Chapter 6: Privacy Safeguard 6 — Use or disclosure of CDR data by accredited data recipients or designated gateways

15 November 2022

Download the print version (version 4.0)

Key points

  • Privacy Safeguard 6, together with rules 7.5, 7.5A, 7.6 and 7.7 of the consumer data rules (CDR Rules), applies to accredited data recipients of a consumer’s CDR data, placing restrictions and obligations on them in relation to the use and disclosure of that data.
  • Generally, accredited data recipients of CDR data and designated gateways can use or disclose CDR data only where required or authorised under the CDR Rules. The consumer must consent to these uses and disclosures of their CDR data.
  • Subrule 7.5(1) of the CDR Rules outlines the permitted uses and disclosures of CDR data.
  • In addition, subrule 7.5(2), rule 7.5A and subrule 7.6(1) of the CDR Rules prohibit certain uses or disclosures of CDR data.
  • Accredited data recipients of CDR data must comply with the data minimisation principle when using that data to provide the goods or services requested by the consumer, or to fulfil any other purpose consented to by the consumer.