Summary of version changes to CDR Privacy Safeguard Guidelines

30 July 2020

The CDR Privacy Safeguard Guidelines may be updated from time to time, including to take account of changes in the Competition and Consumer Act 2010, Competition and Consumer (Consumer Data Right) Rules 2020 or other legislation, determinations made under s 52 of the Privacy Act 1988 (as a result of s 56ET of the Competition and Consumer Act 2010) and relevant tribunal and court decisions. Chapters of the CDR Privacy Safeguard Guidelines are updated individually. This page contains archived versions of each chapter, and notes on the changes between versions for each chapter.

Chapter A: Introductory matters
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  
2.0 30-Jul-2020 to …
  • Correction of minor typographical error ([A.11])
  • Expanded discussion about why CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act, including new footnote ([A.27])
Chapter B: Key concepts
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

  • New references to the Guide to privacy for data holders ([B.16] and [B.93])
  • New guidance regarding the ‘CDR policy’ ([B.21] to [B.22])
  • Updated guidance on ‘eligible CDR consumer’ to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020 ([B.60])
  • New footnotes to explain that for the banking sector, it is not currently possible for a consumer to make a consumer data request directly to a data holder due to an exemption from relevant obligations until 1 November 2021 ([B.67], [B.70] and [B.78])
Chapter C: Consent — The basis for collecting and using CDR data
VersionCurrency datesChanges and other comments

1.0

24-Feb-2020 to 29-Jul-2020

 

2.0

30-Jul-2020 to …

  • New paragraph and footnote to clarify when a consumer dashboard should be provided by an accredited person ([C.48])
  • Minor wording changes for clarity ([C.49], [C.50], ([C.59] to [C.62], call out boxes under [C.51], [C.55] and [C.65])
  • New references to the Guide to privacy for data holders ([C.52] and [C.75])
  • Minor changes to sub-headings (above [C.53], [C.59], [C.66] and [C.70])
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020, including changes to how an accredited person must allow a consumer to withdraw consent ([C.54] to [C.58])
Chapter 1: Privacy Safeguard 1 — Open and transparent management of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  
2.0 30-Jul-2020 to …
  • Minor change to sub-heading (above [1.2])
  • Inclusion of further references to the object of Privacy Safeguard 1 ([1.5] and [1.12])
  • Expanded discussion regarding the CDR data management plan and how this can assist a CDR entity with the ongoing compliance obligation in Privacy Safeguard 1 (call out box under [1.13]; and [1.29] to [1.32])
  • Minor restructuring of the ‘Implementing practices, procedures and systems to ensure compliance with the CDR regime’ section to aid with readability
  • Revised and expanded discussion in ‘The CDR regime obligations that apply to the CDR entity’ section ([1.16] to [1.18], including new call out box)
  • Updated guidance regarding ‘A suggested approach to compliance with Privacy Safeguard 1’, including revised and expanded discussion of the four overarching steps suggested and addition of new privacy tips ([1.33] to [1.42])
  • Minor restructuring and redrafting of text for readability and streamlining in light of the new Guide to developing a CDR policy ([1.43] to [1.56])
  • New references to the Guide to developing a CDR policy ([1.47] and [1.49])
Chapter 2: Privacy Safeguard 2 — Anonymity and pseudonymity
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 3: Privacy Safeguard 3 — Seeking to collect CDR data from CDR participants
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 4: Privacy Safeguard 4 — Dealing with unsolicited CDR data from CDR participants
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 5: Privacy Safeguard 5 — Notifying of the collection of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

Minor change to sub-heading ([5.30])

Chapter 6: Privacy Safeguard 6 — Use or disclosure of CDR data by accredited data recipients or designated gateways
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 7: Privacy Safeguard 7 — Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 8: Privacy Safeguard 8 — Overseas disclosure of CDR data by accredited data recipients
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

Minor wording change for clarity (Key point 2)

Chapter 9: Privacy Safeguard 9 — Adoption or disclosure of government related identifiers by accredited data recipients
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 10: Privacy Safeguard 10 — Notifying of the disclosure of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

  • New reference to the Guide to privacy for data holder ([10.15])
  • Minor change to sub-heading ([10.28])
Chapter 11: Privacy Safeguard 11 — Quality of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

  • New guidance to clarify that Australian Privacy Principle 13 continues to apply for data holders and can help to support a data holder’s compliance with Privacy Safeguard 11 ([11.12] and footnote at [11.33])
  • Inclusion of new example of a ‘reasonable step’ under Privacy Safeguard 11 ([11.33])
  • Expanded discussion of the ways in which a data holder may become aware of inaccuracies in CDR data ([11.37])
  • Expanded discussion to draw attention to updating data holdings as a ‘reasonable step’ under Privacy Safeguard 11 (Examples under [11.47] and [11.62])
  • Removed a footnote for accuracy (Example under [11.47])
  • New reference in footnote to the Guide to privacy for data holders ([11.57])
  • Revised and expanded discussion to further clarify how Privacy Safeguard 11 interacts with Privacy Safeguard 13 ([11.64] to [11.65])
Chapter 12: Privacy Safeguard 12 — Security of CDR data and destruction or de-identification of redundant CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to …  
Chapter 13: Privacy Safeguard 13 — Correction of CDR data
VersionCurrency datesChanges and other comments
1.0 24-Feb-2020 to 29-Jul-2020  

2.0

30-Jul-2020 to …

  • Removed footnote for readability ([13.1])
  • New ‘note’ to clarify that a data holder still has an obligation to correct CDR data that is personal information under Australian Privacy Principle 13 if no correct request has been received under Privacy Safeguard 13 (Table under [13.11])
  • Removed examples regarding fraudulent transactions (under [13.12] and [13.31])
  • Removed example for accuracy ([13.46])
  • Revised and expanded discussion to further clarify how Privacy Safeguard 13 interacts with Privacy Safeguard 11 ([13.52] to [13.55])

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at websitefeedback@oaic.gov.au