Published: 15 Jan 2024
Assessment of Consumer Data Right consent and authorisation processes as at February 2023
Executive Summary
In January 2023, the Office of the Australian Information Commissioner (OAIC) commenced an assessment of 6 Consumer Data Right (CDR) participants. This assessment was the first to focus on how consumer consent and authorisation processes are being managed in the CDR system.
The assessment examined whether 3 accredited data recipients (ADRs) (including one CDR principal with CDR representative arrangements) were compliant with the consent obligations in Divisions 4.2 and 4.3 of the Competition and Consumer (Consumer Data Right) Rules 2020 (CDR Rules).[1] The assessment also examined whether 3 banking sector data holders were compliant with the authorisation obligations in Division 4.4 of the CDR Rules.
Overall, we found that, at the time of assessment (in February 2023), the 3 data holders and 2 of the ADRs demonstrated a high level of compliance with the obligations assessed. In relation to the CDR principal, we examined the consent process of one of its CDR representatives and found a lower level of compliance with the obligations assessed. Further regulatory activities may be required to assess the compliance of CDR principals’ representative arrangements more broadly within the CDR ecosystem.
For 3 CDR participants, we did not identify any compliance concerns. Across the other 3 CDR participants we identified a total of 7 areas of non-compliance that resulted in 7 recommendations:
- We found 2 issues where a data holder and an ADR were not presenting certain required information to consumers about withdrawing a consent to collect or an authorisation to disclose their CDR data.
- In relation to the CDR principal, we found it had not met its overall obligation to ensure its CDR representative complied with the CDR Rules.
- We also identified that the CDR principal, due to its representative arrangement, had 4 areas of non‑compliance. These related to not presenting withdrawal of consent information, not identifying a general policy of information on redundant data or de-identifying redundant data handling and intended treatment of redundant data, including election to delete within the consent process. We also found the CDR principal had not met its obligations in relation to ensuring data minimisation.
Part 1: Introduction
Background
The CDR gives consumers greater control over their data. It allows a consumer to access particular data (‘CDR data’) in a usable form and to direct a data holder to securely transfer that data to an accredited person (who then becomes an ADR).
The OAIC regulates the privacy aspects of the CDR. We have the power to assess whether a data holder or an ADR is maintaining and handling CDR data in accordance with the privacy safeguards in the Competition and Consumer Act 2010 (Cth) and related CDR Rules.[2]
Consumer consent is the bedrock of the CDR system. It ensures consumers can control where their CDR data goes in order to obtain the most value from it. An accredited person cannot collect, use or disclose a consumer’s CDR data without the consumer’s express consent, and a data holder cannot disclose CDR data to the accredited person without the consumer’s authorisation. Consent and authorisation obligations relate to privacy safeguards 3 and 10.
For this assessment, we chose to assess a sample of 6 CDR participants made up of data holders and ADRs, including one CDR principal. The CDR principal had arrangements with multiple CDR representatives. We examined the consent processes of one of these CDR representatives. The table below specifies the CDR participants we assessed. While these CDR participants may hold more than one role within the CDR system, they were assessed only for the role indicated.
Table 1: CDR participants included in this assessment
Data holders | ADR | CDR principal |
|---|---|---|
HSBC Bank Australia Limited | Beyond Bank Australia Limited | Fiskil Pty Ltd (selected CDR representative: Resly Pty Ltd)[3] |
MyState Bank Limited | National Australia Bank Limited | |
Police Credit Union Limited |
Objective, scope and methodology
This assessment examined CDR participants’ compliance with the version of the CDR Rules that was in effect at the commencement of the assessment fieldwork (as at 10 February 2023). We conducted the desktop review of data holders and ADRs (including a CDR principal[4]) by requesting that they provide video examples of their consent and authorisation process. This included the screens that a consumer views when their consent or authorisation is being sought.
We assessed compliance with relevant rules in Divisions 4.2, 4.3 and 4.4 of the CDR Rules as follows:
- Division 4.2 prescribes the consent process for an ADR and/or a CDR representative making a consumer data request to a data holder. This assessment considered the required steps for how a consumer data request is made.
- Division 4.3 outlines the specific information an ADR and/or a CDR representative needs to include when asking a consumer to give a consent. This assessment looked at the consent process and the requirements for an ADR/CDR representative under the CDR Rules.
- Division 4.4 sets out obligations relating to a data holder’s processes for seeking and managing an authorisation to disclose CDR data. The assessment examined how the data holders ensured they only disclose the CDR data that the consumer’s consent provides for. Before a data holder seeks a consumer’s authorisation to disclose the CDR data in response to an ADR’s request, there must be a valid request to which the consumer has consented. Additionally, the assessment considered the processes that data holders are required to maintain by which the data holder asks CDR consumers for their authorisation to disclose CDR data and for an amendment to their authorisation, including a video of each process.[5]
While the findings in this report relate to point-in-time (past) conduct and obligations, we expect the CDR participants assessed will implement our recommendations as appropriate and ensure their own compliance with the latest version of the CDR Rules.
Part 2: Summary of findings
Data Holders
The CDR Rules require that data holders must provide consumers with certain information when seeking authorisation to disclose their CDR data to an accredited person. This includes:
- the accredited person’s name
- the date, frequency and duration of the requested disclosure
- the types of CDR data to be disclosed.
Two of the 3 data holders assessed were found to have been compliant in relation to the information provided to the consumers when seeking authorisation.
The remaining data holder provided most of the required information, however we found that its authorisation flow did not include the required statement or instructions about the withdrawal of authorisation. The CDR Rules required data holders to provide the required statement that, at any time, the authorisation can be withdrawn and instructions for how the authorisation can be withdrawn. [6]
The CDR Rules also prohibit data holders from introducing any additional restrictions into their authorisation flows.[7] This includes added requirements, additional information provided or requested beyond what is specified in the CDR Rules. We found all 3 data holders were compliant with this obligation. No additional/alternate services were offered as part of the data holders authorisation process.
Privacy Tip: A data holder may disclose CDR data only with the authorisation of the relevant CDR consumers.
Accredited data recipients (ADRs)
In obtaining consent from a consumer, an accredited data recipient must comply with requirements relating to an accredited person’s processes for asking for consent. These processes ensure that ADR consent requests are as easy for a consumer to understand as practicable. We found both ADRs to be compliant with these requirements.[8]
An accredited person must present specific information to a CDR consumer when asking them to give consent to share their CDR data.[9] Among other things, this includes the accredited person’s name and accreditation number, information about how they will handle redundant data, and a statement about any consequences to the CDR consumer if they withdraw the consent.[10] We found that one ADR did not include this statement in its consent flow.
The CDR Rules also include restrictions on what an accredited person can ask a consumer to consent to.[11] We found both ADRs to be compliant with these restrictions, including the data minimisation principle and the restriction on seeking consent to collect the consumer’s data for a period longer than 12 months.
Privacy Tip: The CDR Rules seek to ensure that a consumer’s consent is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn. An accredited person must ask a CDR consumer to give or amend a consent in accordance with the CDR Rules, and must minimise the amount of data requested.
CDR principal
The CDR representative model allows an unaccredited person known as a ‘CDR representative’ to provide CDR goods or services directly to a consumer, where they have a written contract (CDR representative arrangement) in place with an unrestricted accredited person known as a ‘CDR principal’. These CDR representative arrangements must meet the requirements set out in the CDR Rules.[12] The CDR Rules also require that the CDR principal must ensure the CDR representative complies with the requirements of its CDR representative arrangement.[13]
While the CDR principal’s role in the CDR representative model is to collect the CDR data, it is the CDR representative that seeks the relevant consents from the consumer, including the consent for the CDR principal to collect the consumer’s CDR data.
A CDR principal must ensure that their CDR representative seeks a consumer’s consent in accordance with the CDR Rules as if it were an accredited person.[14] The CDR principal is liable for any breach of Division 4.3 by its CDR representative.[15] Our assessment found that the CDR principal assessed was not compliant with this obligation. Its CDR representative’s consent processes had multiple areas of non‑compliance with the CDR Rules.
We found that the CDR representative’s consent flow was not compliant with the data minimisation principle as appropriate to the specific products or services offered.[16] The CDR representative should only collect such CDR data and for such a time period as is reasonably needed to provide the product or service offered to the consumer. This may depend on whether the use or collection is related to an ongoing service or product.
When asking a consumer to give consent, the CDR Rules require an accredited person to clearly state whether they have a general policy of deleting redundant data or de-identifying redundant data, or deciding, when the data becomes redundant, whether to delete or de-identify it. The CDR Rules also require a consent flow to include a statement outlining intended treatment of redundant data, a statement outlining a CDR consumer’s right to elect redundant data deletion, and instructions for how the election can be made. [17] We found the CDR representative’s consent flow was not compliant with both these obligations.
The CDR Rules also require that, when asking a consumer to give consent, an accredited person must give the consumer a statement indicating the consequences (if any) to the consumer if they withdraw the consent.[18] This is to ensure that consumers are presented with required information to make an informed choice when providing consent. We found that the CDR representative did not include the required statement in its consent flow.
Privacy Tip: A CDR representative is responsible for seeking a CDR consumer’s consent when CDR data is being collected by a CDR principal under a CDR representative arrangement. However, the CDR principal is liable if the CDR representative does not obtain consent in accordance with the CDR Rules.
Part 3: Recommendations and next steps
In total, we identified 7 compliance issues during this assessment. We have communicated individual findings to all CDR participants assessed. For those CDR participants with areas of non‑compliance, we have recommended actions they should take to rectify the relevant issues.
The CDR participants have each accepted our findings and any recommendations. At the time of publishing this report, 6 of these recommendations have been actioned by the CDR participants. The OAIC will follow up the implementation of the remaining recommendation in the next 6-12 months.
We also engaged with the CDR participants assessed to promote best practice, for example, by directing them to relevant resources, or notifying them about any potential compliance risks identified and requesting further information from the CDR participant in response. We referred participants to the following guidance materials:
- CDR Privacy Safeguard Guidelines
- CDR representative model: privacy obligations of a CDR principal
- Guidance for CDR representative principals on ensuring compliance of their CDR representatives
- Guide to privacy for data holders
[1]Competition and Consumer (Consumer Data Right) Rules 2020 (Register ID F2022C00187 Comp No. 7) were in force at the time of this assessment and have since been superseded.
[2] See s 56ER of the Competition and Consumer Act.
[3] We assessed whether the CDR principal, Fiskil Pty Ltd, had ensured its CDR representative, Resly Pty Ltd, had complied with the relevant CDR Rules and privacy safeguards as if it were the ADR.
[4] Rule 1.10AA of theCDR Rules defines the term 'CDR representative’. A ‘CDR representative arrangement’ is an arrangement between a CDR principal and its CDR representative. From the consumer’s perspective, they deal with the CDR representative as if they were dealing with the CDR principal.
[5] See Subrule 9.3(1)(g) of the CDR Rules.
[6] See Subrule 4.23(1)(f) and Subrule 4.23(1)(g) of the CDR Rules.
[7] See Rule 4.24 of the CDR Rules.
[8] See Rule 4.10 of the CDR Rules.
[9] See Subrule 4.11(3) of the CDR Rules.
[10] See Subrule 4.11(3)(g) of the CDR Rules.
[11] See Rule 4.12 of the CDR Rules.
[12] See Subrule 1.10AA of the CDR Rules.
[13] See Subrule 1.16A of the CDR Rules.
[14] See Rule 4.3 of the CDR Rules, as modified by CDR Rule 4.3C(1).
[15] See Subrule 4.3C(2) of the CDR Rules.
[16] See Subrule 4.11(3)(c) of the CDR Rules.
[17] See Subrules 4.11(3)(h) and 4.17(1) of the CDR Rules.
[18] See Subrule 4.11(3)(g) of the CDR Rules.
