Chapter 7: Privacy Safeguard 7 – Use or disclosure of CDR data for direct marketing by accredited data recipients or designated gateways

Publication date: 15 November 2022

Download the print version (version 4.0)

Key points

Privacy Safeguard 7[1] prohibits accredited data recipients of CDR data from using or disclosing the CDR data for direct marketing, unless the consumer consents and such use or disclosure is required or authorised under the consumer data rules (CDR Rules). [2]
Direct marketing in the CDR context involves the use or disclosure of CDR data to promote goods and services directly to a consumer.
The CDR Rules permit accredited data recipients of CDR data to engage in certain direct marketing activities in relation to particular goods or services, if consent has been received to do so.
An accredited data recipient of CDR data must comply with the data minimisation principle when using the CDR data for direct marketing.

What does Privacy Safeguard 7 say?

Accredited data recipients

7.1 Privacy Safeguard 7 prohibits accredited data recipients of CDR data from using or disclosing the CDR data for direct marketing, unless:

the disclosure is required under the CDR Rules in response to a valid request from the CDR consumer, or
the use or disclosure is authorised under the CDR Rules in accordance with a valid consent from the CDR consumer.[3]

7.2 Rule 7.8 and subrule 7.5(3) of the CDR Rules authorise certain direct marketing related uses or disclosures by accredited data recipients (in accordance with the consumer’s consent).

Designated gateways

7.3 Privacy Safeguard 7 prohibits designated gateways for CDR data from using or disclosing the CDR data for direct marketing unless:

the disclosure is required or authorised under the CDR Rules, or
the use is authorised under the CDR Rules.[4]

7.4 While Privacy Safeguard 7 applies to designated gateways, there are currently no designated gateways in the banking or energy sector.[5] There are also currently no CDR Rules for the use or disclosure of CDR data by designated gateways. [6]

Why is it important?

7.5 To provide a positive consumer experience and ensure consumer control over their data. consumers should not be subjected to unwanted direct marketing.

7.6 Direct marketing is addressed separately to other uses and disclosures (see under Privacy Safeguard 6) to ensure that direct marketing under the CDR accords with the particular wishes of the CDR consumer.

Who does Privacy Safeguard 7 apply to?

7.7 Privacy Safeguard 7 applies to accredited data recipients of CDR data and designated gateways for CDR data. It does not apply to data holders.

7.8 Data holders must ensure that they adhere to their obligations under the Privacy Act 1988 and the APPs, including APP 7 in respect of direct marketing.

7.9 As a non-accredited entity, a CDR representative is not directly bound by Privacy Safeguard 7. However, under the terms of the CDR representative arrangement with their CDR principal,[7] a CDR representative is required to not use or disclose the service data other than in accordance with the CDR representative arrangement.[8] Further, any use or disclosure of service data by the CDR representative is taken to have been a use or disclosure by their CDR principal (regardless of whether the CDR representative’s actions accord with the CDR representative arrangement).[9]

How Privacy Safeguard 7 interacts with the Privacy Act

7.10 It is important to understand how Privacy Safeguard 7 interacts with the Privacy Act and the APPs.[10]

7.11 APP 7 sets out when an APP entity is prohibited from using or disclosing personal information for the purpose of direct marketing.

CDR entity	Privacy protections that apply in the CDR context
Accredited data recipient	Privacy Safeguard 7 For accredited data recipients of a consumer’s CDR data, Privacy Safeguard 7 applies to any uses or disclosures of that CDR data for direct marketing.[11] APP 7 does not apply in relation to that CDR data.[12]
Designated gateway	Privacy Safeguard 7 For designated gateways for CDR data, Privacy Safeguard 7 applies to the use and disclosure of the CDR data for direct marketing.[13] APP 7 does not apply in relation to that CDR data.[14]
Data holder[15]	APP 7 Privacy Safeguard 7 does not apply to a data holder.

CDR entity

Privacy protections that apply in the CDR context

Accredited data recipient

Privacy Safeguard 7

For accredited data recipients of a consumer’s CDR data, Privacy Safeguard 7 applies to any uses or disclosures of that CDR data for direct marketing.[11]

APP 7 does not apply in relation to that CDR data.[12]

Designated gateway

Privacy Safeguard 7

For designated gateways for CDR data, Privacy Safeguard 7 applies to the use and disclosure of the CDR data for direct marketing.[13]

APP 7 does not apply in relation to that CDR data.[14]

Data holder[15]

APP 7

Privacy Safeguard 7 does not apply to a data holder.

What is direct marketing?

7.12 ‘Direct marketing’ is not defined in the Competition and Consumer Act. The term is also used in APP 7 but is not defined in the Privacy Act.[16]

7.13 For the purpose of Privacy Safeguard 7, ‘direct marketing’ takes its ordinary meaning, and involves an entity’s use or disclosure of CDR data to communicate directly with a consumer to promote goods and services.

7.14 An example of direct marketing by an entity includes sending an email to a consumer promoting financial products using the consumer’s CDR data.[17]

7.15 ‘Direct marketing’ is distinct from the situation where:

a consumer has requested a good or service
the accredited data recipient has obtained the consumer’s consent to collect and use the consumer’s CDR data to provide this good or service, and
the requested good or service is to provide the consumer with offers about suitable products (for example, a service offered by a comparison site).[18]

This is illustrated in the following examples.

Example 1 — comparison site

Kwok wishes to obtain suitable offers from multiple providers for electricity plans and provides Tang and Co Pty Ltd, an accredited person, with a valid request to collect his CDR data from the relevant data holders of his CDR data for this purpose.

Tang and Co provides Kwok with offers for electricity plans as requested, using Kwok’s CDR data that it has collected in accordance with the CDR Rules.

Example 2 — switching banking providers

Guy is considering switching banking providers for his credit card and provides McCarthy Bank, an accredited person, with a valid request to collect his CDR data from his existing bank for the purpose of providing suitable offers in relation to credit cards.

McCarthy Bank provides Guy with the offers for credit card products as requested, using Guy’s CDR data it has collected in accordance with the CDR Rules.

In both examples, the uses of the consumer’s CDR data by the accredited person (Tang and Co/McCarthy Bank) would not be ‘direct marketing’ and Privacy Safeguard 7 would not apply. The accredited person’s use of the consumer’s CDR data would be a permitted use under Privacy Safeguard 6 as the CDR data would be used for the purpose of providing the service requested by the consumer (Kwok/Guy).

However, if Tang and Co or McCarthy Bank were to use Kwok or Guy’s CDR data to provide offers about other products not requested by the consumer, this would likely be ‘direct marketing’ and if so would be permitted only if this was authorised under the CDR Rules.[19]

When is direct marketing allowed?

7.16 Generally, an entity is not permitted to engage in direct marketing under the CDR system.

7.17 However, the CDR Rules permit an accredited data recipient of CDR data to engage in certain specific direct marketing activities in accordance with a ‘direct marketing consent’, in relation to:

the ‘existing goods or services’ being provided to the consumer, or
certain other goods or services provided by another accredited person.[20]

7.18 The ‘existing goods or services’ refer to the goods or services requested by the consumer.[21]

7.19 A ‘direct marketing consent’ is a consent provided by a consumer under the CDR Rules for an accredited data recipient to use or disclose CDR data for the purposes of direct marketing.[22] An accredited person must ask for the consumer’s express consent in accordance with Division 4.3 of the CDR Rules for any direct marketing they intend to undertake.[23]

7.20 Subrule 7.5(3) of the CDR Rules allows an accredited data recipient to use or disclose CDR data for the following permitted direct marketing activities:

in accordance with a consumer’s direct marketing consent:
- sending the consumer information about upgraded or alternative goods or services to the existing goods or services
- sending the consumer an offer to renew existing goods or services when they expire
- sending the consumer information about the benefits of existing goods or services
- sending the consumer information about other goods and services provided by another accredited person if the accredited data recipient reasonably believes the consumer might benefit from these other goods or services, and only sends such information on a reasonable number of occasions, and
- disclosing the consumer’s CDR data to an accredited person so that the accredited person may provide the goods or services referred to in the dot point above, but only where the consumer has provided a relevant collection, use and disclosure consent
using CDR data in a way and to the extent that is reasonably needed in order to send the consumer something permitted by the paragraph above (including by analysing the CDR data to identify the appropriate information to send)
disclosing the consumer’s CDR data to an outsourced service provider:
- for the purpose of doing the things referred to in the above 2 paragraphs, and
- to the extent reasonably needed to do those things, and
where the accredited data recipient is a CDR principal – disclosing CDR data to a CDR representative under a CDR representative arrangement for the purposes of specified direct marketing-related uses or disclosures by the CDR representative.[24]

Information about upgraded or alternative goods or services

7.21 Sending the consumer information about upgraded[25] or alternative[26] goods or services is direct marketing.[27] An accredited data recipient of CDR data may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[28]

Example

Loan Tracker Pty Ltd is an accredited person that offers products and services to assist consumers to monitor and repay their loans.

Loan Tracker asks its customers for their consent to receive direct marketing information about upgraded or alternative goods or services when seeking their consent to collect and use their CDR data to provide the requested service.

Through the ‘Show Me My Money’ service offered by Loan Tracker, monthly emails are sent to consumers setting out their current aggregate loan balances, the amount required to be repaid over the month, and estimating the consumer’s disposable income for that month after repayments and living expenses are taken into account.

Loan Tracker also wishes to include in its monthly emails links to information about other products and services offered by Loan Tracker which it considers might be useful to the consumer.

‘If Loan Tracker includes these links to information about other products and services, this may constitute using consumers’ CDR data to directly market its other products and services.’

‘Loan Tracker may only use the CDR data to engage in the direct marketing activities if it:

has obtained a direct marketing consent (which is still current) for the purpose of sending information about upgraded or alternative goods or services, and
is able to show that the other products and services marketed are truly ‘upgraded’ or ‘alternative’ services to the ‘Show Me My Money’ service.’

Offer to renew existing goods or services

7.22 Sending the consumer an offer to renew the existing goods or services is direct marketing.[29] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[30]

7.23 If the consumer wishes to ‘renew’ the existing goods or services, the accredited data recipient must once again seek the consumer’s consent to the collection, use and (if applicable) disclosure of their CDR data for the relevant good or service. This is because an accredited person may seek to collect CDR data only in response to a valid request from the consumer.[31]

7.24 An accredited data recipient may, in certain cases, invite a consumer to amend the duration of a consent (including a direct marketing consent), for example by extending its duration.[32] Where an accredited data recipient wishes to issue such an invitation, they should first consider whether the invitation would constitute an offer to renew the existing goods or services under paragraph 7.5(3)(a)(ii) of the CDR Rules (in which case a direct marketing consent would be required).

Information about the benefits of existing goods or services

7.25 Sending the consumer information about the benefits of the existing goods or services being used by the consumer is direct marketing.[33] An accredited data recipient may only engage in this form of direct marketing if it has obtained a direct marketing consent (which is still current) from the consumer under Division 4.3 of the CDR Rules.[34]

Information about other goods or services provided by another accredited person

7.26 Sending the consumer information about other goods or services provided by another accredited person is direct marketing. An accredited data recipient may only engage in this form of direct marketing if it:

has obtained a direct marketing consent from the consumer under Division 4.3 of the CDR Rules[35]
reasonably believes that the consumer might benefit from the goods or services offered by the other accredited person, and
sends such information to the consumer on no more than a reasonable number of occasions.[36]

Disclosure to another accredited person to enable provision of promoted goods and services

7.27 An accredited data recipient of CDR data is permitted to disclose a consumer’s CDR data to another accredited person for the purposes of enabling that accredited person to provide the goods or services outlined in paragraph 7.26.[37]

7.28 An accredited data recipient may only disclose CDR data to another accredited person if the consumer has provided both a direct marketing consent and a disclosure consent to the accredited data recipient in accordance with Division 4.3 of the CDR Rules, and has also provided a collection consent and a use consent to the accredited person who will receive the data.[38]

Using the CDR data as reasonably needed, in accordance with the data minimisation principle

7.29 Using CDR data for the purpose of sending the information or renewal offer outlined above in paragraphs 7.21, 7.22, 7.25, 7.26 and 7.27, including by analysing the data to decide what, if any, information will be sent, is direct marketing.[39]

7.30 In order to use the CDR data for this purpose, the underlying direct marketing consent for the sending of information or renewal offers must be current.

7.31 An accredited data recipient must comply with the data minimisation principle when using the CDR data for these direct marketing purposes. This means that the CDR data, and any CDR data derived from it, must only be used as reasonably needed to fulfil the relevant direct marketing purpose.

7.32 For further information on the data minimisation principle, see Chapter B (Key concepts).

Privacy tip

An accredited data recipient must allow a consumer to withdraw their direct marketing consent by:[40]

using their dashboard, or
through a ‘simple alternative method of communication’ made available for that purpose, such as an embedded link in an email communication through which they may notify the accredited data recipient of their intention to ‘opt out’.

For further information regarding withdrawal of consent, see Chapter C (Consent).

Disclosure to an outsourced service provider

7.33 An accredited data recipient is permitted to disclose CDR data to an outsourced service provider for the purpose of sending the information or renewal offer (outlined above in paragraphs 7.21, 7.22, 7.25, 7.26 and 7.27), or to use the CDR data (as outlined above in paragraph 7.29). [41]

7.34 An accredited data recipient may only disclose CDR data to the extent reasonably needed to do those things.[42]

7.35 Under this permitted disclosure, accredited persons may engage third parties (who fall within the meaning of ‘outsourced service provider’)[43] to undertake direct marketing activities on their behalf, where such activities are permitted under subrule 7.5(3) of the CDR Rules.

7.36 In order to disclose the CDR data for this purpose, the underlying direct marketing consent to send information or renewal offers must be current. In addition, the accredited person must:

provide the information required by paragraph 4.11(3)(f) of the CDR Rules to the consumer at the time of seeking the consumer’s consent to collect and use the consumer’s CDR data, and
include certain information about outsourced service providers in its CDR policy.[44]

7.37 An accredited data recipient who discloses CDR data to an outsourced service provider must ensure that the provider complies with its requirements under the CDR outsourcing arrangement.[45]

7.38 For the purposes of this permitted disclosure, an outsourced service provider is a person to whom an accredited data recipient discloses[46] CDR data under a CDR outsourcing arrangement.[47]

7.39 If the disclosure is proposed to be made to an overseas outsourced service provider, Privacy Safeguard 8 will apply in addition to Privacy Safeguard 7 (see Chapter 8 (Privacy Safeguard 8)).

7.40 For further information, see Chapter B (Key Concepts), ‘Outsourced service providers’. For further guidance regarding an accredited data recipient’s obligations in relation to outsourced service providers, see Chapter 6 (Privacy Safeguard 6) .

Disclosure to a CDR representative

7.41 Where an accredited data recipient is a CDR principal, they are permitted to disclose CDR data to a CDR representative under a CDR representative arrangement for the purposes of the CDR representative:[48]

in accordance with a direct marketing consent, sending to the CDR consumer:
- information about upgraded or alternative goods or services
- offers to renew existing goods or services
- information about the benefits of existing goods or services, or
- information about other goods or services provided by another accredited person, where the CDR representative reasonably believes the consumer might benefit from those other goods or services, and sends such information to the consumer on no more than a reasonable number of occasions, or
using the CDR data as reasonably needed to send the above information to the CDR consumer (including by analysing the CDR data to identify the appropriate information to send).

7.42 See paragraphs 7.21 -7.26 and 7.29 - 7.32 for more information on these permitted purposes.

Risk point

As soon as the customer’s direct marketing consent is no longer current (i.e. because it expires or is withdrawn), the accredited data recipient can no longer engage in the permitted uses or disclosure relating to direct marketing under the CDR Rules.

Privacy tip

Accredited data recipients should have processes and systems in place to promptly inform any outsourced service providers engaging in direct marketing activities of the expiry of a consumer’s direct marketing consent.[49]

Interaction with other privacy safeguards

7.43 The prohibition against direct marketing in Privacy Safeguard 7 is complemented by Privacy Safeguards 6 (see Chapter 6 (Privacy Safeguard 6)), 8 (see Chapter 8 (Privacy Safeguard 8)) and 9 (see Chapter 9 (Privacy Safeguard 9)).

7.44 Privacy Safeguard 6 prohibits an accredited data recipient of CDR data from using or disclosing CDR data unless required or authorised under the CDR Rules or another Australian law or court or tribunal order.

7.45 Privacy Safeguard 8 restricts disclosures of CDR data made to recipients located overseas.

7.46 Privacy Safeguard 9 prohibits an accredited data recipient of CDR data that contains a government related identifier from adopting, using or disclosing that identifier, unless an exception applies.

Interaction with other legislation

7.47 Under the Privacy Act, APP 7 does not apply to the extent that the Do Not Call Register Act 2006, the Spam Act 2003 or any other legislation prescribed by the regulations applies (APP 7.8). There is no corresponding exemption under Privacy Safeguard 7.

7.48 This means that if an accredited data recipient or designated gateway engages in a form of direct marketing that may be permitted under another Act,[50] and the entity uses or discloses CDR data for that purpose, the entity will be in breach of Privacy Safeguard 7 unless that use or disclosure is required or authorised under the CDR Rules.

7.49 Similarly, this means that if an accredited data recipient or designated gateway engages in a form of direct marketing permitted under Privacy Safeguard 7 and the CDR Rules, the entity may nevertheless be in breach of another Act if the requirements relating to marketing communications under that Act are not also satisfied.

Footnootes

[1] Competition and Consumer Act, section 56EJ.

[2] Privacy Safeguard 7 also prohibits designated gateways from using or disclosing the CDR data for direct marketing, unless the use or disclosure is authorised, or the disclosure is required, under the CDR Rules. However, there are currently no designated gateways in the banking or energy sector, and no CDR Rules for the use or disclosure of CDR data by designated gateways.

[3] Competition and Consumer Act, subsection 56EJ(1).

[4] Competition and Consumer Act, subsection 56EJ(2).

[5] For the banking sector, see the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019. For the energy sector, the energy designation specifies AEMO as a gateway for certain information: Consumer Data Right (Energy Sector) Designation 2020, subsection 6(4). However, at the time of publication, AEMO is not a designated gateway for any CDR data because under current CDR Rules, no CDR data is (or is to be) disclosed to AEMO because of the reasons in paragraph 56AL(2)(c) of the Competition and Consumer Act.

There are also no designated gateways in the telecommunications sector, although unlike the banking and energy sectors at the date of publication of these guidelines, there are no rules allowing for the sharing of designated telecommunications data under the CDR system: Consumer Data Right (Telecommunications Sector) Designation 2022.

[6] CDR Rule 7.7, which relates to Privacy Safeguard 6, only applies accredited data recipients.

[7] A CDR representative arrangement is a written contract between a CDR representative and their CDR principal that meets the minimum requirements listed in subrule 1.10AA(2) of the CDR Rules.

[8] CDR Rules, paragraph 1.10AA(2)(d)(iii).

[9] CDR Rules, subrule 7.6(4). See also rule 1.16A in relation to a CDR principal’s obligations and liability.

[10] The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government agencies (APP entities).

[11] Privacy Safeguard 7 applies from the point when the accredited person becomes an accredited data recipient of the CDR data. An accredited person becomes an accredited data recipient for CDR data when:

CDR data is held by (or on behalf of) the person
the CDR data, or any other CDR data from which it was directly or indirectly derived, was disclosed to the person under the consumer data rules, and
the person is neither a data holder, nor a designated gateway, for the first mentioned CDR data. See Competition and Consumer Act, section 56EK.

[12] The APPs do not apply to an accredited data recipient of CDR data, in relation to that CDR data: Competition and Consumer Act, paragraph 56EC(4)(a). However, subsection 56EC(4) does not affect how the APPs apply to accredited persons and accredited data recipients who are APP entities, in relation to the handling of personal information outside the CDR system. (Note: Small business operators accredited under the CDR system are APP entities in relation to information that is personal information but is not CDR data. See Privacy Act, subsection 6E(1D).) Subsection 56EC(4) also does not affect how the APPs apply to an accredited person who does not become an accredited data recipient of the CDR data (other than for Privacy Safeguards 1 – 4). See Competition and Consumer Act, paragraph 56EC(5)(aa).

[13] Competition and Consumer Act, subsection 56EJ(2).

[14] The APPs do not apply to designated gateways for CDR data in relation to that CDR data: Competition and Consumer Act, paragraph 56EC(4)(d). However, subsection 56EC(4) does not affect how the APPs apply to designated gateways who are APP entities, in relation to the handling of personal information outside the CDR system. See Competition and Consumer Act, paragraph 56EC(5)(b).

[15] In this chapter, references to data holders include AEMO. See Chapter B (Key concepts) for further information about how the privacy safeguards apply to AEMO.

[16] For the purposes of APP 7, the phrase has been interpreted to take its ordinary meaning of marketing addressed directly to individuals (Shahin Enterprises Pty Ltd v BP Australia Pty Ltd [2019] SASC 12 [113] (Blue J)). It involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services (Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 81).

[17] For information regarding ‘valid requests’, see Chapter 3 (Privacy Safeguard 3).

[18] Explanatory Statement to the CDR Rules.

[19] This would be ‘direct marketing’ even where the offers were about other products related to the requested product.

[20] CDR Rules, rule 7.8 and subrule 7.5(3). Examples of existing goods or services include the services provided by Tang and Co to Kwok, and McCarthy Bank to Guy, in the examples under paragraph 7.15.

[21] CDR Rules, paragraph 7.5(1)(a).

[22] CDR Rules, subrule 1.10A(d). See Chapter B (Key concepts) for further information on direct marketing consents.

[23] See especially CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[24] CDR Rules, paragraph 7.5(3)(d). See paragraph 7.41 - 7.42 for more information on the specified uses or disclosures by CDR representatives.

[25] A good or service will be an ‘upgraded’ good or service if the good or service is an improved version of the existing good or service.

[26] A good or service will be an ‘alternative’ good or service if a consumer could choose between that good or service and the existing good or service in order to achieve a similar outcome.

[27] CDR Rules, paragraph 7.5(3)(a)(i).

[28] See especially CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[29] CDR Rules, paragraph 7.5(3)(a)(ii).

[30] See especially CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[31] The consumer’s consent to the collection and use of their CDR data for an accredited person to provide goods or services is required for a ‘valid request’: CDR Rules, rule 4.3. For information regarding valid requests and the requirements for seeking consent, see Chapter C (Consent).

[32] CDR Rules, rule 4.12B. For further information about the requirements for asking a consumer to amend their consent, see CDR Rules, rule 4.12C and Chapter C (Consent).

[33] CDR Rules, paragraph 7.5(3)(a)(iii).

[34] See especially CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[35] See especially CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2). For guidance regarding the requirements for seeking direct marketing consents, see Chapter C (Consent).

[36] CDR Rules, paragraph 7.5(3)(a)(iv).

[37] CDR Rules, paragraph 7.5(3)(aa).

[38] For information regarding direct marketing consents and disclosure consents, see Chapter C (Consent).

[39] CDR Rules, paragraph 7.5(3)(b).

[40] CDR Rules, subrule 4.13(1).

[41] CDR Rules, paragraph 7.5(3)(c)(i).

[42] CDR Rules, paragraph 7.5(3)(c)(ii)..

[43] See CDR Rules, rule 1.10. ‘Outsourced service provider’ is discussed in Chapter B (Key concepts).

[44] CDR Rules, subrule 7.2(4). See Chapter 1 (Privacy Safeguard 1).

[45] CDR Rules, rule 1.16.

[46] Data will be ‘disclosed’ under the CDR system where it is made accessible or visible to others outside the entity. Whether an accredited data recipient retains effective control over the data does not affect whether data is ‘disclosed’.

[47] CDR Rules, rule 1.10. A CDR outsourcing arrangement is a written contract between the accredited data recipient and outsourced service provider which meets the requirements set out in subrule 1.10(2) of the CDR Rules, and under which the provider will provide goods or services to the accredited data recipient. For further information, see Chapter B (Key Concepts).

[48] CDR Rules, paragraph 7.5(3)(d).

[49] This will assist the accredited data recipient in directing an outsourced service provider under paragraph 1.10(2)(b)(iii) of the CDR Rules.

[50] For instance, a person may make telemarketing calls to a number registered on the Do Not Call Register if the relevant account holder has consented to the making of the call: Do Not Call Register Act 2006, subsection 11(2).

Previous chapter

Next chapter