Consumer consent and authorisation
Consumer consent for the collection, use and disclosure of their data is the foundation of the Consumer Data Right (CDR) system.
Consent empowers consumers to be the decision makers in the CDR system, ensuring they can direct where their data goes to obtain the most value from it.
An accredited data recipient (ADR) will only be able to collect a consumer’s data after the consumer has given consent for them to do so. Rigorous consent requirements apply to both the sharing of data and the use of data under the CDR Rules.
The consent process should be transparent and ensure consumers understand what they are agreeing to and any potential consequences. The CDR Rules also aim to ensure that consumer consent is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
A consumer’s consent is only valid if it is given in response to specific questions asked by an ADR about the particular data to be collected, used or disclosed.
An ADR must:
- only ask a consumer for their consent to the collection of CDR data and for a time period that is reasonably needed to provide the good or service
- not use the collected data beyond what is reasonably needed to provide the requested good or service
- not bundle consent with other directions, permissions, consents or agreements
- not include or refer to other documents during the consent process which may reduce comprehension
- present each consumer with an active choice to give consent, which must not be the result of default settings or pre-selected options.
During this consent process, the consumer must be able to actively select or clearly indicate their consent for:
- the types of data to be collected
- the specific uses of that data
- the period over which that data is to be collected and used, up to a maximum of 12 months, including whether the data may be collected on a single occasion, or over a certain period.
In asking a consumer to give consent, an ADR must comply with the data standards and have regard to the CX Guidelines.
A data holder must ask for a consumer’s authorisation before disclosing CDR data to an ADR. For consumers who have joint accounts, the data holder might also need to seek an authorisation (known as an ‘approval’) from the other joint account holder/s.
In addition, a data holder must invite a consumer to amend their authorisation where the accredited person notifies the data holder that a current consent has been amended.
Information that must be provided to the consumer
When asking a consumer to give or amend an authorisation, a data holder must provide certain information to the consumer:
- the name of the accredited person that made the request or provided notification of the relevant consent having been amended
- any information held by the Register of Accredited Persons in relation to the accredited person
- the time period that relates to the data
- the types of CDR data they are asking the consumer to authorise sharing
- whether the authorisation relates to a one-off or ongoing disclosure, and
- a statement that authorisation can be withdrawn at any time, with instructions on how to withdraw authorisation.
What must not be included in an authorisation notice
To ensure that the notice is easy to understand and authorisation can be given voluntarily, a data holder must not:
- add any requirements to the authorisation process beyond what is set out in the data standards and the CDR Rules
- provide or request additional information during the authorisation process beyond what is specified in the data standards and the CDR Rules
- offer additional or alternate services as part of the authorisation
- include or refer to other documents
Refusing to seek an authorisation
A data holder can refuse to seek authorisation or an amendment to authorisation to disclose CDR data, but only in the following circumstances:
- to prevent physical or financial harm or abuse
- where there are reasonable grounds to believe disclosure of the data could adversely impact the security, stability or integrity of the Register of Accredited Persons or the data holder’s ICT systems
- where the CDR data relates to an account that is blocked or suspended, or
- where this is required by the data standards.
If a data holder refuses to disclose CDR data for a reason outlined above, they must inform the ADR of their refusal.
A data holder may also refuse to seek an authorisation in the following situations:
- where the consumer data request relates to a non-individual CDR consumer or partnership account, but there is no nominated representative, and
- where the person who makes the request has account privileges, but the account holder has not provided a secondary user instruction for that person.