Assessment of Consumer Data Right data holders at June 2022
- The Office of the Australian Information Commissioner (OAIC) assessed Consumer Data Right (CDR) data holders’ compliance with Privacy Safeguard 1.
- Privacy Safeguard 1 outlines the requirements for CDR entities to handle CDR data in an open and transparent manner. It requires CDR entities to have a policy describing how they manage CDR data, and to maintain internal practices, procedures and systems to ensure compliance. It is the bedrock privacy safeguard that underpins compliance with all the other privacy safeguards.
- We assessed a sample of 7 data holders active on the CDR register (all were authorised deposit-taking institutions).
- We examined the data holders’ CDR policies against what the policies are required to include. We found 11 instances of non-compliance and 8 instances of partial compliance.
- The data holders’ CDR policies allowed consumers to generally understand how the data holder would handle their CDR data, and deal with complaints.
- The number of findings made about individual entities ranged from one to 6 findings.
- We examined the steps data holders took to implement practices, procedures and systems that will ensure they comply with their CDR obligations. We did not identify any high privacy risks. We found 3 medium privacy risks and 9 low privacy risks.
- The number of findings made about individual entities ranged from one to 4 medium or low privacy risks.
- None of the instances of partial or non-compliance, or privacy risks, were serious enough to warrant further regulatory action at this point. We made recommendations that, if implemented, will adequately address the partial or non-compliance and privacy risks.
- We have advised these data holders of the OAIC’s expectation that they implement our recommendations, and we will follow up to confirm they have done this in a timely manner.
- At the time of publication, 6 of the 7 data holders had taken steps to implement their recommendations. All data holders had accepted the recommendations that were not yet implemented.
- We will consider the findings of this assessment during any future update the CDR privacy safeguard guidelines.
Part 1: Introduction
The OAIC protects the privacy of individuals by regulating organisations’ compliance with personal information handling obligations. This includes regulating the privacy aspects of the CDR.
The CDR gives consumers greater control over their data. It enables a consumer to direct a data holder to provide their CDR data to an accredited data recipient or a CDR representative, in a CDR compliant format.
The OAIC has the power to assess whether data holders are complying with Privacy Safeguard 1 and the CDR rules that relate to Privacy Safeguard 1.
The targets of this assessment were a sample of 7 CDR data holders. These were Central West Credit Union (CWCU), Tyro Payments Limited (Tyro), Horizon Bank, G&C Mutual Bank Limited (G&C Mutual), Victoria Teachers Limited (Bank First), Police & Nurses Limited (P&N Bank) and Bank of Queensland Limited (BoQ). This report refers to them collectively as data holders.
We examined the data holders’ compliance with Privacy Safeguard 1. The objective of Privacy Safeguard 1 is to ensure CDR entities handle CDR data in an open and transparent way. Compliance with Privacy Safeguard 1 supports entities to embed privacy in their data-handling. This results in better overall privacy management, practice and compliance through a ‘privacy-by-design’ approach.
The assessment consisted of a desktop review of the data holders’ CDR policies, as well as their related processes, practices and systems. It also included analysis of questionnaires that the data holders completed about their compliance with Privacy Safeguard 1.
Part 2 of this document explains what Privacy Safeguard 1 and the CDR Rules require data holders to do. It outlines where the data holders have engaged in good privacy practices, and identifies areas for improvement. Part 3 provides more information on the objective, scope and conduct of the assessments, and implementation of the recommendations.
Part 2: Summary of findings
Privacy Safeguard 1 and CDR Rule 7.2 outline the requirements for CDR entities (including data holders) to handle CDR data in an open and transparent way.
Privacy Safeguard 1 requires CDR entities to have a policy about the entity’s management of CDR data. Privacy Safeguard 1 also requires entities to take steps that are reasonable in the circumstances to implement practices, procedures and systems that will ensure they comply with their CDR obligations, and are able to deal with related enquiries and complaints from consumers.
The criteria the OAIC uses to make its findings are:
High risk: an internal control or risk management issue that if not mitigated would likely lead to a breach of legislative obligations.
Not compliant: a compliance issue that if not addressed would likely lead to a breach of legislative obligations.
The OAIC expects the organisation to act immediately to address high risks and non‑compliance.
Medium risk: an internal control or risk management issue that if not mitigated would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation.
Partially compliant: a compliance issue that if not addressed would possibly lead to a breach of legislative obligations, or meet some (but not all) requirements of a specific obligation.
The OAIC expects organisations to address medium risks and partial compliance in a timely manner.
Low risk: the organisation could improve the way it complies and the OAIC suggests further management attention.
For more information about these privacy risk ratings, refer to Chapter 9 of the OAIC’s Guide to privacy regulatory action.
Policy about managing CDR data
All data holders must have a CDR policy that outlines how they manage CDR data. The CDR policy must be publicly and freely available, including being readily available on each online service where the CDR entity ordinarily deals with CDR consumers. This policy must be up to date and clearly expressed. The document must be distinct from the entity’s other privacy policies.
Privacy Safeguard 1 and the CDR rules specify information that data holders must have in their CDR policy. CDR policies must contain information about:
- how consumers can access and correct their CDR data
- whether the data holder accepts requests for voluntary product or consumer data
- how consumers can complain about a failure of the data holder to comply with the data holder’s obligations, and how the data holder will deal with that complaint.
Areas of good privacy practice
All the data holders developed a CDR policy, distinct from their other privacy policies, that outlined how they managed CDR data. The policies generally contained the mandatory information.
Each data holder’s CDR policy was available and accessible. The CDR policies were available free of charge. Each data holder demonstrated good privacy practice through the steps it took to ensure the complex information required in their CDR policy was expressed clearly. Their CDR policies used language that was accessible to a wide audience with varying levels of literacy.
All data holders included a consumer complaint handling process within their CDR policy.
The data holders’ CDR policies allowed consumers to generally understand how the data holder would deal with CDR enquiries and complaints. None of the data holders were found to be fully compliant, but several had only a small number of omissions. G&C Mutual did not have any areas of non-compliance (but had a finding of partial compliance). Bank First and Horizon both had one finding of non‑compliance and one finding of partial compliance. These 3 data holders had the fewest number of findings of partial or non-compliance.
Areas for improvement
This section identifies requirements in respect of which 2 or more data holders had partial or non‑compliance.
Data holders’ CDR policies must contain information about how a consumer may both access the CDR data and seek correction of the CDR data. Two data holders did not outline how consumers could access their data.
Data holders’ CDR policies must also contain information about whether the data holder accepts consumer data requests for voluntary product data or voluntary consumer data. Two data holders indicated they may accept requests for some types of voluntary data, but did not indicate whether this was voluntary consumer or product data.
The CDR rules set out information that data holders must include in their CDR policies about how a CDR consumer can complain and how the entity will deal with the complaint. This includes outlining key aspects of the data holder’s internal dispute resolution process. For banking sector data, data holders’ internal dispute resolution processes must comply with relevant sections of the Australian Securities and Investment Commission’s Regulatory Guidance 271 (RG 271).
The CDR rules require data holders to include information about their process for handling CDR complaints. For banking sector data, data holders should include steps required under paragraph 172 of RG 271. This requires public complaints policies to explain ‘key steps for dealing with complaints, including acknowledgement, assessment and investigation, and provision of an IDR response’. Three data holders did not address each of these 3 steps in their CDR policies and were found to be partially compliant.
None of the data holders’ CDR policies included sufficient information about options for redress of complaints made through internal dispute resolution processes, although one data holder was partially compliant. For banking sector data, paragraph 161 of RG 271 gives 13 examples of possible remedies. These include refunds, fee waivers, correction of records and compensation payments. Data holders should include examples of potential remedies in their CDR policies.
The CDR rules require data holders’ CDR policies to include options for review of dispute resolution outcomes, both internally (if available) and externally. For banking sector data, the Australian Financial Complaints Authority (AFCA) is the recognised external dispute resolution scheme. Most data holders included in their CDR policies that AFCA was an avenue for consumers to resolve disputes externally. Three data holders did not include that, in addition to AFCA, a consumer can also complain to the OAIC if the consumer is unsatisfied with the outcome of a data holder’s internal dispute resolution process. Data holders should include the OAIC as an option for external review of dispute resolution outcomes.
Internal polices, practices and systems
Data holders are required to take reasonable steps to implement practices, procedures and systems to ensure compliance with their CDR obligations and be able to receive enquiries and complaints. The OAIC expects data holders to monitor and review their CDR privacy processes regularly. Chapter 1 of the OAIC’s CDR privacy safeguard guidelines suggests steps to implement practices, procedures and systems under Privacy Safeguard 1.
When assessing what is reasonable given the data holders’ specific circumstances, the OAIC considered:
- the CDR rules and other legislative obligations that apply to the data holder
- the amount of CDR data handled by the data holder
- the possible adverse consequences for a consumer in the case of a breach
- the practicability, including time and cost involved.
The fact that it would be inconvenient, time-consuming or impose some cost to so implement practices, procedures and systems was not relevant. Instead, we considered whether the burden was excessive in the circumstances.
Areas of good privacy practice
We found all data holders were taking steps to establish and promote a culture that respects privacy and good information handling practices when managing CDR data.
All data holders had appointed senior staff responsible for strategic leadership of CDR and officers responsible for day-to-day management of CDR data.
The data holders generally demonstrated good practice by implementing procedures and systems to review their CDR policies at least annually (or after any legislative and operational changes). They had identified staff who were responsible for reviewing their CDR policy.
In assessing data holders’ internal policies, procedures and systems to ensure compliance with their CDR obligations. We identified one low risk in relation to each of P&N Bank, Bank First, Horizon and Tyro. These 4 data holders had the fewest number of findings of privacy risks.
Areas for improvement
This section identifies areas where 2 or more data holders had similar findings.
Paragraph 1.34 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines states that a CDR data management plan could set out the processes to measure and document a CDR entity’s performance. Five data holders had not established a CDR data plan or alternative processes to measure and document a CDR entity’s performance. We suggested the data holders establish data management plans as a way for them to improve compliance.
For 3 data holders we identified medium or low risks in their internal practices, procedures and systems to deal with consumer complaints. Most (but not all) of these risks were a consequence of partial or non-compliance relating to the consumer complaints information they included in their CDR policies. Internal documents should set out how the data holder carries out the processes it describes in its CDR policy. This includes outlining options for redress and ensuring both the OAIC and AFCA are listed as options for external review.
Part 3: Context
Objective and scope of the assessment
The objective of the assessments was to examine whether the data holders were managing CDR data in an open and transparent way.
Specifically, the OAIC evaluated whether the data holders had:
- taken reasonable steps in accordance with Privacy Safeguard 1 to implement practices, procedures and systems that support the effective management of CDR data and ensure compliance with their CDR obligations.
Conduct of the assessment
We selected a random stratified sample of 7 CDR data holders for this assessment. We selected these by using APRA data to sort data holders (as at March 2022) into groups by size of household deposits. From each group we randomly selected one in 10 data holders.
The data holders provided the OAIC with copies of their CDR policies and any related or relevant documents outlining internal practices, procedures and systems relating to their compliance with the privacy safeguards. They also completed questionnaires that gathered information about their compliance with Privacy Safeguard 1. The data holders provided these policies, documents and questionnaire responses to the OAIC on or before 24 June 2022. They provided additional information during the assessment as needed.
We conducted ‘point in time’ assessments. Our observations and opinions are only applicable to the time period in which we conducted the assessment. We looked at the data holders’ CDR policies that were in place on 24 June 2022, and information about internal processes, procedures and systems that they had in place between June and July 2022.
We conducted a desktop review of these policies, documents and questionnaire responses against the requirements of Privacy Safeguard 1 and the related CDR rules. We provided individual reports to each of the data holders, including recommendations and suggestions to address any privacy risks or areas of partial or non-compliance.
Our assessment focused on identifying areas of non-compliance with specific CDR obligations and privacy risks to the effective handling of CDR data. Our aim was to help entities improve their CDR policies and related internal practices, procedures and systems.
For more information about privacy risk ratings refer to the OAIC’s ‘Risk based assessments – privacy risk guidance’ in Appendix A of chapter 9 of the OAIC’s Guide to privacy regulatory action. This is available at oaic.gov.au/about-us/our-regulatory-approach/guide-to-privacy-regulatory-action.
Implementing the recommendations
On finalising the assessment the OAIC wrote to the data holders outlining our expectation that they respond with a plan for implementing our recommendations.
At the time of publishing this report, 6 of the 7 data holders had taken steps to implement the OAIC’s recommendations. All data holders had accepted the recommendations that were not yet implemented.
Six months after we sent the data holders the final report, we will follow up each data holder to ensure they have fully implemented the recommendations.
 This power is set out in section 56ER of the Competition and Consumer Act (2010) (Competition and Consumer Act).
 As set out in Part IVD of the Competition and Consumer Act and the CDR Rules.
 This is outlined in subsection 56ED(3) of the Competition and Consumer Act and Rule 7.2(2) of the CDR Rules.
 This is outlined in subsections 56ED(7) and 56ED(8) of the Competition and Consumer Act and CDR Rules 7.2(8) and 7.2(9).
 This is outlined in subsection 56ED(3) of the Competition and Consumer Act and Rule 7.2(2) of the CDR Rules
 This is outlined in subsection 56ED(4) of the Competition and Consumer Act and Rules 7.2(6) of the CDR Rules.
 See s 56ED(4)(a) and paragraph 1.55 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 See CDR Subrule 7.2(3)(a) and paragraph 1.56 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 See CDR Rule 7.2(6) and paragraph 1.56 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 See clause 5.1 of schedule 3 to the CDR rules
 See CDR Subrule 7.2(6)(f) and paragraph 1.56 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 See CDR Subrule 7.2(6)(h) and paragraph 1.56 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 See CDR Subrule 7.2(6)(i) and paragraph 1.56 of Chapter 1 of the OAIC’s CDR privacy safeguard guidelines.
 This is outlined in s 56ED(2) of the Competition and Consumer Act.
 This guidance is outlined in Chapter 1 of the OAIC’s CDR Privacy Safeguard Guidelines and the OAIC’s Guide for developing a CDR policy.
 This is outlined in subsection 56ED(2) of the Competition and Consumer Act.