Publication date: 20 November 2023

The Consumer Data Right Privacy Safeguard Guidelines may be updated from time to time, including to take account of changes in the Competition and Consumer Act 2010, Competition and Consumer (Consumer Data Right) Rules 2020 or other legislation, determinations made under s 52 of the Privacy Act 1988 (as a result of s 56ET of the Competition and Consumer Act 2010) and relevant tribunal and court decisions. Chapters of the Consumer Data Right (CDR) Privacy Safeguard Guidelines are updated individually.

Versions

Version Applies from
5.0 17 November to present
4.0 15 November 2022 to 17 November 2023
3.0 9 June 2021 to 14 November 2022
2.0* 30 July 2020 to 8 June 2021
1.0 24 July to 29 July 2020

* Some chapters didn't require a version 2.0, so their version 1.0 applied from 24 July 2020 to 8 June 2021.

Current version’s changes

The changes between versions 4.0 and 5.0 of the Consumer Data Right Privacy Safeguard Guidelines reflect:

  • amendments made to the Competition and Consumer (Consumer Data Right) Rules 2020 on 21 July 2023 by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2023, including:
    • updates to existing content on CDR representative arrangements to reflect changes to terminology and the structure of relevant consent rules, and the change to permit CDR representatives to engage outsourced service providers
    • updates to existing content on outsourcing arrangements to reflect chains of outsourced service providers, and changes to the content requirements for outsourcing arrangements
    • introduction of new content on business consumer disclosure consents
    • updates to existing content to reflect changes to permitted consent duration for certain business consumer consents.
  • changes for clarity and readability.

Chapter A: Introductory matters

Current version of Chapter A: Introductory matters

The changes can be viewed in Chapter A version 4.0 to 5.0.

Previous versions

View Chapter A: Introductory matters Version 4.0.

The changes between versions 3.0 and 4.0 of Chapter A: Introductory matters.

The changes between versions 3.0 and 4.0 of the Consumer Data Right Privacy Safeguard Guidelines reflect:

  • designation of the telecommunications sector under the Consumer Data Right (Telecommunications Sector) Designation 2022
  • changes made by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021, including:
    • the introduction of sponsorship and CDR representative models of participation
    • disclosures to trusted advisors and disclosures of CDR insights
  • changes made by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2021 and Competition and Consumer Amendment (Consumer Data Right) Regulations 2021, to implement CDR in the energy sector
  • changes for clarity and readability.

View Version 3.0

  • Updated guidance to reflect that the energy sector was designated by the Treasurer under the Consumer Data Right (Energy Sector) Designation 2020.
  • Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and Australian Privacy Principles (APPs) apply to CDR data ([A.28]–[A.34]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to introduce new categories of consent for the disclosure of CDR data to accredited persons ([A.20]).
  • Clarifying guidance on the meaning of ‘CDR consumer’ ([A.12]–[A.14]).
  • Updates to reflect the OAIC and Australian Competition and Consumer Commission's (ACCC) joint Compliance and Enforcement Policy and OAIC’s Regulatory Action Policy ([A.42]).

View Version 2.0

  • Correction of minor typographical error ([A.11]).
  • Expanded discussion about why CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act, including new footnote ([A.27]).

View Version 1.0

Chapter B: Key concepts

Current version of Chapter B: Key concepts

The changes can be viewed in Chapter B version 4.0 to 5.0 changes.

Previous versions

View Chapter B: Key concepts version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to the definition of ‘data holder’ ([B.101]) and ‘earliest holding day’ ([B.103]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including:

  • changes to the definition of an ‘outsourced service provider’ and ‘CDR outsourcing arrangement’ ([B.129], [B.132]–[B.134])
  • new terms such as ‘service data’ ([B.168]–[B.169]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the definition of ‘consent’, including different categories and types of consents, such as new categories for the disclosure of CDR data to accredited persons and the de-identification of CDR data for general research ([B.29]–[B.41])
  • the definition of ‘consumer data request’ ([B.73]–[B.77]), ‘eligible’ CDR consumer ([B.64]–[B.66]), ‘data minimisation principle’ ([B.106]) and ‘valid request’ ([B.84]–[B.88])
  • when a consent or authorisation will be ‘current’ ([B.91]–[B.96])
  • the joint account provisions (footnote 15, [B.14]).

Additional guidance, including:

  • on the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure (in the ‘disclosure’ and ‘use’ entries at [B.123], [B.172]–[B.173])
  • on the meaning of ‘holds’ ([B.127]–[B.128])
  • in the entries for ‘reasonable steps’ ([B.142]), ‘required or authorised by an Australian law or by a court/tribunal order’ ([B.149]), ‘required or authorised to use or disclose CDR data under the CDR Rules’ ([B.160]–[B.161]).

Clarifying guidance, including:

  • on when an accredited person becomes an accredited data recipient (see ‘accredited data recipient’ and ‘accredited person’ entries at [B.4]–[B.6] and [B.7]–[B.11])
  • in the ‘CDR consumer’ entry ([B.42]–[B.66]).

View Version 2.0

  • New references to the Guide to privacy for data holders ([B.16] and [B.93]).
  • New guidance regarding the ‘CDR policy’ ([B.21] to [B.22]).
  • Updated guidance on ‘eligible CDR consumer’ to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020 ([B.60]).
  • New footnotes to explain that for the banking sector, it is not currently possible for a consumer to make a consumer data request directly to a data holder due to an exemption from relevant obligations until 1 November 2021 ([B.67], [B.70] and [B.78]).

View Version 1.0

Chapter C: Consent — The basis for collecting, using and disclosing CDR data

Current version of Chapter C: The basis for collecting, using and disclosing CDR data

The changes can be viewed in the Chapter C version 4.0 to 5.0.

Previous versions

View Chapter C: The basis for collecting, using and disclosing CDR data version 4.0.

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including:

  • changes to what information an accredited person must provide to a consumer about an outsourced service provider ([C.54])
  • which accredited person needs to provide a consumer dashboard where CDR data is collected under a CDR outsourcing arrangement ([C.65])
  • the need to consider the effect of CDR Rule 1.7(5) on an accredited person’s obligations to provide notifications to a consumer, where CDR data is collected and/or disclosed under a CDR outsourcing arrangement (footnote 156).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the definition of ‘valid request’ and ‘consumer data request’ (see [C.8]–[C.15] and the updated flow chart under [C.15])
  • the definition of ‘consent’, including different categories and types of consents, such as new categories for the disclosure of CDR data to accredited persons and the de-identification of CDR data for general research ([C.16]–[C.21])
  • reflect that consent is required for certain disclosures in addition to the collection and use of a consumer’s CDR data (see, eg, [C.1], [C.4], [C.5])
  • enable amendments of consent ([C.27]–[C.36], [C.42], [C.57], [C.61], [C.71])
  • the general requirements for asking a consumer to give (or amend) a consent ([C.37]–[C.40]), for example when an accredited person may refer to its CDR policy when seeking consent ([C.40])
  • introduce limited exceptions to the requirement for consent processes to comply with data standards other than the consumer experience data standards (Key point 4, [C.37])
  • clarify which category or categories of consent a requirement applies to (see especially [C.37]–[C.60]), including additional requirements for de-identification consents ([C.59]–[C.60])
  • restrictions on seeking consents, for example to prohibit the seeking of a consent which does not fit into a category of consent (Key point 2, [C.62])
  • when a fee for the disclosure of CDR data may be charged or passed on ([C.44]–[C.45])
  • the data minimisation principle and how an accredited person must explain their compliance with this principle ([C.49]–[C.53])
  • the effect of withdrawing a consent, given the different categories of consents ([C.81]–[C.84])
  • when a consent expires ([C.90]–[C.96])
  • introduce new notification requirements ([C.74], [C.75], [C.94]–[C.96], [C.97]–[C.99])
  • update accredited person consumer dashboard requirements ([C.64]–[C.72])
  • the joint account Rules, as they relate to a data holder’s obligation to seek authorisation ([C.102]).

Clarifying guidance on when an accredited person should provide a dashboard to a consumer and the reasoning for this ([C.67]).

Additional guidance on:

  • an accredited person’s alternative method of allowing a consumer to withdraw consent in relation to direct marketing consents ([C.79])
  • what an accredited person must and should do where they do not have a general policy of deleting redundant data, and the consumer has not already requested that their redundant data be deleted ([C.80]).

View Version 2.0

  • New paragraph and footnote to clarify when a consumer dashboard should be provided by an accredited person ([C.48]).
  • Minor wording changes for clarity ([C.49], [C.50], [C.59] to [C.62], call out boxes under [C.51], [C.55] and [C.65]).
  • New references to the Guide to privacy for data holders ([C.52] and [C.75]).
  • Minor changes to sub-headings (above [C.53], [C.59], [C.66] and [C.70]).
  • Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020, including changes to how an accredited person must allow a consumer to withdraw consent ([C.54] to [C.58]).

View Version 1.0

Chapter 1: Privacy Safeguard 1 – Open and transparent management of CDR data

Current version of Chapter 1: Open and transparent management of CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 1 Open and transparent management of CDR data version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:

  • replacement of references to an accredited data recipient with ‘accredited person’ or ‘accredited person who is or who may become an accredited data recipient of CDR data’ throughout, to reflect changes to the application of Privacy Safeguard 1 (s 56ED)
  • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person who may become an accredited data recipient’ and ‘accredited data recipient’ rows of the table under [1.8]).

Updated guidance on what information must be included in an accredited person’s CDR policy to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including that information about general research conducted must be included ([1.51]).

Clarifying amendment to what information an accredited person’s CDR policy must provide about who CDR data may be disclosed to, to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, which allow an outsourced service provider to collect CDR data ([1.51]).

Clarifying guidance, including:

  • that an accredited person’s CDR policy must include information about the CDR data that another entity holds or may hold on the accredited person’s behalf (for example, an outsourced service provider) ([1.51])
  • information about the deletion and de-identification of CDR data in a CDR policy ([1.51]).

View Version 2.0

  • Minor change to sub-heading (above [1.2]).
  • Inclusion of further references to the object of Privacy Safeguard 1 ([1.5] and [1.12]).
  • Expanded discussion regarding the CDR data management plan and how this can assist a CDR entity with the ongoing compliance obligation in Privacy Safeguard 1 (call out box under [1.13]; and [1.29] to [1.32]).
  • Minor restructuring of the ‘Implementing practices, procedures and systems to ensure compliance with the CDR regime’ section to aid with readability.
  • Revised and expanded discussion in ‘The CDR regime obligations that apply to the CDR entity’ section ([1.16] to [1.18], including new call out box).
  • Updated guidance regarding ‘A suggested approach to compliance with Privacy Safeguard 1’, including revised and expanded discussion of the four overarching steps suggested and addition of new privacy tips ([1.33] to [1.42]).
  • Minor restructuring and redrafting of text for readability and streamlining in light of the new Guide to developing a CDR policy ([1.43] to [1.56]).
  • New references to the Guide to developing a CDR policy ([1.47] and [1.49]).

View Version 1.0

Chapter 2: Privacy Safeguard 2 – Anonymity and pseudonymity

Current version of Chapter 2: Anonymity and pseudonymity

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 2 Anonymity and pseudonymity version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:

  • replacement of references to an accredited data recipient with ‘accredited person’ or ‘accredited person (who is or who may become an accredited data recipient of CDR data)’ throughout, to reflect changes to the application of Privacy Safeguard 2 (s 56EE)
  • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person who may become an accredited data recipient’ and ‘accredited data recipient’ rows of the table under [2.8]).

Additional guidance to note that the exceptions to Privacy Safeguard 2 in CDR Rule 7.3 do not apply to an accredited person who is not yet an accredited data recipient of CDR data (footnotes 1, 12 and 14).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 3: Privacy Safeguard 3 – Seeking to collect CDR data from CDR participants

Current version of Chapter 3: Seeking to collect CDR data from CDR participants

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 3 Seeking to collect CDR data from CDR participants version 4.0

The changes can be viewed in Version 4.0

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person’ row of the table under [3.9]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to allow an accredited person to engage an accredited outsourced service provider to collect CDR data on their behalf ([3.3], [3.30]–[3.35]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the definition of ‘valid request’ ([3.15]–[3.17])
  • the definition of ‘consumer data request’ ([3.22]–[3.26] and the updated flow chart on page 10)
  • the definition of ‘data minimisation principle’ ([3.27]–[3.29])
  • reflect that an accredited person may seek to collect CDR data from accredited data recipients in addition to data holders (by replacing references to ‘data holder’ with ‘CDR participant’ throughout)
  • reflect amendments to the requirements for asking for consent ([3.18]–[3.19]).

Clarifying guidance on obligations about managing the withdrawal of consent ([3.19]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 4: Privacy Safeguard 4 – Dealing with unsolicited CDR data from CDR participants

Current version of Chapter 4: Dealing with unsolicited CDR data from CDR participants

The changes can be viewed in the versions 4.0 to 5.0.

Previous version

View chapter 4 Dealing with unsolicited CDR data from CDR participants version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited person’ row of the table under [3.9]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to allow an accredited person to engage an accredited outsourced service provider to collect CDR data on their behalf ([3.3], [3.30]–[3.35]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the definition of ‘valid request’ ([3.15]–[3.17])
  • the definition of ‘consumer data request’ ([3.22]–[3.26] and the updated flow chart on page 10)
  • the definition of ‘data minimisation principle’ ([3.27]–[3.29])
  • reflect that an accredited person may seek to collect CDR data from accredited data recipients in addition to data holders (by replacing references to ‘data holder’ with ‘CDR participant’ throughout)
  • reflect amendments to the requirements for asking for consent ([3.18]–[3.19]).

Clarifying guidance on obligations about managing the withdrawal of consent ([3.19]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 5: Privacy Safeguard 5 – Notifying of the collection of CDR data

Current version of Chapter 5: Notifying of the collection of CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View Chapter 5 Notifying of the collection of CDR data version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including changes to:

  • reflect clarifying amendments to how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [5.12])
  • refer to ‘accredited data recipients’ throughout, instead of ‘accredited persons’, to reflect changes to the application of Privacy Safeguard 5 (s 56EH).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements where an accredited data recipient collected CDR data on behalf of a principal in a CDR outsourcing arrangement ([5.15]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • other notification requirements under the CDR Rules to note the effect of CDR Rule 1.7(5) where CDR data has been collected under a CDR outsourcing arrangement (footnote 13) and for where certain consents expire or are amended ([5.36])
  • reflect that CDR data may have been collected from an accredited data recipient or data holder ([5.24], [5.35]).

View Version 2.0

Minor change to sub-heading ([5.30]).

View Version 1.0

Chapter 6: Privacy Safeguard 6 – Use or disclosure of CDR data by accredited data recipients or designated gateways

Current version of Chapter 6: Use or disclosure of CDR data by accredited data recipients or designated gateways

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 6 Use or disclosure of CDR data by accredited data recipients or designated gateways version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [6.7]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to:

  • reflect the new term ‘service data’ ([6.50]–[6.51])
  • allow for disclosures of service data by an accredited outsourced service provider to a principal under a CDR outsourcing arrangement ([6.57]–[6.60]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • introduce additional permitted uses and disclosures of CDR data ([6.21], [6.28]–[6.30], [6.31]–[6.34], [6.54]–[6.56])
  • prohibited uses and disclosures of CDR data ([6.22])
  • the diagram that outlines at a high-level the permitted and prohibited uses or disclosures of CDR data (below [6.19])
  • the data minimisation principle (key point 5, [6.25]–[6.27]).

Additional guidance on:

  • the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure ([6.15])
  • the application of s 56AU of the Competition and Consumer Act to considerations of an accredited data recipient’s liability for the acts of an outsourced service provider (footnote 51)
  • the interaction between Privacy Safeguard 6 and Privacy Safeguard 9 ([6.66]–[6.70]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 7: Privacy Safeguard 7 – Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

Current version of Chapter 7: Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 7 Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways version 4.0

The changes can be viewed in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [7.7]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including permitting disclosures of service data by an accredited outsourced service provider to a principal in a CDR outsourcing arrangement ([7.33]–[7.36]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the definition of a ‘direct marketing consent’ ([7.15])
  • introduce additional permitted uses and disclosures of CDR data for direct marketing ([7.16], [7.22] and [7.23]–[7.24])
  • address the interaction between the direct marketing Rules and amending consent Rules ([7.20])
  • the data minimisation principle, which now applies to the use of CDR data for direct marketing (Key point 4, [7.25]–[7.28]).

Additional guidance on:

  • outsourced service providers ([7.33]–[7.36])
  • the interaction between Privacy Safeguard 7 and Privacy Safeguard 9 ([6.66]–[6.70]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 8: Privacy Safeguard 8 – Overseas disclosure of CDR data by accredited data recipients

Current version of Chapter 8: Overseas disclosure of CDR data by accredited data recipients

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 8 Overseas disclosure of CDR data by accredited data recipients version 4.0

The changes can be viewed in Version 4.0

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including:

  • clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [8.10])
  • changes to the conditions in the CDR regulatory framework that affect when an accredited data recipient is liable when making an overseas disclosure, regarding s 56AU of the Competition and Consumer Act ([8.44]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to clarify that an accredited data recipient must also comply with the CDR Rules regarding disclosure consents before disclosing data to an overseas recipient (flow chart under [8.19], [8.21]).

Additional guidance on the limited circumstances in which providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure ([8.15]).

View Version 2.0

Minor wording change for clarity (key point 2).

View Version 1.0

Chapter 9: Privacy Safeguard 9 – Adoption or disclosure of government related identifiers by accredited data recipients

Current version of Chapter 9: Adoption or disclosure of government related identifiers by accredited data recipients

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 9 Adoption or disclosure of government related identifiers by accredited data recipients version 4.0

The changes can be viewed in version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [9.7]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 10: Privacy Safeguard 10 – Notifying of the disclosure of CDR data

Current version of Chapter 10: Notifying of the disclosure of CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View chapter 10 Notifying of the disclosure of CDR data version 4.0

View the changes in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements for accredited data recipients where the CDR data that was disclosed was collected on behalf of a principal under a CDR outsourcing arrangement ([10.24]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including:

  • changes throughout to reflect that an accredited data recipient may now disclose CDR data to another accredited person, and accordingly, will have responsibilities under Privacy Safeguard 10 to notify consumers of that disclosure
  • additional guidance throughout to assist accredited data recipients to comply with Privacy Safeguard 10
  • the introduction of secondary users, non-individual consumers and partnership accounts, and how a data holder’s notification obligations operate in these cases ([10.16]–[10.17])
  • changes to how the accredited person to whom the CDR data was disclosed must be described (footnote 21, [10.42])
  • changes to the joint account Rules (see footnotes 7, 13 and 15).

Additional guidance on:

  • how Privacy Safeguard 10 interacts with the Privacy Act for data holders and accredited data recipients ([10.8]–[10.12])
  • other notification requirements under the CDR Rules for accredited data recipients ([10.44]–[10.45]).

View Version 2.0

  • New reference to the Guide to privacy for data holders ([10.15]).
  • Minor change to sub-heading ([10.28]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 11: Privacy Safeguard 11 – Quality of CDR data

Current version of Chapter 11: Quality of CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View Chapter 11: Quality of CDR data version 4.0

View the changes in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [11.14]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to notification requirements where the entity disclosed the incorrect CDR data to an accredited person who was collecting that CDR data on behalf of a principal ([11.41]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes throughout to reflect that an accredited data recipient may disclose CDR data to another accredited person, and accordingly, have responsibilities under Privacy Safeguard 11 if they become aware that the CDR data disclosed was incorrect.

  • Updated guidance on meaning of ‘reasonable steps’ to include that the assessment of what is considered ‘reasonable’ should have regard to whether the CDR data has been inferred ([11.32]–[11.33]).

Clarifying guidance on:

  • whether Privacy Safeguard 11 or the APPs will apply to the quality of CDR data for data holders ([11.9]–[11.14]) and the table under ([11.14])
  • how to interpret and apply the maximum time period of five business days for notifying consumers ([11.50]–[11.51]).

View Version 2.0

  • New guidance to clarify that Australian Privacy Principle 13 continues to apply for data holders and can help to support a data holder’s compliance with Privacy Safeguard 11 ([11.12] and footnote at [11.33]).
  • Inclusion of new example of a ‘reasonable step’ under Privacy Safeguard 11 ([11.33]).
  • Expanded discussion of the ways in which a data holder may become aware of inaccuracies in CDR data ([11.37]).
  • Expanded discussion to draw attention to updating data holdings as a ‘reasonable step’ under Privacy Safeguard 11 (Examples under [11.47] and [11.62]).
  • Removed a footnote for accuracy (Example under [11.47]).
  • New reference in footnote to the Guide to privacy for data holders ([11.57]).
  • Revised and expanded discussion to further clarify how Privacy Safeguard 11 interacts with Privacy Safeguard 13 ([11.64] to [11.65]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 12: Privacy Safeguard 12 – Security of CDR data and destruction or de-identification of redundant CDR data

Current version of Chapter 12: Security of CDR data and destruction or de-identification of redundant CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View Chapter 12: Security of CDR data and destruction or de-identification of redundant CDR data version 4.0

View the changes in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ and ‘designated gateway’ rows of the table under [12.14]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 2) 2020, including changes to reflect that CDR data may be collected by, in addition to disclosed to, outsourced service providers (call out box under [12.41], [12.53]).

Updated guidance to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to:

  • the CDR deletion process regarding what an accredited data recipient must do where another person holds the CDR data on their behalf ([12.103])
  • clarify requirements for de-identifying CDR data that is not ‘redundant data’ ([12.121]–[12.123]).

Clarifying guidance on:

  • the steps that an accredited data recipient must take where they have provided CDR data to an outsourced service provider and that CDR data becomes redundant ([12.114]–[12.116])
  • how accredited data recipients must provide certain information about the deletion and de-identification of CDR data in their CDR policy under Privacy Safeguard 1 ([12.118]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)

Chapter 13: Correction of CDR data

Current version of Chapter 13: Correction of CDR data

The changes can be viewed in the versions 4.0 to 5.0.

Previous versions

View Chapter 13: Correction of CDR data version 4.0

View the changes in Version 4.0

For high-level information about the changes between versions 3.0 and 4.0 of the Privacy Safeguard Guidelines, see the previous version summary in Chapter A - Introductory matters above.

View Version 3.0

Updated guidance to reflect amendments to Part IVD of the Competition and Consumer Act 2010 introduced by the Treasury Laws Amendment (2020 Measures No. 6) Act 2020, including clarifying amendments on how the privacy safeguards and APPs interact (in the ‘accredited data recipient’ row of the table under [13.12]).

Clarifying guidance on:

  • how to interpret and apply the maximum time period of 10 business days to correct the CDR data to the extent appropriate ([13.18])
  • whether Privacy Safeguard 13 or the APPs will apply to the quality of CDR data for data holders ([13.10] and the table below [13.12])
  • how Privacy Safeguard 13 interacts with Privacy Safeguards 5 and 10 to reflect amendments to the CDR Rules introduced by the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, including changes to reflect that: accredited persons may collect CDR data from both data holders and accredited data recipients; and both accredited data recipients and data holders may disclose CDR data to accredited persons ([13.51]–[13.54]).

View Version 2.0

  • Removed footnote for readability ([13.1]).
  • New ‘note’ to clarify that a data holder still has an obligation to correct CDR data that is personal information under Australian Privacy Principle 13 if no correction request has been received under Privacy Safeguard 13 (Table under [13.11]).
  • Removed examples regarding fraudulent transactions (under [13.12] and [13.31]).
  • Removed example for accuracy ([13.46]).
  • Revised and expanded discussion to further clarify how Privacy Safeguard 13 interacts with Privacy Safeguard 11 ([13.52] to [13.55]).

View Version 1.0 (applied from 24 February 2020 to 8 June 2021)