Last updated: 28 April 2025

Executive Summary

In October 2024, the Office of the Australian Information Commissioner (OAIC) assessed the Consumer Data Right (CDR) outsourced service provider (OSP) arrangements of 2 accredited data recipients (ADRs), in their role as OSP principals.

We aimed to ensure that the OSP principals had appropriate CDR outsourcing arrangements in place to manage and protect their clients’ CDR data. This was a risk and compliance-based assessment.

Our findings

Overall, we found that both OSP principals had taken steps to establish policies, processes and procedures to implement their CDR outsourcing arrangements, each of which generally included the conditions required by the CDR rules. In particular, both OSP principals had implemented robust governance structures to ensure they thoroughly vet prospective OSPs’ information security capabilities before they onboarded or shared CDR service data with an OSP.

We identified 6 medium and 3 low privacy risks for one OSP principal, and 3 low privacy risks for the other. Specifically, we found one of the OSP principals should provide more detail in their OSP contractual arrangements, including the practices, procedures and systems that underpin the arrangements. One principal did not include all the information the CDR Rules require in an outsourcing agreement.

Recommendations

We made 6 recommendations and 3 best practice suggestions for one OSP principal, and 3 best practice suggestions for the other.

Notably, we recommended that one OSP principal add an indirect OSP to its CDR policy to comply with CDR legislation. We also recommended that the OSP principal add a provision to an OSP arrangement requiring its OSP to comply with the relevant CDR service data privacy obligations as if it were the OSP principal.

We focused other key recommendations on encouraging the OSP principals to enhance their practices to support the CDR outsourcing arrangements meeting legislative requirements through OSP training, compliance monitoring and incident reporting.

Takeaways

OSP principals must ensure their OSP arrangements address legislative requirements and provide sufficient detail that both parties (OSPs and principals) will find practically informative and useful. OSP principals should tailor OSP arrangements to be relevant to the types of CDR data managed and establish appropriate controls to secure the CDR data that the OSP collects, uses or discloses.

OSP principals should also ensure their OSPs apply the principal’s standards when handling CDR data. OSP principals should do this by ensuring OSPs receive appropriate training and by providing technical guidance on handling their CDR data.

Part 1: Introduction

Background

The CDR gives consumers greater control over their data by allowing them to safely share their data with accredited service providers. This can help consumers compare products and services to find offers that best match their needs.

The OAIC regulates the privacy aspects of the CDR. The OAIC has the power to assess and audit certain CDR entities to ensure their compliance with their CDR privacy and confidentiality obligations, including the privacy safeguards.[1]

CDR outsourcing arrangements

When an ADR engages a provider to collect CDR data on its behalf and/or to use or disclose service data to provide the ADR with specified goods or services, it becomes an OSP principal (principal) and the provider becomes its direct OSP. The principal must create an outsourcing arrangement (an agreement that specifies the terms of engagement).[2] The direct OSP may, in turn, engage its own OSPs, who become the principal’s indirect OSPs. In such a case, the ADR becomes a chain principal, as illustrated below:[3]

Subrule 1.10(3) of the CDR Rules[4] obligates an OSP principal to include in its OSP outsourcing arrangement various OSP requirements, including:

  • securing CDR data and complying with Schedule 2 of the CDR Rules as if it were an ADR[5]
  • complying with privacy safeguards 4, 6, 7, 8 and 9
  • record keeping, deidentification and deletion.

If an OSP does not comply with a required provision of the relevant outsourcing arrangement, the principal is considered to have breached the Rules.[6]

For more information, please see the CDR outsourcing arrangement: privacy obligations for an outsourced service provider, and the CDR outsourcing arrangement: privacy obligations for a principal of an outsourced service provider.

Part 2: Summary of findings

Our assessment

The objective of this assessment was to ensure CDR principals have CDR outsourcing arrangements that comply with the relevant CDR Rules, Privacy Safeguard 1 (open and transparent management of CDR data),[7] and Privacy Safeguard 12 (security of CDR data).[8]

We examined 2 CDR principals to assess whether:

  • they maintained, implemented, and enforced CDR outsourcing arrangements
  • their CDR outsourcing arrangements contained adequate controls to protect CDR data[9]
  • their CDR policies contained a current and complete list of direct and indirect OSPs.[10]

Areas of good privacy practice

We found that the assessed OSP principals generally demonstrated good compliance and broadly addressed the minimum requirements in their CDR outsourcing arrangements. Below we highlight the main areas of good privacy practice we identified during this assessment.

Information security governance arrangements

Both principals maintained robust governance structures to protect CDR data by vetting prospective OSPs’ information security capabilities before they onboarded or shared CDR service data with them. For example, when vetting a prospective OSP, one principal assessed copies of the OSP’s most recent System and Organisation Controls (SOC) 2, SOC 3 or ASAE[11] reports (as available) then reviewed the controls to ensure they met the information security controls standards required by Schedule 2 of the CDR Rules.

Both principals had also established processes to review OSP information security measures, such as conducting annual assurance activities. Such actions included reviewing SOC 2, SOC 3 or ASAE reports, and weighing exceptions or breaches in the reports against their risk rating matrix.

These measures went toward complying with the CDR Rules, which require OSPs to implement certain minimum information security controls, such as data segregation (in which an OSP segregates its OSP data from all other data), information security capacity, and access controls.[12] While an OSP principal is required to confirm the OSP’s information security capabilities, the principals in this assessment demonstrated good governance by setting out the processes within their policy documents, and also strong record keeping in this area.

Steps to minimise sharing CDR data

Both principals took steps to reduce the CDR service data shared. For example, both principals tried to limit sharing consumer transaction data to the extent the OSP needed it to fulfil its contracted services. One principal scrambled customers’ identification information when sharing data, so the OSP could not readily link CDR service data to an individual.

Additionally, one principal had implemented a graduated system to control its OSP’s employee access to CDR data within the principal’s CDR data boundary. It limited access levels to what was necessary for specific roles to reduce the likelihood and impact of a data breach caused by human error.

Areas for improvement

Where this assessment identified areas for improvement, it was generally because there was an insufficient level of detail in the OSP contractual arrangement or the supporting practices, procedures and systems.

We highlight a selection of these areas below.

CDR outsourcing arrangements

While the contents of the outsourcing arrangements with most OSPs were generally compliant, we found that an arrangement with one OSP did not specify that the OSP must comply with the relevant legislation as if it were the OSP principal. This was a medium privacy risk. We recommended that the principal update the agreement to include the requirement in subrule 1.10(3) of the CDR Rules. This requirement aims to ensure that OSPs maintain the same high level of compliance with the privacy safeguards as the OSP principal.

We found a low privacy risk that both principals could enhance their CDR outsourcing arrangements by detailing their OSP oversight and communication protocols.

Specifically, we suggested the principals could document within the OSP arrangement:[13]

  • any internal assurance activities that the OSP will undertake to ensure CDR compliance
  • details of how OSPs will report to the principal immediately on any impactful security incidents and data breaches
  • any relevant policy documents to be shared between the parties
  • if applicable, any internal policy requiring OSPs to hold and retain accredited data recipient status.[14]

Documenting oversight and communication requirements within an outsourcing arrangement goes toward ensuring that all parties are aware of their relevant CDR obligations.[15] Additionally, maintaining established reporting protocols may reduce delays and mitigate impact following security incidents or data breaches.

We also found that one OSP principal did not annually review an OSP arrangement, which was a medium privacy risk, and recommended that it do so. We further suggested that it establish a review date register and create processes to ensure that arrangements are reviewed and updated as necessary, but at least annually.

CDR outsourcing arrangement tip

Principals should ensure their CDR outsourcing arrangements address certain responsibilities and requirements, including:

  • the OSP’s obligation to cooperate with and/or participate in assurance activities[16]
  • the principal’s obligation to provide timely assistance when the OSP requests it[17]
  • the OSP’s obligation to document any service data shared with or collected by its own direct OSPs, to facilitate de-identification and deletion processes.[18]

These details ensure both parties have clarity as to their obligations in serving as or engaging an OSP to handle CDR service data.

OSP information in CDR policy

To empower consumers to make informed decisions and to understand how their CDR data will be managed, a principal must list each direct and indirect OSP in its CDR Policy. This includes noting each OSP’s accreditation status and whether it is based overseas,[19] as well as the nature of the services the OSP provides and the CDR data or classes of CDR data that may be disclosed to or collected by the OSP.[20]

At the time of the assessment, we found that an indirect OSP was not identified in the principal’s CDR Policy, which was a medium privacy risk. We recommended the principal update its CDR Policy to reflect the missing indirect OSP. We also suggested that it document a process to ensure any new OSPs are added to the CDR Policy.

Implementing practices, procedures, and systems to ensure compliance

OSP principals must take reasonable steps to implement practices, procedures and systems that will ensure the OSPs’ compliance with CDR legislation and mitigate risks to CDR service data. Both principals had taken steps to create internal policies and processes, or to integrate OSP considerations into existing policies.

However, we identified 3 medium risks for one of the principals and recommended it:

  • develop a risk-based OSP assurance plan and undertake annual assurance activities as a reasonable step to ensure its OSPs comply with relevant CDR outsourcing arrangement requirements
  • establish and document communication protocols between the OSP principal and the OSP around incident reporting, relevant trends, and impactful guidance
  • provide training or training materials to its OSPs to ensure that in handling CDR service data, its OSPs are aware of their obligation to comply with the same restrictions and requirements that bind the principal. Alternatively, principals should vet prospective OSPs’ training processes prior to onboarding, to ensure training sufficiently teaches staff how to comply.

Through establishing and documenting these processes and policies, an OSP principal can be better placed to protect CDR service data and ensure compliance with relevant CDR requirements.

CDR outsourcing arrangement tip

A principal could document an internal process or policy for approving any new direct or indirect OSPs. This process or policy could outline its vetting requirements (e.g., confirming prospective OSPs’ information security capabilities), recordkeeping requirements, and other onboarding processes, such as updating the principal’s CDR Policy to reflect its engagement with the OSP.

Part 3: About the assessment

Conduct of the assessment

Objective and scope

The objective of this assessment was to promote and uphold privacy rights in the CDR ecosystem by assessing whether the OSP principals:

  • were compliant with Privacy Safeguards 1 (open and transparent management of CDR data)[21] and 12 (security of CDR data)[22]
  • implemented, maintained, and enforced CDR outsourcing arrangements
  • ensured their CDR outsourcing arrangements contained adequate controls to protect CDR data from misuse, interference, loss, and unauthorised access, modification, or disclosure
  • ensured their CDR policies were updated to list all direct and indirect OSPs.

Where we identified privacy risk or non-compliance, we made recommendations and best practice suggestions to help ADRs achieve good practice with their CDR outsourcing arrangements.

Methodology

This risk and compliance-based assessment examined 2 ADRs[23] in their roles as OSP principals.

The assessment consisted of interviews with the respective principals, as well as a desktop review of each principal’s:

  • CDR outsourcing arrangements, as of July to August 2024
  • responses to the OAIC’s request for information, including documentation on how they implement their CDR outsourcing arrangement(s)
  • other relevant documents, records, or information they provided.

This was a point-in-time assessment that examined the principals’ compliance at the time of the assessment. Each of the principals was offered an opportunity to respond to the OAIC’s questions regarding their OSP arrangements and practices. Where necessary, we also requested additional information or clarification.

Recommendations and next steps

On concluding this assessment, we gave each principal a tailored individual assessment report with our findings. Where we identified non‑compliance or privacy risks, we recommended or suggested actions to rectify the relevant issues. In total, we made 6 recommendations and 6 suggestions to address areas of risk and non‑compliance we identified in this assessment.

As of this publishing, the principals have advised that they have taken steps to address the findings.


[1] CCA, s 56ER; CDR Rules, subr 9.6(2).

[2] CDR Rules, subr 1.10(3)(a).

[3] Consumer Data Right (2024) CDR outsourcing arrangements Fact sheet, CDR, accessed 17 January 2025.

[4] Subrules 1.10(3) and 1.16 of the CDR Rules describe necessary outsourcing arrangement provisions. Subrules 9.3(2)(ia), 7.2(4)(f), 1.18(c), and 7.12(2)(b) describe obligations related to recordkeeping, CDR policy content, data deletion, and de-identification protocols.

[5] CDR Rules, subr 1.10(3)(b)(ii).

[6] Subrule 1.16(2) of the CDR Rules.

[7] Section 56ED(2) of the CCA requires CDR entities to take steps that are reasonable in the circumstances to implement practices, procedures, and systems to ensure compliance with Part IVD of the CCA (which includes the privacy safeguards) and the CDR Rules.

[8] CCA s 56EO.

[9] Subrule 1.10(6) of the CDR Rules defines ‘service data’.

[10] Subrule 7.2(4)(f) of the CDR Rules requires the CDR Policy to list direct and indirect OSPs of the accredited person including whether based in Australia or based overseas, and whether or not any is an accredited person.

[11] ASAE 3100 9-09-08

[12] Subrule 1.10(3)(b)(ii) of the CDR Rules and Schedule 2 of the CDR Rules.

[13] Subrule 1.16(1) of the CDR Rules.

[14] There is no legal requirement for an OSP to have or retain ADR status. Both principals relied at least somewhat on their OSPs’ ADR status to inform their confidence in the OSPs’ reliability as to CDR compliance. This information also serves principals in ensuring compliance with subrule 7.2(4)(f) of the CDR Rules, which requires principals to note each of their OSPs’ accreditation status in their CDR Policy.

[15] CDR outsourcing arrangement: privacy obligations for a principal of an outsourced service provider.

[16] Schedule 2, Part 2, 2.2 (6) of the CDR Rules.

[17] CCA, s 56ED(2)(a); Subrule 1.16(1) of the CDR Rules; CDR outsourcing arrangement: privacy obligations for a principal of an outsourced service provider.

[18] CCA, s 56ED(2)(a); Subrules 1.16(1), 1.18(c), and 7.12 of the CDR Rules.

[19] Subrule 7.2(4)(f) of the CDR Rules.

[20] Subrule 7.2(4)(g) of the CDR Rules.

[21] CCA, s 56ED(2) requires CDR entities to take steps that are reasonable in the circumstances to implement practices, procedures, and systems to ensure compliance with Part IVD of the CCA (which includes the privacy safeguards) and the CDR Rules.

[22] CCA, s 56EO.

[23] The OAIC exercises discretion in identifying the CDR entities that are a focus of our assessments. We have not identified the CDR entities assessed due to the small cohort of 2 CDR entities, assessment outcomes and educative nature of this summary report. The OAIC may name CDR entities in future assessments.