Chapter 5: Privacy Safeguard 5 — Notifying of the collection of CDR data

9 June 2021

Version 3.0

Key points

  • An accredited data recipient of a consumer’s CDR data must notify that consumer when they collect the data.
  • This notification must occur through the consumer’s dashboard as soon as practicable after the accredited data recipient has received the consumer’s CDR data.

What does Privacy Safeguard 5 say?

5.1 If an accredited data recipient collected a consumer’s CDR data under Privacy Safeguard 3, the accredited data recipient must notify that consumer of the collection by taking the steps identified in the consumer data rules (CDR Rules).[1]

5.2 The notification must:

  • be given to the consumer at whose request the CDR data was collected
  • cover the matters set out in the CDR Rules, and
  • be given at or before the time specified in the CDR Rules.

5.3 Under CDR Rule 7.4, an accredited data recipient of a consumer’s CDR data must notify the consumer by updating the consumer’s dashboard to include certain matters as soon as practicable after CDR data is collected from a data holder or accredited data recipient.

5.4 For information about the concept of ‘collects’ refer to Chapter B (Key concepts). For information about seeking to collect CDR data under Privacy Safeguard 3, see Chapter 3 (Privacy Safeguard 3).

Why is this important?

5.5 Notification of collection of CDR data is an integral element of the CDR regime as it provides confirmation to the consumer that their CDR data has been collected in accordance with their valid request.

5.6 This ensures consumers are informed when their CDR data is collected and builds trust between consumers and accredited data recipients.

Who does Privacy Safeguard 5 apply to?

5.7 Privacy Safeguard 5 applies to accredited data recipients of a consumer’s CDR data. It does not apply to data holders or designated gateways.

5.8 Data holders and designated gateways must ensure that they are adhering to their obligations under the Privacy Act 1988 (the Privacy Act) and the Australian Privacy Principles (APPs), including APP 3 and APP 5, when collecting personal information.

5.9 Data holders must also ensure they adhere to Privacy Safeguard 10, which requires them to notify consumers of the disclosure of their CDR data.

How Privacy Safeguard 5 interacts with the Privacy Act

5.10 It is important to understand how Privacy Safeguard 5 interacts with the Privacy Act and the APPs.[2]

5.11 Like Privacy Safeguard 5, APP 5 outlines when an entity must notify of collection, as well as what information must be included in the notification.

5.12 The Privacy Act and APP 5 provide protection where the collected data is personal information but not CDR data.

CDR entity: Privacy protections that apply in the CDR context

Accredited data recipient: Privacy Safeguard 5
  For accredited data recipients of a consumer’s CDR data, the Privacy Safeguard 5 notification requirements apply to any of that consumer’s CDR data that has been collected in accordance with Privacy Safeguard 3.[3]
  APP 5 does not apply in relation to that CDR data.[4]

Designated gateway: APP 5
  Privacy Safeguard 5 does not apply to a designated gateway.

Data holder: APP 5
  Privacy Safeguard 5 does not apply to a data holder.

How must notification be given?

5.13 An accredited data recipient must provide the notification by updating the consumer dashboard for a consumer to include the matters discussed in paragraphs 5.24 to 5.35 as soon as practicable after collecting CDR data relating to that consumer.[5]

5.14 The consumer dashboard is an online service that must be provided by an accredited person to each consumer who has provided consent to the collection, use and/or disclosure of their CDR data. Accredited persons are required by CDR Rule 1.14 to include within the consumer’s dashboard certain details of each consent to collect, use and disclose CDR data that has been given by the consumer.[6]

5.15 Where an accredited data recipient collected CDR data on behalf of another accredited person (the ‘principal’) under a CDR outsourcing arrangement, only the principal needs to notify the relevant consumer/s of collection by updating the relevant dashboard/s.[7]

5.16 Further guidance about the consumer dashboard is set out in Chapter B (Key concepts) and Chapter C (Consent).

Who must be notified?

5.17 The accredited data recipient must notify the consumer who gave the consent to collect the CDR data.

5.18 There may be more than one consumer to whom a set of CDR data applies, for example, where there are joint account holders of a bank account. In this example, the accredited data recipient is required by CDR Rule 7.4 to update only the consumer dashboard of the requesting joint account holder.

When must notification be given?

5.19 An accredited data recipient must notify the consumer as soon as practicable after the CDR data is collected.

5.20 As a matter of best practice, notification should generally occur in as close to real time as possible (for example, in relation to ongoing collection, as close to the time of first collection as possible).

5.21 The test of practicability is an objective test. It is the responsibility of the accredited data recipient to be able to justify any delay in notification.

5.22 In determining what is ‘as soon as practicable’, the accredited data recipient may take the following factors into account:

  • time and cost involved, when combined with other factors
  • technical matters, and
  • any individual needs of the consumer (for example, additional steps required to make the content accessible).

5.23 An accredited data recipient is not excused from providing prompt notification by reason only that it would be inconvenient, time consuming or costly to do so.

Risk point: Delays in notification of collection may result in confusion for a consumer, and non-compliance for an accredited data recipient.

Privacy tip: Accredited data recipients should ensure that they have systems and processes in place to allow for real-time and automated notification.

What matters must be included in the notification?

5.24 The minimum matters that must be included in the notification, and provided via the consumer’s dashboard, are:

  • what CDR data was collected
  • when the CDR data was collected, and
  • the data holder or accredited data recipient from which the CDR data was collected.[8]

5.25 Accredited data recipients should provide information about these matters clearly and simply, but also with enough specificity to be meaningful for the consumer. How much information is required may differ depending on the circumstances.

5.26 Guidance on each of the minimum matters is provided below.

Risk point: Consumers may not read or understand a notification where the details of collection are complex.

Privacy tip: An accredited data recipient should ensure that the notification is as simple and easy to understand as possible. To do this, an accredited data recipient should consider a range of factors when formulating a notification, such as:

  • what the data is being used for
  • the language used (including the level of detail), and
  • the presentation of the information (e.g. layout, format and any visual aids used). For more complex notifications, the accredited data recipient could consider providing a condensed summary of key matters in the notification and linking to more comprehensive information or, where it may assist the consumer, a full log of access.

What CDR data was collected

5.27 The accredited data recipient must notify the consumer of what CDR data was collected.

5.28 In doing so, the accredited data recipient should ensure CDR data is described in a manner that allows the consumer to easily understand what CDR data was collected.

5.29 The accredited data recipient must use the Data Language Standards when describing what CDR data was collected.[9] This will aid consumer comprehension by ensuring consistency between how CDR data was described in the consent-seeking process and how CDR data is described in the consumer dashboard.

When the CDR data was collected

5.30 The accredited data recipient must notify the consumer of when the CDR data was collected.

‘One-off’ collection[10]

5.31 The accredited data recipient should include the date on which the CDR data was collected.

Ongoing collection[11]

5.32 The accredited data recipient should, at a minimum, include the date range in which CDR data will be collected, with the starting date being the date on which the CDR data was first collected, and the end date being the date on which the accredited person will make its final collection. This end date might not necessarily be the same as the date the consent to collect expires.

5.33 Where an accredited data recipient is unsure of the end date they may put the date the consent to collect expires, but must update the end date as soon as practicable after it becomes known.[12]

5.34 The accredited data recipient should, in addition to stating the date range for collection, note:

  • what activity will trigger ongoing collection (e.g. ‘We’ll continue to collect your transaction details from [e.g. data holder] each time you make a transaction’), and / or
  • if known, the frequency of any ongoing collection (e.g. ‘We’ll continue to collect your transaction details from [e.g. data holder] up to three times per day’).

From whom the CDR data was collected

5.35 In its notification to the consumer, the accredited data recipient must indicate from whom the CDR data was collected. There may be multiple data holders and/or accredited data recipients from whom the CDR data was collected.

Example

Watson and Co is an accredited person that provides a budgeting service through its Watspend application. Watspend uses transaction details to provide real-time, accurate budgeting recommendations to its users.

Zoe wants to use the Watspend application, so provides Watson and Co with a valid request to collect her transaction details from Bank Belle. Zoe provides consent for Watson and Co to collect and use her transaction details for the provision of the Watspend service from 1 July 2020 to 1 January 2021.

Watson and Co collect Zoe’s transaction details from Bank Belle on 1 July 2020 and becomes an accredited data recipient for this CDR data.

Watson and Co updates Zoe’s consumer dashboard on 1 July 2020 to include the following notification statement:   

We collected your transaction details from Bank Belle on 01.07.20. We’ll continue to collect your transaction details from Bank Belle each time you make a transaction until 01.01.21.

The above statement is an example of how Watson and Co could notify Zoe of the collection of her CDR data in accordance with CDR Rule 7.4.
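The notification statement in the example can be generated directly from the accredited person’s own record of each collection. The following is an added example written for this chapter; it is not OAIC guidance text or any accredited person’s code. The record fields (CollectionEvent), function names and the sample events are assumptions. It applies the rules in paragraphs 5.15, 5.18 and 5.31 to 5.35: only the requesting consumer’s dashboard is updated, a provider acting for a principal under a CDR outsourcing arrangement does not post a notice, and for ongoing collection the end date falls back to the consent expiry until the final collection date is known.

```python
"""Build Privacy Safeguard 5 collection notices for a consumer dashboard.

Added example for this chapter, not OAIC or CDR Rules code. Field and
function names are assumptions; the sample events are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional


@dataclass
class CollectionEvent:
    """One collection of CDR data as recorded by the accredited person."""
    requesting_consumer: str          # consumer whose consent authorised the request
    data_cluster: str                 # described using the Data Language Standards
    source: str                       # data holder or ADR the data came from
    collected_on: date                # date of (first) collection
    consent_expires: date             # expiry of the consent to collect
    ongoing: bool = False             # collection over a period (CDR Rule 4.11(1)(b)(ii))
    last_collection: Optional[date] = None  # final planned collection, if known
    trigger: Optional[str] = None     # e.g. "each time you make a transaction"
    frequency: Optional[str] = None   # e.g. "up to three times per day"
    acting_for_principal: bool = False  # provider role in a CDR outsourcing arrangement


def fmt_date(d: date) -> str:
    """Date format used in the chapter's example notice (dd.mm.yy)."""
    return d.strftime("%d.%m.%y")


def build_notice(ev: CollectionEvent) -> Optional[str]:
    """Return the dashboard notice text, or None if this party must not notify.

    Under a CDR outsourcing arrangement only the principal updates the
    dashboard, so a provider collecting on a principal's behalf returns None.
    """
    if ev.acting_for_principal:
        return None
    notice = (f"We collected your {ev.data_cluster} from {ev.source} "
              f"on {fmt_date(ev.collected_on)}.")
    if ev.ongoing:
        # Unknown final collection date: use consent expiry for now. The
        # dashboard must be updated once the real end date becomes known.
        end = ev.last_collection or ev.consent_expires
        how = ", ".join(p for p in (ev.trigger, ev.frequency) if p)
        notice += (f" We'll continue to collect your {ev.data_cluster} "
                   f"from {ev.source}" + (f" {how}" if how else "")
                   + f" until {fmt_date(end)}.")
    return notice


def post_notices(events: Iterable[CollectionEvent],
                 dashboards: Optional[Dict[str, List[str]]] = None
                 ) -> Dict[str, List[str]]:
    """Append each notice to the requesting consumer's dashboard only.

    For a joint account the other account holders' dashboards are untouched,
    because the notice goes to the consumer who made the request.
    """
    dashboards = {} if dashboards is None else dashboards
    for ev in events:
        notice = build_notice(ev)
        if notice is None:
            continue
        dashboards.setdefault(ev.requesting_consumer, []).append(notice)
    return dashboards


# Constructed sample events (assumed data, mirroring the chapter's example).
SAMPLE_EVENTS = [
    CollectionEvent("zoe", "transaction details", "Bank Belle",
                    date(2020, 7, 1), date(2021, 1, 1), ongoing=True,
                    trigger="each time you make a transaction"),
    # Same collection performed by an outsourced provider for a principal:
    # the provider does not post a notice.
    CollectionEvent("zoe", "transaction details", "Bank Belle",
                    date(2020, 7, 1), date(2021, 1, 1), ongoing=True,
                    trigger="each time you make a transaction",
                    acting_for_principal=True),
    # One-off collection from a second source.
    CollectionEvent("zoe", "account balance", "Bank Belle",
                    date(2020, 7, 1), date(2021, 1, 1)),
]

if __name__ == "__main__":
    for consumer, notices in post_notices(SAMPLE_EVENTS).items():
        print(consumer)
        for n in notices:
            print("  " + n)
```

Running the block prints Zoe's dashboard with two notices: the ongoing transaction-details notice worded as in the example above, and a one-off account-balance notice; the outsourced-provider event produces nothing. Because `build_notice` is a pure function of the stored collection record, it can be called in the same transaction that records the collection, which is the simplest way to meet the "as soon as practicable" test in paragraphs 5.19 to 5.23.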

Other notification requirements under the CDR Rules

5.36 In addition to the Privacy Safeguard 5 notification requirements in relation to collection, there are other notification requirements relating to consent that must be complied with: [13]

  • providing CDR receipts to the consumer (CDR Rule 4.18)
  • notification requirements where certain consents expire or are amended (CDR Rules 4.18A, 4.18B and 4.18C)
  • general obligation to update the consumer dashboard (CDR Rule 4.19), and
  • ongoing notification requirements for consents to collect and use (CDR Rule 4.20).

5.37 For further information regarding these notification requirements, see Chapter C (Consent).

How does Privacy Safeguard 5 interact with the other privacy safeguards?

5.38 The requirement in Privacy Safeguard 5 to notify consumers about the collection of their CDR data relates to all CDR data collected under Privacy Safeguard 3 (see Chapter 3 (Privacy Safeguard 3)).

5.39 While Privacy Safeguard 5 relates to notification on collection, Privacy Safeguard 10 sets out when an accredited data recipient and data holder must notify consumers about the disclosure of their CDR data. See Chapter 10 (Privacy Safeguard 10).

Footnotes

[1] Section 56EH of the Competition and Consumer Act.

[2] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies.

[3] Privacy Safeguard 5 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:

  • CDR data is held by (or on behalf of) the person
  • the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
  • the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See s 56EK of the Competition and Consumer Act.

[4] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data - s 56EC(4)(a) of the Competition and Consumer Act. However, s 56EC(4) does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See s 6E(1D) of the Privacy Act.) Section 56EC(4) also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1 – 4). See s 56EC(5)(aa) of the Competition and Consumer Act.

[5] CDR Rule 7.4.

[6] This includes the CDR data to which the consents relate and when the consents will expire. For further information regarding the requirements for an accredited person’s consumer dashboard, see CDR Rule 1.14, Chapter C (Consent) and Chapter B (Key concepts).

[7] CDR Rule 1.16(2)(a). For information on ‘CDR outsourcing arrangements’, see Chapter B (Key concepts).

[8] CDR Rule 7.4.

[9] The Data Language Standards are contained within the Consumer Experience Standards. They provide descriptions of the types of data to be used by accredited data recipients when making and responding to requests. Adherence to the Data Language Standards is mandatory and will help ensure there is a consistent interpretation and description of the consumer data that will be shared in the CDR regime. See s 56FA of the Competition and Consumer Act and CDR Rule 8.11.

[10] This is where the accredited person indicated the CDR data would be collected on a single occasion (CDR Rule 4.11(1)(b)(i)).

[11] This is where the accredited person indicated the CDR data would be collected over a specified period of time (CDR Rule 4.11(1)(b)(ii)).

[12] CDR Rule 4.19 requires an accredited person to update the consumer dashboard as soon as practicable, after the information required to be contained on the dashboard changes.

[13] For an accredited data recipient who collected CDR data on behalf of a principal in a CDR outsourcing arrangement, note the effect of CDR Rule 1.7(5) which provides that, in the CDR Rules, ‘unless the contrary intention appears, a reference to an accredited person making a consumer data request, collecting CDR data, obtaining consents, providing a consumer dashboard, or using or disclosing CDR data does not include a reference to an accredited person doing those things on behalf of a principal in its capacity as the provider in an outsourced service arrangement, in accordance with the arrangement’.

For information on ‘CDR outsourcing arrangements’, see Chapter B (Key concepts), ‘Outsourced service provider’.
