Chapter C: Consent — The basis for collecting and using CDR data

15 November 2022

Download the print version (version 4.0)

Update Information

We are currently in the process of publishing the current version of the Privacy Safeguard Guidelines on the OAIC’s website in HTML format. In the meantime, if you need assistance because the document you need is not available in a format you can access, please contact us at

Key points

  • An accredited person may only collect, use and disclose CDR data with the consent of the consumer.
  • The CDR system sets out specific categories of consents that an accredited person may seek from a CDR consumer. It prohibits an accredited person from seeking a consent which does not fit into these categories.
  • The consumer data rules (CDR Rules) seek to ensure that a consumer’s consent is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn. An accredited person must ask a CDR consumer to give or amend a consent in accordance with the CDR Rules.
  • A CDR representative is responsible for seeking a CDR consumer’s consent when CDR data is being collected by a CDR principal under a CDR representative arrangement. However, the CDR principal is liable if the CDR representative does not obtain consent in accordance with the CDR Rules.
  • In giving consent to the collection and use of their CDR data, a CDR consumer provides the accredited person with a ‘valid request’ to seek to collect the relevant CDR data.
  • An accredited person’s processes for asking a CDR consumer to give or amend a consent must be compliant with the data standards and have regard to the Consumer Experience Guidelines.
  • An accredited person must comply with the data minimisation principle when collecting or using CDR data.
  • A data holder may disclose CDR data only with the authorisation of the relevant CDR consumers.