The security and integrity of the Consumer Data Right (CDR) system is upheld by 13 privacy safeguards, contained in the Competition and Consumer Act 2010 and supplemented by the CDR Rules.

The privacy safeguards set out the privacy obligations for participants in the CDR system, which cover, but are not limited to:

  • implementing practices, procedures and systems to ensure compliance with the CDR system
  • having a CDR policy that provides information to consumers about how their CDR data is managed, and how they can make an inquiry or complaint
  • obtaining the consumer’s consent before seeking to collect data
  • using data only for the purpose the consumer consented to
  • restrictions on direct marketing and overseas disclosure
  • quality and correction of data
  • information security requirements around minimum system controls, testing, monitoring, evaluation and reporting
  • deleting or de-identifying redundant data if it is no longer needed (with a right for the consumer to elect for their data to be deleted).

These privacy safeguard obligations and how to comply are set out in our CDR privacy safeguard guidelines.

Data holders and accredited data recipients must also comply with several other privacy obligations in the CDR Rules.

Having a CDR data management plan may help you to ensure you have the practices, procedures and systems to comply with these obligations. A CDR data management plan identifies specific, measurable privacy goals and targets, and sets out how a participant will meet its ongoing compliance obligations. For how to develop a CDR data management plan see CDR Privacy Safeguard Guidelines, chapter 1.

Our Guide to developing a CDR policy is designed to assist accredited data recipients and data holders to prepare and maintain a CDR policy.

For data holders, the applicable privacy obligations, including the privacy safeguards, and CDR Rules relating to authorisation, disclosure and management of records, are set out in the Guide to privacy for data holders.

What happens if there is a data breach?

Accredited data recipients have obligations to respond to information security incidents as soon as practicable under Schedule 2 to the CDR Rules. These include the following obligations:

  • managing all relevant stages of an incident, from detection to post-incident review
  • complying with the Notifiable Data Breaches scheme under the Privacy Act, including obligations to notify consumers and the OAIC about eligible data breaches. An eligible data breach occurs when there is unauthorised access to, or unauthorised disclosure of CDR data, or a loss of CDR data held by a CDR entity, where this is likely to result in serious harm to any of the consumers to whom the data relates
  • notifying the Australian Cyber Security Centre as soon as practicable (and no later than 30 days) after the information security incident occurs.

For more on the obligations in the event of a data breach, see the Notifiable Data Breaches scheme and CDR Privacy Safeguard Guidelines, chapter 12.