Publication date: 2 May 2024

In the CDR system, an outsourced service provider (OSP) may be engaged by an ‘OSP principal’ to handle service data under a CDR outsourcing arrangement. This arrangement is a written contract that must meet the requirements described in Rule 1.10 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021). An OSP principal may be an accredited person, CDR representative or existing OSP.

This page outlines the privacy obligations for OSP principals when they engage OSPs, which fall under the following topics:

  • Written contract
  • OSP chains
  • Liability
  • Consent
  • Disclosure
  • CDR policy
  • Restrictions for affiliates and CDR representatives

Where an OSP principal is an accredited person or CDR representative, these obligations apply in addition to the principal’s privacy and/or contractual obligations in that capacity (for example, to comply with the privacy safeguards).

In all circumstances of outsourcing, OSP chain principals (or CDR representative principals) must be aware of their additional liability for the actions of their OSPs, including the actions of any OSPs engaged under further CDR outsourcing arrangements.

For information on the privacy obligations for OSPs, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers. For more information on CDR outsourcing arrangements generally, see the CDR Privacy Safeguard Guidelines.

You should read this guidance together with the full text of Division 5 of Part IVD of the Competition and Consumer Act 2010 and the CDR Rules. This guidance is not legally binding and does not constitute legal advice. An entity may wish to seek independent legal advice where appropriate.

Key Points

  • An accredited person, CDR representative or OSP is an ‘OSP principal’ when they engage an OSP under a CDR outsourcing arrangement. The OSP being engaged is the ‘provider’ in that arrangement.
  • An ‘OSP chain principal’ is the initial OSP principal at the top of the chain, in a chain of CDR outsourcing arrangements.
  • An OSP is a person who does one or both of the following:
    • collects CDR data from a CDR participant on behalf of its OSP chain principal (if the OSP chain principal has unrestricted accreditation) in accordance with the CDR Rules
    • provides goods or services to its OSP principal by using or disclosing service data (being data that was collected by, or disclosed to, the OSP under the relevant CDR outsourcing arrangement).
  • An OSP principal must have a written contract in place with the OSP (known as a ‘CDR outsourcing arrangement’) that meets the requirements set out in CDR Rules, subrule 1.10(3).
  • The accreditation status of an entity affects the range of purposes for which they can engage an OSP. Only OSP chain principals with unrestricted accreditation can engage an OSP to collect CDR data on their behalf.
  • An OSP chain principal who is an accredited person is liable for the handling of CDR data by their direct or indirect OSPs, regardless of whether that handling is in accordance with a relevant CDR outsourcing arrangement. Where the OSP chain principal is a CDR representative, the CDR representative principal (the accredited person who engaged the CDR representative) is ultimately liable for the direct or indirect OSPs of that CDR representative.

Written contract

An OSP principal must have a ‘CDR outsourcing arrangement’ with their OSP that meets the requirements set out in CDR Rules, subrule 1.10(3).

A CDR outsourcing arrangement is a written contract between the OSP principal and the OSP under which the OSP will do one or both of the following:

  • collect CDR data from a CDR participant on behalf of its OSP chain principal (if the OSP chain principal has unrestricted accreditation) in accordance with the CDR Rules
  • provide goods or services to its OSP principal by using or disclosing service data.

The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data of a CDR consumer of the OSP chain principal, that is:

  • collected by the OSP on behalf of the OSP chain principal under the arrangement
  • disclosed to the OSP by the OSP chain principal for the purposes of the relevant arrangement
  • disclosed to the OSP by another direct or indirect OSP of the OSP chain principal in accordance with the relevant arrangement, or
  • directly or indirectly derived from the above.

The minimum terms that must be contained in the CDR outsourcing arrangement are listed in CDR Rules, subrule 1.10(3) and include a term requiring the OSP to comply with the minimum information security controls in Schedule 2 to the CDR Rules. For more information on the minimum terms, see CDR outsourcing arrangements: Privacy obligations for outsourced service providers.

Privacy Tip: In limited circumstances, providing CDR data to a third party (such as a cloud service provider) for limited purposes may be a use of data, rather than a disclosure. This distinction has implications for whether an accredited person or CDR representative would be required to have a CDR outsourcing arrangement in place. It will constitute a ‘use’ (rather than a ‘disclosure’) of CDR data only if the data remains encrypted at all times, and the third party does not hold or have access to the decryption keys.

This distinction between use and disclosure needs to be carefully considered on a case-by-case basis and depends on the specific technical arrangements in place with the third party. For further information, see Chapter B (Key concepts) (‘Use’).
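The privacy tip above turns on a technical condition: the data stays encrypted the whole time it is with the third party, and the third party never holds or can reach the decryption key. The following Go program is an added illustration of that arrangement and is not code from the OAIC page or from any CDR participant. It assumes AES-256-GCM as the cipher, a hypothetical `Principal` that generates and keeps the key, and a hypothetical `Provider` that stores only opaque blobs; the record content is a constructed sample. Whether a real deployment meets the legal test is still the case-by-case assessment the page describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal models the accredited person or CDR representative. It generates
// the data-encryption key and never hands it to anyone else.
type Principal struct {
	key []byte // 256-bit AES key, held only by the principal
}

// StoredObject is everything the third-party provider ever receives:
// a nonce and AES-GCM ciphertext. It contains no key material.
type StoredObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// Provider models a cloud storage service that stores and returns opaque bytes.
type Provider struct {
	store map[string]StoredObject
}

// NewPrincipal generates a fresh random key for the principal.
func NewPrincipal() (*Principal, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Principal{key: key}, nil
}

func (p *Principal) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(p.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts service data before it leaves the principal. The record ID is
// bound as additional authenticated data, so a blob cannot be presented under
// a different record without detection.
func (p *Principal) Seal(recordID string, plaintext []byte) (StoredObject, error) {
	gcm, err := p.aead()
	if err != nil {
		return StoredObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(recordID))
	return StoredObject{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the provider. Any change to the
// nonce, the ciphertext or the record ID makes it fail.
func (p *Principal) Open(recordID string, obj StoredObject) ([]byte, error) {
	gcm, err := p.aead()
	if err != nil {
		return nil, err
	}
	if len(obj.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(recordID))
}

func NewProvider() *Provider { return &Provider{store: map[string]StoredObject{}} }

func (pr *Provider) Put(id string, obj StoredObject) { pr.store[id] = obj }

func (pr *Provider) Get(id string) (StoredObject, bool) {
	obj, ok := pr.store[id]
	return obj, ok
}

// ExposesPlaintext is a sanity check over what the provider holds: if the
// plaintext appears in the stored bytes, the data was not encrypted first.
func ExposesPlaintext(obj StoredObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext) || bytes.Contains(obj.Nonce, plaintext)
}

func main() {
	principal, err := NewPrincipal()
	if err != nil {
		panic(err)
	}
	provider := NewProvider()
	record := []byte("acct=XXXX-1234 balance=42.00 (constructed sample)") // not real CDR data
	obj, err := principal.Seal("record-1", record)
	if err != nil {
		panic(err)
	}
	provider.Put("record-1", obj)
	stored, _ := provider.Get("record-1")
	fmt.Println("provider sees plaintext:", ExposesPlaintext(stored, record)) // false
	back, err := principal.Open("record-1", stored)
	fmt.Printf("principal decrypts: %q err=%v\n", back, err)
	_, err = principal.Open("record-2", stored)
	fmt.Println("blob presented under wrong record rejected:", err != nil) // true
}
```

The point of the split is that the provider's side of the program has no code path that can recover plaintext: it only stores and returns `StoredObject` values, and the key exists solely inside `Principal`. If the key were also uploaded, or the provider performed the decryption, the arrangement would no longer match the condition in the tip.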

OSP chains

The CDR Rules allow OSPs to engage other OSPs under further CDR outsourcing arrangements.

An ‘OSP chain principal’ is the initial ‘OSP principal’ at the top of the chain, in a chain of CDR outsourcing arrangements. An OSP chain principal must be either an accredited person or CDR representative.

Where the initial person in a chain enters a CDR outsourcing arrangement with an OSP, the person is the ‘OSP principal’ and the OSP is the ‘provider’ in the arrangement. The provider is also the ‘direct OSP’ of that initial person in the chain.

Where that OSP enters a further CDR outsourcing arrangement with another OSP, the other OSP is an ‘indirect OSP’ of the initial person. The direct OSP becomes the OSP principal in this further outsourcing arrangement.

This can be applied repeatedly so there may be a chain of indirect OSPs for each direct OSP of the OSP chain principal at the top of the chain.

Information on the privacy obligations for OSPs can be found in CDR outsourcing arrangements: Privacy obligations for outsourced service providers.

Liability

Liability relating to accredited OSP chain principals

When engaging an OSP, an OSP chain principal who is an accredited person must be aware of their obligations to ensure their OSPs (including any indirect OSPs engaged under further CDR outsourcing arrangements) comply with the requirements under the relevant CDR outsourcing arrangement (CDR Rule 1.16). The OSP chain principal breaches the CDR Rules if any such OSP fails to comply with their arrangement.

An OSP chain principal who is an accredited person is liable for any collection, use or disclosure of service data by its direct or indirect OSPs whether or not the collection, use or disclosure was made in accordance with a relevant CDR outsourcing arrangement (CDR Rule 7.6).

In addition, an OSP chain principal is liable where a direct or indirect OSP fails to comply with privacy safeguards 4 (destruction of unsolicited data), 8 (overseas disclosure) and 9 (government related identifiers) as if it were an accredited person (CDR Rules 7.3B and 7.8B).

Liability relating to OSP chain principals who are CDR representatives

For an OSP chain principal who is a CDR representative, their CDR representative principal (the accredited person who has engaged the CDR representative) is obligated to ensure the OSPs engaged by that CDR representative (including any indirect OSPs engaged under further CDR outsourcing arrangements) comply with the requirements under the relevant CDR outsourcing arrangements (CDR Rules, subrule 1.16(3)). The CDR representative principal breaches the CDR Rules if any such OSP fails to comply with their arrangement.

The CDR representative principal is liable for any use or disclosure of service data by its CDR representative’s direct or indirect OSPs, whether or not the use or disclosure was made in accordance with a relevant CDR outsourcing arrangement (CDR Rule 7.6).

In addition, the CDR representative principal is liable where a direct or indirect OSP of its CDR representative fails to comply with privacy safeguards 4 (destruction of unsolicited data), 8 (overseas disclosure) and 9 (government related identifiers) as if it were an accredited person (CDR Rules 7.3B and 7.8B).

Privacy tip:

An accredited data recipient (ADR) who becomes an OSP chain principal (or an ADR that is a CDR representative principal of a CDR representative who engages OSPs) will be liable for an OSP’s handling of CDR data under a relevant CDR outsourcing arrangement.

As such, where that ADR intends to permit outsourcing of CDR data handling, the ADR should include an additional term in their CDR outsourcing arrangement or CDR representative arrangement to require their direct OSP or CDR representative to comply with the same restrictions and requirements that apply to that ADR’s handling of CDR data and for the same to apply to any outsourcing arrangements, including further outsourcing arrangements. This would include requiring any OSP to comply with the requirements of the Privacy Safeguards, the CDR Rules and the relevant data standards.

The written contract must require the OSP to only handle the service data in accordance with the contract. The written contract should tightly prescribe how an OSP can handle CDR data, and this must align with what the principal would be permitted to do, given that CDR data handled by the provider is taken to have been handled by the OSP chain principal or CDR representative principal.

This will help to reduce the risk that an OSP collects, uses or discloses CDR data in breach of the regulatory framework (a breach that the OSP chain principal or CDR representative principal would be liable for).

Monitoring compliance

As outlined above, the OSP chain principal of one or more direct or indirect OSPs must ensure that each direct and indirect OSP complies with its requirements under the relevant CDR outsourcing arrangement (CDR Rules, subrule 1.16(1)).

A CDR representative principal that permits its CDR representative to engage OSPs must ensure that each direct and indirect OSP of its CDR representative complies with its requirements under the relevant CDR outsourcing arrangement (CDR Rules, subrule 1.16(3)).

OSP chain principals (or if the OSP chain principal is a CDR representative, their CDR representative principal) must ensure sufficient oversight, including that adequate controls and systems are in place to monitor compliance with outsourcing arrangements.

OSP principals in further outsourcing arrangements will have a contractual obligation to ensure their OSPs comply and should ensure sufficient oversight as described in this section.

To ensure adequate control and oversight by OSP principals and OSP chain principals over OSPs, CDR outsourcing arrangements must include a range of obligations on OSPs in relation to access to service data, deleting service data, and providing records of deletion of service data on the request of OSP and OSP chain principals (CDR Rules, subrules 1.10(3)(v) and 1.10(5)).

Privacy tip:

An OSP chain principal (or a CDR representative principal of a CDR representative) who has engaged OSPs is required by CDR Rule 1.16 to ensure that their direct or indirect OSPs (or their CDR representatives’ direct or indirect OSPs) comply with the requirements of the relevant CDR outsourcing arrangement. To assist with compliance with this obligation, the OSP chain principal or CDR representative principal could consider:

  • undertaking review and assurance activities at least annually
  • requiring their OSPs to provide regular reports against compliance with the CDR outsourcing arrangement, and/or
  • providing their OSPs with any appropriate assistance or training in technical and compliance matters.

Prior to entering a CDR outsourcing arrangement, the OSP chain principal or CDR representative principal could undertake due diligence on the proposed OSP (or require their OSPs or CDR representatives to do so before engaging other OSPs), with a focus on its personal information handling capabilities, procedures and practices.

Taking these steps may assist the OSP chain principal or CDR representative principal in avoiding a breach of CDR Rule 1.16, and in doing so, may also assist the OSP chain principal or CDR representative principal in avoiding a breach of other privacy-related CDR Rules (given the OSP chain principal or CDR representative principal is liable for the actions of their OSPs and their CDR representatives’ OSPs).

Listing OSPs in the CDR policy

OSP chain principals or CDR representative principals must include certain information about OSPs in their CDR policy. This includes a list of any of their direct and indirect OSPs and the direct and indirect OSPs of their CDR representatives, the nature of the services that each such OSP provides, and the CDR data or classes of data that may be disclosed to or collected by each OSP.

Further, if any direct or indirect OSP is likely to disclose service data to an overseas-based, unaccredited OSP, the OSP chain principal or CDR representative principal must specify in its CDR policy (if practicable) the countries in which those OSPs are likely to be based.

See CDR Rules, subrule 7.2(4) and the Guide to developing a CDR policy.

Consent

Where CDR data may be disclosed to, or collected by, a direct or indirect OSP, the OSP chain principal or CDR representative principal must provide certain additional information to the consumer when seeking their consent. This includes notifying the consumer of this fact, providing a link to the OSP chain principal or CDR representative principal’s CDR policy, and a statement that the consumer can obtain further information about such disclosures from the policy if desired. See CDR Rules, subparagraph 4.11(3)(f), 4.20E(3)(k) and (l), and Chapter C (Consent).

Disclosure

An OSP principal may disclose CDR data to an OSP in prescribed situations as set out in CDR Rules, subparagraphs 7.5(1)(f) and 7.5(3)(d). This includes disclosing for the purpose of the OSP using CDR data to provide goods or services requested by the consumer in compliance with the data minimisation principle, and disclosing for the purpose of the OSP undertaking specified direct marketing activities in accordance with a direct marketing consent.

Where they are a CDR representative, an OSP principal can only disclose CDR data (including to an OSP) in accordance with the terms of its CDR representative arrangement. That arrangement will include requirements to comply with Privacy Safeguards 6 and 7, and to only disclose data where it would be a permitted disclosure of the kind mentioned in certain paragraphs of CDR Rules, subrules 7.5(1) and (3).

Where an OSP is an OSP principal in a further outsourcing arrangement, the OSP can only disclose CDR data (including to other direct or indirect OSPs of the OSP chain principal) in accordance with the terms of the CDR outsourcing arrangement with their OSP principal.

For further information, please see existing guidance in Chapter 6 (Privacy Safeguard 6) and Chapter 7 (Privacy Safeguard 7).

Restrictions for affiliates and CDR representatives

The accreditation status of an entity affects the range of purposes for which they can engage an OSP:

  • OSP chain principals accredited to the unrestricted level can engage OSPs to collect data on their behalf, or use or disclose data, under a CDR outsourcing arrangement.
  • Entities accredited to the sponsored level (known as affiliates) must not engage an OSP to collect CDR data on their behalf (CDR Rules, subrules 1.10(3)(a)(i) and 5.1B(4)). However, they can engage OSPs to use or disclose data.
  • As unaccredited entities, CDR representatives must not engage an OSP to collect CDR data. However, they can engage an OSP to use or disclose service data, but only where its CDR representative arrangement permits it to do so (CDR Rules, subparagraph 1.10AA(3)(b)).

For further information regarding levels of accreditation please see the ACCC Accreditation Guidelines.