Chapter 11: Privacy Safeguard 11 – Quality of CDR data

Key points

• Privacy Safeguard 11,[1] together with rule 7.10 of the consumer data rules (CDR Rules), sets out obligations for data holders and accredited data recipients of CDR data to:
  • ensure the quality of disclosed consumer data right (CDR) data
  • inform consumers if they become aware they disclosed incorrect CDR data, and
  • disclose corrected CDR data to the original recipient if requested to do so by the affected consumer.
• The Australian Energy Market Operator Limited (AEMO) is not subject to Privacy Safeguard 11 in its capacity as a data holder.[2] Accordingly, unless otherwise indicated, all references in this Chapter to data holders exclude AEMO.

What does Privacy Safeguard 11 say?

11.1 Privacy Safeguard 11 requires:

• data holders who are required or authorised to disclose CDR data under the CDR Rules,[3] and
• accredited data recipients of a consumer’s CDR data who are disclosing that consumer’s CDR data when required or authorised under the CDR Rules

to:

• take reasonable steps to ensure that the CDR data is, having regard to the purpose for which it is held, accurate, up to date and complete
• advise the consumer in accordance with the CDR Rules if they become aware that the CDR data disclosed was not accurate, up to date and complete when disclosed, and
• where incorrect CDR data was previously disclosed, comply with a request by the consumer to disclose corrected CDR data to the original recipient in accordance with the CDR Rules.[4]

11.2 Privacy Safeguard 11 provides that holding CDR data so that it can be disclosed as required under the CDR Rules is not to be regarded as a purpose when working out the purpose for which the CDR data is or was held.[5]

11.3 Rule 7.10 of the CDR Rules requires data holders[6] and accredited data recipients of a consumer’s CDR data who have disclosed CDR data that was incorrect at the time of disclosure to provide the consumer with a written notice by electronic means that identifies:

• the accredited person to whom the CDR data was disclosed
• the CDR data that was incorrect, and
• the date of the disclosure.

11.4 The notice must also advise the consumer that they can request the entity to disclose the corrected data to the accredited person (to whom the incorrect CDR data was previously disclosed). The data holder or accredited data recipient must disclose the corrected data if the consumer requests them to do so.

11.5 This notice must be provided to the consumer as soon as practicable, but no more than 5 business days after the data holder or accredited data recipient becomes aware that some or all of the disclosed data was incorrect.

Why is it important?

11.6 The objective of Privacy Safeguard 11 is to ensure consumers have trust in and control over the quality of their CDR data disclosed as part of the CDR system.

11.7 Privacy Safeguard 11 does this by ensuring entities are disclosing CDR data that is accurate, up to date and complete, and by giving consumers control over their data by allowing them to require entities to disclose corrected data to the relevant accredited person.

11.8 This allows consumers to enjoy the benefits of the CDR system, such as receiving competitive offers from other service providers, as the data made available to sector participants can be relied on.

Who does Privacy Safeguard 11 apply to?

11.9 Privacy Safeguard 11 applies to data holders and accredited data recipients of CDR data.

11.10 Privacy Safeguard 11 does not apply to designated gateways or AEMO. Data holders that are retailers in the energy sector also do not have Privacy Safeguard 11 obligations in relation to CDR data held by AEMO that AEMO has disclosed to them.[7] Retailers must comply with Privacy Safeguard 11 in respect to their own data holdings.

11.11 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 11. However, under the terms of the CDR representative arrangement with their CDR principal,[8] a CDR representative is required to comply with Privacy Safeguard 11 in its handling of service data as if it were the CDR principal.[9] ,[10] A CDR principal breaches subrule 7.10A(1) in the CDR Rules if its CDR representative fails to comply with Privacy Safeguard 11 (subsection 56EN(2)) as if it were an accredited person (regardless of whether the CDR representative’s actions accord with the CDR representative arrangement).[11]

How Privacy Safeguard 11 interacts with the Privacy Act

11.12 It is important to understand how Privacy Safeguard 11 interacts with the Privacy Act 1988 and APPs.[12]

11.13 APP 10 requires APP entities to take reasonable steps to ensure the quality of personal information in certain circumstances.

11.14 APP 10 requires an APP entity to take reasonable steps to ensure the quality of personal information at the time of the ‘collection’ and ‘use’ as well as the ‘disclosure’ of the information.

11.15 Although Privacy Safeguard 11 applies only in relation to the ‘disclosure’ of CDR data, good practices and procedures by data holders that ensure the quality of personal information collected, used and disclosed under APP 10 will also help to ensure the quality of CDR data that is ‘disclosed’ under the CDR system.

11.16 Data holders (including AEMO) should also be aware that APP 13 (correction of personal information) obligations under the Privacy Act continue to apply in certain circumstances. For example, where the data holder becomes aware of incorrect CDR data, but the data holder has not disclosed that data to an accredited data recipient, the data holder must continue to comply with APP 13 and take steps that are reasonable to correct CDR data.[13]

What are the quality considerations?

11.17 The 3 quality considerations under Privacy Safeguard 11 are that data should be ‘accurate, up to date and complete’. Whether or not CDR data is accurate, up to date and complete must be determined with regard to the purpose for which it is held. ‘Held’ is discussed in Chapter B (Key concepts) .

11.18 When working out the purpose for which the CDR data is or was held, entities must disregard the purpose of holding the CDR data so that it can be disclosed as required under the CDR Rules.

11.19 For example, a data holder that is an authorised deposit-taking institution collects transaction data for the purpose of providing a banking service to its customer. It does not hold transaction data for the purpose of being required to disclose the data under the CDR system. ‘Purpose’ is discussed further in Chapter B (Key concepts).

11.20 The 3 terms listed in Privacy Safeguard 11, ‘accurate’, ‘up to date’, and ‘complete’, are not defined in the Competition and Consumer Act or the Privacy Act.[20]

11.21 The following analysis of each term draws on the ordinary meaning of the terms and the APP Guidelines.[21] As the analysis indicates, there is overlap in the meaning of the terms.

Accurate

11.22 CDR data is inaccurate if it contains an error or defect or is misleading. An example is factual information about a consumer’s contact details, account, income, assets, payment or repayment history or employment status which is incorrect having regard to the purpose for which it is held.

11.23 CDR data that is derived from other CDR data is not inaccurate by reason only that the consumer disagrees with the method or result of the derivation.[22] For the purposes of Privacy Safeguard 11, derived data may be ‘accurate’ if it is presented as such and accurately records the method of derivation (if appropriate).

11.24 For instance, an accredited data recipient may use the existing information it holds about a consumer to predict their income over a certain period of time. If the data is presented as the estimated future income for the consumer for that period, and states the basis for that estimation (that is, it is based on the consumer’s income over previous financial years), this would not be inaccurate solely because the consumer believes their income will be higher or lower during the projected period.

11.25 CDR data may be inaccurate even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer. For example, if a consumer has provided an incorrect mobile number which is held by the data holder for the purpose of being able to contact the consumer, and the data holder discloses this, the CDR data may be inaccurate and the data holder may later become aware of this inaccuracy.

Up to date

11.26 CDR data is not up to date if it contains information that is no longer current at, or during, the time that the data holder is required or authorised to disclose the CDR data. An example is a statement that a consumer has an active account with a certain entity, where the consumer has closed that account before the time that the data disclosure occurred. Another example is an assessment that a consumer has the ability to meet a loan repayment obligation, where in fact the consumer’s ability to do so changed in the period before the data disclosure was required or authorised. [23]

11.27 CDR data about a past event may have been up to date at the time it was recorded but has been overtaken by a later development. Whether that data is up to date at the time it is disclosed will depend on the purpose for which it is held. For example, if a consumer has had a second child but their CDR data records them as having only one child, the CDR data will still be up to date if that data is held for the purpose of recording whether the consumer is a parent.

11.28 In a similar manner to accuracy, CDR data may not be up to date even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer.

Complete

11.29 CDR data is incomplete if it presents a partial or misleading picture of a matter of relevance, rather than a true or full picture.

11.30 An example is data from which it can be inferred that a consumer owes a debt, which in fact has been repaid. The CDR data will be incomplete under Privacy Safeguard 11 if the data is held, for instance, for the purpose of determining the borrowing capacity of the consumer. Where the CDR data is held for a different purpose for which the debt is irrelevant, the fact that the debt has been repaid may not of itself render the CDR data incomplete. If, however, the accredited person has requested a consumer’s CDR data for a specific period, and in that period the consumer owed a debt which is recorded in the CDR data, and that debt was repaid in a later period, the CDR data will still be ‘complete’ in respect of that specific period.

Taking reasonable steps to ensure the quality of CDR data

When must an entity take reasonable steps?

11.31 Privacy Safeguard 11 requires an entity to take reasonable steps to ensure the quality of CDR data at the following points in time:

• ‘for data holders’: at the time the entity is required or authorised, or throughout the period in which the entity is required or authorised, to disclose CDR data under the CDR Rules. This includes when a data holder discloses CDR data:
  • to accredited data recipients under rule 4.6 in the CDR Rules, and
  • to consumers under rule 3.4 in the CDR Rules
• ‘for accredited data recipients’: at the time the entity discloses CDR data when required or authorised under the CDR Rules. This includes (but is not limited to) when an accredited data recipient discloses CDR data to:
  • an accredited data recipient under paragraph 7.5(1)(g) in the CDR Rules[24]
  • the consumer under paragraph 7.5(1)(c) in the CDR Rules
  • an outsourced service provider, sponsor or affiliate under paragraph 7.5(1)(d) in the CDR Rules
  • a trusted adviser under paragraph 7.5(1)(ca) in the CDR Rules
  • a specified person (in the case of a CDR insight) under paragraph 7.5(1)(ca) in the CDR Rules, or
  • a CDR representative under paragraph 7.5(1)(h) in the CDR Rules.

11.32 At other times, regular reviews of the quality of CDR data held by the entity may also assist to ensure the CDR data is accurate, up-to-date and complete at the time it is disclosed.

11.33 Entities should also be aware that Privacy Safeguard 11 only requires accredited data recipients to take reasonable steps when disclosing CDR data ‘under the CDR Rules’. It does not apply in relation to other disclosures of CDR data, for example where an accredited data recipient is required or authorised under another Australian law or court/tribunal order to disclose CDR data. The concept, ‘required or authorised to use or disclose CDR data under the CDR Rules’ is discussed in Chapter B (Key concepts).

What constitutes ‘reasonable steps’?

11.34 The requirement to ensure the quality of CDR data is subject to a ‘reasonable steps’ test.

11.35 This test requires an objective assessment of what is considered reasonable, having regard to the purpose for which the information is held, which could include:

• ‘The nature of the entity.’ The size of the entity, its resources, the complexity of its operations and its business model are all relevant to determining what steps would be reasonable for the entity to take to ensure the quality of the CDR data it is authorised or required to disclose.
• ‘The sensitivity of the CDR data held and adverse consequences for the consumer if the quality of CDR data is not ensured.’ An entity should consider the sensitivity of the data and possible adverse consequences for the consumer concerned if the CDR data is not correct for the purpose it is held. For example, a data holder should take more extensive steps to ensure the quality of highly sensitive data that it might be required or authorised to disclose. More rigorous steps may be required as the risk of adversity increases.
• ‘Whether the CDR data has been inferred.’ Entities may be required to take more rigorous steps to ensure the quality of CDR data that has been created, generated or inferred through analytics processes.
• ‘The practicability of taking action, including time and cost involved.’ A ‘reasonable steps’ test recognises that privacy protection must be viewed in the context of the practical options available to entities. The time, cost and resources involved in ensuring the quality of CDR data are relevant considerations. However, an entity is not excused from taking certain steps by reason only that it would be inconvenient, time-consuming, or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

11.36 In some circumstances, it will be reasonable for an accredited data recipient to take no steps to ensure the quality of CDR data. For example, where an accredited data recipient collects CDR data from a data holder known to be reliable, and the accredited data recipient has not created, generated, or inferred any further CDR data, it may be reasonable to take no steps to ensure the quality of that data. It is the responsibility of the entity to be able to justify that this is reasonable.

Examples of reasonable steps

11.37 The following are given as examples of reasonable steps that an entity should consider:

• Implementing internal practices, procedures and systems to verify, audit, monitor, identify and correct poor-quality CDR data to ensure that CDR data is accurate, up to date and complete at the point of disclosure.
• Ensuring internal practices, procedures and systems are commensurate with other reasonable steps the entity is taking to ensure the quality of CDR data the entity is authorised or required to disclose.
• Ensuring updated or new CDR data is promptly added to the relevant existing records as appropriate.[26]
• For a data holder, implementing protocols to ensure that the CDR data is accurate, up to date and complete both before and once it has been converted to the format required by the Data Standards.
• For an accredited data recipient, ensuring that any analytic processes used are operating appropriately and are fit for purpose, and not creating inaccurate or unjustified results. This is because data derived from CDR data collected by an accredited data recipient continues to be ‘CDR data’.[27]

Advising a consumer when disclosed CDR data is incorrect

11.38 Under Privacy Safeguard 11, if a data holder or accredited data recipient becomes aware that disclosed CDR data was not accurate, up to date and complete, they must advise the consumer in accordance with the CDR Rules.[28]

11.39 Rule 7.10 in the CDR Rules sets out the requirements for notifying the consumer where a data holder or accredited data recipient becomes aware that disclosed CDR data was not accurate, up to date and complete.  These requirements are summarised below.

In what circumstances must a consumer be advised that disclosed CDR data was incorrect?

11.40 Data holders and accredited data recipients must advise a consumer that some or all of the CDR data was incorrect if the entity:[29]

• has disclosed CDR data after being required or authorised to do so under the CDR Rules, and
• later becomes aware that some or all of the CDR data, when disclosed, was not accurate, up to date and complete, having regard to the purpose for which the data was held.

11.41 Data holders and accredited data recipients may later ‘become aware’ of inaccuracies in CDR data that was previously disclosed if they discover an inconsistency during normal business practices. Examples include but are not limited to circumstances where:

• information provided by the consumer is inconsistent with CDR data previously disclosed, or
• the entity is notified by the consumer or another entity that the CDR data is incorrect (this may include a data holder providing corrected data to an accredited data recipient),[30] or
• a practice, procedure or system that the entity has implemented to ensure compliance with the privacy safeguards (such as a periodic audit or monitoring program) indicates that the CDR data previously disclosed was incorrect.

11.42 The obligation to notify the consumer that disclosed CDR data was incorrect is not affected by whether the entity took reasonable steps to ensure the quality of the data. Privacy Safeguard 11 and rule 7.10 of the CDR Rules require the consumer to be notified when, in fact, the CDR data was not accurate, up to date and complete when disclosed, regardless of the reason for the incorrect data.

What information must be provided to the consumer when incorrect CDR data has been disclosed?

11.43 Rule 7.10 of the CDR Rules requires a data holder or accredited data recipient that has disclosed incorrect CDR data to an accredited person to provide the consumer, via electronic means, with a written notice that:

• identifies the accredited person
• states the date of the disclosure
• identifies which CDR data was incorrect, and
• states that the data holder or accredited data recipient must disclose the corrected data to that accredited person if the consumer requests that they do so.

11.44 Where the data holder or accredited data recipient disclosed the incorrect CDR data to an accredited person who was collecting that CDR data on behalf of another accredited person (the ‘principal’) under a CDR outsourcing arrangement, the data holder or accredited data recipient only needs to identify the principal accredited person in the notice.[31]

11.45 A notice may deal with one or more disclosures of incorrect CDR data.

How must a notice be provided?

11.46 Rule 7.10 of the CDR Rules requires a data holder or accredited data recipient to notify the consumer in writing by electronic means after disclosing incorrect data.

11.47 The requirement for this notice to be given by electronic means will be satisfied if, for example, the notice is given over email or over the consumer’s dashboard.

11.48 The written notice may, for instance, be in the body of an email or in an electronic file attached to an email.

How quickly must the consumer be notified?

11.49 Data holders and accredited data recipients must provide notices to the consumer as soon as practicable, but no more than 5 business days after the entity becomes aware that some or all of the disclosed data was incorrect.

11.50 The test of practicability is an objective test. The entity should be able to justify that it is not practicable to give notification more quickly than 5 days after becoming aware of the disclosure of incorrect CDR data.[32]

11.51 In adopting a timetable that is ‘practicable’, an entity can take technical and resource considerations into account. However, it is the responsibility of the entity to justify any delay in providing the notice.

11.52 The maximum time of 5 business days will rarely be an appropriate period of time before a notice is given. This maximum period would only be appropriate in circumstances such as where a system error has caused a data holder to disclose incorrect data to a large number of accredited persons in respect of a large number of consumers.

11.53 The 5 business day period commences on the day after the entity becomes aware that some or all of the disclosed data was incorrect.[33] For example, if the entity becomes aware on 2 August, the 5 business day period begins on 3 August.

11.54 A ‘business day’ is a day that is not Saturday, Sunday or a public holiday in the place concerned.[34]

In what circumstances must an entity disclose corrected CDR data to the original recipient?

11.55 Privacy Safeguard 11 requires data holders and accredited data recipients to disclose corrected CDR data, in accordance with the CDR Rules, to the original recipient[35] of the disclosure if:[36]

• the entity has advised the consumer that some or all of the CDR data was incorrect when the entity disclosed it, and
• the consumer requests, in accordance with the CDR rules, the entity to disclose the corrected CDR data.

11.56 The obligation to disclose corrected CDR data applies regardless of whether the entity failed to take reasonable steps to ensure the quality of the CDR data disclosed.

11.57 The term ‘corrected CDR data’ is not defined in the Competition and Consumer Act. For the purposes of the obligation to disclose corrected CDR data under Privacy Safeguard 11, ‘corrected CDR data’ includes:

• CDR data which has been corrected in accordance with paragraph 56EP(3)(a)(i) of the Competition and Consumer Act, and
• CDR data for which a qualifying statement has been included in accordance with paragraph 56EP(3)(a)(ii) of the Competition and Consumer Act.[37]

Record keeping requirements

11.58 If an entity discloses corrected CDR data in accordance with Privacy Safeguard 11,[38] the entity (and, if the data is disclosed to an accredited person, the recipient) must comply with the record keeping requirements under rule 9.3 in the CDR Rules.

11.59 For data holders, subrule 9.3(1) of the CDR Rules requires the entity to keep and maintain various records relating to CDR data, including records of disclosures of CDR data made in response to consumer data requests.[39] If corrected data is disclosed, the data holder must keep and maintain a record of both the initial disclosure in which incorrect CDR data was disclosed, and the subsequent disclosure in which the corrected CDR data was disclosed. This is because both disclosures are made in response to the original consumer data request. There is no requirement, however, to record the disclosure as either ‘correct’ or ‘incorrect’.

11.60 For accredited data recipients, subrule 9.3(2) of the CDR Rules requires the recipient to keep and maintain various records relating to CDR data, including records of collections of CDR data under the CDR Rules.[40] This means that, similarly to data holders, accredited data recipients must keep and maintain a record of both the initial collection of the incorrect CDR data and the subsequent collection of the corrected CDR data, in circumstances where corrected CDR data is disclosed under subsection  56EN(4) of the Competition and Consumer Act.

How does Privacy Safeguard 11 interact with the other privacy safeguards?

Privacy Safeguard 5

11.61 Privacy Safeguard 5 requires an accredited data recipient to notify a consumer of the collection of their CDR data by updating the consumer’s dashboard.

11.62 Where an accredited data recipient has collected CDR data, and then collects corrected CDR data after the data holder complies with the consumer’s request to correct and disclose corrected data under Privacy Safeguards 11 and 13, the accredited data recipient must notify that consumer under Privacy Safeguard 5 in respect of both collections.

Privacy Safeguard 10

11.63 Privacy Safeguard 10 requires data holders to notify a consumer of the disclosure of their CDR data by updating the consumer’s dashboard.

11.64 Where a data holder has disclosed CDR data, and then discloses corrected CDR data as a result of the consumer’s request to correct and disclose corrected CDR data under Privacy Safeguards 11 and 13, the data holder must notify that consumer under Privacy Safeguard 10 in respect of both disclosures.

Privacy Safeguard 12

11.65 Where an accredited data recipient amends CDR data to comply with Privacy Safeguard 11, it should consider whether it needs to take action under Privacy Safeguard 12 to destroy or de-identify the original data.

Privacy Safeguard 13

11.66 As set out in Chapter 13 (Correction of CDR data), a correction request made under Privacy Safeguard 13 may trigger the obligations under Privacy Safeguard 11.

11.67 Privacy Safeguard 13 applies where a consumer requests that a data holder or accredited data recipient correct their CDR data, where that data has previously been disclosed under the CDR Rules. In most circumstances, Privacy Safeguard 13 requires the data holder or accredited data recipient to respond to the consumer’s request by either correcting the CDR data, including a qualifying statement with the CDR data to ensure it is accurate, up to date, complete and not misleading (having regard to the purpose for which it is held), or stating why a correction is unnecessary or inappropriate. [41]

11.68 Where a data holder corrects CDR data or includes a qualifying statement with the data in accordance with Privacy Safeguard 13, they should be aware that this may trigger Privacy Safeguard 11, meaning the consumer must be advised of any previous disclosures of the CDR data where the data may have been incorrect when it was disclosed. In such circumstances, the data holder will be on notice that the CDR data was likely incorrect when disclosed.