Publication date: 30 April 2024

In the CDR system, an outsourced service provider (OSP) is a person engaged by an accredited person, CDR representative, or other OSP (the ‘OSP principal’) to handle service data under a CDR outsourcing arrangement. This arrangement is a written contract that must meet the requirements described in Rule 1.10 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Rules 2020).

This page outlines the privacy obligations for OSPs. The main privacy obligation for an OSP is to comply with the terms of its written contract with the OSP principal that engaged them. This page contains the following topics (which explain what the written contract is, and outlines its key minimum terms):

  • OSP chains
  • Collection
  • Use and disclosure
  • Information security
  • Deletion
  • Access

For information on the privacy obligations for OSP principals (including accredited persons, CDR representatives or other OSPs engaging OSPs under a CDR outsourcing arrangement), see CDR outsourcing arrangements: Privacy obligations for principals. For more information on CDR outsourcing arrangements generally, see the CDR Privacy Safeguard Guidelines.

You should read this guidance together with the full text of Division 5 of Part IVD of the Competition and Consumer Act 2010 and the CDR Rules. This guidance is not legally binding and does not constitute legal advice. An entity may wish to seek independent legal advice where appropriate.

Key Points

  • In the CDR system, an outsourced service provider (OSP) is a person engaged by an accredited person, CDR representative, or other OSP (the ‘OSP principal’) to handle service data under a CDR outsourcing arrangement. The OSP being engaged is the ‘provider’ in that arrangement.
  • An ‘OSP chain principal’ is the initial OSP principal at the top of the chain, in a chain of CDR outsourcing arrangements.
  • An OSP is a person who does one or both of the following:
    • collects CDR data from a CDR participant on behalf of its OSP chain principal (if the OSP chain principal has unrestricted accreditation) in accordance with the CDR Rules
    • provides goods or services to its OSP principal by using or disclosing service data (being data that was collected by, or disclosed to, the OSP under the relevant CDR outsourcing arrangement).
  • An OSP must have a written contract in place with its OSP principal (known as a ‘CDR outsourcing arrangement’) that meets the requirements set out in CDR Rules, subrule 1.10(3).
  • An OSP must comply with the terms of its CDR outsourcing arrangement.  The OSP’s obligations under the arrangement are outlined in this resource.
  • An OSP is not required to be accredited.

Written contract

An OSP must have a ‘CDR outsourcing arrangement’ with its OSP principal that meets the minimum requirements set out in CDR Rules, subrule 1.10(3).

A CDR outsourcing arrangement is a written contract between the OSP and an OSP principal under which the OSP will do one or both of the following:

  • collect CDR data from a CDR participant on behalf of  its OSP chain principal (if the OSP chain principal has unrestricted accreditation) in accordance with the CDR Rules;
  • provide goods or services to its OSP principal by using or disclosing service data.

The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data of a CDR consumer of the OSP chain principal, that is:

  • collected by the OSP on behalf of the OSP chain principal under the arrangement
  • disclosed to the OSP by the OSP chain principal for the purposes of the relevant arrangement
  • disclosed to the OSP by another direct or indirect OSP of the OSP chain principal in accordance with the relevant arrangement, or
  • directly or indirectly derived from the above.

The minimum terms that must be contained in the CDR outsourcing arrangement are listed in CDR Rule, subrule 1.10(3) and described in this page.

Privacy tip:

An OSP may be required by their OSP principal to participate in certain activities to ensure compliance with their CDR outsourcing arrangement. These could include:

  • undertaking review and assurance activities at least annually
  • regular reporting against the OSP’s compliance with the CDR outsourcing arrangement, and/or
  • any appropriate assistance or training in technical and compliance matters provided by the OSP principal.

Prior to entering CDR outsourcing arrangements, an OSP principal may undertake due diligence on a proposed OSP, with a focus on personal information handling capabilities, procedures and practices.

OSP chains

The CDR Rules allow OSPs to engage other OSPs under further CDR outsourcing arrangements.

An ‘OSP chain principal’ is the initial ‘OSP principal’ at the top of the chain, in a chain of CDR outsourcing arrangements. An OSP chain principal must be either an accredited person or CDR representative.

Where the initial person in a chain enters a CDR outsourcing arrangement with an OSP, the person is the ‘OSP principal’ and the OSP is the ‘provider’ in the arrangement. The provider is also the ‘direct OSP’ of that initial person in the chain.

Where that OSP enters a further CDR outsourcing arrangement with another OSP, the other OSP is an ‘indirect OSP’ of the initial person. The direct OSP becomes the OSP principal in this further outsourcing arrangement.

This can be applied repeatedly so there may be a chain of indirect OSPs for each direct OSP of the OSP chain principal at the top of the chain.

An OSP’s privacy obligations under the arrangement are outlined in the following sections of this document.

Information on the privacy obligations for OSP principals can be found in CDR outsourcing arrangements: Privacy obligations for a principal of an outsourced service provider.

Collection

Where an OSP has been engaged to collect CDR data on behalf of an OSP chain principal with unrestricted accreditation, the OSP must collect the CDR data in accordance with the CDR Rules. For example, this means an OSP can only collect CDR data if the OSP chain principal has obtained the relevant consent from the consumer.

Holding, using and disclosing service data

When holding, using or disclosing service data, an OSP must comply with the following as if it were the OSP principal:

  • the OSP principal’s CDR policy in relation to the deletion and de-identification of CDR data and the treatment of redundant or de-identified data
  • Privacy Safeguard 4 (destroying unsolicited CDR data)
  • Privacy Safeguard 6 (use or disclosure of CDR data)
  • Privacy Safeguard 7 (use or disclosure of CDR data for direct marketing)
  • Privacy Safeguard 8 (overseas disclosure of CDR data), and
  • Privacy Safeguard 9 (adoption or disclosure of government-related identifiers).

In addition, a CDR outsourcing arrangement must include requirements that the OSP:

  • not disclose service data other than:
    • to another direct or indirect OSP of the OSP chain principal
    • to the OSP chain principal
    • in circumstances where the disclosure of the service data by the OSP chain principal would be permitted under the Rules
  • not use or disclose service data other than in accordance with the CDR outsourcing arrangement
  • ensure its own OSPs (if it is the OSP principal in further outsourcing) comply with their respective CDR outsourcing arrangements, including in relation to service data disclosed to them by the OSP chain principal or another direct or indirect OSP of the OSP chain principal.

Information security

An OSP must take the steps in Schedule 2 of the CDR Rules to protect the service data as if it were an accredited data recipient. This includes the implementation of minimum information security controls outlined in Part 2 of Schedule 2, such as data segregation (to segregate data held by an entity in its capacity as an OSP from data held by that entity in its other capacities).

For guidance on the steps in Schedule 2, see Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).

Deletion and access

An OSP must, when directed by its OSP principal or the OSP chain principal:

  • provide that person with access to any service data that it holds
  • delete any service data that it holds in accordance with the CDR data deletion process, and make the records required as part of that process (see CDR Rules, rule 1.18)
  • provide that person with these records of deletion, and
  • direct any other person to which it has disclosed the service data under a further CDR outsourcing arrangement to take corresponding steps.

An OSP must, when directed by the CDR representative principal of the OSP chain principal (where the OSP chain principal is a CDR representative):

  • delete any service data that it holds in accordance with the CDR data deletion process, and make the records required as part of that process (see CDR Rules, rule 1.18)
  • provide the CDR representative principal with these records of deletion, and
  • direct any other person to which it has disclosed the service data under a further CDR outsourcing arrangement to take corresponding steps.

For information on the CDR deletion process please see CDR Rules, rule 1.18 and Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).

Collection by accredited OSPs

While there is no requirement for an OSP to be accredited under the CDR system, some accredited persons may be engaged in an OSP capacity.

Where an OSP is an accredited person and, in its capacity as a direct or indirect OSP, collects CDR data on behalf of an OSP chain principal, certain obligations are adjusted under the CDR Rules to ensure that there is no duplication. These are:

  • Privacy Safeguard 5 and CDR Rules, rule 7.4 – only the principal needs to notify the consumer of the collection of the CDR data.
  • Privacy Safeguard 10 and CDR Rules, rule 7.9 – only the principal needs to notify the consumer of the disclosure of CDR data.
  • Privacy Safeguard 11 and CDR Rules, subparagraph 7.10(1)(a) – only the principal needs to be identified as the accredited data recipient to whom the incorrect CDR data was disclosed.

For further information see CDR Rules, subrule 1.16(5).