Chapter 3: Privacy Safeguard 3 — Seeking to collect CDR data from CDR participants

15 November 2022

Version 4.0

Key points

  • Privacy Safeguard 3 prohibits an accredited person from attempting to collect CDR data under the CDR system unless it is in response to a ‘valid request’ from the consumer.
  • The consumer data rules (CDR Rules) set out what constitutes a valid request, including requirements and processes for seeking the consumer’s consent.
  • The accredited person must also comply with all other requirements in the CDR Rules for collection of CDR data. This includes the ‘data minimisation principle’, which requires that an accredited person must not seek to collect data beyond what is reasonably needed to provide the good or service to which a consumer has consented, or for a longer time period than is reasonably needed.
  • Privacy Safeguard 3 applies whether the collection is directly from the CDR participant or indirectly through a designated gateway.