Download the print version (version 4.0)
Key points
- An accredited person may only collect, use and disclose CDR data with the consent of the consumer.
- The CDR system sets out specific categories of consents that an accredited person may seek from a CDR consumer. It prohibits an accredited person from seeking a consent which does not fit into these categories.
- The consumer data rules (CDR Rules) seek to ensure that a consumer’s consent is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn. An accredited person must ask a CDR consumer to give or amend a consent in accordance with the CDR Rules.
- A CDR representative is responsible for seeking a CDR consumer’s consent when CDR data is being collected by a CDR principal under a CDR representative arrangement. However, the CDR principal is liable if the CDR representative does not obtain consent in accordance with the CDR Rules.
- In giving consent to the collection and use of their CDR data, a CDR consumer provides the accredited person with a ‘valid request’ to seek to collect the relevant CDR data.
- An accredited person’s processes for asking a CDR consumer to give or amend a consent must be compliant with the data standards and have regard to the Consumer Experience Guidelines.
- An accredited person must comply with the data minimisation principle when collecting or using CDR data.
- A data holder may disclose CDR data only with the authorisation of the relevant CDR consumers.
Why is it important?
C.1 The CDR system places the control of consumer data in the hands of the consumer. This is achieved by requiring the consumer’s consent for the collection, use and disclosure of their CDR data.
C.2 Consumer consent is the bedrock of the CDR system. Consent enables CDR consumers to be the decision makers in the CDR system, ensuring that they can direct where their data goes in order to obtain the most value from it.
How is consent in the CDR system different to the Privacy Act?
C.3 It is important to understand how consent in the CDR system differs from consent under the Privacy Act 1988.
C.4 Under the CDR system:
- express consent from consumers is required for the collection, use and disclosure of their CDR data by accredited persons.[1] Without express consent, the accredited person is not able to collect, use, or disclose CDR data
- consent must meet the requirements set out in the CDR Rules
- a consumer can only give consent for a maximum period of 12 months.
C.5 However, under the Privacy Act:
- consent is not the primary basis upon which an entity may collect, use or disclose personal information[2]
- consent can be either express or implied[3]
- there is no maximum period for which a consumer can give consent, although consent given at a particular time in particular circumstances cannot be assumed to endure indefinitely.[4]
C.6 The CDR Rules contain specific requirements for an accredited person’s processes for seeking consent in the CDR system, as well as for information that must be presented to a CDR consumer when they are being asked to consent.[5]
C.7 The requirements by which an accredited person must seek consent from a CDR consumer are discussed in this Chapter.
How does consent fit into the CDR system?
C.8 Consent is the primary basis on which an accredited person may collect, use and disclose CDR data for which there are one or more consumers.[6]
C.9 Where an accredited person:
- offers a good or service through the CDR system, and
- needs to collect a consumer’s CDR data from a data holder or accredited data recipient (‘CDR participant’) in order to use it to provide such goods or services,
the accredited person may ask for the consumer’s consent to the collection and use of their CDR data to provide the good or service.[7] Under a CDR representative arrangement, the CDR representative asks the consumer for these consents.[8]
C.10 In giving the above consents, the CDR consumer provides the accredited person with a ‘valid request’ to seek to collect the relevant CDR data.[9] An accredited person can only collect the CDR data if it has obtained this consent.
C.11 Upon obtaining a ‘valid request’ from the consumer, the accredited person[10] may seek to collect the consumer’s CDR data from the relevant CDR participant of the CDR data. The accredited person collects this CDR data by making a ‘consumer data request’ to the relevant CDR participant/s.[11]
C.12 Privacy Safeguard 3 prohibits an accredited person from seeking to collect data under the CDR system unless it is in response to a ‘valid request’ from the consumer.
C.13 Consent also underpins how an accredited person may use or disclose CDR data under Privacy Safeguard 6 and Privacy Safeguard 7. An accredited person can only use the CDR data if it has obtained a use consent.
C.14 The flow charts below paragraph C.15 demonstrate how consent fits in the key information flow between a consumer, accredited person, data holder and (for the energy sector) AEMO as secondary data holder, in relation to CDR data.
C.15 The following charts demonstrate the points at which a valid request is given by the consumer and a consumer data request is made on behalf of the consumer by the accredited person.
What are the different categories of consents in the CDR system?
C.16 The CDR system requires an accredited person to obtain different categories of consents from a consumer depending on what data-handling activity they propose to undertake.
C.17 Consent means a collection consent, a use consent or a disclosure consent (including a consent that has been amended by a consumer under the CDR Rules).[12] The categories of consents that may be given by a consumer to an accredited person in the CDR system are as follows:[13]
- ‘Collection consent’: a consent for an accredited person to collect particular CDR data from a data holder or accredited data recipient of that CDR data.[14]
- ‘Use consent’: a consent for an accredited data recipient of particular CDR data to use that CDR data in a particular way, for example to provide goods or services requested by the consumer.[15] Types of use consents include a direct marketing consent for an accredited data recipient to use CDR data for the purposes of direct marketing, and a de-identification consent (as outlined below).[16]
- ‘AP disclosure consent’: a consent for an accredited data recipient of particular CDR data to disclose that CDR data to another accredited person in response to a consumer data request.[17]
- ‘Direct marketing consent’: a consent for an accredited data recipient of particular CDR data to use or disclose that CDR data for the purposes of direct marketing.[18]
  - A direct marketing consent for an accredited data recipient to use CDR data for the purposes of direct marketing is a form of ‘use consent’.
  - A direct marketing consent for an accredited data recipient to disclose CDR data to another accredited person for the purposes of direct marketing is a form of ‘disclosure consent’.[19]
- ‘TA disclosure consent’: a consent for an accredited data recipient of particular CDR data to disclose that CDR data to a trusted adviser of the CDR consumer, who belongs to one of the classes of ‘trusted advisers’ prescribed by CDR Rule 1.10C(2).[20]
  An accredited data recipient must not make any of the following a condition for the supply of the goods or services:
  - the consumer nominating a trusted adviser
  - the consumer nominating a particular person as a trusted adviser, or
  - the consumer giving consent to disclosure of data to a trusted adviser.[21]
- ‘Insight disclosure consent’: a consent for an accredited data recipient to disclose certain insights based on their CDR data to a specified person for a permitted purpose.[22] These limited permitted purposes are:
  - to verify the CDR consumer’s identity
  - to verify the CDR consumer’s account balance, or
  - to verify the details of credits to, or debits from, the consumer’s accounts.[23]
  However, where the CDR data relates to more than one transaction, the insight disclosure consent cannot authorise the accredited data recipient to disclose an amount or date in relation to any individual transaction.[24]
- ‘De-identification consent’: a form of ‘use consent’ for an accredited data recipient of particular CDR data to de-identify some or all of that CDR data in accordance with the CDR data de-identification process[25] and:
  - use the de-identified data for general research,[26] and/or
  - disclose (including by selling) the de-identified data.
C.18 A CDR representative is also able to seek and obtain these use and disclosure consents in relation to CDR data it holds as service data.[27]
C.19 An accredited person (or CDR representative) is prohibited from seeking a consent that is not in the list above.[28]
C.20 Each category of consent operates independently of the others. This means that an accredited person can ask for more than one category of consent, and that a CDR consumer must be enabled by an accredited person to independently manage each category of consent.[29] For example, an accredited person may ask a consumer for a collection consent and a use consent, and the consumer can (in future) choose to withdraw only the collection consent, if they wish.[30]
C.21 The categories of consent are based on the ‘types’ of consents set out in the CDR Rules.[31]
How must consent be sought?
C.22 An accredited person must ask the consumer to give consent in accordance with Division 4.3 of the CDR Rules.[32] Division 4.3 sets out the specific requirements for each consent outlined in the section above.[33]
C.23 The requirements in Division 4.3 are outlined below under the headings ‘Requirements for asking a consumer to give or amend a consent’, ‘Restrictions on seeking consents’ and ‘How consents must be managed’.
C.24 The object of Division 4.3 of the CDR Rules is to ensure that consent given by a consumer is voluntary, express, informed, specific as to purpose, time limited and easily withdrawn.[34]
C.25 In obtaining consent from a consumer, an accredited person must comply with requirements relating to:
- an accredited person’s processes for asking for consent[35]
- information to be presented to the consumer when asking for consent,[36] and
- restrictions on seeking consent.[37]
C.26 Where a consumer is not an individual and wishes to use the accredited person’s good or service through the CDR system, the accredited person should ensure the consent is given by a person who is duly authorised to provide the consent on the entity’s behalf.[38]
CDR representative arrangements
C.27 Under a CDR representative arrangement, the CDR representative seeks the relevant consents from the consumer, including consent for the CDR principal to collect the consumer’s CDR data.[39] See Chapter B (Key concepts) for more information on ‘CDR representative arrangement’, ‘CDR representative’ and ‘CDR principal’.
C.28 Like accredited persons, the unaccredited CDR representative must ask for consent in accordance with Division 4.3 of the CDR Rules (as modified by subrule 4.3C(1)).[40] The CDR principal is liable for any breach of Division 4.3 (as modified by subrule 4.3C(1)) by its CDR representative.[41]
C.29 A CDR representative can seek certain specific consents from the consumer as follows:[42]
- a collection consent for the CDR principal to collect CDR data from a CDR participant, and
- a use consent for:
  - the CDR principal to disclose that data (once collected) to the CDR representative, and
  - the CDR representative to use that data in order to provide the requested goods or services to the consumer.
Once a collection consent has been given, a CDR representative may also ask the consumer to provide a disclosure consent in relation to the CDR data.[43]
Sponsorship arrangements
C.30 Under a sponsorship arrangement, an affiliate is responsible for seeking consents from the consumer. This is regardless of whether the affiliate intends to collect the CDR data themselves (which they are permitted to do from an accredited data recipient) or request their sponsors to do so on their behalf.[44]
C.31 Like all accredited persons, an affiliate must ask for consents in accordance with Division 4.3 of the CDR Rules.
Can consents be amended?
C.32 An accredited person may invite a consumer to amend an existing consent. This includes allowing a consumer to change:
- the types of CDR data that can be collected and/or disclosed
- what the CDR data can be used for
- what accounts or data holders CDR data is to be collected from, and/or
- the duration of the consent.[45]
C.33 An invitation to amend a consent may be issued only where the amendment would:[46]
- better enable the accredited person to provide the goods or service requested by the consumer under the existing consent,[47] or
- be consequential to an agreement between the accredited person and consumer to modify those goods or services, and enable the accredited person to provide the modified goods or services.
C.34 An invitation to amend an existing consent may be given via the consumer dashboard (if applicable)[48] or in writing to the CDR consumer.[49] An invitation can only be given where the consent is current (i.e. has not expired).[50]
C.35 Where an accredited person wishes to invite a CDR consumer to amend the duration of their consent, the invitation must not be given:
- any earlier than a reasonable period before the existing consent expires, and
- more than a reasonable number of times within this period.[51]
Example
A CDR consumer has given a consent to an accredited data recipient in relation to CDR data for a period of 3 months. In the 3 weeks prior to expiry, the accredited person invites the consumer on 2 occasions to extend the duration of their existing consent. The accredited data recipient has decided, based on their circumstances, that they have provided the invitation within a reasonable period before the existing consent expires, and a reasonable number of times within that period.[52]
C.36 Where an accredited person wishes to invite a CDR consumer to extend the duration of their consent, it should first consider whether the invitation would constitute an offer to renew existing goods or services under paragraph 7.5(3)(a)(ii) of the CDR Rules (in which case a direct marketing consent would be required).[53]
C.37 An accredited person cannot ask a CDR consumer to extend the duration of an existing consent for longer than 12 months.[54]
C.38 An accredited person must ask the CDR consumer to give any amendments to their existing consent in the same manner that it asked the consumer to provide the existing consent (i.e. in accordance with Division 4.3 of the CDR Rules).[55] There are some exceptions, as outlined in the following section (‘Requirements for asking a consumer to give or amend a consent’).[56]
C.39 Where a CDR consumer amends their collection consent, the accredited person must notify the relevant CDR participant/s that the consent has been amended:[57]
- where the CDR data is being collected from a data holder, in accordance with the data standards, and/or
- where the CDR data is being collected from an accredited data recipient, as soon as practicable. This notice should contain sufficient detail to enable the accredited data recipient to understand the types of CDR data to which the amended collection consent now applies.
C.40 An accredited person must also provide a CDR consumer with certain notifications upon the amendment of a consent. These are outlined under ‘Notification requirements’ in paragraph C.108.
C.41 An amendment of a consent takes effect when the CDR consumer amends the consent.[58]
Requirements for asking a consumer to give or amend a consent
General processes
C.42 An accredited person’s processes for asking a CDR consumer to give or amend a consent must:
- accord with any consumer experience data standards,[59] and
- be as easy to understand as practicable, including by using concise language and, where appropriate, visual aids.[60]
C.43 In ensuring processes are easy to understand, an accredited person must also have regard to the Consumer Experience Guidelines.[61]
C.44 An accredited person must not:
- include or refer to the accredited person’s CDR policy or other documents in a way that would reduce consumer comprehension when seeking consent, or
- bundle consents with other directions, agreements, consents or permissions.[62] This practice has the potential to undermine the voluntary nature of the consent.
C.45 However, an accredited person may refer to its CDR policy when seeking consent, so long as doing so would not be likely to reduce consumer comprehension.[63]
C.46 Each time an accredited person seeks a CDR consumer’s consent, it must allow the consumer to actively select or clearly indicate:
- for collection and disclosure consents,[64] the particular types of CDR data to which the consent will apply[65]
- for all consents, whether the data will be:
  - collected and, if applicable, disclosed on a single occasion and used over a specified period of time (not exceeding 12 months), or
  - collected and, if applicable, disclosed on an ongoing basis and used over a specified period of time (not exceeding 12 months)[66]
- for a use consent,[67] the specific uses of that CDR data,[68] and
- for a disclosure consent,[69] the person to whom the CDR data may be disclosed.[70]
C.47 Each time an accredited person seeks a CDR consumer’s consent, it must also:
- ask for the consumer’s express consent for the selections in paragraph C.46 above,[71] and
- not pre-select these options,[72] except where the accredited person is asking the consumer to amend an existing consent.[73] In this situation, the accredited person may pre-select the above options to reflect what the consumer has selected in the past.[74]
Fees for disclosure
C.48 An accredited person may charge the CDR consumer a fee for the disclosure of CDR data, or pass on to the consumer a fee charged by the data holder for the disclosure of CDR data.[75] This must be made clear to the consumer.
C.49 To do this, the accredited person must:
- clearly distinguish between the CDR data for which a fee will, and will not, be charged or passed on[76]
- inform the consumer of the amount of the fee, and the consequences if the consumer does not consent to the collection or disclosure, as appropriate, of the CDR data for which a fee will be charged or passed on,[77] and
- allow the consumer to actively select or otherwise clearly indicate whether they consent to the collection or disclosure, as appropriate, of the CDR data for which a fee will be charged or passed on.[78]
Name and accreditation number
C.50 The accredited person must ensure that its name is clearly displayed in the consent request.[79]
C.51 The accredited person’s accreditation number must also be included in the consent request.[80] This number has been assigned to the accredited person by the Data Recipient Accreditor.
C.52 For more information on the Data Recipient Accreditor and the accreditation process and conditions, see the ACCC’s Accreditation Guidelines.
Data minimisation principle
C.53 Collection and use of CDR data is limited by the data minimisation principle,[81] which provides that an accredited person:
- must not collect more data than is reasonably needed in order to provide the requested goods or services, including over a longer time period than is reasonably required, and
- may use the collected data only in accordance with the consent provided, and only as reasonably needed in order to provide the requested goods or services or to fulfil any other purpose consented to by the consumer.[82]
Example
An accredited person is responding to a ‘valid request’ from a CDR consumer to collect their CDR data from their data holder in relation to the consumer’s eligibility to open a bank account. The accredited person asks the consumer to consent to the collection of their transaction data. However, transaction data has no bearing on the applicant's eligibility for the delivery of the service. The accredited person would therefore likely be in breach of the data minimisation principle.
C.54 Where an accredited person is seeking a collection consent or use consent,[83] the accredited person must explain how its collection and use is in line with the data minimisation principle.[84]
C.55 For a collection consent, this explanation must include an outline of why the accredited person believes collecting the data is ‘reasonably needed’ to provide the relevant goods or services or to fulfil another purpose for which the accredited person is seeking consent.[85]
- For example, the accredited person must explain how the data is necessary to deliver the service that it is providing.[86]
C.56 The accredited person must also explain the reason for the data collection period. The collection period must be no longer than is ‘reasonably needed’ to provide the goods or services or to fulfil any other purpose for which the accredited person is seeking consent.[87] This means that:
- the accredited person needs to explain why the data is collected over the collection period
- there should be a reason why historical data is collected, and that reason must be both in line with the data minimisation principle and explained to the CDR consumer at the point of consent.
C.57 For a use consent,[88] the accredited person must also explain that it will not use the CDR data beyond what is reasonably needed to provide the relevant goods or services or to fulfil another purpose for which the accredited person is seeking consent.[89]
Insight disclosure consent
C.58 When seeking an insight disclosure consent, an accredited data recipient must explain to the CDR consumer the CDR insight to be disclosed, including what the CDR insight would reveal or describe about them.[90]
Outsourced service providers
C.59 Where the accredited person uses an outsourced service provider[91] to collect CDR data, or may disclose the consumer’s CDR data to an outsourced service provider (including one that is based overseas), the accredited person must:
- tell the CDR consumer that the accredited person will use an outsourced service provider to collect CDR data and/or disclose the consumer’s CDR data to an outsourced service provider, and
- provide the CDR consumer with a link to the accredited person’s CDR policy, noting that further information about outsourced service providers can be found in that policy.[92],[93]
Withdrawal of consent
C.60 The accredited person must explain to the CDR consumer:[94]
- that their consent/s can be withdrawn at any time
- how to withdraw consent, and
- the consequences (if any) of withdrawing consent.
Treatment of redundant data
C.61 The accredited person must tell the CDR consumer whether the accredited person has a general policy of:
- deleting redundant data,
- de-identifying redundant data, or
- deciding, when the CDR data becomes redundant, whether to delete or de-identify the redundant data.[95]
C.62 Where the accredited person will[96] or may[97] de-identify redundant data, the accredited person must also:
- allow the CDR consumer to elect for their redundant data to be deleted,[98] including by outlining the consumer’s right to elect for this to occur and providing instructions for how the consumer can make the election.[99] Where the accredited person is asking the consumer to amend an existing consent, and the consumer previously made an election, the accredited person may pre-select this election[100]
- tell the CDR consumer that the accredited person would de-identify redundant data in accordance with the prescribed process for de-identification of CDR data, and explain what this means[101]
- tell the CDR consumer that, once the data is de-identified, the accredited person would be able to use or, if applicable, disclose the de-identified redundant data without seeking further consent from the consumer,[102] and
- if applicable, provide the CDR consumer with examples of how the accredited person could use the redundant data once de-identified.[103]
C.63 See Chapter 12 (Privacy Safeguard 12) for further information on the treatment of redundant data (i.e. destruction or de-identification).
Collection by a sponsor at an affiliate’s request
C.64 When an affiliate is seeking a collection consent from a CDR consumer, and a sponsor will collect the data at the affiliate’s request under a sponsorship arrangement, the affiliate must provide the consumer with the following information:
- a statement of the fact that the sponsor will be collecting the consumer’s CDR data at the request of the affiliate
- the sponsor’s name
- the sponsor’s accreditation number
- a link to the sponsor’s CDR policy, and
- a statement that the consumer can obtain further information about the sponsor’s collection of CDR data (and subsequent disclosure of that data to the affiliate) from the sponsor’s CDR policy.[104]
De-identification consents
C.65 Where an accredited person is asking the CDR consumer for a de-identification consent as defined under rule 1.10A of the CDR Rules, the accredited person must also tell the consumer the additional information in rule 4.15:[105]
- what the CDR de-identification process is[106]
- if the accredited person would disclose (for example, by sale) the de-identified data to one or more other persons:
  - a statement of that fact
  - the classes of persons to whom the accredited person would disclose the de-identified data (for example, to market research organisations or university research centres), and
  - the purpose/s for which the accredited person would disclose the de-identified data (for example, to sell the de-identified data or to provide it to a university for research)
- if the accredited person would use the de-identified data for general research:[107]
  - a statement of that fact
  - that the CDR consumer can find further information in the accredited person’s CDR policy on the research to be conducted and any additional benefit to be provided to the consumer for consenting to this use of their data,[108] and
  - a hyperlink to the relevant section/s of the accredited person’s CDR policy, and
- that the CDR consumer would not be able to elect to have the de-identified data deleted once it becomes redundant data.
C.66 When seeking a de-identification consent, the accredited person must explain how their collection and use is in line with the data minimisation principle.[109] See paragraphs C.53 to C.57 above.
Tip
Where an accredited person is seeking a de-identification consent so that it may use the de-identified data for general research, the accredited person could inform the CDR consumer that the general research does not relate to the provision of the requested goods or services. This will help to ensure a consumer is aware of this fact so they may make an informed decision when deciding whether to provide the de-identification consent.
Amendment of consent
C.67 Where an accredited person is inviting a CDR consumer to amend their existing consent, in addition to the other requirements outlined in the above sections, the accredited person must give the consumer statements that outline:[110]
- the consequences of amending a consent, and
- the extent to which the accredited person will be able to use any CDR data that has already been disclosed to it.
Example
Laypac, an accredited person, offers CDR consumers the ability to amend their collection consent, in order to remove certain data types. Prior to making an amendment, Laypac tells a consumer:
“If you amend your consent, we will no longer collect your account balance and details, but we will use the data we’ve already collected. Don’t worry – when you withdraw your use consent or when it expires on 1 October, we will delete it,[111] along with all your other data, in accordance with our CDR policy…”[112]
Restrictions on seeking consents
C.68 CDR Rule 4.12 provides that when seeking consent from a CDR consumer, an accredited person must not ask for:[113]
- consent to collect, use or disclose CDR data over a period exceeding 12 months
- consent to collect or use the data in a manner that is in breach of the data minimisation principle[114]
- a consent that is not in a ‘category’ of consents (see paragraph C.17 for a list of the categories of consents), or[115]
- consent to use the CDR data, including by aggregating it, for the purpose of identifying, compiling insights or building a profile in relation to any identifiable person who is not the consumer who is providing the consent.[116]
C.69 However, in some circumstances an accredited person can use the CDR data, including by aggregating it, for the purpose of identifying, compiling insights or building a profile in relation to any identifiable person who is not the CDR consumer who is providing the consent. This is permitted where:[117]
- the person’s identity is readily apparent
- the accredited person is seeking consent to derive, from the consumer’s CDR data, CDR data about the non-CDR consumer’s interactions with the consumer, and
- the accredited person will use that derived CDR data only for the purpose of providing the goods or services requested by the consumer.
Example
ChiWi is an accredited person offering a budgeting service that tracks a person’s spending. One category of spending is ‘gifts’.
Antonio has recently moved out of home and receives an allowance from his mother, Maria, each week. He has Maria’s account saved in his banking address book under her full name.
Antonio transfers his transaction data to ChiWi to track his spending. Maria’s identity is readily apparent from Antonio’s transaction data.
ChiWi may consider Maria’s behaviour only in so far as it is relevant to Antonio’s spending and saving habits for the purpose of providing Antonio with the budgeting service.
How consents must be managed
Consumer dashboards
C.70 An accredited person must provide a consumer dashboard for each CDR consumer who has provided a consent in relation to their CDR data.[118]
C.71 Where an accredited person collects a consumer’s CDR data on behalf of another accredited person (the ‘principal’) under a CDR outsourcing arrangement, only the principal needs to provide the relevant consumer with a dashboard.[119]
C.72 Where a sponsor collects a consumer’s CDR data on behalf of their affiliate under a sponsorship arrangement, the affiliate must provide a consumer dashboard for each consumer who has provided a consent to the affiliate in relation to their CDR data.
C.73 Where a CDR principal collects a consumer’s CDR data on behalf of their CDR representative under a CDR representative arrangement, the CDR principal may arrange for the CDR representative to provide a consumer dashboard on its behalf.[120]
Privacy tip
To enhance consumer understanding and reduce the risk of confusion, it may be preferable for the CDR representative, rather than the CDR principal, to provide the consumer dashboard. This is because it is the CDR representative, rather than the CDR principal, that has the consumer-facing relationship.
Where this option is chosen, the CDR principal should include an obligation for the CDR representative to provide the dashboard as an additional requirement in the written contract (CDR representative arrangement). The CDR principal should further monitor compliance with these obligations as part of ensuring the CDR representative complies with the minimum requirements of that written contract.
C.74 An accredited person’s consumer dashboard is an online service that can be used by each CDR consumer to manage consumer data requests[121] and consents for the accredited person to collect, use and disclose CDR data.
C.75 The consumer dashboard should be provided to the CDR consumer as soon as practicable after the accredited person receives a valid request from that consumer for the collection and use of their CDR data.[122] This is so that the accredited data recipient can comply with its obligation under Privacy Safeguard 5 to notify of the collection of CDR data via the consumer’s dashboard.[123]
C.76 The consumer dashboard must contain the following details of each consent that has been given by the CDR consumer:[124]
- the CDR data to which the consents relate
- for a use consent,[125] the specific use or uses for which the consumer has given consent
- the date on which the consumer gave the consents
- whether the consents were for the collection of CDR data on a single occasion or over a period of time
- if the consumer consented to collection and/or disclosure of CDR data over a period of time – what that period is and how often data has been (and is expected to be) collected and/or disclosed over that period
- if the consents are current – when they will expire
- if the consents are not current – when they expired
- for an insight disclosure consent – a description of the CDR insight and to whom it was disclosed[126]
- the information required to notify the consumer of the collection of their CDR data, being:
  - what CDR data was collected
  - when the CDR data was collected, and
  - the CDR participant from which the CDR data was collected[127]
- the information required to notify the consumer of the disclosure of their CDR data to an accredited person, being:
  - what CDR data was disclosed
  - when the CDR data was disclosed, and
  - the accredited person to whom the CDR data was disclosed, identified in accordance with any entry on the Register of Accredited Persons specified as being for that purpose[128]
- the information required to notify the consumer when their CDR data has been disclosed to a trusted adviser, being:
  - what CDR data was disclosed
  - when the CDR data was disclosed, and
  - who the trusted adviser was[129]
- the information required to notify the consumer when a CDR insight has been disclosed, being:
  - what CDR data was disclosed
  - when the CDR data was disclosed, and
  - the person to whom it was disclosed[130]
- where the accredited person is an affiliate[131] and the CDR data will be collected by a sponsor at its request under a sponsorship arrangement, the sponsor’s name and accreditation number,[132] and
- if applicable, details of each amendment that has been made to a consent.
C.77 The consumer dashboard must also contain a statement that the CDR consumer is entitled to request further records in accordance with rule 9.5 of the CDR Rules (Request from CDR consumers for copies of records), and information about how to make such a request.[133]
C.78 The consumer dashboard must have a functionality that allows the CDR consumer, at any time, to:[134]
- withdraw each consent
- elect for their CDR data to be deleted once it becomes redundant, and
- withdraw an election regarding whether their CDR data should be deleted once it becomes redundant.
C.79 These functionalities must be simple and straightforward to use, and prominently displayed.[135]
Tip
For best practice examples of how to present this information on the consumer dashboard, and other related recommendations, see the Consumer Experience Guidelines.
C.80 The consumer dashboard may also include a functionality that allows a CDR consumer to amend an existing consent.[136]
C.81 Data holders also have an obligation under the CDR Rules to offer, and in most circumstances provide, a consumer dashboard to a consumer when the data holder receives a consumer data request on behalf of the consumer by an accredited person.[137]
C.82 The data holder’s consumer dashboard is used to manage the consumer’s authorisations to disclose the consumer’s CDR data to the accredited person.[138] For further information, see Chapter B (Key concepts) and the Guide to privacy for data holders.
Consumers may withdraw consent
C.83 A CDR consumer who has given a consent to an accredited person in relation to their CDR data may withdraw the consent at any time.
C.84 Where a CDR consumer withdraws a collection consent, the accredited person must notify:
- the data holder of the withdrawal in accordance with the data standards,[139] and/or
- the accredited data recipient of the CDR data, as soon as practicable.[140],[141]
C.85 Where a CDR consumer withdraws an AP disclosure consent, the accredited person must notify the accredited data recipient to whom the data is being disclosed, as soon as practicable.[142]
C.86 An accredited person must allow a CDR consumer to withdraw each consent they have provided by:[143]
- using the accredited person’s consumer dashboard, or
- using a simple alternative method of communication made available by the accredited person.[144]
C.87 The functionality to withdraw consent on the consumer dashboard must be simple and straightforward to use, and prominently displayed.[145]
C.88 The alternative method of communicating the withdrawal of consent must be simple.[146] In addition, it:
- should be accessible and straightforward for a consumer to understand and use, and
- may be written or verbal. Where it is written, the communication may be sent by electronic means (such as email) or non-electronic means (such as by post).
C.89 An accredited person may wish to ensure its alternative method of communication is consistent with existing channels already made available to its customers,[147] for example:
- through its telephone helpline, or
- in the case of direct marketing consents, through embedded links in any email communications that will allow a CDR consumer to notify the accredited person of their intention to ‘opt out’ of receiving direct marketing communications.[148]
C.90 Where an accredited person does not have a general policy of deleting redundant data, and the CDR consumer has not already requested that their redundant data be deleted, it should refer to the requirements in the Consumer Experience Standards.[149]
Tip
For examples of how to implement the withdrawal functionality on the consumer dashboard, and best practice recommendations for how to do this, see the Consumer Experience Guidelines.
Effect of withdrawing consent
C.91 The main consequence of the withdrawal of a consent is that the consent expires,[150] and the accredited person may no longer collect, use or disclose the CDR data (as applicable, depending on what category of consent has been withdrawn). Information about when a consent expires is contained in the following section.
C.92 Where a collection consent for the collection of CDR data from a data holder is withdrawn, the accredited person must notify the data holder of the withdrawal in accordance with the data standards.[151]
C.93 Where only a collection consent for particular CDR data is withdrawn, but other use consents[152] and/or disclosure consents[153] for that CDR data with the same accredited data recipient remain current, an accredited data recipient may continue to use and/or disclose the relevant CDR data.[154]
C.94 Where a consent is withdrawn for an SR data request, the procedures and arrangements for withdrawal of consent in rule 4.13 of the CDR Rules apply to the primary data holder as if it were the data holder for the SR data covered by that request.[155]
C.95 Where a CDR consumer withdraws each of their collection, use and disclosure consents, the CDR data is likely to become redundant data that the accredited person is required to delete or de-identify in accordance with Privacy Safeguard 12 (unless an exception applies).[156]
C.96 If a CDR consumer withdraws a consent using the accredited person’s consumer dashboard, the withdrawal is immediately effective.[157]
C.97 If a withdrawal is not communicated over the consumer dashboard, the accredited person must give effect to the withdrawal as soon as practicable, but not more than 2 business days after receiving the communication.[158]
C.98 The test of practicability is an objective test. In adopting a timetable that is ‘practicable’ an accredited person can take technical and resource considerations into account. However, the accredited person must be able to justify any delay in giving effect to the consumer’s communication of withdrawal.
C.99 ‘Giving effect’ to the withdrawal includes updating the consumer dashboard to reflect that the consent has expired,[159] as required by rule 4.19 of the CDR Rules.[160]
C.100 Where a CDR consumer has elected for their CDR data to be deleted upon becoming redundant data, withdrawal of a consent will not affect this election.[161]
Tip
For best practice examples of how to present this information on the consumer dashboard, and other related recommendations, see the Consumer Experience Guidelines.
When a consent expires
C.101 Where a consent expires, the accredited person may no longer collect, use or disclose the CDR data (as applicable, depending on what category of consent has expired).
C.102 Where each of a CDR consumer’s collection, use and disclosure consents expire, the CDR data is likely to become redundant data that the accredited person is required to delete or de-identify in accordance with Privacy Safeguard 12 (unless an exception applies).[162]
C.103 Rule 4.14 of the CDR Rules provides that a consent expires in the following circumstances:
- ‘If the consent is withdrawn’: if a withdrawal notice is given via the consumer dashboard, the consent expires immediately.[163] Where withdrawal is not given through the consumer dashboard, the consent expires when the accredited person gives effect to the withdrawal, or 2 business days after receiving the communication, whichever is sooner.[164]
- ‘At the end of the period of consent (no longer than 12 months after consent was given)’: a consent expires at the end of the specified period for which the consumer gave the consent.[165] This specified period cannot be longer than 12 months.[166]
- ‘Twelve months after the consent was given or last amended’: a consent expires at the end of the period of 12 months after:
  - the consent was given, or
  - if the duration of the consent has been amended, the consent was last amended.[167]
- ‘For a collection consent, when the accredited person is notified’:
- ‘For an AP disclosure consent, when the accredited data recipient is notified by the accredited person of the expiry of the collection consent’: upon such notification, the collection consent expires immediately.[170]
- ‘If the accredited person’s accreditation is revoked or surrendered’: consent expires when the revocation or surrender takes effect.[171]
- ‘If an accredited person becomes a data holder, rather than an accredited data recipient, of particular CDR data’: upon becoming a data holder,[172] all consents in relation to the particular CDR data expire.[173]
- ‘If an affiliate ceases to have a registered sponsor’: upon an affiliate[174] ceasing to have a registered sponsor,[175] any collection consents for the affiliate expire (but any use or disclosure consents continue in effect).[176] The affiliate would be required to notify a CDR consumer of this fact under rule 4.18A of the CDR Rules.
- ‘If another CDR Rule provides that a consent expires’:[177] (there is only one applicable CDR Rule: CDR Rules, subrule 5.1B(6) in relation to affiliates.)
C.104 The expiry of a CDR consumer’s collection consent does not automatically result in expiry of the use consent relating to any CDR data that has already been collected.[178]
C.105 In light of this, where a CDR consumer’s collection consent expires, but their use consent to provide the requested goods or services[179] remains current,[180] the accredited person must notify the consumer as soon as practicable that they may, at any time:[181]
- withdraw the use consent, and
- make an election to delete redundant data in respect of that CDR data.[182]
C.106 This notification must be given in writing, though not through the consumer’s dashboard (a copy of the notification may also be included in the consumer’s dashboard).
C.107 This notification is important because where the collection consent expired as a result of the consumer’s withdrawal, and the CDR consumer did not also withdraw their use consent, the accredited person may continue to use the CDR data it has already collected to provide the requested goods or services.[183] A consumer might not be aware of this.[184]
Notification requirements
Notifications to consumers
C.108 The CDR Rules require an accredited person[185] to provide the following notifications to a CDR consumer about consents, collections and disclosures:
- ‘Notification following consent’: There is a requirement to provide a notice in the form of a CDR receipt to the CDR consumer after they provide, amend or withdraw a consent.[186] The matters that must be included in the CDR receipt are outlined in rule 4.18 of the CDR Rules.[187]
- ‘Ongoing notification for collection and use consents’: There is an ongoing notification requirement regarding the currency of the CDR consumer’s collection and use consents. Rule 4.20 of the CDR Rules requires an accredited person to notify the consumer that their collection consent and/or use consent is still current where 90 days have elapsed since the latest of the following events:[188]
  - the consumer consenting to the collection and/or use of their CDR data
  - the consumer last amending their collection and/or use consents
  - the consumer last using their consumer dashboard, or
  - the accredited person last sending the consumer a notification that their collection consent or use consent is still current.
- ‘Notification if collection consent expires’: Where a CDR consumer’s collection consent expires, but their use consent to provide the requested goods or services remains current, the accredited person must notify the consumer of the matters in rule 4.18A of the CDR Rules as soon as practicable.[189]
- ‘Notification of collection’: There is a requirement to notify the CDR consumer of the collection of their CDR data as soon as practicable after the collection of CDR data.[190]
- ‘Notification of disclosure’: There is a requirement to notify the CDR consumer of the disclosure of their CDR data to an accredited person as soon as practicable after the disclosure of the CDR data.[191]
- ‘Updating the consumer’s dashboard’: There is a general obligation to update the CDR consumer’s dashboard as soon as practicable after the information required to be contained on the consumer dashboard changes.[192]
C.109 Where a CDR representative has obtained consents from the CDR consumer under a CDR representative arrangement, the CDR principal must comply with the notification requirements set out in paragraph C.108.[193] However, the CDR Rules provide that, where a CDR principal is required to provide one of these notifications, the notice may be given through the CDR representative.[194]
Tip
To enhance consumer understanding and reduce the risk of confusion, it may be preferable for the CDR representative, rather than the CDR principal, to provide the notifications required by subdivision 4.3.5 of the CDR Rules. This is because it is the CDR representative, rather than the CDR principal, that has the consumer-facing relationship.
Where this option is chosen, the CDR principal should include an obligation for the CDR representative to provide the notifications as an additional requirement in the written contract (CDR representative arrangement). The CDR principal should further monitor compliance with these obligations, as part of ensuring the CDR representative complies with the minimum requirements of that arrangement.
Where a CDR principal decides it is preferable to provide the notifications required by subdivision 4.3.5 of the CDR Rules themselves, the first time a notification is provided to the consumer, they could consider explaining their relationship to the CDR representative.
The above tips will help the consumer’s informed understanding of these important notifications (as the consumer might otherwise be confused as to why they are being contacted by an entity other than the CDR representative, in relation to the relevant goods or services).
C.110 Data holders also have a general obligation under the CDR Rules to update the CDR consumer’s consumer dashboard as soon as practicable, where there is a change in the information required for that dashboard.[195] In addition, data holders must notify the consumer of the disclosure of their CDR data as soon as practicable after the disclosure of CDR data.[196]
Notifications to CDR participants
C.111 An accredited person must provide the following notifications about consents to CDR participants under the CDR Rules:
- ‘Notification to accredited data recipient if collection consent expires’: Where a CDR consumer’s collection consent expires, and the CDR data is being collected from an accredited data recipient, the accredited person must notify that accredited data recipient of the CDR data, as soon as practicable.[197]
- ‘Notification to data holder if collection consent is withdrawn’: Where a CDR consumer withdraws their collection consent, and the CDR data is being collected from a data holder, the accredited person must notify that data holder of the withdrawal in accordance with the data standards.[198]
- ‘Notification if collection consent is amended’: Where a CDR consumer amends their collection consent, the accredited person must notify the relevant CDR participant/s that the consent has been amended, in accordance with rule 4.18C of the CDR Rules.[199]
- ‘Notification if AP disclosure consent expires’: Where a CDR consumer’s AP disclosure consent expires, the accredited person must notify the accredited data recipient to whom the data is being disclosed, as soon as practicable.[200]
Authorisation
C.112 Before an accredited person can receive a CDR consumer’s CDR data from a data holder, the consumer must authorise the data holder to disclose the particular data to that accredited person.
C.113 After receiving a CDR consumer data request, the data holder must seek the consumer’s authorisation for required or voluntary consumer data in accordance with Division 4.4 of the CDR Rules and the data standards,[201] unless an exception applies.[202]
C.114 For requests that relate to joint accounts, in some cases, the data holder might need to seek an authorisation (known as an ‘approval’) from the other joint account holder/s.[203]
C.115 Once a data holder has received this authorisation it:
- must disclose the required consumer data, and
- may disclose the relevant voluntary consumer data
through its accredited person request service and in accordance with the data standards, unless an exception applies.[204]
C.116 The flow charts below demonstrate the role of authorisation in the key information flow between a CDR consumer, accredited person and data holder.
C.117 If the consumer data request relates to SR data, the primary data holder must request that the secondary data holder provide it with the SR data, so the primary data holder can disclose that SR data to the relevant accredited person.[205] Currently, the energy sector is the only CDR sector with a secondary data holder (AEMO) and SR data.
C.118 For further information on a data holder’s authorisation obligations, see the Guide to privacy for data holders.
Footnotes
[1] Consent is the only basis on which an accredited person may collect CDR data. See Chapter 3 (Privacy Safeguard 3) for information on seeking to collect CDR data.
Consent is the primary basis on which an accredited data recipient of CDR data may use and disclose that data. For example, under Privacy Safeguard 6 an accredited data recipient may use or disclose CDR data where in accordance with the CDR Rules (which requires consent), unless a use or disclosure is required or authorised by law: Competition and Consumer Act, paragraph 56EI(1)(c). For information regarding use or disclosure of CDR data, see Chapter 6 (Privacy Safeguard 6), Chapter 7 (Privacy Safeguard 7), Chapter 8 (Privacy Safeguard 8) and Chapter 9 (Privacy Safeguard 9).
[2] For example, an APP entity can collect personal information (other than sensitive information) if the information is reasonably necessary for one or more of the entity’s functions or activities. See APP Guidelines, Chapter 3 (APP 3) and Chapter B (Key concepts).
[3] See subsection 6(1) of the Privacy Act and APP Guidelines, Chapter B (Key concepts).
[4] See B.49, APP Guidelines, Chapter B (Key concepts).
[5] CDR Rules, rules 4.10 and 4.11.
[6] An accredited person may make a product data request without the involvement of a consumer, in which case consent is not required because it is not CDR data for which there are one or more consumers. For CDR data for which there are one or more consumers, while consent is the only basis on which an accredited person may collect such CDR data, consent is a primary basis on which an accredited person may use and disclose such CDR data. See Chapter 6 (Privacy Safeguard 6), Chapter 7 (Privacy Safeguard 7), Chapter 8 (Privacy Safeguard 8) and Chapter 9 (Privacy Safeguard 9) for further information regarding use and disclosure of CDR data.
[7] CDR Rules, rule 4.3.
[8] CDR Rules, subrule 4.3A(2). See ‘CDR representative arrangement’ and ‘CDR representative’ in Chapter B (Key Concepts).
[9] CDR Rules, subrules 4.3(3) and 4.3A(4). Where a consumer has given a CDR representative consent for a CDR principal to collect their CDR data and disclose it to the CDR representative, the CDR consumer provides the CDR principal (an accredited person) with a valid request.
[10] The accredited person is the CDR principal where the CDR consumer has given the CDR principal a valid request.
[11] CDR Rules, rules 4.4 and 4.7A. For information regarding ‘valid requests’ and ‘consumer data requests’, see Chapter 3 (Privacy Safeguard 3). See also the flow chart underneath paragraph C.15 which demonstrates the points at which a valid request is given by the consumer and consumer data request is made on behalf of the consumer by the accredited person.
[12] CDR Rules, rule 1.7.
[13] Note: Each category of consent (except a ‘collection consent’) refers to an ‘accredited data recipient of particular CDR data’, rather than an ‘accredited person’. This is because, while the entity will be an ‘accredited person’ when seeking this category of consents, the entity would become an ‘accredited data recipient of particular CDR data’ in relation to that consumer upon collecting the relevant CDR data. See Chapter B (Key concepts) which outlines some key words and phrases that are used in the privacy safeguards and CDR Rules, including in relation to consent.
[14] CDR Rules, paragraphs 1.10A(1)(a) and 1.10A(2)(a). If, in response to a collection consent, an accredited person proposes to make an SR data request to a data holder, the request must be made to the primary data holder and not the secondary data holder: CDR Rules, subrules 1.23(1)-(2). If the CDR consumer authorises the primary data holder to disclose the requested data, the primary data holder will then request any SR data it needs to respond to the request from the secondary data holder: CDR Rules, subrule 1.23(4). Under current arrangements, this is only relevant to the energy sector as the only sector with SR data and a secondary data holder (AEMO). For more information on SR data, see Chapter B (Key Concepts).
[15] CDR Rules, paragraphs 1.10A(1)(b) and 1.10A(2)(b).
[16] CDR Rules, rule 1.7 defines a consent as ‘a collection consent, a use consent or a disclosure consent; or such a consent as amended in accordance with these rules’.
[17] CDR Rules, paragraphs 1.10A(1)(c)(i) and 1.10A(2)(e).
Currently the CDR system only requires a consumer’s consent for disclosures to accredited persons. Consent is not required for disclosures to outsourced service providers, however before doing so an accredited person must comply with other requirements in the CDR Rules. See Chapter 6 (Privacy Safeguard 6), Chapter 7 (Privacy Safeguard 7) and ‘outsourced service provider’ in Chapter B (Key Concepts).
[18] CDR Rules, paragraphs 1.10A(1)(d) and 1.10A(2)(c).
[19] CDR Rules, paragraph 1.10A(1)(c)(ii). A ‘disclosure consent’ includes an AP disclosure consent, as well as a consent for an accredited data recipient to disclose CDR data to an accredited person for the purposes of direct marketing.
[20] CDR Rules, paragraph 1.10A(1)(c)(iii).
[21] CDR Rules, subrule 1.10C(4). For the definition of a trusted adviser, including the classes of professions that are listed as trusted advisers, see Chapter B (Key concepts).
[22] CDR Rules, paragraph 1.10A(1)(c)(iv).
[23] CDR Rules, paragraph 1.10A(3)(a)(i)-(iii).
[24] CDR Rules, paragraph 1.10A(3)(b).
[25] See CDR Rules, rule 1.17 and Chapter 12 (Privacy Safeguard 12) for further information on the CDR data de-identification process.
[26] ‘General research’ is defined in CDR Rules, rule 1.7 to mean research undertaken by an accredited data recipient with CDR data de-identified in accordance with the CDR Rules that does not relate to the provision of goods or services to any particular consumer.
[27] CDR Rules, subrule 1.10A(5). See C.29 for more information.
[28] CDR Rules, paragraph 4.12(3)(a) (and as modified by subrule 4.3C(1) in relation to CDR representatives).
[29] See the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 at [7].
[30] For example, where the consumer wishes to allow the accredited data recipient to keep using their CDR data so they may continue to receive the relevant good or service. Where a consumer withdraws both their collection consent and use consent, it is likely the CDR data would become redundant data that must be deleted or de-identified under Privacy Safeguard 12, unless an exception applies. For further information, see paragraphs C.91 to C.100 (‘Effect of withdrawing consent’).
[31] The ‘categories’ of consent are listed at CDR Rules, subrule 1.10A(2) and defined by reference to the ‘types’ of consents listed at CDR Rules, paragraph 1.10A(1).
[32] These requirements are modified in relation to CDR representatives seeking consent by CDR Rules, rule 4.3C.
[33] Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, 13, which provides that an accredited person must ask for consent in accordance with Division 4.3 of the CDR Rules which now encompass provisions relating to all types and categories of consent. See also CDR Rules, subrule 4.3(2). Where a CDR representative is seeking consent from the consumer for their CDR principal to collect CDR data, the requirements in Division 4.3 are modified in relation to CDR representatives by CDR Rules, rule 4.3C.
[34] CDR Rules, rule 4.9. The Explanatory Statement to the CDR Rules, together with the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, provides that the CDR Rules are intended to ensure that all consents sought in the CDR system are transparent and that consumers understand the potential consequences of what they are consenting to.
[35] CDR Rules, rule 4.10.
[36] CDR Rules, rule 4.11.
[37] CDR Rules, rule 4.12.
[38] A person is entitled, under section 128 of the Corporations Act 2001, to make the assumptions set out in section 129 of that Act when dealing with corporations, including that persons held out by the company as directors, officers and agents are duly appointed and have authority to exercise customary powers.
[39] CDR Rules, rule 4.3A.
[40] As the Division 4.3 requirements are drafted to apply to accredited persons seeking consent, CDR Rules, subrule 4.3C(1) sets out how these are to be modified to apply to unaccredited CDR representatives seeking consent.
[41] CDR Rules, subrule 4.3C(2).
[42] CDR Rules, subrule 4.3A(2).
[43] CDR Rules, subrules 1.10A(c) and 4.3A(3).
[44] See CDR Rules, rule 5.1B. In particular, where CDR data is to be collected from a data holder, the affiliate must ask their sponsor to collect it as an affiliate cannot collect directly from a data holder: CDR Rules, subrule 5.1B(3).
[45] See the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 at [6].
[46] CDR Rules, subrule 4.12B(3).
[47] That is, the goods or services requested by the consumer as part of their valid request in CDR Rules, paragraph 4.3(1)(a).
[48] It is optional for accredited persons to offer a consent amendment functionality in the consumer dashboard: see CDR Rules, paragraphs 4.12B(2)(a) and 1.14(2A).
[49] CDR Rules, subrule 4.12B(2).
[50] CDR Rules, subrule 4.12B(3). See paragraphs C.101 to C.107 and CDR Rule 4.14 for information on when consent expires.
[51] CDR Rules, subrule 4.12B(4).
[52] Example adapted from the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, 15.
[53] Sending the consumer an offer to renew existing goods or services when they expire is direct marketing, and is only permitted if the accredited person has obtained a direct marketing consent from the consumer to send them information for these purposes. See Competition and Consumer Act, subsection 56EJ(1) and CDR Rules, paragraph 7.5(3)(a)(ii). For further information on this requirement, see Chapter 7 (Privacy Safeguard 7).
[54] This is as a result of CDR Rules, subrule 4.12(1), which provides that the duration of a consent cannot exceed 12 months.
[55] CDR Rules, subrule 4.12C(1).
[56] The exceptions are contained in subrule 4.12C(2) of the CDR Rules and allow certain details of the existing consent to be presented as pre-selected options (namely, the details covered by CDR Rules, paragraphs 4.11(1)(a), (b) and (ba)). They also require additional information to be presented to the consumer to explain: the consequences of amending consent; and that the accredited person would be able to continue to use CDR data already disclosed to it to the extent allowed by the amended consent.
[57] CDR Rules, rule 4.18C.
[58] CDR Rules, rule 4.12A. As per the note to this CDR Rule, it is not possible for the consumer to specify a different date or time.
[59] CDR Rules, rule 4.10. The consumer experience standards are data standards regarding the obtaining and withdrawal of consents, the collection and use of CDR data, and the types of CDR data and description of those types to be used by CDR participants when making requests. Further information is available in Chapter B (Key concepts).
[60] CDR Rules, rule 4.10.
[61] CDR Rules, rule 4.10. The ‘Consumer Experience Guidelines’ provide best practice interpretations of several CDR Rules relating to consent and are discussed in Chapter B (Key concepts).
[62] CDR Rules, rule 4.10. Bundled consent refers to the ‘bundling’ together of multiple requests for a consumer’s consent to a wide range of collections, uses and/or disclosures of CDR data, without giving the consumer the opportunity to choose which collections, uses or disclosures they agree to and which they do not.
[63] Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, 14. Indeed, accredited persons are required to provide links to their CDR policy at certain points in the consent-seeking process, for example when providing information about outsourced service providers (CDR Rules, paragraphs 4.11(3)(f)(i) and (ii)) and general research (CDR Rules, subrule 4.15(c)).
[64] Including both an AP disclosure consent (as defined in CDR Rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to disclose that CDR data to another accredited person for the purposes of direct marketing: CDR Rules, paragraph 1.10A(1)(c)(ii).
[65] CDR Rules, paragraphs 4.11(1)(a)(i) and 4.11(1)(c) and subrule 4.11(2).
[66] CDR Rules, paragraphs 4.11(1)(b) and 4.11(1)(c), and subrules 4.11(2) and 4.12(1).
[67] Including a de-identification consent (as defined in CDR Rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to use that CDR data for the purposes of direct marketing (as per CDR Rules, rule 1.10A).
[68] CDR Rules, paragraphs 4.11(1)(a)(ii) and 4.11(1)(c) and subrule 4.11(2).
[69] Including both an AP disclosure consent (as defined in CDR Rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to disclose that CDR data to another accredited person for the purposes of direct marketing: CDR Rules, paragraph 1.10A(1)(c)(ii).
[70] CDR Rules, paragraph 4.11(1)(ba) and subrule 4.11(2).
[71] CDR Rules, paragraph 4.11(1)(c).
[72] CDR Rules, subrule 4.11(2).
[73] CDR Rules, paragraph 4.12C(2)(a).
[74] For example, where this would assist the consumer to make an informed decision as to how they would like to amend their consent.
[75] For example, where the consumer’s request covers voluntary consumer data, the data holder may decide to charge the accredited person a fee. For information regarding ‘required consumer data’ and ‘voluntary consumer data’, see Chapter B (Key concepts).
[76] CDR Rules, paragraph 4.11(1)(d).
[77] CDR Rules, paragraph 4.11(3)(d).
[78] CDR Rules, paragraph 4.11(1)(d).
[79] CDR Rules, paragraph 4.11(3)(a).
[80] CDR Rules, paragraph 4.11(3)(b). Where a CDR representative is seeking consent, it must instead include the CDR principal’s name and accreditation number, the fact that the data will be collected by the CDR principal at the CDR representative’s request, a link to the CDR principal’s CDR policy, and a statement that the CDR consumer can obtain further information about collections or disclosures from the CDR principal’s CDR policy: CDR Rules, subrule 4.11(3) as modified by rule 4.3C.
[81] CDR Rules, subrule 4.12(2).
[82] CDR Rules, rule 1.8.
[83] Including a de-identification consent (as defined in CDR Rules, rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to use that CDR data for the purposes of direct marketing (as per CDR Rules, rule 1.10A).
[84] CDR Rules, paragraph 4.11(3)(c). For further information regarding the data minimisation principle, see Chapter B (Key concepts).
[85] CDR Rules, paragraph 4.11(3)(c)(i).
[86] CDR Rules, paragraph 4.11(3)(c).
[87] CDR Rules, paragraph 4.11(3)(c)(i).
[88] Including a de-identification consent (as defined in CDR Rules, rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to use that CDR data for the purposes of direct marketing (as per CDR Rules, rule 1.10A).
[89] CDR Rules, paragraph 4.11(3)(c)(ii).
[90] CDR Rules, paragraph 4.11(3)(ca).
[91] For further information regarding outsourced service providers, see Chapter B (Key concepts).
[92] CDR Rules, paragraph 4.11(3)(f). An accredited data recipient’s CDR policy must include, amongst other things, a list of outsourced service providers, the nature of their services, the CDR data and classes of CDR data that may be disclosed to those outsourced service providers. For further information, see Chapter 1 (Privacy Safeguard 1) and the Guide to developing a CDR policy.
[93] Where a CDR representative is seeking consent from the CDR consumer, this requirement applies to outsourced service providers engaged by their CDR principal where CDR data may be disclosed to or collected by one of those providers, and a link to the CDR principal’s CDR policy should be provided: CDR Rules, paragraph 4.11(3)(f) as modified by rule 4.3C.
[94] CDR Rules, paragraph 4.11(3)(g).
[95] CDR Rules, paragraph 4.11(3)(h)(i) and subrule 4.17(1).
[96] That is, because the accredited person communicated (when seeking consent) a general policy of de-identifying redundant data.
[97] That is, because the accredited person communicated (when seeking consent) a general policy of deciding, when the CDR data becomes redundant, whether to delete or de-identify the redundant data.
[98] CDR Rules, paragraph 4.11(1)(e) and rule 4.16. The accredited person must allow the consumer to make this election when providing consent to the accredited person in relation to their CDR data, and at any other point in time before the consent expires (CDR Rules, subrule 4.16(1)).
[99] CDR Rules, paragraph 4.11(3)(h).
[100] CDR Rules, paragraph 4.12C(2)(b).
[101] CDR Rules, paragraphs 4.17(2)(a), 4.17(2)(b). The prescribed process is the CDR data de-identification process outlined in rule 1.17. Further information on the CDR data de-identification process is in Chapter 12 (Privacy Safeguard 12).
[102] CDR Rules, paragraph 4.17(2)(a).
[103] CDR Rules, paragraph 4.17(2)(c).
[104] See CDR Rules, subrule 4.3(2B) and paragraph 4.11(3)(i). Where a CDR representative asks a consumer for consent, the requirement to include this information is replaced by a requirement to include certain information about the CDR principal – see footnote 91 for more information.
[105] CDR Rules, paragraph 4.11(3)(e) and rule 4.15.
[106] The CDR data de-identification process is outlined in CDR Rules, rule 1.17. More information on this requirement is in Chapter 12 (Privacy Safeguard 12).
[107] ‘General research’ is defined in CDR Rules, rule 1.7 to mean research undertaken by an accredited data recipient with CDR data de-identified in accordance with the CDR Rules that does not relate to the provision of goods or services to any particular CDR consumer. An example is product or business development: Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 at [21].
[108] For example, a benefit may include the accredited data recipient paying a fee to the consumer for using their data or providing a discount on the services they provide to the consumer: ACCC, CDR Rules Expansion Amendments Consultation Paper, September 2020, 48.
[109] CDR Rules, paragraph 4.11(3)(c). For further information regarding the data minimisation principle, see paragraphs C.53 to C.57 and Chapter B (Key concepts).
[110] CDR Rules, subrule 4.12C(3).
[111] See Chapter 12 (Privacy Safeguard 12) for information on when CDR data will become ‘redundant data’ that must be deleted or de-identified in accordance with the CDR Rules, unless an exception applies.
[112] Example from Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020, 16.
[113] CDR Rules, rule 4.12.
[114] The data minimisation principle is discussed in Chapter B (Key concepts), and at paragraph C.53 of this Chapter C.
[115] See CDR Rules, subrule 1.10A(2).
[116] For example, where an accredited person receives information such as BSB numbers and account numbers as part of a consumer’s payee list, the accredited person is prohibited from using that information to discover the name or identity of the payee or compile insights or a profile of that payee.
[117] CDR Rules, subrule 4.12(4).
[118] CDR Rules, rule 1.14.
[119] See CDR Rules, subrule 1.7(5). For information regarding CDR outsourcing arrangements, see Chapter B (Key concepts).
[120] CDR Rules, subrule 1.14(5).
[122] For further information regarding ‘valid requests’, see CDR Rules, rule 4.3 and Chapter 3 (Privacy Safeguard 3).
[123] Privacy Safeguard 5 requires an accredited person to notify the consumer of the collection of their CDR data by updating the consumer’s dashboard as soon as practicable to include certain matters. For further information, see CDR Rules, rule 7.4 and Chapter 5 (Privacy Safeguard 5) of the CDR Privacy Safeguard Guidelines.
[124] CDR Rules, subrule 1.14(3).
[125] Including a de-identification consent (as defined in CDR Rules, rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to use that CDR data for the purposes of direct marketing (as per CDR Rules, rule 1.10A).
[126] CDR Rules, paragraph 1.14(3)(ea).
[127] Privacy Safeguard 5 requires an accredited person to notify the consumer of the collection of their CDR data by updating the consumer’s dashboard to include certain matters. For further information, see CDR Rules, rule 7.4 and Chapter 5 (Privacy Safeguard 5).
[128] Privacy Safeguard 10 requires an accredited data recipient to notify the consumer of the disclosure of their CDR data to an accredited person by updating the consumer’s dashboard to include certain matters. For further information, see CDR Rules, subrule 7.9(2) and Chapter 10 (Privacy Safeguard 10).
[129] CDR Rules, subrule 7.9(3).
[130] CDR Rules, subrule 7.9(4).
[131] An affiliate is a person with sponsored accreditation who has entered into a sponsorship arrangement with another person with unrestricted accreditation (the ‘sponsor’). See Chapter B for more information.
[132] CDR Rules, paragraph 1.14(3)(ha).
[133] CDR Rules, subrule 1.14(3A).
[134] CDR Rules, paragraph 1.14(1)(c).
[135] CDR Rules, paragraph 1.14(1)(c).
[136] See paragraphs C.32 to C.41 for information on amending consents.
[137] Energy consumers may be eligible CDR consumers even if they do not have an online account with their retailer: see Chapter B (Key concepts) for further information. For eligible energy consumers without an online account, the retailer must offer the CDR consumer a dashboard and provide it if the CDR consumer accepts: CDR Rules, clause 2.3 of Schedule 4. For other CDR consumers, each data holder must provide a consumer dashboard: CDR Rules, rule 1.15.
[138] CDR Rules, rule 1.15.
[139] CDR Rules, subrule 4.13(2). Rule 4.13 applies as if the primary data holder were the data holder for any SR data covered by an SR data request: CDR Rules, subrule 1.23(10). For more information on SR data, see Chapter B (Key Concepts).
[140] CDR Rules, subrule 4.18B(2).
[141] Where the CDR consumer withdraws a consent that was originally given to a CDR representative, it is the CDR principal under the CDR representative arrangement who must notify the data holder and accredited data recipient – CDR Rules, subrules 4.13(2) and 4.18B(2) as modified by subrule 4.3C(1).
[142] CDR Rules, subrule 4.18B(3).
[143] CDR Rules, rule 4.13. A consumer must be enabled by an accredited person to independently withdraw each type of consent. For example, where a consumer provided a collection consent and use consent, the consumer can choose to withdraw only the collection consent. See the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 at [7].
[144] Where the CDR consumer withdraws a consent that was originally given to a CDR representative, it is the CDR principal under the CDR representative arrangement that must allow the consumer to withdraw consent via their consumer dashboard, or by an alternative method made available by the CDR principal for that purpose.
[145] CDR Rules, paragraph 1.14(1)(c).
[146] CDR Rules, subrule 4.13(1).
[147] Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2020.
[148] For information about the use and disclosure of CDR data for direct marketing, see Chapter 7 (Privacy Safeguard 7).
[149] The Consumer Experience Standards are available on the Consumer Data Standards website, consumerdatastandards.gov.au.
[150] CDR Rules, paragraphs 4.14(1)(a) and (1)(b).
[151] CDR Rules, paragraph 4.13(2)(b). Where the CDR consumer withdraws a consent that was originally given to a CDR representative, it is the CDR principal under the CDR representative arrangement who must notify the data holder: CDR Rules, subrule 4.13(2) as modified by subrule 4.3C(1). When a data holder is notified of the withdrawal of the collection consent, the authorisation given by the consumer to the data holder to disclose that CDR data expires: see CDR Rules, paragraph 4.26(1)(d).
[152] Including a de-identification consent (as defined in CDR Rules, rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to use that CDR data for the purposes of direct marketing (as per CDR Rules, rule 1.10A).
[153] Including both an AP disclosure consent (as defined in CDR Rules, rule 1.10A) and a direct marketing consent for an accredited data recipient of particular CDR data to disclose that CDR data to another accredited person for the purposes of direct marketing: CDR Rules, paragraph 1.10A(1)(c)(ii).
[154] An accredited person may only collect CDR data in response to a ‘valid request’ from a consumer: Competition and Consumer Act, section 56EF. A request ceases to be ‘valid’ if the consumer withdraws their collection consent: CDR Rules, subrule 4.3(4). However, if the consumer does not also withdraw their use consent, the accredited person may continue to use the CDR data it has already collected to provide the requested goods or services: see the note under CDR Rules, subrule 4.3(4). See further CDR Rules, rule 4.18A for ongoing notification requirements in this circumstance. For further information, see Chapter 3 (Privacy Safeguard 3).
[155] CDR Rules, subrule 1.23(10). For more information on SR data, see Chapter B (Key Concepts).
[156] More information on ‘redundant data’ and the requirement to destroy or de-identify redundant data is in Chapter 12 (Privacy Safeguard 12).
[157] CDR Rules, paragraph 4.14(1)(b).
[158] CDR Rules, paragraph 4.13(2)(a). Where the CDR consumer withdraws a consent that was originally given to a CDR representative, it is the CDR principal under the CDR representative arrangement who must give effect to the withdrawal.
[159] See CDR Rules, paragraph 1.14(3)(g).
[160] CDR Rules, rule 4.19 requires an accredited person to update the consumer dashboard as soon as practicable after the information required to be contained on the dashboard changes. CDR Rules, rule 4.19 as modified by subrule 4.3C(1) requires the CDR principal under the CDR representative arrangement to make this update where the CDR consumer originally gave consent to a CDR representative.
[161] CDR Rules, subrule 4.13(3) provides that withdrawal of a consent does not affect an election under CDR Rules, rule 4.16 that the consumer’s collected CDR data be deleted once it becomes redundant. CDR Rules, rule 4.16 is discussed in Chapter 12 (Privacy Safeguard 12).
[162] More information on ‘redundant data’ and the requirement to destroy or de-identify redundant data is in Chapter 12 (Privacy Safeguard 12).
[163] CDR Rules, paragraph 4.14(1)(b).
[164] CDR Rules, paragraph 4.14(1)(a).
[165] CDR Rules, paragraph 4.14(1)(e).
[166] CDR Rules, subrule 4.12(1). CDR Rules, paragraph 4.14(1)(d) reinforces this maximum duration by providing that consent expires after the 12 month period after the consent was given.
[167] CDR Rules, paragraph 4.14(1)(d).
[168] CDR Rules, subrule 4.14(1A).
[169] CDR Rules, subrule 4.14(1B).
[170] CDR Rules, subrule 4.14(1B).
[171] A revocation or surrender takes effect when the fact that the accreditation has been revoked or surrendered is included in the Register of Accredited Persons: CDR Rules, rule 5.22. For further information, see the ACCC’s Accreditation Guidelines.
[172] As a result of subsection 56AJ(4) of the Competition and Consumer Act and related clause 7.2 of Schedule 3.
[173] CDR Rules, subrule 4.14(1C).
[174] An affiliate is a person with sponsored accreditation who has entered into a sponsorship arrangement with another person with unrestricted accreditation (the ‘sponsor’). See Chapter B (Key concepts) for more information.
[175] For example, this would occur if the sponsorship arrangement between the sponsor and affiliate terminates.
[176] CDR Rules, paragraph 4.14(1)(f) and subrule 5.1B(6).
[177] CDR Rules, paragraph 4.14(1)(f).
[178] See the note under CDR Rules, subrule 4.3(4). See also the Explanatory Statement to the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 3) 2020 at [8].
[179] Being the goods or services requested under CDR Rules, subrule 4.3(1) as part of the valid request.
[180] For example, because the consumer withdraws only their collection consent.
[181] CDR Rules, rule 4.18A.
[182] See CDR Rules, rule 4.16.
[183] See the note under CDR Rules, subrule 4.3(4).
[184] An accredited data recipient must also provide a statement in its CDR policy indicating the consequences to the consumer for withdrawing a consent to collect and use CDR data: CDR Rules, paragraph 7.2(4)(a).
[185] However, these notification requirements do not apply to an accredited person acting on behalf of a principal in its capacity as the provider of an outsourced service arrangement, in accordance with the arrangement: see CDR Rules, subrule 1.7(5). For information on ‘CDR outsourcing arrangements’, see Chapter B (Key concepts), ‘Outsourced service provider’.
[186] CDR Rules, subrule 4.18(1).
[187] CDR Rules, subrule 4.18(1). A CDR receipt must be given in writing other than through the consumer dashboard (although a copy of the CDR receipt may be included in the consumer’s consumer dashboard). For more information, see CDR Rules, rule 4.18.
[188] CDR Rules, subrules 4.20(3) and (4) state that this notification must be given in writing otherwise than through the consumer’s consumer dashboard; however, a copy may be included on the consumer dashboard.
[189] CDR Rules, rule 4.18A. For further information on when a consent expires, see paragraphs C.101 to C.107.
[190] Privacy Safeguard 5 requires an accredited data recipient to notify the consumer of the collection of their CDR data by updating the consumer’s consumer dashboard to include certain matters. For further information, see CDR Rules, rule 7.4 and Chapter 5 (Privacy Safeguard 5).
[191] Privacy Safeguard 10 requires an accredited data recipient to notify the consumer of the disclosure of their CDR data to an accredited person by updating the consumer’s consumer dashboard to include certain matters. For further information, see CDR Rules, subrules 7.9(2), 7.9(3) and 7.9(4) and Chapter 10 (Privacy Safeguard 10).
[192] CDR Rules, rule 4.19.
[193] CDR Rules, subdivision 4.3.5 as modified by rule 4.3C.
[194] CDR Rules, subdivision 4.3.5 as modified by paragraph 4.3C(1)(l).
[195] CDR Rules, rule 4.27.
[196] Privacy Safeguard 10 requires a data holder to notify the consumer of the collection of their CDR data by updating the consumer’s consumer dashboard to include certain matters. For further information, see CDR Rules, rule 7.9 and Chapter 10 (Privacy Safeguard 10).
[197] CDR Rules, subrule 4.18B(2).
[198] CDR Rules, subrule 4.13(2).
[199] For further information on the requirements under CDR Rules, rule 4.18C, see paragraph C.39.
[200] CDR Rules, subrule 4.18B(3).
[201] See CDR Rules, rule 4.5.
[202] See CDR Rules, rule 4.7.
[203] See CDR Rules, subdivision 4A.3.2, which sets out how consumer data requests to data holders that relate to joint accounts are handled in the CDR system.
[204] See CDR Rules, rule 4.6A.
[205] It is not mandatory for the secondary data holder to disclose the requested SR data to the primary data holder: CDR Rules, subrule 1.22(4). However, if a secondary data holder chooses not to disclose the requested SR data to the primary data holder, it must notify the primary data holder of its refusal: CDR Rules, subrule 1.22(5). For more information on SR data and primary data holders, see Chapter B (Key Concepts).