Publication date: 15 November 2022

Download the print version (version 4.0)

Key points

  • Privacy Safeguard 13, [1] together with the consumer data rules (CDR Rules) and the Competition and Consumer Regulations, sets out obligations for data holders and accredited data recipients of CDR data in relation to correction requests made by consumers in respect of their CDR data.
  • Privacy Safeguard 13 does not apply to the Australian Energy Market Operator Limited (AEMO) in its capacity as a data holder. [2] Accordingly, unless otherwise indicated, all references in this Chapter to data holders exclude AEMO.

What does Privacy Safeguard 13 say?

13.1 Privacy Safeguard 13 requires data holders and accredited data recipients who:

  • receive a request from the consumer to correct their CDR data, and
  • in the case of data holders, were earlier required or authorised under the CDR Rules to disclose the CDR data

to respond to the request by taking the relevant steps set out in the CDR Rules.

13.2 Rule 7.14 of the CDR Rules prohibits data holders and accredited data recipients from charging a fee for responding to or actioning a correction request.

Privacy Safeguard 13 obligations in respect of CDR data that is not AEMO data

13.3 For CDR data that is not AEMO data, rule 7.15 of the CDR Rules requires an entity to acknowledge receipt of a correction request as soon as practicable and sets out how the entity must, within 10 business days after receipt of the request, and to the extent it considers appropriate:

  • correct the CDR data, or
  • both:
    • include a statement with the CDR data to ensure that, having regard to the purpose for which the CDR data is held, it is accurate, up to date, complete and not misleading (qualifying statement), and
    • where practicable, attaching an electronic link to a digital record of the data in such a way that the statement will be apparent to any users of the data.

13.4 The entity must also give the consumer a notice, via electronic means, setting out how they responded to the correction request, why a correction or qualifying statement is unnecessary or inappropriate if no changes were made, and the complaint mechanisms available to the consumer.

Privacy Safeguard 13 obligations in respect of AEMO data

13.5 Privacy Safeguard 13 does not apply to AEMO. [3] However, it does apply (with modifications) to retailers in the energy sector, in relation to CDR data held by AEMO that AEMO has disclosed to the retailer as required by the Competition and Consumer Act. [4] Retailers must also comply with Privacy Safeguard 13 in respect of their own CDR data holdings. [5]

13.6 Clause 6.1 of Schedule 4 to the CDR Rules requires a retailer to acknowledge receipt of a correction request that relates to AEMO data as soon as practicable and:

  • if the request relates to NMI (national metering identifier) standing data or metering data, to initiate the relevant correction procedures under the National Electricity Rules, or
  • if the request relates to DER (distributed energy resource) register data, to provide the consumer with information about how they can contact the distributor to have the data corrected.

Why is it important?

13.7 The objective of Privacy Safeguard 13 is to ensure consumers have trust in and control over the accuracy of their CDR data that is disclosed and used as part of the CDR system.

13.8 For CDR data that is not AEMO data, Privacy Safeguard 13 does this by ensuring entities are required to correct CDR data in certain circumstances when requested to do so by the consumer. For AEMO data a retailer was earlier required or authorised to disclose under the CDR Rules, Privacy Safeguard 13 does this by requiring the retailer to initiate relevant correction procedures under the National Electricity Rules (in respect of NMI standing data or metering data) or provide the consumer with information about how they can contact the distributor to have their data corrected (in respect of DER register data).

13.9 This allows consumers to realise the benefits of the CDR system, such as receiving competitive offers from other service providers, as the accuracy of the data made available to sector participants can be relied upon.

Who does Privacy Safeguard 13 apply to?

13.10 Privacy Safeguard 13 applies to data holders and accredited data recipients of CDR data. It does not apply to designated gateways or AEMO. [6]

13.11 Importantly, in relation to data holders, Privacy Safeguard 13 only applies where a consumer has requested that a data holder correct their CDR data and the data holder was earlier required or authorised to disclose it under the CDR Rules. [7] APP 13 will continue to apply to CDR data that is personal information in all other circumstances. For example, where a consumer makes a correction request, but the CDR data has not previously been disclosed by the data holder under the CDR Rules, APP 13 will apply.

13.12 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 13. However, under the terms of the CDR representative arrangement with their CDR principal, [8] a CDR representative is required to comply with Privacy Safeguard 13 in its handling of service data as if it were the CDR principal. [9] [10] A CDR principal breaches subrule 7.16(1) of the CDR Rules if its CDR representative fails to comply with Privacy Safeguard 13 (subsection 56EP(2) of the Competition and Consumer Act) as if it were an accredited person (regardless of whether the CDR representative’s actions accord with the CDR representative arrangement). [11]

How Privacy Safeguard 13 interacts with the Privacy Act

13.13 It is important to understand how Privacy Safeguard 13 interacts with the  Privacy Act 1988 and the APPs.[12]

13.14 APP 13 requires an APP entity to correct personal information held by the entity in certain circumstances.

CDR entity

Privacy protections that apply in the CDR context

Accredited data recipient

Privacy Safeguard 13

For an accredited data recipient of a consumer’s CDR data, Privacy Safeguard 13 applies to the correction of that CDR data. [13]

The APPs do  not apply to accredited data recipients in relation to that CDR data. [14]

Data holder (other than AEMO)

Privacy Safeguard 13 or APP 13

Privacy Safeguard 13 applies instead of APP 13 where a consumer has requested that a data holder correct their CDR data, and the data holder was earlier required or authorised to disclose it under the CDR Rules.

APP 13 continues to apply to CDR data that is personal information in all other circumstances. This includes where:

  • the consumer makes a correction request, but the data has not previously been disclosed by the data holder under the CDR Rules, or
  • the consumer has not made a correction request, but the APP entity is satisfied that the data it holds is incorrect. [15]

Data holder (AEMO)

APP 13

Privacy Safeguard 13 does not apply to AEMO as a data holder.

Designated gateway

APP 13

Privacy Safeguard 13 does not apply to designated gateways.

When must an entity correct CDR data?

13.15 Privacy Safeguard 13 and rule 7.15 of the CDR Rules require an entity to correct or include a qualifying statement with CDR data (other than AEMO data) within 10 business days after the CDR consumer has requested their CDR data be corrected, unless the entity does not consider a correction or qualifying statement to be appropriate. [16]

13.16 Different obligations apply for entities that receive a correction request relating to AEMO data. A retailer will not be required to correct AEMO data but will instead be required to:

  • for NMI standing data or metering data - initiate relevant correction procedures under the National Electricity Rules, or
  • for DER register data - provide the requester with information about how the requester can contact the distributor to have the data corrected.

Acknowledging receipt of correction requests

13.17 When a consumer makes a request to correct their CDR data, subrule 7.15(a) of the CDR Rules requires the entity to acknowledge receipt of the correction request as soon as practicable.

13.18 An entity must acknowledge it has received the correction request. It is best practice for an entity to update the consumer dashboard to reflect that a correction request has been received, provided the consumer dashboard has such a functionality.

13.19 However, it is not a requirement that this acknowledgement be in writing or through the dashboard. For example, acknowledgement provided by other electronic means or over the phone is sufficient. Where an entity acknowledges receipt over the phone, it is best practice to also make a record of this as evidence that it has complied with subrule 7.15(a) of the CDR Rules.

13.20 In adopting a timetable that is ‘practicable’, an entity can take technical and resource considerations into account. However, it is the responsibility of the entity to justify any delay in acknowledging receipt of a request.

Actioning and responding to correction requests (for CDR data that is not AEMO data)

Taking action to correct, or qualify, the CDR data

13.21 Rule 7.15 of the CDR Rules requires an entity that receives a correction request relating to CDR data (that is not AEMO data) to either:

  • correct the CDR data, or
  • both:
    • include a qualifying statement with the data to ensure that, having regard to the purpose for which it is held, the data is accurate, up to date, complete and not misleading, and
    • where practicable, attach an electronic link to a digital record of the data in such a way that the statement will be apparent to any users of the data.

The entity must take one of these steps within 10 business days after receipt of the request, and to the extent that the entity considers appropriate in relation to the CDR data that is the subject of the request.

13.22 The 10 business day period commences on the day after the entity receives the correction request. [17] For example, if the entity receives the correction request on 2 August, the 10 business day period begins on 3 August.

13.23 A ‘business day’ is a day that is not Saturday, Sunday or a public holiday in the place concerned.

13.24 An entity must first consider the extent to which it considers it appropriate to correct or qualify the information. Once it determines this, it must either correct the CDR data or include a qualifying statement with the CDR data. Such corrections or qualifying statements must make the data accurate, up to date, complete and not misleading having regard to the purpose for which it is held (to the best of the entity’s knowledge).

13.25 The requirement to, where practicable, attach an electronic link to a digital record of the CDR data helps to ensure that any qualifying statement included with the CDR data is prominently displayed to those who access the data. An entity’s systems should be set up so that the CDR data cannot be accessed without the qualifying statement or a link to that statement being prominently displayed.

13.26 If an entity requires further information or explanation before it can determine which action to take, the entity should clearly explain to the consumer what additional information or explanation is required and/or why the entity cannot act on the information already provided. The entity could also advise where additional material may be obtained. The consumer should be given a reasonable opportunity to comment on the refusal or reluctance of the entity to make a correction without further information or explanation from the consumer.

13.27 An entity should also be prepared to search its own records and other readily accessible sources that it reasonably expects to contain relevant information, to find any information in support of, or contrary to, the consumer’s request. However, an entity need not conduct a full, formal investigation into the matters about which the consumer requests correction. The extent of the investigation required will depend on the circumstances, including the seriousness of any adverse consequences for the consumer if the CDR data is not corrected as requested.

When action is not necessary in response to a request

13.28 An entity may consider that it is not appropriate to make any correction or qualifying statement at all, [18] because (for instance) the CDR data as it exists is accurate, up to date, complete and not misleading, for the purpose it is held.

13.29 In such circumstances, the entity must give the CDR consumer a notice in accordance with subrule 7.15(c) in the CDR Rules detailing the reasons why it considered that no correction or qualifying statement was necessary or appropriate and setting out the available complaint mechanisms. [19]

13.30 Reasons for not correcting CDR data or including a qualifying statement with the data may include:

  • while there are inaccuracies in the data, it is nevertheless accurate, up to date, complete and not misleading for the purpose for which it is held
  • the CDR consumer is mistaken and has made the correction request in error
  • the CDR consumer is attempting to prevent an accredited person from collecting accurate CDR data that is unfavourable to the consumer
  • the entity is an accredited data recipient of the CDR data, but the request is in respect of data the entity has collected from a data holder, and the accredited data recipient is unable to determine whether the CDR data is correct using its own records and other readily accessible sources, [20] with the effect that the consumer should make the request to the data holder, or
  • the CDR data has already been corrected, or a qualifying statement already included with the data, on a previous occasion.

Example

Jessica defaults on her credit card repayments with data holder, BankaLot Ltd. Jessica authorises BankaLot to disclose her CDR data to accredited person, CreditCardFinder Pty Ltd, which sends BankaLot a consumer data request on Jessica’s behalf. Shortly after Jessica is notified that the data has been collected, Jessica requests CreditCardFinder to correct her repayment history to show that no default was made with BankaLot.

CreditCardFinder acknowledges receipt of the request the following business day through Jessica’s consumer dashboard. CreditCardFinder determines that because the CDR data was collected from BankaLot and CreditCardFinder has no method of independently determining the correctness of the data, it is not appropriate for it to make any corrections or include any qualifying statements with the data.

CreditCardFinder then gives Jessica a notice through her consumer dashboard that states this finding, and that if Jessica wants the data to be corrected, she should request that BankaLot make the relevant correction.

The notice also sets out the complaint mechanisms available to Jessica, which are in line with the corresponding section in CreditCardFinder’s CDR policy.

How must a correction notice be provided to consumers?

13.31 Subrule 7.15(c) of the CDR Rules requires an entity that receives a request from a CDR consumer to correct CDR data to give the consumer a written notice by electronic means. The written notice must contain the matters set out in paragraph 13.35 below.

13.32 The requirement for written notices to be given by electronic means will be satisfied if the notice is given, for example, over email or over the consumer’s dashboard.

13.33 The written notice may be in the body of an email or in an electronic file attached to an email.

13.34 While SMS is an electronic means of communicating a notice, practically it is unlikely to be appropriate as the number of matters that the written notice must address under subrule 7.15(c) of the CDR Rules would likely make the SMS very long.

Privacy tip

In selecting an ‘electronic means’ for the notice, it is best practice that data holders and accredited data recipients consider the consumer’s chosen method for receiving communications (if applicable), the means of communication the consumer used to make the Privacy Safeguard 13 request, and whether the consumer is likely to receive the notice in a timely manner through a given ‘electronic means’. For example, if the entity received the request in an email from the consumer, it may be most appropriate to provide the notice by responding to that email.

What must be included in a correction notice to consumers?

13.35 The correction notice to the consumer must set out:

  • what the entity did in response to the request
  • if the entity did not consider it appropriate to correct the data or include a qualifying statement, why a correction or statement is unnecessary or inappropriate, and
  • the complaint mechanisms available to the consumer.

13.36 The complaint mechanisms available to the consumer that must be included in the notice are:

  • the entity’s internal dispute resolution processes relevant to the consumer, including any information from the entity’s CDR policy about the making of a complaint relevant to the entity’s obligations to respond to correction requests, and
  • external complaint mechanisms the consumer is entitled to access, including the consumer’s right to complain to the Australian Information Commissioner under Part V of the Privacy Act, [21] and any external dispute resolution schemes recognised by the Australian Competition and Consumer Commission under subsection 56DA(1) of the Competition and Consumer Act.

13.37 An entity may, but is not required to, advise the consumer that if they have suffered loss or damage by the entity’s acts or omissions in contravention of the privacy safeguards or CDR Rules, they have a right to bring an action for damages in a court of competent jurisdiction under section 56EY of the Competition and Consumer Act.

Actioning and responding to correction requests (for AEMO data)

13.38 If a retailer receives a correction request relating to AEMO data, the retailer is not required to take action to correct, or qualify, the CDR data. Instead, the retailer must, as soon as practicable:

  • initiate the relevant correction procedures under the National Electricity Rules in relation to any NMI standing data or metering data for which correction is requested, and
  • if the request relates to DER register data, provide the consumer with information about how the consumer can contact the distributor to have the data corrected. [22]

What are the correction considerations?

13.39 For CDR data that is not AEMO data, Privacy Safeguard 13 requires that any statement included with CDR data in response to a correction request is to ensure that, having regard to the purpose for which it is held, the CDR data is ‘accurate’, ‘up to date’, ‘complete’ and ‘not misleading’. [23] ‘Held’ is discussed in  Chapter B (Key concepts).

13.40 Whether or not CDR data is accurate, up to date, complete and not misleading must be determined with regard to the purpose for which it is held.

13.41 When working out the purpose for which the CDR data is or was held, entities must disregard the purpose of holding the CDR data so that it can be disclosed as required under the CDR Rules. [24]

13.42 For example, a data holder that is an authorised deposit-taking institution collects transaction data for the purpose of providing a banking service to its customer. It does not hold transaction data for the purpose of being required to disclose the data under the CDR system.  Another example is a data holder that is an energy provider collects consumer contact details for the purpose of providing an energy service to its customer. It does not hold the consumer contact details for the purpose of being required to disclose the data under the CDR system. ‘Purpose’ is discussed further in  Chapter B (Key concepts).

13.43 The four terms listed in Privacy Safeguard 13, ‘accurate’, ‘up to date’, ‘complete’ and ‘not misleading’ are not defined in the Competition and Consumer Act or the Privacy Act. [25]

13.44 The following analysis of each term draws on the ordinary meaning of the terms, the APP Guidelines and Part V of the  Freedom of Information Act 1982. [26] As the analysis indicates, there is overlap in the meaning of the terms.

Accurate

13.45 CDR data is inaccurate if it contains an error or defect or is misleading. An example is factual information about a consumer’s account, income, assets, payment history or repayment history or employment status which is incorrect for the purpose it is held.

13.46 CDR data that is derived from other CDR data is not inaccurate by reason only that the consumer disagrees with the method or result of the derivation. [27] For the purposes of Privacy Safeguard 13, derived data may be ‘accurate’ if it is presented as such and accurately records the method of derivation (if appropriate).

13.47 For instance, an accredited data recipient may use the existing information it holds about a consumer to predict their income over a certain period of time. If the data is presented as the estimated future income for the consumer for that period, and states the bases of the estimation (that is, it is based on the consumer’s income over the previous financial years), this would not be inaccurate solely because, for instance, the consumer believes their income will be higher or lower during the projected period.

13.48 CDR data may be inaccurate even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer.

Up to date

13.49 CDR data is not up to date if it contains information that is no longer current. An example is a statement that a consumer has an active account with a certain entity, where the consumer has since closed that account or changed providers.

13.50 Another example is an assessment that a consumer has the ability to meet a loan repayment obligation, where in fact the consumer’s ability to do so has since changed. [28]

13.51 CDR data about a past event may have been up to date at the time it was recorded but has been overtaken by a later development. Whether that data is up to date will depend on the purpose for which it is held. If, for instance, a consumer has had their second child but their CDR data records them as only having one child, the CDR data will still be up to date if the data that records the consumer as having one child is held simply for the purpose of recording whether the consumer is a parent.

13.52 In a similar manner to accuracy, CDR data may not be up to date even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer.

Complete

13.53 CDR data is incomplete if it presents a partial or misleading picture of a matter of relevance, rather than a true or full picture.

13.54 An example is data from which it can be inferred that a consumer owes a debt, which in fact has been repaid. The CDR data will be incomplete under Privacy Safeguard 13 if the data is held, for instance, for the purpose of determining the borrowing capacity of the consumer. Where the CDR data is held for a different purpose for which the debt is irrelevant, the fact that the debt has been repaid may not of itself render the CDR data incomplete. If, however, the accredited person has requested a consumer’s CDR data for a specific period, and in that period the consumer owed a debt which is recorded in the CDR data, and that debt was repaid in a later period, the CDR data will still be ‘complete’ in respect of that specific period.

Not misleading

13.55 CDR data will be misleading if it conveys a meaning that is untrue or inaccurate or could lead a user, receiver or reader of the information into error. An example is a statement that is presented as a statement of fact but in truth is a record of the opinion of a third-party. In some circumstances an opinion may be misleading if it fails to include information about the facts on which the opinion was based, or the context or circumstances in which the opinion was reached.

13.56 CDR data may also be misleading if other relevant information is not included.

Example

Angelica consents to XYZ Solutions Pty Ltd (XYZ) (an accredited person) collecting her CDR data from Bright Spark Electricity (Bright Spark) (a data holder) and using that data for the purpose of providing Angelica with recommendations for various energy products.

Angelica has previously spoken with Bright Spark employee, Bert, about energy products offered by Bright Spark and been mistakenly advised that she has made an overpayment on her energy account, when she has not actually made an overpayment. Bert had recorded, as part of Angelica’s CDR data, that Angelica has made an overpayment on her energy account.

If Angelica requests that XYZ or Bright Spark correct her CDR data, the entity may include a qualifying statement with the data that Angelica has not made an overpayment on her energy account. Alternatively, the entity may delete or alter the relevant part of the data to make clear that Angelica has not made an overpayment on her energy account. If any one of these actions was taken, the data would no longer be inaccurate or misleading.

Charges to correct CDR data

13.57 Rule 7.14 of the CDR Rules prohibits an entity from charging a fee for responding to, or actioning, a request under Privacy Safeguard 13.

Interaction with other privacy safeguards

Privacy Safeguard 5

13.58 Privacy Safeguard 5 requires an accredited data recipient of CDR data to notify a consumer of the collection of their CDR data by updating the consumer’s dashboard.

13.59 Where an accredited person has collected CDR data, and then collects corrected CDR data after the data holder or accredited data recipient complies with the consumer’s requests to correct and disclose corrected data under Privacy Safeguards 11 and 13, the accredited person must notify that consumer under Privacy Safeguard 5 in respect of both collections.

Privacy Safeguard 10

13.60 Privacy Safeguard 10 requires a data holder and accredited data recipient to notify a CDR consumer of the disclosure of their CDR data by updating the consumer’s dashboard.

13.61 Where a data holder or accredited data recipient has disclosed CDR data and then discloses corrected data as a result of the consumer’s requests to correct and disclose corrected data under Privacy Safeguards 11 and 13, the entity must notify that consumer under Privacy Safeguard 10 in respect of both disclosures.

Privacy Safeguard 11

13.62 A correction request made under Privacy Safeguard 13 may trigger a CDR entity’s obligations under Privacy Safeguard 11 (Quality of CDR data).

13.63 Under Privacy Safeguard 11, data holders and accredited data recipients have an obligation to advise consumers if they disclose CDR data at a point in time, but then later become aware that some or all of the CDR data disclosed was inaccurate, out of date or incomplete, having regard to the purpose for which the data was held at the time of disclosure. Privacy Safeguard 11 also requires data holders and accredited persons to disclose corrected CDR data to the accredited person who originally received the data, where requested by the affected consumer.

13.64 A CDR entity may become aware of inaccuracies in CDR data in a range of ways – including through a consumer’s request that the entity correct their CDR data under Privacy Safeguard 13, or during an investigation that is triggered by a Privacy Safeguard 13 request.

13.65 Therefore, an entity that corrects CDR data, or includes a qualifying statement with such data in accordance with Privacy Safeguard 13, must also consider whether the consumer must be advised of any previous disclosures of incorrect CDR data, in accordance with Privacy Safeguard 11. [29]

Privacy Safeguard 12

13.66 Where an accredited data recipient corrects CDR data to comply with Privacy Safeguard 13, it should consider whether it needs to take action under Privacy Safeguard 12 to destroy or de-identify the original data.

Footnotes

[1] Competition and Consumer Act, section 56EP.

[2] Competition and Consumer Regulations, paragraph 28RA(2)(a)(iii).For information about how Privacy Safeguard 13 applies to retailers who receive CDR data from AEMO, see paragraph 13.5 to 13.6.

[3] Competition and Consumer Regulations, paragraph 28RA(2)(a)(iii).

[4] Competition and Consumer Regulations, sub-regulation 28RA(4).

[5] See paragraphs 13.3 to 13.4 on Privacy Safeguard 13 obligations in respect of CDR data that is not AEMO data.

[6] Although Privacy Safeguard 13 does not apply to AEMO, it does apply (with modifications) to retailers in the energy sector for requests that relate to AEMO data: see paragraphs 13.5 to 13.6.

[7] Competition and Consumer Act, subsection 56EP(1).

[8] A CDR representative arrangement is a written contract between a CDR representative and their CDR principal that meets the minimum requirements listed in subrule 1.10AA(2) of the CDR Rules.

[9] CDR Rule, paragraph 1.10AA(2)(d)(i)(E).

[10] See Chapter B (Key concepts) for more information on ‘CDR principal’, ‘CDR representative’, ‘CDR representative arrangement’ and ‘service data’.

[11] CDR Rules, rule 7.16. See also rule 1.16A in relation to a CDR principal’s obligations and liability.

[12] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies (APP entities).

[13] Privacy Safeguard 13 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:

  • CDR data is held by (or on behalf of) the person
  • the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
  • the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See Competition and Consumer Act, section 56AK.

[14] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data: Competition and Consumer Act, paragraph 56EC(4)(a). However, subsection 56EC(4) does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of  personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data: see Privacy Act, subsection 6E(1D).) Subsection 56EC(4) of the Competition and Consumer Act also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1 – 4). See Competition and Consumer Act, paragraph 56EC(5)(aa).

[15] Specifically, a data holder who is also an APP entity must continue to take reasonable steps to correct CDR data that is personal information where it is inaccurate, out-of-date, incomplete, irrelevant or misleading for the purpose for which it is held under APP 13.

[16] For data holders, this obligation only arises if the entity was earlier required or authorised under the CDR Rules to disclose the CDR data.

[17] See Acts Interpretation Act 1901, section 36.

[18] See CDR Rules, subrule 7.15(b).

[19] Competition and Consumer Act, paragraph 56EP(3)(b).

[20] Note that data derived from CDR data collected by an accredited data recipient continues to be ‘CDR data’: see Competition and Consumer Act, section 56AI.

[21] Competition and Consumer Act, subsection 56ET(4).

[22] See CDR Rules, clause 6.1 of Schedule 4.

[23] Competition and Consumer Act, paragraph 56EP(3)(a)(ii).

[24] Competition and Consumer Act, subsection 56EP(4).

[25] The terms ‘accurate, ‘up to date’ and ‘complete’ are also used in Privacy Safeguard 11 in respect of the quality considerations of CDR data. See Chapter 11 (Privacy Safeguard 11) for further information and for examples of an entity determining the purpose for which it holds CDR data.

[26] See APP Guidelines, Chapter 10 (APP 10).

[27] Data derived from CDR data continues to be ‘CDR data’: see Competition and Consumer Act, section 56AI.

[28] Such an assessment will likely be ‘materially enhanced information’ under section 10 of the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019, or section 11 of the Consumer Data Right (Energy Sector) Designation 2020, and therefore not ‘required consumer data’ under the CDR Rules.

[29] Competition and Consumer Act, subsection 56EN(3).