Chapter 13: Privacy Safeguard 13 – Correction of CDR data

Key points

• Privacy Safeguard 13, [1] together with the consumer data rules (CDR Rules) and the Competition and Consumer Regulations, sets out obligations for data holders and accredited data recipients of CDR data in relation to correction requests made by consumers in respect of their CDR data.
• Privacy Safeguard 13 does not apply to the Australian Energy Market Operator Limited (AEMO) in its capacity as a data holder. [2] Accordingly, unless otherwise indicated, all references in this Chapter to data holders exclude AEMO.

What does Privacy Safeguard 13 say?

13.1 Privacy Safeguard 13 requires data holders and accredited data recipients who:

• receive a request from the consumer to correct their CDR data, and
• in the case of data holders, were earlier required or authorised under the CDR Rules to disclose the CDR data

to respond to the request by taking the relevant steps set out in the CDR Rules.

13.2 Rule 7.14 of the CDR Rules prohibits data holders and accredited data recipients from charging a fee for responding to or actioning a correction request.

Privacy Safeguard 13 obligations in respect of CDR data that is not AEMO data

13.3 For CDR data that is not AEMO data, rule 7.15 of the CDR Rules requires an entity to acknowledge receipt of a correction request as soon as practicable and sets out how the entity must, within 10 business days after receipt of the request, and to the extent it considers appropriate:

• correct the CDR data, or
• both:
  • include a statement with the CDR data to ensure that, having regard to the purpose for which the CDR data is held, it is accurate, up to date, complete and not misleading (qualifying statement), and
  • where practicable, attaching an electronic link to a digital record of the data in such a way that the statement will be apparent to any users of the data.

13.4 The entity must also give the consumer a notice, via electronic means, setting out how they responded to the correction request, why a correction or qualifying statement is unnecessary or inappropriate if no changes were made, and the complaint mechanisms available to the consumer.

Privacy Safeguard 13 obligations in respect of AEMO data

13.5 Privacy Safeguard 13 does not apply to AEMO. [3] However, it does apply (with modifications) to retailers in the energy sector, in relation to CDR data held by AEMO that AEMO has disclosed to the retailer as required by the Competition and Consumer Act. [4] Retailers must also comply with Privacy Safeguard 13 in respect of their own CDR data holdings. [5]

13.6 Clause 6.1 of Schedule 4 to the CDR Rules requires a retailer to acknowledge receipt of a correction request that relates to AEMO data as soon as practicable and:

• if the request relates to NMI (national metering identifier) standing data or metering data, to initiate the relevant correction procedures under the National Electricity Rules, or
• if the request relates to DER (distributed energy resource) register data, to provide the consumer with information about how they can contact the distributor to have the data corrected.

Why is it important?

13.7 The objective of Privacy Safeguard 13 is to ensure consumers have trust in and control over the accuracy of their CDR data that is disclosed and used as part of the CDR system.

13.8 For CDR data that is not AEMO data, Privacy Safeguard 13 does this by ensuring entities are required to correct CDR data in certain circumstances when requested to do so by the consumer. For AEMO data a retailer was earlier required or authorised to disclose under the CDR Rules, Privacy Safeguard 13 does this by requiring the retailer to initiate relevant correction procedures under the National Electricity Rules (in respect of NMI standing data or metering data) or provide the consumer with information about how they can contact the distributor to have their data corrected (in respect of DER register data).

13.9 This allows consumers to realise the benefits of the CDR system, such as receiving competitive offers from other service providers, as the accuracy of the data made available to sector participants can be relied upon.

Who does Privacy Safeguard 13 apply to?

13.10 Privacy Safeguard 13 applies to data holders and accredited data recipients of CDR data. It does not apply to designated gateways or AEMO. [6]

13.11 Importantly, in relation to data holders, Privacy Safeguard 13 only applies where a consumer has requested that a data holder correct their CDR data and the data holder was earlier required or authorised to disclose it under the CDR Rules. [7] APP 13 will continue to apply to CDR data that is personal information in all other circumstances. For example, where a consumer makes a correction request, but the CDR data has not previously been disclosed by the data holder under the CDR Rules, APP 13 will apply.

13.12 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 13. However, under the terms of the CDR representative arrangement with their CDR principal, [8] a CDR representative is required to comply with Privacy Safeguard 13 in its handling of service data as if it were the CDR principal. [9] [10] A CDR principal breaches subrule 7.16(1) of the CDR Rules if its CDR representative fails to comply with Privacy Safeguard 13 (subsection 56EP(2) of the Competition and Consumer Act) as if it were an accredited person (regardless of whether the CDR representative’s actions accord with the CDR representative arrangement). [11]

How Privacy Safeguard 13 interacts with the Privacy Act

13.13 It is important to understand how Privacy Safeguard 13 interacts with the  Privacy Act 1988 and the APPs.[12]

13.14 APP 13 requires an APP entity to correct personal information held by the entity in certain circumstances.

When must an entity correct CDR data?

13.15 Privacy Safeguard 13 and rule 7.15 of the CDR Rules require an entity to correct or include a qualifying statement with CDR data (other than AEMO data) within 10 business days after the CDR consumer has requested their CDR data be corrected, unless the entity does not consider a correction or qualifying statement to be appropriate. [16]

13.16 Different obligations apply for entities that receive a correction request relating to AEMO data. A retailer will not be required to correct AEMO data but will instead be required to:

• for NMI standing data or metering data - initiate relevant correction procedures under the National Electricity Rules, or
• for DER register data - provide the requester with information about how the requester can contact the distributor to have the data corrected.

Acknowledging receipt of correction requests

13.17 When a consumer makes a request to correct their CDR data, subrule 7.15(a) of the CDR Rules requires the entity to acknowledge receipt of the correction request as soon as practicable.

13.18 An entity must acknowledge it has received the correction request. It is best practice for an entity to update the consumer dashboard to reflect that a correction request has been received, provided the consumer dashboard has such a functionality.

13.19 However, it is not a requirement that this acknowledgement be in writing or through the dashboard. For example, acknowledgement provided by other electronic means or over the phone is sufficient. Where an entity acknowledges receipt over the phone, it is best practice to also make a record of this as evidence that it has complied with subrule 7.15(a) of the CDR Rules.

13.20 In adopting a timetable that is ‘practicable’, an entity can take technical and resource considerations into account. However, it is the responsibility of the entity to justify any delay in acknowledging receipt of a request.

Actioning and responding to correction requests (for CDR data that is not AEMO data)

Taking action to correct, or qualify, the CDR data

13.21 Rule 7.15 of the CDR Rules requires an entity that receives a correction request relating to CDR data (that is not AEMO data) to either:

• correct the CDR data, or
• both:
  • include a qualifying statement with the data to ensure that, having regard to the purpose for which it is held, the data is accurate, up to date, complete and not misleading, and
  • where practicable, attach an electronic link to a digital record of the data in such a way that the statement will be apparent to any users of the data.

The entity must take one of these steps within 10 business days after receipt of the request, and to the extent that the entity considers appropriate in relation to the CDR data that is the subject of the request.

13.22 The 10 business day period commences on the day after the entity receives the correction request. [17] For example, if the entity receives the correction request on 2 August, the 10 business day period begins on 3 August.

13.23 A ‘business day’ is a day that is not Saturday, Sunday or a public holiday in the place concerned.

13.24 An entity must first consider the extent to which it considers it appropriate to correct or qualify the information. Once it determines this, it must either correct the CDR data or include a qualifying statement with the CDR data. Such corrections or qualifying statements must make the data accurate, up to date, complete and not misleading having regard to the purpose for which it is held (to the best of the entity’s knowledge).

13.25 The requirement to, where practicable, attach an electronic link to a digital record of the CDR data helps to ensure that any qualifying statement included with the CDR data is prominently displayed to those who access the data. An entity’s systems should be set up so that the CDR data cannot be accessed without the qualifying statement or a link to that statement being prominently displayed.

13.26 If an entity requires further information or explanation before it can determine which action to take, the entity should clearly explain to the consumer what additional information or explanation is required and/or why the entity cannot act on the information already provided. The entity could also advise where additional material may be obtained. The consumer should be given a reasonable opportunity to comment on the refusal or reluctance of the entity to make a correction without further information or explanation from the consumer.

13.27 An entity should also be prepared to search its own records and other readily accessible sources that it reasonably expects to contain relevant information, to find any information in support of, or contrary to, the consumer’s request. However, an entity need not conduct a full, formal investigation into the matters about which the consumer requests correction. The extent of the investigation required will depend on the circumstances, including the seriousness of any adverse consequences for the consumer if the CDR data is not corrected as requested.

When action is not necessary in response to a request

13.28 An entity may consider that it is not appropriate to make any correction or qualifying statement at all, [18] because (for instance) the CDR data as it exists is accurate, up to date, complete and not misleading, for the purpose it is held.

13.29 In such circumstances, the entity must give the CDR consumer a notice in accordance with subrule 7.15(c) in the CDR Rules detailing the reasons why it considered that no correction or qualifying statement was necessary or appropriate and setting out the available complaint mechanisms. [19]

13.30 Reasons for not correcting CDR data or including a qualifying statement with the data may include:

• while there are inaccuracies in the data, it is nevertheless accurate, up to date, complete and not misleading for the purpose for which it is held
• the CDR consumer is mistaken and has made the correction request in error
• the CDR consumer is attempting to prevent an accredited person from collecting accurate CDR data that is unfavourable to the consumer
• the entity is an accredited data recipient of the CDR data, but the request is in respect of data the entity has collected from a data holder, and the accredited data recipient is unable to determine whether the CDR data is correct using its own records and other readily accessible sources, [20] with the effect that the consumer should make the request to the data holder, or
• the CDR data has already been corrected, or a qualifying statement already included with the data, on a previous occasion.

How must a correction notice be provided to consumers?

13.31 Subrule 7.15(c) of the CDR Rules requires an entity that receives a request from a CDR consumer to correct CDR data to give the consumer a written notice by electronic means. The written notice must contain the matters set out in paragraph 13.35 below.

13.32 The requirement for written notices to be given by electronic means will be satisfied if the notice is given, for example, over email or over the consumer’s dashboard.

13.33 The written notice may be in the body of an email or in an electronic file attached to an email.

13.34 While SMS is an electronic means of communicating a notice, practically it is unlikely to be appropriate as the number of matters that the written notice must address under subrule 7.15(c) of the CDR Rules would likely make the SMS very long.

What must be included in a correction notice to consumers?

13.35 The correction notice to the consumer must set out:

• what the entity did in response to the request
• if the entity did not consider it appropriate to correct the data or include a qualifying statement, why a correction or statement is unnecessary or inappropriate, and
• the complaint mechanisms available to the consumer.

13.36 The complaint mechanisms available to the consumer that must be included in the notice are:

• the entity’s internal dispute resolution processes relevant to the consumer, including any information from the entity’s CDR policy about the making of a complaint relevant to the entity’s obligations to respond to correction requests, and
• external complaint mechanisms the consumer is entitled to access, including the consumer’s right to complain to the Australian Information Commissioner under Part V of the Privacy Act, [21] and any external dispute resolution schemes recognised by the Australian Competition and Consumer Commission under subsection 56DA(1) of the Competition and Consumer Act.

13.37 An entity may, but is not required to, advise the consumer that if they have suffered loss or damage by the entity’s acts or omissions in contravention of the privacy safeguards or CDR Rules, they have a right to bring an action for damages in a court of competent jurisdiction under section 56EY of the Competition and Consumer Act.

Actioning and responding to correction requests (for AEMO data)

13.38 If a retailer receives a correction request relating to AEMO data, the retailer is not required to take action to correct, or qualify, the CDR data. Instead, the retailer must, as soon as practicable:

• initiate the relevant correction procedures under the National Electricity Rules in relation to any NMI standing data or metering data for which correction is requested, and
• if the request relates to DER register data, provide the consumer with information about how the consumer can contact the distributor to have the data corrected. [22]

What are the correction considerations?

13.39 For CDR data that is not AEMO data, Privacy Safeguard 13 requires that any statement included with CDR data in response to a correction request is to ensure that, having regard to the purpose for which it is held, the CDR data is ‘accurate’, ‘up to date’, ‘complete’ and ‘not misleading’. [23] ‘Held’ is discussed in  Chapter B (Key concepts).

13.40 Whether or not CDR data is accurate, up to date, complete and not misleading must be determined with regard to the purpose for which it is held.

13.41 When working out the purpose for which the CDR data is or was held, entities must disregard the purpose of holding the CDR data so that it can be disclosed as required under the CDR Rules. [24]

13.42 For example, a data holder that is an authorised deposit-taking institution collects transaction data for the purpose of providing a banking service to its customer. It does not hold transaction data for the purpose of being required to disclose the data under the CDR system.  Another example is a data holder that is an energy provider collects consumer contact details for the purpose of providing an energy service to its customer. It does not hold the consumer contact details for the purpose of being required to disclose the data under the CDR system. ‘Purpose’ is discussed further in  Chapter B (Key concepts).

13.43 The four terms listed in Privacy Safeguard 13, ‘accurate’, ‘up to date’, ‘complete’ and ‘not misleading’ are not defined in the Competition and Consumer Act or the Privacy Act. [25]

13.44 The following analysis of each term draws on the ordinary meaning of the terms, the APP Guidelines and Part V of the  Freedom of Information Act 1982. [26] As the analysis indicates, there is overlap in the meaning of the terms.

Accurate

13.45 CDR data is inaccurate if it contains an error or defect or is misleading. An example is factual information about a consumer’s account, income, assets, payment history or repayment history or employment status which is incorrect for the purpose it is held.

13.46 CDR data that is derived from other CDR data is not inaccurate by reason only that the consumer disagrees with the method or result of the derivation. [27] For the purposes of Privacy Safeguard 13, derived data may be ‘accurate’ if it is presented as such and accurately records the method of derivation (if appropriate).

13.47 For instance, an accredited data recipient may use the existing information it holds about a consumer to predict their income over a certain period of time. If the data is presented as the estimated future income for the consumer for that period, and states the bases of the estimation (that is, it is based on the consumer’s income over the previous financial years), this would not be inaccurate solely because, for instance, the consumer believes their income will be higher or lower during the projected period.

13.48 CDR data may be inaccurate even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer.

Up to date

13.49 CDR data is not up to date if it contains information that is no longer current. An example is a statement that a consumer has an active account with a certain entity, where the consumer has since closed that account or changed providers.

13.50 Another example is an assessment that a consumer has the ability to meet a loan repayment obligation, where in fact the consumer’s ability to do so has since changed. [28]

13.51 CDR data about a past event may have been up to date at the time it was recorded but has been overtaken by a later development. Whether that data is up to date will depend on the purpose for which it is held. If, for instance, a consumer has had their second child but their CDR data records them as only having one child, the CDR data will still be up to date if the data that records the consumer as having one child is held simply for the purpose of recording whether the consumer is a parent.

13.52 In a similar manner to accuracy, CDR data may not be up to date even if it is consistent with a consumer’s instructions or if the inaccuracy is attributable to the consumer.

Complete

13.53 CDR data is incomplete if it presents a partial or misleading picture of a matter of relevance, rather than a true or full picture.

13.54 An example is data from which it can be inferred that a consumer owes a debt, which in fact has been repaid. The CDR data will be incomplete under Privacy Safeguard 13 if the data is held, for instance, for the purpose of determining the borrowing capacity of the consumer. Where the CDR data is held for a different purpose for which the debt is irrelevant, the fact that the debt has been repaid may not of itself render the CDR data incomplete. If, however, the accredited person has requested a consumer’s CDR data for a specific period, and in that period the consumer owed a debt which is recorded in the CDR data, and that debt was repaid in a later period, the CDR data will still be ‘complete’ in respect of that specific period.

Not misleading

13.55 CDR data will be misleading if it conveys a meaning that is untrue or inaccurate or could lead a user, receiver or reader of the information into error. An example is a statement that is presented as a statement of fact but in truth is a record of the opinion of a third-party. In some circumstances an opinion may be misleading if it fails to include information about the facts on which the opinion was based, or the context or circumstances in which the opinion was reached.

13.56 CDR data may also be misleading if other relevant information is not included.

Charges to correct CDR data

13.57 Rule 7.14 of the CDR Rules prohibits an entity from charging a fee for responding to, or actioning, a request under Privacy Safeguard 13.

Interaction with other privacy safeguards

Privacy Safeguard 5

13.58 Privacy Safeguard 5 requires an accredited data recipient of CDR data to notify a consumer of the collection of their CDR data by updating the consumer’s dashboard.

13.59 Where an accredited person has collected CDR data, and then collects corrected CDR data after the data holder or accredited data recipient complies with the consumer’s requests to correct and disclose corrected data under Privacy Safeguards 11 and 13, the accredited person must notify that consumer under Privacy Safeguard 5 in respect of both collections.

Privacy Safeguard 10

13.60 Privacy Safeguard 10 requires a data holder and accredited data recipient to notify a CDR consumer of the disclosure of their CDR data by updating the consumer’s dashboard.

13.61 Where a data holder or accredited data recipient has disclosed CDR data and then discloses corrected data as a result of the consumer’s requests to correct and disclose corrected data under Privacy Safeguards 11 and 13, the entity must notify that consumer under Privacy Safeguard 10 in respect of both disclosures.

Privacy Safeguard 11

13.62 A correction request made under Privacy Safeguard 13 may trigger a CDR entity’s obligations under Privacy Safeguard 11 (Quality of CDR data).

13.63 Under Privacy Safeguard 11, data holders and accredited data recipients have an obligation to advise consumers if they disclose CDR data at a point in time, but then later become aware that some or all of the CDR data disclosed was inaccurate, out of date or incomplete, having regard to the purpose for which the data was held at the time of disclosure. Privacy Safeguard 11 also requires data holders and accredited persons to disclose corrected CDR data to the accredited person who originally received the data, where requested by the affected consumer.

13.64 A CDR entity may become aware of inaccuracies in CDR data in a range of ways – including through a consumer’s request that the entity correct their CDR data under Privacy Safeguard 13, or during an investigation that is triggered by a Privacy Safeguard 13 request.

13.65 Therefore, an entity that corrects CDR data, or includes a qualifying statement with such data in accordance with Privacy Safeguard 13, must also consider whether the consumer must be advised of any previous disclosures of incorrect CDR data, in accordance with Privacy Safeguard 11. [29]

Privacy Safeguard 12

13.66 Where an accredited data recipient corrects CDR data to comply with Privacy Safeguard 13, it should consider whether it needs to take action under Privacy Safeguard 12 to destroy or de-identify the original data.