Consumer consent for the collection and use of their data is the foundation of the Consumer Data Right (CDR) system.
Consent empowers consumers to be the decision-makers in the CDR system, ensuring they can direct where their data goes to obtain the most value from it.
An accredited data recipient (ADR) will only be able to collect a consumer’s data after the consumer has given consent for them to do so. Rigorous consent requirements apply to both the sharing of data and the use of data under the CDR Rules.
The consent process should be transparent and ensure consumers understand what they are agreeing to, and any potential consequences The CDR Rules also aim to ensure that consumer consent is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.
A consumer’s consent is only valid if it is given in response to specific questions asked by an ADR about the particular data to be collected and used.
An ADR must:
- only ask a consumer for their consent to the collection of CDR data that is reasonably needed to provide the good or service
- not bundle consent with other directions, permissions, consents or agreements
- not include or refer to other documents during the consent process which may reduce comprehension, and
- present each consumer with an active choice to give consent, which must not be the result of default settings or pre-selected options
During this consent process, the consumer must be able to actively select or clearly indicate their consent for:
- the types of data to be collected
- the specific uses of that data, and
- the period over which that data is to be collected and used, up to a maximum of 12 months, including whether the data may be collected on a single occasion, or over a certain period
In asking a consumer to give consent, an ADR must comply with the data standards and have regard to the Consumer Experience Guidelines.
A data holder must ask for a consumer’s authorisation before disclosing CDR data to an accredited data recipient. For consumers who have joint accounts, the data holder might also need to seek an authorisation from the other joint account holder.
Information that must be provided to the consumer
When seeking authorisation, a data holder must provide certain information to the consumer, including:
- the name of the accredited data recipient
- the time period that relates to the data
- the types of CDR data they are asking the consumer to authorise sharing, and
- whether the authorisation relates to a one-off or ongoing disclosure. Data holders must also state that authorisation can be withdrawn at any time and provide instructions for how to withdraw authorisation.
What must not be included in an authorisation notice
To ensure that the notice is easy to understand and authorisation can be given voluntarily, a data holder must not:
- add any requirements to the authorisation process beyond what is set out in the data standards and the rules
- provide or request additional information during the authorisation process beyond what is specified in the data standards and the CDR rules, or
- offer additional or alternate services as part of the authorisation include or refer to other documents
Refusing to seek an authorisation
A data holder can refuse to seek authorisation to disclose CDR data, but only in the following circumstances:
- to prevent physical or financial harm or abuse
- where there are reasonable grounds to believe disclosure of the data could adversely impact the security, stability or integrity of the Register of Accredited Persons or the data holder’s ICT systems, or
- where this is required by the data standards
If a data holder refuses to disclose CDR data, they must inform the accredited data recipient of their refusal.
Was this page helpful?
If you would like to provide more feedback, please email us at firstname.lastname@example.org