Consumer Data Right Assessment: Data Quality obligations for a data holder

Part 1: Executive summary

1.1 On 6 September 2024, the Office of the Australian Information Commissioner (OAIC) notified Westpac Australia Group (Westpac) that we were commencing a Consumer Data Right (CDR) assessment under section 56ER of the Competition and Consumer Act 2010 (CCA). The risk-based assessment considered Westpac’s obligation as a data holder in the CDR to maintain the quality of data disclosed in the CDR.

1.2 The CDR aims to provide greater choice and control for Australians over how their data is used and disclosed. The security and integrity of CDR is maintained by 13 privacy safeguards, contained in the CCA and supplemented by the Consumer Data Rules. This assessment focused on Privacy Safeguard 11.1, which requires data holders to take reasonable steps to ensure that data disclosed in the CDR is, having regard to the purpose for which it is held, accurate, up to date and complete.^[1]

1.3 In this assessment, we found that Westpac has robust data quality management processes, including comprehensive systems to monitor and address data quality issues across the organisation, including within the CDR. This report highlights the areas of good practice we identified across Westpac’s processes.

1.4 We recommended one improvement and made one suggestion to enhance Westpac’s management of data quality risks:

• Suggestion 1: Westpac should review its training materials for customer-facing teams to ensure the materials clearly identify and explain relevant CDR privacy safeguards, and frame data quality and corrections requirements as privacy obligations.
• Recommendation 1: Westpac should review its CDR data quality incident reporting processes to provide a more comprehensive view of CDR data quality, which captures issues raised across the full range of internal and external sources. This should be supported by a documented process for review.

1.5 We did not identify high-level privacy risks in Westpac’s data quality management processes.

1.6 The report provides insights into the data quality management processes of an established CDR data holder that may assist the broader CDR community to take steps to proactively manage data quality risks in their own environments.

Part 2: Introduction

Background

2.1 The CDR gives consumers greater control over their data by allowing them to safely share the data that businesses hold about them. This can help consumers compare products and services to find offers that best match their needs.

2.2 The OAIC protects the privacy of individuals by regulating the privacy aspects of the CDR. The OAIC has the power to assess and audit the compliance of certain entities with their privacy and confidentiality obligations under the CDR, including the 13 Privacy Safeguards. ^[2]

Data quality

2.3 Data quality requirements under Privacy Safeguard 11 apply to data holders and accredited data recipients (ADRs) of CDR data.^[3] These participants are required to take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete. There is a parallel obligation under Australian Privacy Principle 10 (APP 10) that requires APP entities to take reasonable steps to ensure the quality of personal information at the time of collection and use and disclosure of information.

2.4 Questions around the quality of data shared in the CDR have been reported on in several forums and in the media.^[4] The Statutory Review of the CDR in 2022 found data quality was limiting the wider adoption of the CDR and that it should be addressed as a priority. An ACCC report on data quality in March 2023 identified concerns from some stakeholders about inadequate data quality inhibiting product development. The report noted a range of actions available to improve data quality in the CDR, including strong regulatory action.^[5] Insufficient data quality is identified as priority conduct in the joint OAIC and ACCC CDR Compliance and Enforcement Policy. ^[6]

2.5 This assessment focused on the steps taken by Westpac to meet its obligation to ensure data disclosed in the CDR is accurate, up to date and complete. What constitutes reasonable steps will depend on circumstances in each case, however relevant factors include the size and complexity of the entity, the sensitivity of the data held and the practicability of taking action to maintain data quality.

Part 3: Findings

3.1 We used 3 criteria to examine Westpac’s data quality management:

1. prevention of data quality issues: data collection practices and self-service facilities to verify, collect and maintain accurate and up-to-date information
2. identification of data quality issues: monitoring processes and controls to identify incorrect, incomplete or out-of-date consumer data
3. governance and remediation: governance, risk and compliance systems to address and remediate serious or systemic data quality issues.

3.2 Westpac’s processes for data quality management processes are considered under these 3 criteria below.

Criterion 1: Prevention of data quality issues

3.3 We reviewed information about a range of processes, specific to the CDR environment and across the organisation, which Westpac undertakes to prevent data quality issues.

3.4 At an organisational level, these include:

• data capture controls to prohibit or detect errors in data entry, including automated data validation
• load assurance and reconciliation controls to compare data transferred between two systems, including checks for data completeness and accuracy
• IT testing for all system upgrades to identify whether system upgrades correctly translate data from Westpac’s non-CDR systems into CDR-related systems
• change management controls to manage activities which have impacts on data and prevent inappropriate changes
• data quality requirements for data elements based on usage of data against relevant data quality dimensions
• data quality rules that set risk-based data quality thresholds to maintain accuracy, consistency, completeness, fitness for use and overall quality of data
• policies, frameworks and training to help guide users and minimise errors.

3.5 Westpac advised it reviews data quality rules at least annually to ensure the rules remain relevant and effective in mitigating data quality risks.

3.6 At the point of data capture, staff are supported by a repository of internal guidance which can be navigated through a search feature. Staff also undergo training and online learning modules relating to inputting and checking customer data, as well as mandatory annual training in privacy and identifying discrepancies.

3.7 We also observed specific policies and guidance documents dedicated to managing data quality issues, including Westpac’s:

• Data Quality Management Guidance, which governs use of data across the organisation
• Data Quality Standard Operating Procedures for Open Banking, which establishes quarterly data quality profiling activities to maintain the quality of data disclosed through the CDR
• CDR Data Quality Issues and Data Correction Requests - Standard Operating Procedures which address Westpac’s obligations under Privacy Safeguards 11 and 13 in relation to the quality and correction of CDR data.

Good practice

3.8 Westpac’s Data Load Assurance process is designed to test the accuracy and completeness of data prior to it being shared in the CDR. This is a business-as-usual process that runs continuously and applies to all data being shared in the CDR, with anomalies escalated for rectification.

3.9 This represents good practice in enabling Westpac to identify data quality issues early and complements Westpac’s broader suite of data quality controls and policies. It is also consistent with OAIC guidelines which suggests agencies implement protocols to ensure CDR data is accurate, up-to-date and complete prior to it being converted to the format required by the Consumer Data Standards.^[7]

Areas for improvement

3.10 Westpac provided us with training modules providing front line staff with, amongst other things, an Introduction to Open Banking and Open Banking for customer-facing teams.^[8] In general, we found these materials to be well-targeted and comprised of practical examples and insights into the practical mechanisms of the CDR. However, we consider the training materials could more clearly identify and explain Westpac’s privacy obligations under the CDR.

3.11 The Introduction to Open Banking contains references to ensuring the quality of CDR data and the need for ‘all privacy requirements’ to be met. These materials could be enhanced by including a clearer outline of relevant privacy CDR obligations for frontline staff. This includes the Privacy Safeguard 11 requirement to take reasonable steps to ensure data Westpac shares in the CDR is accurate, up-to-date and complete and the Privacy Safeguard 13 requirement to respond to data correction requests.

3.12 As we have identified in previous assessments^[9], to maximise staff understanding of the framework in which these requirements sit, it is important that training on data quality and corrections obligations is clearly framed to staff as a privacy requirement.

Criterion 2: Identification of data quality issues

3.13 Westpac manages data quality issues at a Group level^[10] through its Data Management Operating System (DM-OS), which provides a centrally managed view of data quality across the Group and enables monitoring of data quality in near real-time.

3.14 The DM-OS is a data governance ecosystem made up of systems, tools and processes which enable Westpac to measure the effectiveness of internal data controls and conformance with prudential standards and regulatory requirements. It is supported by a platform of automated controls, as well as manual processes, which identify data controls exceptions and breaches to data quality thresholds in incident management systems. Mandatory data incident training supports internal compliance with these processes and is provided to staff responsible for managing and implementing these controls.

3.15 Externally identified CDR data quality issues, such as consumer complaints and issues raised by ADRs, are logged in Westpac’s incident management systems and feed into Westpac’s monitoring processes through the DM-OS.^[11]

3.16 Additional processes and policies which help Westpac identify CDR data quality issues include:

• quarterly data quality profiling activities to detect and resolve data anomalies and ensure data Westpac discloses via the CDR is accurate, up-to-date and complete
• monitoring IT incidents for impact on data quality, with results feeding into the DM-OS dashboard
• ‘Authoritative Source’ requirements enabling data quality to be monitored against a ‘point of truth’
• policies and standards supporting data quality identification processes, including Westpac’s Enterprise Data Incident & Problem Management process, Incident Management policy and Open Banking End-to-End CDR Incident Management process.

Areas of good practice

3.17 Westpac’s DM-OS provides a comprehensive way to measure the quality of data from across the Group that may be shared in the CDR and monitor the effectiveness of existing data quality controls.

3.18 It represents good practice by bringing together data from across the Westpac Group, providing insights on data quality for any data that may later be shared via the CDR. It provides metrics on compliance with both internal and external requirements, such as Westpac’s data quality rules and the Australian Prudential Regulation Authority’s (APRA) Prudential Practice Guide – Managing Data Risk CP235 (CP235)^[12], and provides a tool for operational management as well as regulatory reporting.

3.19 Used effectively, the DM-OS has the potential to help identify data quality patterns and systemic issues across the Group and assist Westpac to monitor its compliance with Privacy Safeguard 11 requirements.

Criterion 3: Governance and remediation of data quality issues

3.20 Westpac has a strong governance framework in place to support its data quality obligations under CDR Privacy Safeguard 11, which is established by Westpac’s Data Risk Management Framework (DRM Framework) and supported by policy and guidance material, including:

• policy and guidance on data risk and data quality management
• data quality monitoring capability via the DM-OS
• ownership and accountability for defining, measuring and remediating data quality issues
• information management certification for program and project changes likely to impact data quality.

3.21 Westpac applies a hierarchy of data elements to manage risks with data it holds. It categorises data according to the risks associated with the data and the degree of governance and management applied to the data.^[13]

3.22 At the top of the hierarchy are Critical Data Elements (CDEs), which are critical to Westpac’s business and/or regulatory objectives. CDEs are subject to specific governance and management processes, including clearly defined and documented data quality requirements. Westpac advised us that most, if not all, data it shares through the CDR data will be CDEs, noting compliance with Privacy Safeguard 11 is a consideration when categorising data as a CDE.

3.23 Westpac’s DM-OS guidance provides clearly defined requirements for determining data quality for CDEs, including appropriate controls, data quality rules, data quality results within agreed threshold and resolution of data incidents in a timely manner. Further, as noted above, Westpac’s Data Risk Management Policy supports compliance with Privacy Safeguard 11, requiring that CDEs be accurate, complete and up-to-date, in addition to other data quality requirements such as consistency, availability and fitness for purpose.

3.24 Responsibility for monitoring and maintaining the quality of data Westpac shares through the CDR, rests with Westpac’s Open Banking team, which develops operating procedures consistent with the DRM Framework. This includes identifying and evaluating data quality risks, managing incidents and issues, and establishing appropriate controls to support risk mitigation.

3.25 Westpac monitors data quality issues via weekly status and operational meetings, which consider CDR data quality incidents reported via DM-OS, and those arising from consumer complaints and ADR reports. Westpac noted these meetings may also review data quality issues arising from a data correction request, where the issue is recorded as an incident.

3.26 Westpac applies a 3-tiered approach to data risk management, which includes:

• business division, data owner and data platform accountability for identifying, evaluating and managing data risk, uplifting and monitoring of data quality and data platform management
• assurance reviews, governance forums (risk forums, committee meetings) and prudential attestations
• group audit reviews.

3.27 Data quality metrics produced via the DM-OS are reported to Divisional Data Councils, including a bi-annual Data Quality Management Assessment that calculates performance against Westpac’s Data Risk Management Policy and the APRA’s CPG235. Systemic issues and control gaps are managed in accordance with Westpac’s Issue and Action Management Policy. This policy applies to issues originating from a range of sources, including customer complaints, control assessments, quality reviews, compliance breaches or governance forums.

Areas of good practice

3.28 Westpac’s governance processes for managing data risk and data quality reflect a cohesive approach to managing data risks that apply organisation-wide. The quality of data disclosed through the CDR depends on the quality of data capture processes, controls and management in the broader organisation; Westpac applies good practice by taking a consistent approach to data quality issues across the organisation.

Areas for potential improvement

3.29 Westpac demonstrates clear processes for governance and oversight of data quality issues across the organisation. While there are established processes for identifying, recording and monitoring CDR data quality issues, we consider there is scope to better support and document Westpac’s compliance with its data quality obligations under Privacy Safeguard 11.

3.30 Westpac advised that CDR data quality issues are raised at weekly status and operations meetings in the Open Banking team, with serious or systemic issues escalated to other forums and committees as necessary.

3.31 The weekly status and operations meetings may consider issues relating to CDR data quality from a range of sources. Sources include internal incidents recorded via DM-OS, internal load assurance and data profiling activities, together with externally raised incidents arising from consumer complaints, ADR reports or corrections processes.

3.32 Westpac’s Open Banking team currently produces a Data Quality Report, which is focused on the outcomes of quarterly manual data profiling activities. Westpac noted it does not produce a consolidated report on CDR data quality issues. Further, while Westpac advised its Open Banking team routinely considers data quality issues through its weekly status and operations meetings, it does not have a documented process for reporting on overall CDR data quality or compliance with Privacy Safeguard 11.

3.33 The absence of a global view on CDR data quality issues, or a consolidated report which captures data quality issues arising from all internal and external sources, creates a risk that trends or systemic issues relating to CDR data quality may not be identified or addressed. It may also mean that Westpac does not have a clear picture, or a single source of truth, of overall compliance with Privacy Safeguard 11. The absence of a documented process for reporting on CDR data quality creates a further risk that oversight of CDR data quality risks may not be maintained over time, or with changes in personnel.

3.34 We recommend Westpac consider ways to consolidate its CDR data quality incident reporting processes to provide a more comprehensive view of CDR data quality, and which captures issues raised across the full range of internal and external sources. This reporting process could be supported by a documented process for review by the relevant business area to ensure continuity and consistency in managing data quality issues over time.

3.35 This approach may yield benefits from an operational perspective, offering greater clarity on data quality trends and possible systemic issues. It would also provide a documented process for assessing and recording overall compliance with CDR data quality obligations and provide assurance to senior governance forums that Westpac’s Privacy Safeguard 11 obligation is being met.

Part 4: Suggestions and responses

Suggestion 1

OAIC suggestion

The OAIC suggests Westpac review its training materials for customer-facing teams to ensure the materials clearly identify and explain relevant CDR privacy safeguards and that data quality and corrections requirements are clearly framed as privacy obligations.

Westpac response

Westpac accepts the suggestion and undertakes to review all relevant training material for customer-facing staff to identify opportunities to clarify Privacy Safeguard (and related) obligations that arise from the Consumer Data Right. Westpac aims to complete this review by 30 June 2025 and will notify the OAIC when the associated changes are implemented.

Recommendation 1

OAIC recommendation

The OAIC recommends Westpac should review its CDR data quality incident reporting processes to provide a more comprehensive view of CDR data quality, which captures issues raised across the full range of internal and external sources. This should be supported by a documented process for review.

Westpac response

Westpac accepts the recommendation. Westpac has established a monthly CDR risk and compliance forum, commencing 30 April 2025, with broad membership from cross-functional areas of the group. This forum will, among other things, be tasked with ensuring it receives relevant, comprehensive, updates of all CDR data quality matters for review and, where required, escalation. This remit will be formally documented in terms of reference which will be periodically reviewed.

Additionally, Westpac will, on a bi-annual basis, aggregate observations and trends from the data quality material presented to this forum and distribute these results to relevant senior committees within the Westpac Group. Westpac will create a control to ensure that this bi-annual report is generated and monitored.

Part 5: About the assessment

Objective and scope

5.1 The objective of the assessment was to explore how data holders manage their obligation to take reasonable steps to maintain the quality of consumer data^[14] they disclose in the CDR, with the aim of educating CDR participants about any identified data quality risks and best practice.

5.2 The assessment was limited to the obligation in Privacy Safeguard 11 to take ‘reasonable steps’ to ensure that CDR data is accurate, up to date and complete.^[15]

5.3 The requirements of Privacy Safeguard 11^[16] relating to notification and handling requests to correct incorrect, out of date, or incomplete data were excluded from the scope. However, the assessment considered how Westpac uses information sources, such as correction requests and other feedback mechanisms, to identify emerging and systemic data quality issues.

5.4 The assessment also considered Westpac’s practices and procedures for the collection, use and disclosure of personal information under APP 10, noting the robustness of these practices will impact the quality of consumer data shared in the CDR.

Methodology

5.5 This assessment consisted of interviews with Westpac, as well as a desktop review of Westpac’s:

• internal policies and procedures
• staff training and guidance documentation
• responses to the OAIC’s request for information and documentation on how Westpac maintain and manage their data quality and
• other relevant documents, records, or information Westpac provided.

5.6 The assessment did not review Westpac’s active handling of data quality issues, nor did it review the quality of data disclosed by Westpac in the CDR. Rather, the assessment focussed on the processes Westpac has in place to manage CDR data quality and meet its obligations under Privacy Safeguard 11.1.

5.7 Westpac was offered an opportunity to respond to the OAIC’s questions regarding its obligations and practices. Where necessary, the OAIC also requested additional information or clarification.

Privacy risks

5.8 Where the OAIC identifies privacy risks and considers those risks to be high or medium according to OAIC guidance (see Appendix A), the OAIC makes recommendations about how to address those risks. Where the OAIC identifies privacy risks and considered those risks low risks (see Appendix A), the OAIC makes suggestions to suggestions about how to address those risks. The OAIC identified one medium risk and one low risk and made one recommendation and one suggestion. These are set out in Part 4 of this report.

5.9 The OAIC assessments are conducted as a ‘point in time’ assessment; that is, our observations and opinion are only applicable to the time period in which the assessment was undertaken.

5.10 For more information about privacy risk ratings, refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 9 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach. Appendix A explains the OAIC’s risk ratings.

Reporting

5.11 The OAIC publishes final assessment reports in full, or in an abridged version, on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege. This report has been published in full.

Part 6: Appendices

Appendix A – Privacy risk guidance