Complain to the business first
If you think a business has mishandled your Consumer Data Right (CDR) data or breached your privacy, you should complain to them first, before you lodge your complaint with the OAIC or a recognised external dispute resolution scheme.
Check the business’s CDR policy, which must explain how a consumer can make a complaint. The policy must be available through any online service the business uses to deal with consumers, such as its website and mobile app. A business participating in the CDR is required to provide you with a copy of the policy if you ask for it.
What to include in your complaint
When making a complaint to the business, you should:
- identify yourself
- give any identification or reference number(s), if relevant
- give a brief description of the matter and why you think the business has mishandled your CDR data (what happened, when it happened and any consequences)
- let them know what you would like them to do to resolve the matter.
If you put your complaint in writing, also include:
- a contact address
- a contact phone number
- the date (if you are sending a letter).
You may like to use the template below to make your complaint.
Dear Privacy/Consumer Data Right Officer
I am writing to you to make a Consumer Data Right complaint about how [name of business] has handled my data.
On [date], [provide an explanation of what happened, including as much detail as possible].
As a result of this [explain the impact the incident has had on you and why you’re concerned about this].
To resolve this complaint, I would like you to [outline what you’re seeking to resolve the complaint].
Please call me on [your phone number] to discuss the complaint.
If I do not receive a response from you within a reasonable time (generally 30 days) or the complaint is not resolved, I may contact the relevant external dispute resolution scheme or the Office of the Australian Information Commissioner to make a complaint.
Keep a record of your complaint and any responses
Make sure you keep a record of your complaint.
If you complained in person or over the phone, make a record of:
- the date you complained
- the name of the business you complained to
- the name of the person you complained to, if available
- a brief description of why you think the business has mishandled your CDR data (what happened, when it happened and any consequences)
- a brief description of what you asked the business to do to resolve the matter.
If you receive a response, make a record of:
- the date you received the response
- the name of the business that responded
- the name of the person you spoke to, if available
- a description of the response.
If the business responds in writing, keep a record of their response.
Give them at least 30 days to respond
You need to give the business a reasonable amount of time to respond to your complaint. We think 30 days is a reasonable time.
If the business doesn’t respond to your complaint or you are not happy with their response, you can lodge a complaint with us or the relevant external dispute resolution scheme.
If your complaint would be better handled by an external dispute resolution scheme, the OAIC will generally refer your complaint to the appropriate scheme. We will notify you if we refer your complaint.
The Australian Financial Complaints Authority is the external dispute resolution scheme for the Consumer Data Right in the banking sector.