Thursday 28 September is International Access to Information Day, which highlights the community’s right to access government information. Learn more about the day and this year's theme: ‘the importance of the online space for access to information’.

Publication date: 23 December 2021

This page outlines the key privacy obligations relating to the disclosure of insights based on a consumer’s CDR data (‘CDR insights’). CDR insights can be shared with any third party, including those that are not accredited under the Consumer Data Right (CDR) system.

CDR insights are intended to allow accredited data recipients to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.

Disclosure of a CDR insight is not permitted under the CDR Rules until the earlier of:

  • 1 February 2022, or
  • the day the Data Standards Chair makes the data standard about the matter (see CDR Rule 7.5A(3)).

These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No.1) 2021). The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

Key points

  • CDR insights are insights based on a consumer’s CDR data. CDR insights remain ‘CDR data’.
  • A consumer can only give a valid consent to disclose a CDR insight where it is for one of the purposes outlined in CDR Rule 1.10A(3)(a)(i)-(iii).
  • An accredited data recipient must not disclose a CDR insight if it includes or reveals sensitive information about a consumer.
  • Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient must not disclose the amount or date of any individual transaction.
  • When seeking consent from a consumer (and prior to disclosure), an accredited data recipient must explain to the consumer what the CDR insight is and what it would reveal or describe about them.
  • If an accredited data recipient intends to disclose an insight to someone outside the CDR system, they must explain to the consumer that the data will not be subject to the same protections under the CDR system.
  • Unaccredited entities that receive CDR insights should consider whether they have any professional or other regulatory obligations (for example, under the Privacy Act 1988) in relation to their handling of a consumer’s data, and ensure they handle data transparently and confidentially.

What is a CDR insight?

CDR insights are insights based on a consumer’s CDR data.

These insights are intended to allow accredited data recipients to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.

Under the CDR Rules, a consumer can provide consent for an accredited data recipient to disclose CDR insights outside the CDR system for these limited purposes. This is known as an ‘insight disclosure consent’.

Insight disclosure consents can be provided by a consumer for the following permitted purposes:

  • to verify the consumer’s identity
  • to verify the consumer’s account balance, or
  • to verify the details of credits to, and debits from, the consumer’s accounts (see CDR Rule 1.10A(3)(a)(i)-(iii)).

In order to have a valid consent to disclose the consumer’s CDR data (for the purposes of CDR Rule 1.10A(3)), an accredited data recipient must ensure that disclosures of CDR data are for one of these permitted purposes.

Privacy tip CDR insights are intended to allow accredited data recipients to disclose CDR data to either confirm, deny, or provide simple information to a person selected by the consumer.

The data minimisation principle in CDR Rule 1.8 of the CDR Rules will apply to accredited data recipients when disclosing CDR insights. This means that an accredited data recipient must not use or collect a consumer’s data beyond what is reasonably needed to provide goods or services.

An accredited data recipient should therefore only disclose the minimum data required to provide the consumer with the relevant service.

Disclosing CDR data for a purpose that is not permitted under the CDR Rules will breach Privacy Safeguard 6 and be a breach of the CDR Rules, in particular CDR Rules 7.6(1) and 7.5(1)(ca), and may result in civil penalties.

Some examples of use cases for insights that will likely comply with these permitted purposes are provided below:

  • confirming the consumer’s account balance at a specific point in time (as this is for the purpose of verifying the consumer’s account balance – CDR Rule 1.10A(3)(a)(ii))
  • confirming whether a consumer’s account balance is over a certain amount (as this is for the purpose of verifying the consumer’s account balance – CDR Rule 1.10A(3)(a)(ii))
  • confirming whether a consumer has received a transfer of funds from a specific counterparty (as this is for the purpose of verifying the details of credits from a consumer’s account – CDR Rule 1.10A(3)(a)(iii)
  • disclosing the consumer’s average income over a specific period of time (as this is for the purpose of verifying the details of credits from a consumer’s account – CDR Rule 1.10A(3)(a)(iii))

While the examples above will likely fall within the permitted purposes for disclosing a CDR insight, in other instances, it might be less clear. In such cases, to ensure compliance with the CDR Rules, an accredited data recipient should ensure they are able to justify why the disclosure was for a permitted purpose.

Some further examples are outlined below.

Example 1 CDR insights regarding spending on certain categories of goods

An accredited data recipient wishes to provide a service where it discloses CDR insights about consumers, including amounts spent on certain categories of goods in any given period. One such category of goods is ‘amounts spent at major supermarkets’. As the types of debits that would be relevant to determining this insight can be clearly defined, this would generally meet the purpose of ‘verifying the details of…debits from the consumer’s account’ (CDR Rule 1.10A(3)(a)(iii)). Provided the consumer consents to this disclosure, the insight can likely be disclosed.

However, an insight purporting to reveal amounts spent on more specific categories of goods, such as ‘fresh foods’, or purporting to reveal information about an individual’s general attributes or behaviour based on their transaction history, may not be for a permitted purpose. This is because the types of debits that would be relevant to determining such an insight may not be able to be clearly defined. Such an insight is therefore unlikely to be for the purpose of verifying the details of particular debits from or credits to the consumer’s account.

Example 2 Direct debit failures

An accredited data recipient wishes to provide a service where it discloses CDR insights about consumers, indicating whether a direct debit/payment has failed during any given period. As this is for the purpose of verifying the details of a consumer’s debits from their account, such an insight would generally meet the relevant permitted purpose in CDR Rule 1.10A(3)(a).

By contrast, subjective predictions or analysis about average incomes over a period of time that indicate the accredited data recipient’s opinion about whether a direct debit is likely to fail, would not appear to be for a permitted purpose under the CDR Rules.

Disclosing a CDR insight

CDR insights can be disclosed to any person, provided the consumer has given valid consent (that is, consent in accordance with CDR Rule 1.10A(3), and any other relevant CDR Rules requirements).

This means that, unless the insight is disclosed to an accredited person, the CDR data will no longer be subject to the protections and safeguards of the CDR system. An accredited data recipient must explain this to the consumer at the time of disclosure in accordance with the relevant CX standard (see CDR Rule 8.11(1A)(b)).

Privacy tip While unaccredited recipients of CDR insights are not subject to CDR-specific obligations, they should still consider whether they have any professional or other regulatory obligations in relation to their handling of a consumer’s data. CDR insight recipients should also consider whether they have obligations under the Privacy Act 1988.

As a matter of best practice, CDR insight recipients should ensure that they handle data transparently and in a way that the consumer would expect.

Seeking consent to disclose

As noted above, before an accredited data recipient is permitted to disclose a CDR insight, the consumer needs to provide a valid consent known as an ‘insight disclosure consent’ (see CDR Rule 1.10A(3)).

An accredited data recipient must ask for an insight disclosure consent in accordance with Division 4.3 of the CDR Rules. This Division seeks to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn (see CDR Rule 4.9).

The CDR Rules also include a requirement for the accredited data recipient to give an explanation of the CDR insight to be disclosed, including what this would reveal or describe about the consumer (see CDR Rule 4.11(3)(ca)).

An accredited data recipient’s process for seeking consent from a consumer must also be consistent with the consumer experience data standards. Data standards must be made about the processes for disclosing CDR insights and obtaining consumer consent (see CDR Rule 8.11(c)(v)). Accredited data recipients must comply with these CX standards when they are made.

Privacy tip As a matter of best practice, where possible, accredited data recipients should show the consumer the CDR insight prior to it being disclosed.

This will promote transparency and help to ensure that the consumer is providing informed consent for the disclosure of their CDR data.

Prohibition on disclosing sensitive information

An accredited data recipient must not disclose a CDR insight if it includes or reveals sensitive information about a consumer as defined in the Privacy Act 1988 (see CDR Rule 7.5A(4)).

Sensitive information includes information or an opinion (that is also personal information) about an individual’s:

  • racial or ethnic origin
  • political opinions or membership of a political association
  • religious beliefs or affiliations
  • philosophical beliefs
  • membership of a professional or trade association, or trade union
  • sexual orientation or practices, or
  • criminal record.

It also includes:

  • health information
  • genetic information
  • biometric information used for automated biometric verification or identification,
  • or biometric or templates (see s 6 of the Privacy Act).

‘Health information’ includes information or an opinion, that is also personal information, about:

  • the health, including an illness, disability or injury of an individual
  • an individual's expressed wishes about the future provision of health services, or
  • a health service provided to an individual (see s 6FA of the Privacy Act).

It can also include information collected to provide a health service, information about donating body parts, organs or substances, or genetic information that could predict an individual’s health or the health of a genetic relative.

Examples of CDR data or insights that may include or reveal sensitive information may include details of transactions regarding:

  • payments to a doctor, psychologist or other health service provider
  • payments/reimbursements made to an individual’s bank account from Medicare, or
  • payments to a political party, union or professional association.

Prohibition on disclosing details of more than one transaction

Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient must not disclose the amount or date of any individual transaction (see CDR Rule 1.10A(3)(b)).

In other words, while an insight may be derived from multiple transactions, the insight itself that is disclosed to the recipient must not detail the amounts or dates of any individual transactions.

This means that an accredited data recipient cannot disclose, for example, a full transaction list or a detailed business ledger from a consumer’s account in the form of a CDR insight.

Dashboard

An accredited data recipient must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data (see CDR Rule 1.14(1)).

Where an insight disclosure consent is provided, the consumer’s dashboard must include a description of the CDR insight and to whom it was disclosed (see CDR Rule 1.14(3)(ea)).

In accordance with Privacy Safeguard 10, when an accredited data recipient discloses a CDR insight they must also update each consumer dashboard as soon as practicable to indicate:

  • what CDR data was disclosed
  • when it was disclosed, and
  • the person they disclosed it to (see CDR Rule 7.9(4)).

An accredited data recipient must also include certain information in the consumer’s dashboard, stating that they can request copies of these records and how to request a copy (see CDR Rule 1.14(3A)).

Record keeping and reporting

An accredited data recipient must keep and maintain records when it discloses a CDR insight. This includes:

  • a copy of each CDR insight it discloses (that is, a copy of the actual insight itself)
  • a record of who it disclosed the insight to, and
  • a record of when the insight was disclosed (see CDR Rule 9.3(2)(ed)).

The accredited data recipient must include this information in their regular reports to the Australian Competition and Consumer Commission (ACCC).

The report must also state how many insight disclosure consents it received from consumers during the reporting period (see CDR Rule 9.4(2)(f)(viii)).

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia