should generally occur in as close to real time as possible (for example, in relation to ongoing disclosure, as close to the time of first disclosure as possible).

10.18 The test of practicability is an objective test. It is the responsibility of the data holder to be able to justify any delay in notification.

10.19 In determining what is ‘as soon as practicable’, the data holder may take the following factors into account:

  • the time and cost involved, in combination with other factors
  • technical matters, and
  • the individual needs of the consumer (for example, any additional steps required to make the content accessible).

10.20 A data holder is not excused from providing prompt notification by reason only that it would be inconvenient, time consuming, or costly to do so.

What matters must be included in the notification?

10.21 The minimum matters that must be included in the notification, and provided via the consumer’s dashboard are:

  • what CDR data was disclosed
  • when the CDR data was disclosed, and
  • the accredited data recipient of the CDR data.[11]

10.22 Data holders should provide information about these matters clearly and simply, but also with enough specificity to be meaningful for the consumer. How much information is required may differ depending on the circumstances.

10.23 Guidance on each of the minimum matters follows.

Risk point: Consumers may not read or understand a notification if it is complex.

Privacy tip: A data holder should ensure that the notification is as simple and easy to understand as possible. To do this, a data holder should consider a range of factors when formulating a notification, such as:

  • the audience
  • the language used (including the level of detail), and
  • the presentation of the information (e.g. layout, format and any visual aids used). For more complex notifications, the data holder could consider providing a condensed summary of key matters in the notification and linking to a more comprehensive summary or, where it may assist the consumer, a full log of disclosure.

What CDR data was disclosed

10.24 The data holder must notify the consumer of what CDR data was disclosed.

10.25 In doing so, the data holder should ensure the CDR data is described in a manner that allows the consumer to easily understand what CDR data was disclosed.

10.26 The data holder must use the Data Language Standards when describing what CDR data was disclosed. [12] This will aid consumer comprehension by ensuring consistency between how CDR data was described in the authorisation-seeking process and how CDR data is described in the consumer dashboard.

When the CDR data was disclosed

10.27 The data holder must notify the consumer when the CDR data was disclosed.

‘Once-off’ disclosure:[13]

10.28 The data holder should include the date on which the CDR data was disclosed.

Ongoing disclosure:[14]

10.29 The data holder should, at a minimum, include the date range in which CDR data will be disclosed, with the starting date being the date on which the CDR data was first disclosed, and the end date being the date on which the data holder will make its final disclosure. This end date might not necessarily be the same as the date authorisation expires.

10.30 Where a data holder is unsure of the end date they may put the date authorisation expires, but must update the end date as soon as practicable after it becomes known.[15]

The accredited data recipient of the CDR data

10.31 In its notification to the consumer, the data holder must indicate to whom the CDR data was disclosed.

Example

Bank Belle, a data holder, receives a consumer data request on 1 July 2020 from Watson and Co, an accredited person, to disclose Zoe’s transaction details.

Bank Belle asks Zoe on 1 July 2020 to authorise the disclosure of her transaction details to Watson and Co for the sharing period specified in the consumer data request (i.e. 1 July 2020 to 1 January 2021).

Upon receiving Zoe’s authorisation, Bank Belle discloses Zoe’s transaction details to Watson and Co on 1 July 2020.

Bank Belle updates Zoe’s consumer dashboard on 1 July 2020 to include the following notification statement:

We shared your transaction details with Watson and Co on 01.07.20. We’ll continue to share your transaction details with Watson and Co until 01.01.21.

The above statement is an example of how Bank Belle could notify Zoe of the disclosure of her CDR data in accordance with CDR Rule 7.9.

Other notification requirements under the CDR Rules

10.32 In addition to the Privacy Safeguard 10 notification requirements in relation to disclosure, the data holder must update a consumer’s dashboard as soon as practicable after the information required to be contained on the dashboard changes.[16]

Disclosure to a designated gateway

Note: There are currently no designated gateways in the CDR regime.

10.33 Privacy Safeguard 10 applies where a data holder or accredited data recipient discloses CDR data to a designated gateway as required or authorised under the CDR Rules.[17]

10.34 There are currently no CDR Rules made for this circumstance.

Interaction with other Privacy Safeguards

10.35 CDR participants must comply with Privacy Safeguard 1 by taking reasonable steps to implement practices, procedures and systems that will ensure they comply with the CDR regime, including Privacy Safeguard 10. See Chapter 1 (Privacy Safeguard 1).

10.36 Privacy Safeguard 11 mandates the steps by which a data holder must advise a consumer where the data holder has disclosed CDR data that was incorrect. See Chapter 11 (Privacy Safeguard 11).

Footnotes

[1] Section 56EM(1) of the Competition and Consumer Act. For further information on ‘required or authorised to use or disclose CDR data under the CDR Rules’, refer to Chapter B (Key concepts).

[2] Section 56EM(2) of the Competition and Consumer Act.

[3] Section 56EM(1)(b) of the Competition and Consumer Act and CDR Rule 7.9. The CDR Rules may also set requirements for other consumers that must be notified when CDR data is disclosed. There are currently no additional requirements in the CDR Rules, other than in relation to joint account holders in the banking industry.

[4] For details regarding the inclusion of CDR data that relates to a joint account under the CDR regime, see the phasing summary table to the CDR Rules.

[5] CDR Rule 7.9 and clause 4.6 of Schedule 3 to the CDR Rules.

[6] Where the CDR data disclosed relates to a joint account and the data holder has provided an equivalent consumer dashboard (see clause 4.4 of Schedule 3 to the CDR Rules), the data holder must also notify the non-requesting joint account holder by updating their consumer dashboard to include those same matters as soon as practicable after the CDR data is disclosed.

[7] CDR Rule 7.9.

[8] See clause 4.4 of Schedule 3 to the CDR Rules.

[9] This includes the CDR data to which the authorisation relates and when the authorisation will expire.

[10] CDR Rule 7.9.

[11] CDR Rule 7.9.

[12] The Data Language Standards are contained within the Consumer Experience Guidelines. They provide descriptions of the types of data to be used by data holders when making and responding to requests. Adherence to the Data Language Standards is mandatory and will help ensure there is a consistent interpretation and description of the consumer data that will be shared in the CDR regime. See s 56FA of the Competition and Consumer Act and CDR Rule 8.11.

[13] This is where the accredited person made a consumer data request on behalf of the consumer for a collection of CDR data on a single occasion.

[14] This is where the accredited person made a consumer data request on behalf of the consumer for collection of CDR data over a specified period of time.

[15] CDR Rule 4.27 requires a data holder to update the consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes.

[16] CDR Rule 4.27.

[17] CDR Rules may be made in relation to the notification requirements for that disclosure.

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au