Summary of version changes to CDR Privacy Safeguard Guidelines

6 September 2021

The CDR Privacy Safeguard Guidelines may be updated from time to time, including to take account of changes in the Competition and Consumer Act 2010, Competition and Consumer (Consumer Data Right) Rules 2020 or other legislation, determinations made under s 52 of the Privacy Act 1988 (as a result of s 56ET of the Competition and Consumer Act 2010) and relevant tribunal and court decisions. Chapters of the CDR Privacy Safeguard Guidelines are updated individually. This page contains archived versions of each chapter, and notes on the changes between versions for each chapter.

Chapter A: Introductory matters
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  
2.0 30-Jul-2020 to 8-Jun-2021
  • Correction of minor typographical error ([A.11]).
  • Expanded discussion about why CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act, including new footnote ([A.27]).
3.0 9-Jun-2021 to 
  • Updated guidance to reflect that the energy sector was designated by the Treasurer under the Consumer Data Right (Energy Sector) Designation 2020.
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and Australian Privacy Principles (APPs) apply to CDR data ([A.28]–[A.34]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to introduce new categories of consent for the disclosure of CDR data to accredited persons ([A.20]).
  • Clarifying guidance on the meaning of ‘CDR consumer’ ([A.12]–[A.14]).
  • Updates to reflect the OAIC and Australian Competition and Consumer Commission's (ACCC) joint Compliance and Enforcement Policy and OAIC’s Regulatory Action Policy ([A.42]).
Chapter B: Key concepts
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • New references to the Guide to privacy for data holders ([B.16] and [B.93]).
  • New guidance regarding the ‘CDR policy’ ([B.21] to [B.22]).
  • Updated guidance on ‘eligible CDR consumer’ to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020 ([B.60]).
  • New footnotes to explain that for the banking sector, it is not currently possible for a consumer to make a consumer data request directly to a data holder due to an exemption from relevant obligations until 1 November 2021 ([B.67], [B.70] and [B.78]).

3.0 

9-Jun-2021 to 

  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to the definition of ‘data holder’ ([B.101]) and ‘earliest holding day’ ([B.103]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including:
    • changes to the definition of an ‘outsourced service provider’ and ‘CDR outsourcing arrangement’ ([B.129], [B. 132]–[B.134])
    • new terms such as ‘service data’ ([B.168]–[B.169]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • the definition of ‘consent’, including different categories and types of consents, such as new categories for the disclosure of CDR data to accredited persons and the de-identification of CDR data for general research ([B.29]–[B.41])
    • the definition of ‘consumer data request’ ([B.73]–[B.77]), ‘eligible’ CDR consumer ([B.64]–[B.66]), ‘data minimisation principle’ ([B.106]) and ‘valid request’ ([B.84]–[B.88])
    • when a consent or authorisation will be ‘current’ [(B.91]–[B.96])
    • the joint account provisions (footnote 15, [B.14]).
  • Additional guidance, including:
    • on the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure (in the ‘disclosure’ and ‘use’ entries at [B.123], [B.172]–[B.173])
    • on the meaning of ‘holds’ ([B.127]–[B.128])
    • in the entries for ‘reasonable steps’ ([B.142]), ‘required or authorised by an Australian law or by a court/tribunal order’ ([B.149]), ‘required or authorised to use or disclose CDR data under the CDR Rules’ ([B.160]–[B.161]).
  • Clarifying guidance, including:
    • on when an accredited person becomes an accredited data recipient (see ‘accredited data recipient’ and ‘accredited person’ entries at [B.4]–[B.6] and [B.7]–[B.11])
    • in the ‘CDR consumer’ entry ([B.42]–[B.66]).
Chapter C: Consent — The basis for collecting, using and disclosing CDR data
VersionCurrency datesChanges and other comments

1.0

24-Feb-2020 to 29-Jul-2020

 

2.0

30-Jul-2020 to 8-Jun-2021

  • New paragraph and footnote to clarify when a consumer dashboard should be provided by an accredited person ([C.48]).
  • Minor wording changes for clarity ([C.49], [C.50], ([C.59] to [C.62], call out boxes under [C.51], [C.55] and [C.65]).
  • New references to the Guide to privacy for data holders ([C.52] and [C.75]).
  • Minor changes to sub-headings (above [C.53], [C.59], [C.66] and [C.70]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020, including changes to how an accredited person must allow a consumer to withdraw consent ([C.54] to [C.58]).

3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including:
    • changes to what information an accredited person must provide to a consumer about an outsourced service provider ([C.54])
    • which accredited person needs to provide a consumer dashboard where CDR data is collected under a CDR outsourcing arrangement ([C.65])
    • the need to consider the effect of CDR Rule 1.7(5) on an accredited person’s obligations to provide notifications to a consumer, where CDR data is collected and/or disclosed under a CDR outsourcing arrangement (footnote 156).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • the definition of ‘valid request’ and ‘consumer data request’ (see [C.8]–[C.15] and the updated flow chart under [C.15])
    • the definition of ‘consent’, including different categories and types of consents, such as new categories for the disclosure of CDR data to accredited persons and the de-identification of CDR data for general research ([C.16]–[C.21])
    • reflect that consent is required for certain disclosures in addition to the collection and use of a consumer’s CDR data (see, eg, [C.1], [C.4], [C.5])
    • enable amendments of consent [C.27]–[C.36], [C.42], [C.57], [C.61], [C.71])
    • the general requirements for asking a consumer to give (or amend) a consent ([C.37]–[C.40]), for example when an accredited person may refer to its CDR policy when seeking consent ([C.40])
    • introduce limited exceptions to the requirement for consent processes to comply with data standards other than the consumer experience data standards (Key point 4, [C.37])
    • clarify which category or categories of consent a requirement applies to (see especially [C.37]–[C.60]), including additional requirements for de-identification consents ([C.59]–[C.60])
    • restrictions on seeking consents, for example to prohibit the seeking of a consent which does not fit into a category of consent (Key point 2, [C.62])
    • when a fee for the disclosure of CDR data may be charged or passed on ([C.44]–[C.45])
    • the data minimisation principle and how an accredited person must explain their compliance with this principle (C.49]–[C.53])
    • the effect of withdrawing a consent, given the different categories of consents ([C.81]–[C.84])
    • when a consent expires ([C.90]–[C.96])
    • introduce new notification requirements ([C.74], [C.75]), [C.94]– [C.96], [C.97]–[C.99])
    • update accredited person consumer dashboard requirements [C.64]–[C.72])
    • the joint account Rules, as they relate to a data holder’s obligation to seek authorisation ([C.102]).
  • Clarifying guidance on when an accredited person should provide a dashboard to a consumer and the reasoning for this ([C.67]).
  • Additional guidance on:
    • an accredited person’s alternative method of allowing a consumer to withdraw consent in relation to direct marketing consents ([C.79])
    • what an accredited person must and should do where they do not have a general policy of deleting redundant data, and the consumer has not already requested that their redundant data be deleted ([C.80]).
Chapter 1: Privacy Safeguard 1 — Open and transparent management of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  
2.0 30-Jul-2020 to 8-Jun-2021
  • Minor change to sub-heading (above [1.2]).
  • Inclusion of further references to the object of Privacy Safeguard 1 ([1.5] and [1.12]).
  • Expanded discussion regarding the CDR data management plan and how this can assist a CDR entity with the ongoing compliance obligation in Privacy Safeguard 1 (call out box under [1.13]; and [1.29] to [1.32]).
  • Minor restructuring of the ‘Implementing practices, procedures and systems to ensure compliance with the CDR regime’ section to aid with readability.
  • Revised and expanded discussion in ‘The CDR regime obligations that apply to the CDR entity’ section ([1.16] to [1.18], including new call out box).
  • Updated guidance regarding ‘A suggested approach to compliance with Privacy Safeguard 1’, including revised and expanded discussion of the four overarching steps suggested and addition of new privacy tips ([1.33] to [1.42]).
  • Minor restructuring and redrafting of text for readability and streamlining in light of the new Guide to developing a CDR policy ([1.43] to [1.56]).
  • New references to the Guide to developing a CDR policy ([1.47] and [1.49]).
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:
    • replacement of references to an accredited data recipient with ‘accredited person’ or ‘accredited person who is or who may become an accredited data recipient of CDR data’ throughout, to reflect changes to the application of Privacy Safeguard 1 (s 56ED)
    • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person who may become an accredited data recipient’ and ‘accredited data recipient’ rows of the table under [1.8]).
  • Updated guidance on what information must be included in an accredited person’s CDR policy to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including that information about general research conducted must be included ([1.51]).
  • Clarifying amendment to what information an accredited person’s CDR policy must provide about who CDR data may be disclosed to, to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, which allow an outsourced service provider to collect CDR data ([1.51]).
  • Clarifying guidance, including:
    • that an accredited person’s CDR policy must include information about the CDR data that another entity holds or may hold on the accredited person’s behalf (for example, an outsourced service provider) ([1.51])
    • information about the deletion and de-identification CDR data in a CDR policy ([1.51]).
Chapter 2: Privacy Safeguard 2 — Anonymity and pseudonymity
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:
    • replacement of references to an accredited data recipient with ‘accredited person’ or ‘accredited person (who is or who may become an accredited data recipient of CDR data)’ throughout, to reflect changes to the application of Privacy Safeguard 2 (s 56EE)
    • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person who may become an accredited data recipient’ and ‘accredited data recipient’ rows of the table under [2.8]).
  • Additional guidance to note that the exceptions to Privacy Safeguard 2 in CDR Rule 7.3 do not apply to an accredited person who is not yet an accredited data recipient of CDR data (footnotes 1, 12 and 14).
Chapter 3: Privacy Safeguard 3 — Seeking to collect CDR data from CDR participants
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person row of the table under [3.9]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to allow an accredited person to engage an accredited outsourced service provider to collect CDR data on their behalf ([3.3], [3.30]–[3.35]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • the definition of ‘valid request’ ([3.15]–[3.17])
    • the definition of ‘consumer data request’ ([3.22]–[3.26] and the updated flow chart on page 10)
    • the definition of ‘data minimisation principle’ ([3.27]–[3.29])
    • reflect that an accredited person may seek to collect CDR data from accredited data recipients in addition to data holders (by replacing references to ‘data holder’ with ‘CDR participant’ throughout)
    • reflect amendments to the requirements for asking for consent ([3.18]–[3.19]).
  • Clarifying guidance on obligations about managing the withdrawal of consent ([3.19]).
Chapter 4: Privacy Safeguard 4 — Dealing with unsolicited CDR data from CDR participants
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to reflect clarifying amendments to how the privacy safeguards and APPs interact (in the ‘accredited persons’ row of the table under [4.9]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to reflect that CDR data may have been collected from an accredited data recipient or data holder (by replacing references to ‘data holder’ with ‘CDR participant’ throughout).
Chapter 5: Privacy Safeguard 5 — Notifying of the collection of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • Minor change to sub-heading ([5.30]).

3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to:
    • reflect clarifying amendments to how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [5.12])
    • refer to ‘accredited data recipients’ throughout, instead of ‘accredited persons’, to reflect changes to the application of Privacy Safeguard 5 (s 56EH).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements where an accredited data recipient collected CDR data on behalf of a principal in a CDR outsourcing arrangement ([5.15)).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • other notification requirements under the CDR Rules to note the effect of CDR Rule 1.7(5) where CDR data has been collected under a CDR outsourcing arrangement (footnote 13) and for where certain consents expire or are amended ([5.36])
    • reflect that CDR data may have been collected from an accredited data recipient or data holder ([5.24], [5.35]).
Chapter 6: Privacy Safeguard 6 — Use or disclosure of CDR data by accredited data recipients or designated gateways
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [6.7]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to:
    • reflect the new term ‘service data’ ([6.50]–[6.51])
    • allow for disclosures of service data by an accredited outsourced service provider to a principal under a CDR outsourcing arrangement ([6.57]—[6.60]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • introduce additional permitted uses and disclosures of CDR data ([6.21], [6.28]–[6.30], [6.31]–[6.34], [6.54]–[6.56])
    • prohibited uses and disclosures of CDR data ([6.22])
    • the diagram that outlines at a high-level the permitted and prohibited uses or disclosures of CDR data (below [6.19])
    • the data minimisation principle (key point 5, [6.25]–[6.27]).
  • Additional guidance on:
    • the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure ([6.15])
    • the application of s 56AU of the Competition and Consumer Act to considerations of an accredited data recipient’s liability for the acts of an outsourced service provider (footnote 51)
    • the interaction between Privacy Safeguard 6 and Privacy Safeguard 9 ([6.66]–[6.70]).
Chapter 7: Privacy Safeguard 7 — Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [7.7]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including permitting disclosures of service data by an accredited outsourced service provider to a principal in a CDR outsourcing arrangement ([7.33]–[7.36]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • the definition of a ‘direct marketing consent’ ([7.15])
    • introduce additional permitted uses and disclosures of CDR data for direct marketing ([7.16], [7.22] and [7.23]–[7.24])
    • address the interaction between the direct marketing Rules and amending consent Rules ([7.20])
    • the data minimisation principle, which now applies to the use of CDR data for direct marketing (Key point 4, [7.25]–[7.28]).
  • Additional guidance on:
    • outsourced service providers ([7.33]–[7.36])
    • the interaction between Privacy Safeguard 7 and Privacy Safeguard 9 ([6.66]–[6.70]).
Chapter 8: Privacy Safeguard 8 — Overseas disclosure of CDR data by accredited data recipients
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • Minor wording change for clarity (key point 2).
3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:
    • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [8.10])
    • changes to the conditions in the CDR regulatory framework that affect when an accredited data recipient is liable when making an overseas disclosure, regarding s 56AU of the Competition and Consumer Act ([8.44]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to clarify that an accredited data recipient must also comply with the CDR Rules regarding disclosure consents before disclosing data to an overseas recipient (flow chart under [8.19], [8.21]).
  • Additional guidance on the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure ([8.15]).
Chapter 9: Privacy Safeguard 9 — Adoption or disclosure of government related identifiers by accredited data recipients
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [9.7]).
Chapter 10: Privacy Safeguard 10 — Notifying of the disclosure of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • New reference to the Guide to privacy for data holder ([10.15]).
  • Minor change to sub-heading ([10.28]).

3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements for accredited data recipients where the CDR data that was disclosed was collected on behalf of a principal under a CDR outsourcing arrangement ([10.24]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including:
    • changes throughout to reflect that an accredited data recipient may now disclose CDR data to another accredited person, and accordingly, will have responsibilities under Privacy Safeguard 10 to notify consumers of that disclosure

    • additional guidance throughout to assist accredited data recipients to comply with Privacy Safeguard 10

    • the introduction of secondary users, non-individual consumers and partnership accounts, and how a data holder’s notification obligations operate in these cases ([10.16]–[10.17])

    • changes to how the accredited person to whom the CDR data was disclosed must be described (footnote 21, [10.42])

    • changes to the joint account Rules (see footnotes 7, 13 and 15).

  • Additional guidance on:
    • how Privacy Safeguard 10 interacts with the Privacy Act for data holders and accredited data recipients ([10.8]–[10.12])

    • other notification requirements under the CDR Rules for accredited data recipients ([10.44]–[10.45]).

Chapter 11: Privacy Safeguard 11 — Quality of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • New guidance to clarify that Australian Privacy Principle 13 continues to apply for data holders and can help to support a data holder’s compliance with Privacy Safeguard 11 ([11.12] and footnote at [11.33]).
  • Inclusion of new example of a ‘reasonable step’ under Privacy Safeguard 11 ([11.33]).
  • Expanded discussion of the ways in which a data holder may become aware of inaccuracies in CDR data ([11.37]).
  • Expanded discussion to draw attention to updating data holdings as a ‘reasonable step’ under Privacy Safeguard 11 (Examples under [11.47] and [11.62]).
  • Removed a footnote for accuracy (Example under [11.47]).
  • New reference in footnote to the Guide to privacy for data holders ([11.57]).
  • Revised and expanded discussion to further clarify how Privacy Safeguard 11 interacts with Privacy Safeguard 13 ([11.64] to [11.65]).

3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [11.14]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements where the entity disclosed the incorrect CDR data to an accredited person who was collecting that CDR data on behalf of a principal ([11.41]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes throughout to reflect that an accredited data recipient may disclose CDR data to another accredited person, and accordingly, have responsibilities under Privacy Safeguard 11 if they become aware that the CDR data disclosed was incorrect.
  • Updated guidance on meaning of ‘reasonable steps’ to include that the assessment of what is considered ‘reasonable’ should have regard to whether the CDR data has been inferred ([11.32]–[11.33]).
  • Clarifying guidance on:
    • whether Privacy Safeguard 11 or the APPs will apply to the quality of CDR data for data holders ([11.9]–[11.14]) and the table under ([11.14])
    • how to interpret and apply the maximum time period of five business days for notifying consumers ([11.50]–[11.51]).
Chapter 12: Privacy Safeguard 12 — Security of CDR data and destruction or de-identification of redundant CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 8-Jun-2021  
3.0 9-Jun-2021 to 
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [12.14]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to reflect that CDR data may be collected by, in addition to disclosed to, outsourced service providers (call out box under [12.41], [12.53]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:
    • the CDR deletion process regarding what an accredited data recipient must do where another person holds the CDR data on their behalf ([12.103])
    • clarify requirements for de-identifying CDR data that is not ‘redundant data’ ([12.121]—[12.123]).
  • Clarifying guidance on:
    • the steps that an accredited data recipient must take where they have provided CDR data to an outsourced service provider and that CDR data becomes redundant ([12.114]–[12.116])
    • how accredited data recipients must provide certain information about the deletion and de-identification CDR data in their CDR policy under Privacy Safeguard 1 ([12.118]).
Chapter 13: Privacy Safeguard 13 — Correction of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to 8-Jun-2021

  • Removed footnote for readability ([13.1]).
  • New ‘note’ to clarify that a data holder still has an obligation to correct CDR data that is personal information under Australian Privacy Principle 13 if no correct request has been received under Privacy Safeguard 13 (Table under [13.11]).
  • Removed examples regarding fraudulent transactions (under [13.12] and [13.31]).
  • Removed example for accuracy ([13.46]).
  • Revised and expanded discussion to further clarify how Privacy Safeguard 13 interacts with Privacy Safeguard 11 ([13.52] to [13.55]).
 3.0

9-Jun-2021 to 

  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [13.12]).
  • Clarifying guidance on:
    • how to interpret and apply the maximum time period of 10 business days to correct the CDR data to the extent appropriate ([13.18])
    • whether Privacy Safeguard 13 or the APPs will apply to the quality of CDR data for data holders ([13.10] and the table below [13.12])
    • how Privacy Safeguard 13 interacts with Privacy Safeguards 5 and 10 to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to reflect that: accredited persons may collect CDR data from both data holders and accredited data recipients; and both accredited data recipients and data holders may disclose CDR data to accredited persons ([13.51]–[13.54]).