Chapter 6: Privacy Safeguard 6 – Use or disclosure of CDR data by accredited data recipients or designated gateways

What does Privacy Safeguard 6 say?

Accredited data recipients

6.1 An accredited data recipient of a consumer’s CDR data must not use or disclose that data unless the:

• disclosure is required under the CDR Rules in response to a valid request from a consumer for the CDR data
• use or disclosure is otherwise required or authorised under the CDR Rules, or
• use or disclosure is required or authorised by or under another Australian law or a court/tribunal order, and the accredited data recipient makes a written note of the use or disclosure.

6.2 To be compliant with Privacy Safeguard 6, an accredited data recipient of CDR data must satisfy the requirements under subrules 7.5(1) and (2), and rules 7.5A and 7.6 of the CDR Rules.

Designated gateways

6.3 A designated gateway for CDR data must not use or disclose CDR data unless the:

• disclosure is required under the CDR Rules
• use or disclosure is authorised under the CDR Rules, or
• use or disclosure is required or authorised by or under an Australian law, or a court/tribunal order, and the designated gateway makes a written note of the use or disclosure.

6.4 While Privacy Safeguard 6 applies to designated gateways, there are currently no designated gateways in the banking or energy sector.[3] There are also currently no CDR Rules for the use or disclosure of CDR data by designated gateways. [4]

Who does Privacy Safeguard 6 apply to?

6.5 Privacy Safeguard 6 applies to accredited data recipients of CDR data and designated gateways for CDR data.

6.6 It does not apply to data holders. However, data holders should ensure that they adhere to their obligations under the Privacy Act 1988 and the APPs, including APP 6, when using or disclosing personal information.[5]

6.7 Data holders should also ensure that if they are a primary data holder, they comply with rule 1.24 of the CDR Rules in relation to SR data they receive from a secondary data holder in response to an SR data request.[6] Rule 1.24 states that primary data holders must not use or disclose such SR data for a purpose other than responding to the SR data request. Once the primary data holder has responded to the SR data request, it must follow the CDR data deletion process in rule 1.18 of the CDR Rules.

6.8 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 6. However, under the terms of the CDR representative arrangement with their CDR principal,[7] a CDR representative is required to not use or disclose the service data other than in accordance with the CDR representative arrangement.[8] Further, any use or disclosure of service data by the CDR representative is taken to have been a use or disclosure by their CDR principal (regardless of whether the CDR representative’s actions accord with the CDR representative arrangement).[9]

How Privacy Safeguard 6 interacts with the Privacy Act

6.9 It is important to understand how Privacy Safeguard 6 interacts with the Privacy Act and the APPs.[10]

6.10 APP 6 relates to the use or disclosure of personal information.[11]

Why is it important?

6.11 Consumer consent for the use and disclosure of their CDR data is at the heart of the CDR system.

6.12 By adhering to Privacy Safeguard 6 an accredited data recipient or designated gateway will ensure consumers have control over what their CDR data is being used for and who it is disclosed to. This is an essential part of the CDR system.

What is meant by ‘use’ and ‘disclose’?

‘Use’

6.13 The term ‘use’ is not defined within the Competition and Consumer Act.[17]

6.14 An accredited data recipient or designated gateway ‘uses’ CDR data where it handles or undertakes an activity with the CDR data within its effective control. For further discussion of use, see Chapter B (Key concepts). For example, ‘use’ includes:

• the entity accessing and reading the CDR data
• the entity making a decision based on the CDR data
• the entity de-identifying the CDR data, and
• the entity passing the CDR data from one part of the entity to another.

‘Disclose’

6.15 The term ‘disclose’ is not defined within the Competition and Consumer Act.[18]

6.16 An accredited data recipient or designated gateway ‘discloses’ CDR data when it makes it accessible or visible to others outside the entity.[19] This focuses on the act done by the disclosing party, and not on the actions or knowledge of the recipient. There will be a disclosure in these circumstances even where the information is already known to the recipient. For further discussion of disclosure, see Chapter B (Key concepts).

6.17 Examples of disclosure include where an accredited data recipient or designated gateway:

• shares the CDR data with another entity or individual, including a related party of the entity (subject to some exceptions, as outlined in paragraph 6.18 below)
• publishes the CDR data on the internet, whether intentionally or not
• accidentally provides CDR data to an unintended recipient
• reveals the CDR data in the course of a conversation with a person outside the entity, and
• displays data on a computer screen so that the CDR data can be read by another entity or individual.

6.18 Where an accredited data recipient engages a third party to perform services on its behalf, the provision of CDR data to that third party will in most circumstances be a disclosure. However, in limited circumstances, providing CDR data to a third party to perform services on behalf of the entity may be a use, rather than a disclosure. See ‘use’ and ‘disclosure’ in Chapter B (Key concepts) for guidance on how to determine whether providing CDR data to a third party is a use or disclosure.

When can an accredited data recipient use or disclose CDR data?

6.19 This section outlines when an accredited data recipient may use or disclose CDR data.[20]

6.20 This chapter does not consider when a designated gateway may use or disclose CDR data. This is because there are currently no designated gateways in the banking sector or energy sector.[21]

6.21 The following diagram outlines at a high-level the permitted and prohibited uses or disclosures of CDR data for an accredited data recipient. These uses and disclosures are discussed further below in this section.

6.22 An accredited data recipient must comply with the data minimisation principle when using CDR data. For further information on the data minimisation principle, see paragraphs 6.28- 6.30 below.

Use or disclosure required or authorised under the CDR Rules

6.23 Privacy Safeguard 6 provides that an accredited data recipient of CDR data must not use or disclose CDR data unless the use or disclosure is required or authorised under the CDR Rules.[22]

6.24 Subrule 7.5(1) of the CDR Rules authorises the following permitted uses or disclosures of CDR data by accredited data recipients:

• using CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle and in accordance with a current use consent from the consumer (other than a direct marketing consent)
• de-identifying CDR data in accordance with the CDR Rules to use for general research and/or for disclosing (including by selling) the de-identified data, in accordance with a current de-identification consent from the consumer[23]
• directly or indirectly deriving CDR data from the collected CDR data in accordance with the above uses
• disclosing to the consumer any of their CDR data for the purpose of providing the existing goods or services[24]
• disclosing the consumer’s CDR data in accordance with a current disclosure consent. This includes:[25]
  • disclosing CDR data to an accredited person in accordance with a current ‘AP disclosure consent’[26]
  • disclosing CDR data to a trusted adviser in accordance with a current ‘TA disclosure consent’
• disclosing a CDR insight to a specified person for a permitted purpose in accordance with a current ‘insight disclosure consent’[27]
• disclosing the consumer’s CDR data to an outsourced service provider under a CDR outsourcing arrangement, or to the other party in a sponsorship arrangement:
  • for specific purposes, and
  • to the extent reasonably needed to do those things[28]
• disclosing (by sale or otherwise) to any person, CDR data that has been de-identified in accordance with the CDR data de-identification process[29]
• where the accredited data recipient collected CDR data on behalf of a principal under a CDR outsourcing arrangement—disclosing service data to the principal under the arrangement[30]
• disclosing CDR data to an accredited person if the CDR consumer has provided the accredited person and accredited data recipient the appropriate consents,[31] and
• where the accredited data recipient is a CDR principal under a CDR representative arrangement – disclosing CDR data to a CDR representative for the purposes of a use or disclosure by the CDR representative that would be a permitted use or disclosure if the CDR representative were an accredited data recipient that had collected the CDR data under the consumer data request.[32]

6.25 The disclosures outlined in paragraph 6.24 are only permitted disclosures if they are done in accordance with the data standards.[33]

6.26 Subrule 7.5(2) and rule 7.5A of the CDR Rules prohibit the following uses or disclosures of CDR data by accredited data recipients:

• any uses or disclosures that an accredited data recipient is not permitted to seek consent for[34]
• disclosures of a CDR insight under an insight disclosure consent if the insight includes or reveals sensitive information as defined under section 6 of the Privacy Act.[35] For the definition of sensitive information, see Chapter B (Key concepts).
• using CDR data for the purpose of identifying, compiling insights in relation to, or building a profile in relation to, any identifiable person who is not a consumer who made the consumer data request (including through aggregating the CDR data), unless the accredited data recipient is, in accordance with the consumer’s consent:
  • deriving, from that CDR data, CDR data about that person’s interactions with the consumer, and
  • using that derived CDR data in order to provide the requested goods or services.[36]

6.27 The permitted uses and disclosures (in paragraph 6.24) are discussed further in this chapter.

Using CDR data in compliance with the data minimisation principle

6.28 An accredited data recipient must comply with the data minimisation principle when using CDR data to provide goods or services requested by the consumer, or to fulfil any other purpose consented to by the consumer.[37]

6.29 An accredited data recipient complies with the data minimisation principle if, when providing the requested goods or services or using collected CDR data for any other purpose consented to by the CDR consumer, it does not use the collected CDR data, or CDR data derived from it, beyond what is reasonably needed to provide the goods or services requested by the consumer or fulfill the other purpose as consented to by the consumer. [38] The accredited data recipient must also not seek to collect the CDR data to use for a longer time period than is reasonably needed.[39]

6.30 The data minimisation principle and meaning of ‘reasonably needed’ are discussed in more detail in Chapter B (Key concepts) and, as they relate to consent for collection, in Chapter 3 (Privacy Safeguard 3).

Using CDR data in accordance with a current consent to provide goods or services requested by the consumer

6.31 An accredited data recipient is authorised to use CDR data in accordance with a current use consent from the consumer to provide goods or services requested by the consumer.[40]

6.32 The relevant uses are those uses to which the consumer expressly consented, when providing a valid request for the accredited person to collect their CDR data from a CDR participant under subrule 4.3(1) of the CDR Rules.[41] Valid requests are discussed further in Chapter 3 (Privacy Safeguard 3).

6.33 For information regarding use consents and how they must be managed, see Chapter C (Consent).

Using or disclosing de-identified CDR data in accordance with a de-identification consent

6.34 An accredited data recipient is permitted to de-identify CDR data in accordance with a current de-identification consent[44] from the consumer to:

• use the de-identified data for general research, and/or
• disclose (including by selling) the de-identified data.[45]

6.35 The CDR data must be de-identified in accordance with the CDR data de-identification process outlined in rule 1.17 of the CDR Rules.[46]

6.36 ‘General research’ means research undertaken using de-identified CDR data that does not relate to the provision of goods or services to any particular consumer[47] (for example, research for product or business development).[48]

6.37 Before de-identifying CDR data in accordance with rule 1.17 of the CDR Rules, the accredited data recipient must have first:

• received a de-identification consent from the consumer,[49] and
• provided the consumer with additional information relating to the de-identification of CDR data.[50]

Deriving or indirectly deriving CDR data

6.38 An accredited data recipient is permitted to directly or indirectly derive CDR data from the collected CDR data in order to use the data to provide the goods or services requested by the consumer.[51]

6.39 This is a permitted use under subrule 7.5(1) of the CDR Rules and does not require the consent of the consumer.

6.40 However, where an accredited person:

• wishes to derive, from the consumer’s CDR data, CDR data about the interactions between the consumer and an identifiable person who is not the consumer, and
• will use that derived data to provide the goods or services requested by the consumer

the accredited data recipient must seek consent from the consumer before doing so.[52]

6.41 Derived CDR data is discussed in more detail in Chapter B (Key concepts).

Disclosing CDR data to the consumer

6.42 An accredited data recipient is permitted to disclose to a consumer any of their CDR data for the purpose of providing the existing goods or services.[53]

6.43 This includes CDR data collected from a data holder or accredited data recipient in response to the consumer’s valid request, as well as data that has been directly and/or indirectly derived from such CDR data.

6.44 This is a permitted disclosure under subrule 7.5(1) of the CDR Rules and does not require the consent of the consumer.

Disclosing CDR data to an accredited person

6.45 An accredited data recipient is permitted to disclose a consumer’s CDR data to an accredited person in accordance with an ‘AP disclosure consent’.[54]

6.46 An ‘AP disclosure consent’ is a consent given by the consumer for an accredited data recipient to disclose their CDR data to an accredited person in response to a consumer data request.[55]

6.47 For further information on  ‘AP disclosure consents’ and consumer data requests, see Chapter C Consent).

Disclosing CDR data to a trusted adviser

6.48 An accredited data recipient is permitted to disclose a consumer’s CDR data to a ‘trusted adviser’ in accordance with a ‘TA disclosure consent’.[56]

6.49 A ‘TA disclosure consent’ is a consent given by the consumer for an accredited data recipient to disclose their CDR data to a trusted adviser to enable the consumer to receive advice or a service from that adviser.[57]

6.50 Trusted advisers must belong to one of the following specified classes:[58]

• qualified accountants within the meaning of the Corporations Act 2001[59]
• people admitted to the legal profession that hold a current practising certificate
• registered tax agents, BAS agents and tax (financial) advisers within the meaning of the Tax Agent Services Act 2009
• financial counselling agencies within the meaning of the ASIC Corporations (Financial Counselling Agencies) Instrument 2017/792
• financial advisers that are relevant providers under the Corporations Act 2001, other than provisional and limited-service time-share advisers, and
• mortgage brokers within the meaning of the National Consumer Credit Protection Act 2009.

6.51 A person is taken to be a member of a class of trusted adviser if the accredited data recipient has taken ‘reasonable steps’ to confirm that the person is, and remains, a member of that class.[60] For more information on reasonable steps, see Chapter B (Key concepts).

6.52 Where an accredited data recipient discloses CDR data to someone who is not a member of a trusted adviser class the disclosure would contravene subrule 7.6(1) of the CDR Rules, unless the person took reasonable steps to confirm the person belonged to the class.

6.53 Trusted advisers are not CDR participants and are therefore not subject to the privacy safeguards or other obligations that apply under the CDR system. This means that the CDR data will no longer be subject to the protections of the CDR system. An accredited data recipient must explain this to the consumer at the time of disclosure in accordance with the relevant data standard.[61] The classes of trusted advisers are professions subject to existing regulatory frameworks, including consumer protection mechanisms.

6.54 For further information on ‘TA disclosure consents’ and consumer data requests, see Chapter C (Consent).

Disclosing a CDR insight to a specified person

6.55 An accredited data recipient is permitted to disclose a CDR insight in accordance with an ‘insight disclosure consent’.[62]

6.56 ‘CDR insights’ are insights based on a consumer’s CDR data. CDR insights remain CDR data. These insights are intended to allow accredited data recipients to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.

6.57 An ‘insight disclosure consent’ is a consent given by the consumer for an accredited data recipient to disclose CDR insights outside the CDR system for these limited purposes:[63]

• to verify the consumer’s identity
• to verify the consumer’s account balance, or
• to verify the details of credits to, and debits from, the consumer’s accounts.[64]

6.58 CDR insights can be disclosed to any person, provided the consumer has given valid consent.

6.59 This means that, unless the insight is disclosed to an accredited person, the CDR data will no longer be subject to the protections and safeguards of the CDR system. An accredited data recipient must explain this to the consumer at the time of disclosure in accordance with the relevant data standard.[65]

6.60 For further information on ‘insight disclosure consents’ and consumer data requests, see Chapter C (Consent).

Disclosing CDR data to an outsourced service provider

6.61 An accredited data recipient is permitted to disclose the consumer’s CDR data to an outsourced service provider for the purpose of:

• using the consumer’s CDR data to provide goods or services requested by the consumer, including by directly or indirectly deriving CDR data from the CDR data, and
• disclosing, to the consumer, any of their CDR data for the purpose of providing the existing goods or services,

to the extent reasonably needed to do those things.[66]

6.62 The consumer’s CDR data includes data collected from a data holder or accredited data recipient in response to the consumer’s request. The consumer’s CDR data also includes data that has been directly and/or indirectly derived from their CDR data.

6.63 Disclosure of a consumer’s CDR data by an accredited data recipient to an outsourced service provider for the purpose outlined in paragraph 6.61 is a permitted disclosure under subrule 7.5(1) of the CDR Rules that does not require the consent of the consumer.[67]

6.64 Where an accredited person intends to disclose the CDR data of a consumer to an outsourced service provider, the accredited person must:

• provide certain information to the consumer at the time of seeking the consumer’s consent to collect and use the consumer’s CDR data,[68] and
• include certain information about outsourced service providers in its CDR policy.[69]

6.65 An accredited data recipient who discloses CDR data to an outsourced service provider under a CDR outsourcing arrangement must ensure that the provider complies with its requirements under the arrangement.[70]

6.66 For the purposes of this permitted disclosure, an outsourced service provider is a person to whom an accredited data recipient discloses CDR data under a CDR outsourcing arrangement.[71]

6.67 In addition, the accredited data recipient should ensure that the relevant CDR outsourcing arrangement requires the outsourced service provider to adhere to the accredited data recipient’s Privacy Safeguard obligations.

6.68 The CDR outsourcing arrangement should also provide the accredited data recipient with the appropriate level of transparency to allow them to monitor and audit the arrangement.

6.69 The CDR data disclosed by an accredited data recipient to a provider under the CDR outsourcing arrangement, including any data directly or indirectly derived from such CDR data, is known as ‘service data’ in relation to that arrangement.

6.70 Any use or disclosure of such service data by the outsourced service provider (or their subcontractor) will be taken to have been a use or disclosure by the accredited data recipient. This occurs regardless of whether the use or disclosure is in accordance with the arrangement.[72]

6.71 When disclosing CDR data to an outsourced service provider located outside of Australia, an accredited data recipient must also have regard to the requirements for disclosure of CDR data to an overseas recipient under Privacy Safeguard 8.[73] See Chapter 8 (Privacy Safeguard 8) for more information.

6.72 For further information, see Chapter B (Key Concepts), ‘Outsourced service providers’.

Disclosing CDR data to the other party in a sponsorship arrangement

6.73 A party to a sponsorship arrangement is permitted to disclose the consumer’s CDR data to the other party to the arrangement for the purpose of:

• using the consumer’s CDR data to provide goods or services requested by the consumer, including by directly or indirectly deriving CDR data from the CDR data
• de-identifying CDR data to use for general research and/or to disclose (including by selling) the de-identified data, in accordance with a current de-identification consent, and
• disclosing, to the consumer, any of their CDR data for the purpose of providing the existing goods or services, to the extent reasonably needed to do those things.[74]

Disclosing service data to a principal in an CDR outsourcing arrangement

6.74 Where an accredited data recipient has collected CDR data on behalf of a principal (i.e. as an outsourced service provider) under a CDR outsourcing arrangement, the accredited data recipient is permitted to disclose that CDR data (known as ‘service data’) to the principal.[75]

6.75 ‘Service data’ consists of any CDR data that was collected from a CDR participant in accordance with the CDR outsourcing arrangement, or has been directly or indirectly derived from such CDR data.[76]

6.76 The ‘principal’ refers to the accredited person that engaged the accredited data recipient as an outsourced service provider under a CDR outsourcing arrangement.

6.77 Disclosure of service data in relation to a CDR outsourcing arrangement by an accredited data recipient to the relevant principal is a permitted disclosure under subrule 7.5(1) of the CDR Rules that does not require the consent of the consumer.

Disclosing service data to a CDR representative in a CDR representative arrangement

6.78 A CDR principal may disclose CDR data it collected on behalf of its CDR representative to that CDR representative for purposes of the CDR representative:

• using the CDR data to provide goods or services (in accordance with a use consent, and the data minimisation principal)
• de-identifying the data to use for general research or to disclose (including by sale) (in accordance with a use consent)
• directly or indirectly deriving CDR data from the collected CDR data in order to use the data for the 2 purposes outlined above
• disclosing to the CDR consumer any of their own CDR data, to provide the consumer with the requested good or services
• disclosing the consumer’s CDR data in accordance with a current disclosure consent
• disclosing (by sale or otherwise) to any person, CDR data that has been de-identified in accordance with the CDR data de-identification process, and
• disclosing CDR data to an accredited person if the CDR consumer has provided the accredited person and accredited data recipient the appropriate consents.[77]

6.79 Any use or disclosure of service data by a CDR representative is taken to have been by the CDR principal, whether or not the use or disclosure is in accordance with the CDR representative arrangement.[78]

Use or disclosure under Australian law or a court/tribunal order

6.80 An accredited data recipient may use or disclose CDR data if that use or disclosure is required or authorised by or under an Australian law or a court/tribunal order, and the entity makes a written note of the use or disclosure.[79]

6.81 For the purposes of Privacy Safeguard 6, an Australian law does not include the APPs under the Privacy Act.[80]

6.82 ‘Australian law’ and ‘court/tribunal order’ are discussed in Chapter B (Key concepts).

6.83 The accredited data recipient must keep a written note of any uses or disclosures made on this ground.

6.84 A written note should include the following details:

• the date of the use or disclosure
• details of the CDR data that was used or disclosed
• the relevant Australian law or court/tribunal order that required or authorised the use or disclosure
• if the accredited data recipient used the CDR data, how the CDR data was used by the accredited data recipient, and
• if the accredited data recipient disclosed the CDR data, to whom the CDR data was disclosed.

Interaction with other Privacy Safeguards

6.85 The restrictions on using or disclosing CDR data in Privacy Safeguard 6 are additional to those in Privacy Safeguards 7 (see Chapter 7 (Privacy Safeguard 7)), 8 (see Chapter 8 (Privacy Safeguard 8)) and 9 (see Chapter 9 (Privacy Safeguard 9)).

6.86 Privacy Safeguard 7 prohibits accredited data recipients and designated gateways from using or disclosing CDR data for direct marketing unless the use or disclosure is required or authorised under the CDR Rules and in accordance with a valid consent.

6.87 Privacy Safeguard 8 prohibits an accredited data recipient from disclosing CDR data to an overseas recipient unless an exception applies.

6.88 Privacy Safeguard 9 prohibits an accredited data recipient of CDR data that contains a government related identifier from adopting, using or disclosing that identifier, unless an exception applies.

6.89 Privacy Safeguard 7 operates to the exclusion of Privacy Safeguard 6[81] (which means that direct marketing uses or disclosures cannot be authorised under Privacy Safeguard 6), while Privacy Safeguards 8 and 9 operate as restrictions in addition to Privacy Safeguard 6.[82]