Guide to developing a Consumer Data Right policy

Updated: 26 June 2024

Download the Guide to developing a Consumer Data Right policy (PDF, 490 KB)

View the Consumer Data Right policy video

Introduction

All CDR entities must have and maintain a clearly expressed and up-to-date CDR policy.[4] A CDR policy must be a separate document to the general privacy policy.[5]

For this Guide, a ‘CDR entity’ is:

• a data holder of CDR data (other than AEMO)
• an accredited person who is or who may become an accredited data recipient of CDR data.[6]

This Guide uses ‘accredited persons’ to refer to accredited persons who are or who may become an accredited data recipient, unless otherwise indicated.

A CDR policy is a document that provides information to consumers about:

• how CDR data is managed,[7] and
• how they can make an inquiry or make a complaint.[8]

It is a key tool for ensuring that CDR participants manage CDR data in an open and transparent way.

Privacy Safeguard 1 and CDR Rule 7.2 set out the requirements for what information must be included in a CDR policy, what form it should be in, and how it should be made available.

To help you meet these obligations, this Guide sets out a suggested process for developing a CDR policy and outlines the minimum requirements for what must be included.

There is also a checklist to help you work out if you have considered all your CDR policy obligations.

How the CDR policy interacts with other existing privacy and data protection policies

It is important to understand how your CDR policy interacts with your obligations under the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Privacy Act), or other obligations (for example, those under the European Union General Data Protection Regulation).

Under Privacy Safeguard 1, all CDR entities must have a CDR policy about the entity’s management of CDR data. Many CDR entities will also be APP entities under the Privacy Act.[15] The Privacy Act requires APP entities to have an APP Privacy Policy about how the entity manages personal information (APP 1.3 and 1.4).

Your CDR policy must be distinct from your APP Privacy Policy, or any other existing privacy policies.[16] This means your CDR policy must be a separate document and must expressly address each of the applicable matters listed in Privacy Safeguard 1 and CDR Rule 7.2. For example, it would not be sufficient for a CDR entity to provide a link to its APP Privacy Policy to address how a consumer could make an inquiry or make a complaint (even where that APP Privacy Policy includes identical or substantially similar complaint process information).

Information associated with an individual may be both CDR data and personal information under the Privacy Act (for example, information about the consumer or their use of product). Where an APP entity handles data that is both CDR data and personal information under the Privacy Act, the CDR policy and the APP Privacy Policy should clearly set out whether the privacy safeguards or APPs apply to the consumer’s data. The Privacy Safeguard Guidelines provide guidance on when a privacy safeguard applies instead of an APP.

Steps in developing a CDR policy

This section provides an overview of a suggested six-step process for developing your entity’s CDR policy.

These steps are intended to make it easier for you to meet your CDR policy obligations and to ensure that your CDR policy is genuinely informative and useful for consumers.

• Step 1: Understand your obligations and how you handle CDR data
• Step 2: Develop content, structure and presentation
• Step 3: Write your CDR policy
• Step 4: Test your CDR policy
• Step 5: Make your CDR policy available
• Step 6: Review and update your CDR policy

Step 1: Understand your obligations and how you handle or intend to handle CDR data

The first key step in developing a CDR policy is to ensure you have a clear understanding of what type (or types) of CDR entity you are, which obligations apply to you and how you handle (or intend to handle) CDR data. This includes understanding relevant practices, procedures and systems, and the arrangements you may have with third parties, such as CDR outsourcing arrangements or CDR representative arrangements. This will assist you to accurately and openly describe to your consumers how you will handle CDR data and enable you to deal with inquiries, requests and complaints under the CDR system.

You must include the mandatory requirements set out below under the section What information must be included in a CDR policy?

You must also understand your broader CDR privacy obligations regarding the collection, use and disclosure of CDR data. This will differ based on whether you are a data holder or an accredited person.

Where your entity performs more than one role in the CDR system (for example, as both a data holder and an accredited person), you may either have a single CDR policy that outlines how you handle CDR data in both capacities, or have separate CDR policies for each capacity.

Step 2: Develop content, structure and presentation

Although the CDR policy must cover all the topics in Privacy Safeguard 1 and CDR Rule 7.2, the information does not have to be presented in that order. You should aim to make the CDR policy as easy as possible for the consumer to find the information that is most important to them.

If you are a data holder and an accredited person and have a single CDR policy for both capacities, it should be clear to the consumer whether a specific section of the CDR policy relates to your capacity as a data holder, an accredited person or both.

Below are some tips to make the content and structure useful and manageable for consumers.

• Arrange the information in a way that makes sense so that it is easy to follow and intuitive to the reader. The presentation of the information should be clear and reflect your entity’s functions, activities and audience.
• Focus on key topics that consumers are likely to be most concerned about, unaware of, won’t reasonably expect or may not understand easily.
• Be as specific as possible about how your entity manages CDR data, as this will provide clarity and build trust. Unqualified use of vague words (such as ‘may’) could lead to concern about uses and disclosures that are not intended.
• Take a layered approach to providing information about how your entity will handle CDR data, by providing a summary version that focuses on what the consumer should know with a link to the complete CDR policy. This will be particularly effective in the online environment.

Step 3: Write your CDR policy

Once you have a clear idea of how your entity handles CDR data, what must be included in the CDR policy, and the proposed content and structure for your policy, you can begin drafting.

The CDR policy must be clearly expressed.[18]

To ensure the CDR policy is easy to read and understand:

• use an active voice and simple language — avoid legal jargon, acronyms and terms that may only be understood in-house
• use short sentences, break up text into paragraphs and group relevant sections together
• use headings to assist navigation
• avoid unnecessary length — include only relevant information.

You must also ensure the CDR policy is up-to-date, and that it reflects your current CDR data-handling practices (see Step 6: Review and update your CDR policy for guidance on keeping your CDR policy up-to-date).[19] The CDR policy should not include statements about possible future practices.

Step 4: Test your CDR policy

Test your CDR policy on the target audience or audiences, including likely readers. Where your resources are limited and systematic testing is not possible, you could consider providing it to colleagues from other internal business units to give you an idea of how easy it is to read.

Step 5: Make the CDR policy available

Your CDR policy must be freely and publicly available for consumers. If you are an accredited person or data holder, the CDR policy must be available through each online service that you ordinarily use to deal with consumers, such as your website or mobile applications.[20] Additionally, you must provide the CDR policy electronically (for example in a word document or pdf) or in hard copy if requested by the consumer.[21] If you are an accredited person with one or more CDR representatives, your CDR policy must also be available through each online service that your CDR representatives ordinarily use to deal with consumers.[22]

Appropriate accessibility measures should also be put in place so that the CDR policy may be accessed by all consumers (including consumers with a vision impairment, or those from a non-English speaking background). It is a good idea to provide information about how to request an accessible copy of the CDR policy in the same locations where consumers can access the policy.

Accredited persons and data holders will be requested to provide a hyperlink to the entity’s CDR policy to the Australian Competition and Consumer Commission.[23]

Step 6: Review and update your CDR policy

As there is a requirement to ensure the CDR policy is to up-to-date, the CDR policy should be reviewed regularly. This will help to ensure that the information in the CDR policy accurately reflects your current CDR data handling practices.[24]

You should review your CDR policy at least annually. You should also review your CDR policy where there are changes to your obligations (e.g. amendments to the CDR Rules), relevant changes to your CDR handling practices or organisation, or when you become aware of errors in the CDR policy. To assist readers, you could also:

• include the date the CDR policy was last reviewed or updated
• invite comments on the CDR policy to gain feedback and evaluate its effectiveness, and
• explain how any comments will be dealt with.

What information must be included in a CDR policy?

Depending on whether you are an accredited person or data holder, there are different matters that need to be covered in your CDR policy.

Categories of information that must be included are:

• Requirements for both data holders and accredited persons:
  • Information about the consumer complaints process
  • Information about access to and correction of CDR data
• Specific requirements for data holders:
  • Acceptance of voluntary consumer or product data requests
• Specific requirements for accredited persons:
  • What CDR data is held, and how it is held
  • Purposes CDR data is used for
  • Information about undertaking general research
  • Additional information about who CDR data may be disclosed to
  • Overseas storage practices
  • When consumers will be notified about certain events
  • Consequences of withdrawing consent
  • Deletion of CDR data
  • De-identification of CDR data
  • Information about sponsorship arrangements
  • Information about CDR representative arrangements
  • Information about CDR outsourcing arrangements

The sections below cover each of these items in more detail. There is also a checklist at Attachment A below to help you work out whether you have considered all of the relevant requirements.

For further information, see Chapter 1 (Open and transparent management of CDR data) of the CDR Privacy Safeguard Guidelines.

Information about the consumer complaints process — for data holders and accredited persons

Both accredited persons and data holders must have a process to deal with consumer complaints, in the event that a consumer thinks you have not met your CDR related obligations under the Competition and Consumer Act and/or CDR Rules.[25] A CDR consumer complaint means any expression of dissatisfaction made by a CDR consumer to or about a CDR participant (or a CDR representative) that relates to the participant’s CDR compliance obligations,[26] or the goods and services provided to the consumer under the CDR system, for which a response or resolution could be reasonably expected.[27]

The CDR Rules specify that the CDR policy needs to include the following information about your internal dispute resolution processes for complaints relating to the management of CDR data:

• where, how and when a complaint can be lodged (such as the contact information for lodging a complaint, as well as the circumstances in which a complaint may be lodged)
• when a consumer should expect an acknowledgment of their complaint
• the information that the consumer needs to provide
• the process for handling consumer complaints[28]
• the time periods associated with the various stages of the complaints process
• options for redress,[29] and
• options for review (i.e. review/appeal of the initial handling of a CDR consumer’s complaint) both internally (if available) and externally.[30]

Information on access to and correction of CDR data — for data holders and accredited persons

How to access CDR data

Both accredited persons and data holders must include information for consumers about how they may access their CDR data.[31]

A data holder may receive a request from an accredited person on the consumer’s behalf, or a consumer may make a request directly to the data holder.[32]

A data holder that is a retailer in the energy sector must also ensure that its CDR policy explains how a consumer may access their AEMO data.[33]

The CDR policy should also explain any alternative processes to accessing CDR data to those under the CDR system.

For further information about the CDR access requirements, see the Guide to privacy for data holders.

How to correct CDR data

Both accredited persons and data holders must include information for consumers about how they can correct their CDR data. The CDR policy should make clear that the consumer has a right to request correction of their CDR data.[36] For data holders, a consumer’s right to request correction under Privacy Safeguard 13 applies once the data holder has previously been required or authorised to disclose the CDR data.[37]

Where a data holder is also an APP entity under the Privacy Act, the data holder should provide additional information in its CDR policy about how a consumer who is an individual may seek correction of their personal information that is also CDR data under APP 13.[38]

A data holder that is a retailer in the energy sector must also ensure that its CDR policy explains how a CDR consumer may correct their AEMO data.[39]

For information about the correction requirements, see Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines and the Guide to privacy for data holders.

Specific requirements for data holders — acceptance of voluntary consumer or product data requests

In addition to the requirements set out above, a data holder’s CDR policy must:

• make clear whether the entity accepts voluntary consumer or product data requests,[40] and
• state whether the data holder charges fees for such requests (and if so, how consumers can obtain information about those fees).[41]

Specific requirements for accredited persons

In addition to the requirements set out above, an accredited person’s CDR policy must include information about:

• what CDR data is held, and how it is held
• purposes for which CDR data is collected, held, used and disclosed
• undertaking general research
• who CDR data may be disclosed to
• overseas data storage practices
• when consumers will be notified about certain events
• consequences of withdrawing consent
• deletion of CDR data
• de-identification of CDR data[42]
• sponsorship arrangements
• CDR representative arrangements, and
• CDR outsourcing arrangements.

More detail on these requirements is set out below.

What CDR data is held, and how it is held?

An accredited person’s CDR policy must refer to the different classes of CDR data that it holds or may hold.[43] This includes CDR data that another entity holds or may hold on the accredited person’s behalf, for example, by an outsourced service provider (OSP).[44]

The classes of CDR data for each sector will be set out in the relevant designation instrument. For example, for the banking sector the designation instrument sets out 3 classes of information: customer information, product use information and information about the product.^[45] For the energy sector, the designation instrument sets out 4 classes of information: information about a customer or associate, information about the sale or supply of electricity, information about retail arrangements, and information about retail arrangements (natural gas).[46]

The CDR policy must also set out how the CDR data is held. This means providing general information about how CDR data is stored, including CDR data that another entity holds or may hold on the accredited person’s behalf (for example, by an OSP).[47]

Purposes for which CDR data is collected, held, used and disclosed

An accredited person must indicate the purposes for which it does each of the following (with the consumer’s consent): collects, holds, uses or discloses CDR data.[48]

Undertaking general research

If an accredited person wishes to undertake general research[49] using de-identified CDR data, its CDR policy must include:

• a description of the research to be conducted, and
• a description of any additional benefit to be provided to the consumer for consenting to the use.

Who CDR data may be disclosed to

An accredited person must include further specific information about disclosures of CDR data to non-accredited entities and entities located overseas, as set out below.

Disclosures to non-accredited entities:

• Disclosures to any non-accredited entities: If an accredited person intends to disclose CDR data to any non-accredited entity, it must include the circumstances in which the accredited person intends to disclose such data.[50] Disclosures to non-accredited entities include disclosures:
  • to unaccredited direct or indirect OSPs under a CDR outsourcing arrangement[51]
  • to CDR representatives with whom the accredited person has a CDR representative arrangement[52]
  • to trusted advisers with a TA disclosure consent,[53] and
  • of CDR insights to specified persons with an insight disclosure consent.[54]
  • to specified persons with a business consumer disclosure consent.[55]

Disclosures to entities located overseas:

• Disclosures to any overseas accredited persons: If an accredited person is likely to disclose CDR data to any overseas accredited persons, the CDR policy must state this fact,[56] and must also include the countries where they are likely to be located, where practicable.[57] If there are numerous countries where CDR data may be disclosed, one option would be to list those countries in an appendix or linked document. If it is impractical to list countries, the CDR policy could instead provide general regions.
• Disclosures to any overseas, non-accredited OSPs (including by any CDR representatives or direct or indirect OSPs): If an accredited person, any CDR representative of the accredited person, or any direct or indirect OSP of either the accredited person or CDR representative is likely to disclose CDR data to an overseas, non-accredited direct or indirect OSP, the CDR policy must include the countries in which such direct or indirect OSPs are likely to be based, if practicable to specify this.[58] If there are numerous countries where CDR data may be disclosed, one option would be to list those countries in an appendix or linked document. If it is impractical to list countries, the CDR policy could instead provide general regions.

Overseas data storage practices

If an accredited person proposes to store CDR data outside of Australia or an external territory, it must specify the countries where it proposes to store the data in the CDR policy.[59]

When consumers will be notified about certain events

An accredited person’s CDR policy must specify the events it will notify the consumer about, in relation to their CDR data.[60]

The events that an accredited person is required to notify the consumer about include:

• when a consumer gives consent to the person collecting, using and/or disclosing their CDR data[61]
• when a consumer amends[62] or withdraws consent[63]
• collection of a consumer’s CDR data[64]
• disclosure of a consumer’s CDR data to an accredited person[65]
• ongoing notification requirements about a consumer’s consent[66]
• notification requirements in relation to the expiry of a CDR consumer’s consent[67]
• responses to a consumer’s correction request,[68] and
• any eligible data breaches affecting a consumer under the Notifiable Data Breach Scheme.[69]

Consequences of withdrawing consent

An accredited person must provide a statement in the CDR policy indicating the consequences for the consumer of withdrawing their consent to collect and use CDR data.[70] This may include the details of any early cancellation fees or loss of access to goods or services based on CDR data.

Deletion of CDR data

An accredited data recipient has obligations to destroy or de-identify any redundant CDR data that it holds under Privacy Safeguard 12 and the CDR Rules.

An accredited person must include the following information about the deletion of redundant CDR data in its CDR policy:

• When redundant CDR data is deleted.[71] An accredited data recipient may be required to delete redundant CDR data, including where:
  • the consumer has elected for their redundant CDR data to be deleted[72]
  • the general policy is to delete redundant CDR data,[73] or
  • it is not possible to de-identify CDR data to the required extent.[74]
• Elections to delete CDR redundant data. An accredited person must include information about:
  • how a consumer may elect for their redundant CDR data to be deleted[75]
  • how the election operates
  • the effect of an election, and
  • how a consumer may exercise their election.[76]

Note: An accredited person does not need to provide a consumer with an 'election to delete’ where it has a general policy of deleting redundant data, and where it informs the consumer when seeking consent that redundant CDR data will be deleted.[77]

In these circumstances, the CDR policy should outline that consumers do not need to elect for their redundant CDR data to be deleted because the accredited person has a general policy of deleting all redundant data. The CDR policy should also outline that, when seeking consent, the accredited person informs the consumer that their redundant data will be deleted.

• How redundant CDR data is deleted.[78]
  • An accredited person should include a general description of how redundant CDR data is deleted in a way that is helpful and meaningful to the consumer.[79]

De-identification of CDR data

An accredited person must include the following information about the de-identification of CDR data in its CDR policy:

• The circumstances in which CDR data is de-identified in accordance with a consumer’s request.[80]
• The following information about de-identification of CDR data that is not redundant:[81]
  • how de-identified CDR data is used to provide goods or services to consumers[82]
  • the process for de-identification including, a description of techniques that are used to de-identify CDR data,[83] and
  • if de-identified CDR data is ordinarily disclosed to one or more persons:
    • the fact of this disclosure
    • the classes of persons to whom such data is ordinarily disclosed,[84] and
    • the purposes for which de-identified CDR data is disclosed.[85]
• The following information about de-identification of redundant CDR data:[86]
  • how the entity ordinarily uses any de-identified redundant CDR data, including examples
  • the process for de-identification, including a description of techniques that are used to de-identify CDR data,[87] and
  • if de-identified redundant CDR data is ordinarily disclosed (by sale or otherwise) to one or more persons:
    • the fact of this disclosure
    • the classes of person to whom such data is ordinarily disclosed,[88] and
    • the purposes for which the de-identified data is disclosed. [89]

Information about sponsorship arrangements

Where an accredited person is a sponsor or an affiliate, it must ensure that its CDR policy includes a list of other accredited persons with whom the accredited person has a sponsorship arrangement, and the nature of the services one party provides to the other party under each arrangement.[90]

Information about CDR representative arrangements

Where an accredited person is a CDR representative principal under a CDR representative arrangement, its CDR policy must include:

• a list of its CDR representatives
• for each CDR representative, the nature of the goods and services that the CDR representative provides to customers using CDR data.[91]

Information about CDR outsourcing arrangements

Where an accredited person has one or more CDR outsourcing arrangements with OSPs, its CDR policy must include:

• a list of the direct or indirect OSPs of the accredited person and of any CDR representative (whether based in Australia or overseas, and whether they are accredited or not)[92]
• specific details about the nature of the services provided by these OSPs (for example, where an OSP is collecting CDR data on the accredited person’s behalf)[93]
• the CDR data or classes of CDR data that may be disclosed to, or collected by, these OSPs.[94]

Attachment A — Checklist for your CDR policy

^[1]Competition and Consumer Regulations, paragraph 28RA(2)(a)(i).

^[2]The privacy safeguards are set out in the Competition and Consumer Act, Part IVD, Division V.

^[3] The CDR Privacy Safeguard Guidelines provide guidance on the privacy safeguards and related CDR Rules.

^[4] Section 56ED(3) of the Competition and Consumer Act.

^[5] CDR Rules, subrule 7.2(2).

^[6]An accredited person ‘may become’ an accredited data recipient when it is seeking to collect CDR data. This means that an accredited person must ensure that it has a CDR policy before it seeks to collect CDR data.

^[7] Competition and Consumer Act, paragraph 56ED(3)(a).

^[8]See Competition and Consumer Act, paragraphs 56ED(4)(b) (for data holders), 56ED(5)(d) (for accredited persons).

^[9] CDR Rules, paragraph 1.10AA(4)(f). Note that a CDR representative will also have obligations under Australian Privacy Principle 1 (open and transparent management of personal information) in the Privacy Act if they are an APP entity.

^[10] A CDR representative arrangement is a written contract between a CDR representative and their CDR representative principal. The requirements for this arrangement are outlined in CDR Rules, rule 1.10AA.

^[11] CDR Rules, rule 1.16A.

^[12]CDR Rules, paragraph 1.10(3)(b)(i)(A).

^[13] A CDR outsourcing arrangement is a written contract between an OSP principal and their provider that meets the minimum requirements listed in CDR Rules, subrule 1.10(3).

^[14]CDR Rules, rule 1.16.

^[15]The Privacy Act 1988 covers most Australian Government agencies and organisations with an annual turnover of more than $3 million, which includes any accredited person or data holders that meet this threshold. It also covers all accredited persons under the CDR system in relation to information is that is personal information but is not CDR data. See Privacy Act, subsection 6E(1D).

^[16] CDR Rules, subrule 7.2(2).

^[17] CDR Rules, subrule 7.2(2).

^[18] Subsection 56ED(3) of the Competition and Consumer Act.

^[19] Subsection 56ED(3) of the Competition and Consumer Act.

^[20] Competition and Consumer Act, subsection 56ED(7) and CDR Rules, subrule 7.2(8).

^[21] Competition and Consumer Act, subsection 56ED(8) and CDR Rules, subrule 7.2(9).

^[22] CDR Rules, subrule 7.2(8). Note that a CDR representative is required to adopt and comply with its CDR representative principal’s CDR policy (CDR Rules, paragraph 1.10AA(4)(f)).

^[23] CDR Rules, paragraphs 5.24(i)(ii) and 5.25(1)(b)(ii)(B). In addition, under CDR Rule 5.14, accredited persons are also required to notify the ACCC if there is a change to, or the accredited person becomes aware of, an error in the link to the CDR policy previously provided.

^[24] Competition and Consumer Act, subsection 56ED(3).

^[25]Competition and Consumer Act, subsections 56ED(4)(b) and (5)(d) and CDR Rules, subrule 7.2(6).

^[26] Compliance with Part IVD of the CCA, the CDR rules or binding data standards.

^[27] See CDR Rules, rule 1.7 for the meaning of ’CDR consumer complaint’.

^[28] Internal dispute resolution requirements are set out in the CDR Rules. See CDR Rules, subrule 5.12(1) (for accredited persons) and rule 6.1 for data holders as well as the sector specific internal dispute resolution requirements set out in the relevant sector Schedule (clause 5.1 of Schedule 3 (for the banking sector) and clause 5.1 of Schedule 4 (for the energy sector).

^[29]‘Redress’ in this context means options for remedy, rather than options for review. This could include resolution options such as correction, apology, etc.

^[30]CDR Rules, subrule 7.2(6). The CDR policy should clearly state the fact that a complaint may be taken to a recognised external dispute resolution scheme and provide the name of the relevant external dispute resolution scheme. The CDR policy should also state that a complaint may be taken to the Office of the Australian Information Commissioner. In addition, it is good practice for a CDR policy to outline the procedures and contact details for complaining to these external complaint bodies.

^[31] Competition and Consumer Act, paragraphs 56ED(5)(c) and 56ED(4)(a).

^[32] For the banking sector, a data holder’s obligations under Part 3 of the CDR Rules (regarding consumer data requests made by consumers) have not yet commenced: clause 6.6 of Schedule 3 to the CDR Rules. Part 3 does not apply in relation to energy sector data: clause 8.5 of Schedule 4 to the CDR Rules.

^[33]Competition and Consumer Regulations, paragraph 28RA(3)(a).

^[34]However, APP 12 does not apply to an accredited data recipient of CDR data, in relation to that data (Competition and

Consumer Act, paragraph 56EC(4)(a).

^[35] Note: APP entities only have APP 12 obligations in relation to consumers who are individuals (not businesses).

^[36] Competition and Consumer Act, paragraphs 56ED(4)(a) and 56ED(5)(c).

^[37] Competition and Consumer Act, paragraph 56EP(1)(c).

^[38] Where a data holder has not previously been required or authorised to disclose a consumer’s CDR data, a consumer is unable to make a correction request under Privacy Safeguard 13. However, where the data holder is an APP entity, the consumer will be able to make a correction request under APP 13. This is because APP 13 will continue to apply to CDR data that is personal information in all other circumstances. For further information, see Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines.

^[39] Competition and Consumer Regulations, paragraph 28RA(3)(a).

^[40]CDR Rules, paragraph 7.2(3)(a). Voluntary product data means CDR data for which there are no consumers that is not required product data (clause 3.1 of Schedule 3, and clause 3.1 of Schedule 4, to the CDR Rules). Voluntary consumer data means CDR data for which there are consumers that is not required consumer data (clause 3.2 of Schedule 3, and clause 3.2 of Schedule 4 to the CDR Rules).

^[41]CDR Rules, paragraph 7.2(3)(b).

^[42] Competition and Consumer Act, subsection 56ED(5)(i) and CDR Rules, subrule 7.2(4)(j).

^[43] Competition and Consumer Act, paragraph 56ED(5)(a).

^[44]An accredited person (other than those with sponsored accreditation) who is an OSP chain principal may engage a third party to seek to collect CDR data on their behalf in accordance with the CDR Rules. For further information, see CDR Rules, paragraph 1.10(3)(a)(i) and Chapter 3 (Seeking to collect CDR data from CDR participants) of the CDR Privacy Safeguard Guidelines.

^[45] See sections 6-8 of the Consumer Data Right (Authorised Deposit‑Taking Institutions) Designation 2019.

^[46] See sections 7-10 of the Consumer Data Right (Energy Sector) Designation 2020.

^[47]Subsection 4(1) of the Competition and Consumer Act provides that a person ‘holds’ information if they have possession or control of a record within the meaning of the Privacy Act. If a person has a right or power to deal with particular data, the person has effective control of the data and therefore ‘holds’ the data. See Chapter B (Key Concepts) of the CDR Privacy Safeguard Guidelines for further information about the meaning of ‘holds’.

^[48] Competition and Consumer Act, paragraph 56ED(5)(b).

^[49] CDR Rules, paragraph 7.2(4)(h). General research relates to research an accredited data recipient wishes to undertake using de-identified CDR data, that does not relate to the provision of goods or services to any particular consumer. CDR Rules, paragraph 7.5(1) (b)(i) permits the use of CDR data for general research, where it is in accordance with a current de-identification consent, and de-identified in accordance with the CDR data de-identification processes.

^[50] Competition and Consumer Act, paragraph 56ED(5)(g).

^[51] Note that an accredited person must also include in its CDR policy further details about its direct and indirect OSPs of the accredited person and any CDR representatives – see CDR Rules, paragraphs CDR Rules, paragraphs 7.2(4)(f) – (g).

^[52]Note that an accredited person who is a CDR representative principal also needs to include in its CDR policy details of CDR representative arrangements – see CDR Rules, paragraphs 7.2(4)(d) – (e).

^[53] See CDR Rules, subparagraph 1.10A(1)(c)(iii) for information about TA disclosure consents.

^[54] See CDR Rules, subparagraph 1.10A(1)(c)(iv) and subrule 1.10A(3) for information about insight disclosure consent.

^[55]See CDR Rules, subparagraph 1.10A(1)(c)(v), paragraph 1.10A(2)(h) and subrules 1.10A(10) and (11) for information about business consumer disclosure consents.

^[56] Competition and Consumer Act, paragraph 56ED(5)(e).

^[57] Competition and Consumer Act, paragraphs 56ED(5)(e)-(f).

^[58] CDR Rules, paragraph 7.2(4)(i).

^[59] CDR Rules, subrule 7.2(7).

^[60] Competition and Consumer Act, paragraph 56ED (5)(h).

^[61]CDR Rules, paragraph 4.18 (1)(a). See Chapter C (Consent) of the CDR Privacy Safeguard Guidelines.

^[62] CDR Rules, paragraph 4.18 (1)(aa). See Chapter C (Consent of the CDR Privacy Safeguard Guidelines.

^[63] CDR Rules, paragraph 4.18 (1)(b). See Chapter C (Consent)  of the CDR Privacy Safeguard Guidelines.

^[64]CDR Rules, rule 7.4. See Chapter 5 (Notifying of collection of CDR data) of the CDR Privacy Safeguard Guidelines.

^[65] CDR Rules, subrule 7.9(2) See Chapter 10 (Notifying of the disclosure of CDR data) of the CDR Privacy Safeguard Guidelines).

^[66] CDR Rules, rule 4.20. See Chapter C (Consent) of the CDR Privacy Safeguard Guidelines.

^[67] CDR Rules, rule 4.18A.

^[68] CDR Rules, rule 7.15. See Chapter 13 (Correction of CDR data) of the CDR Privacy Safeguard Guidelines.

^[69]See Chapter 12 (Security of CDR data and destruction and de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines, s 56ES of the Competition and Consumer Act, and Part IIIC, Division 3 of the Privacy Act. Further information is available on the OAIC’s Notifiable Data Breaches scheme webpage.

^[70] CDR Rules, paragraph 7.2(4)(a).

^[71] CDR Rules, paragraph 7.2(4)(k)(i). See also para 56ED(5)(i) of the Competition and Consumer Act.

^[72] A consumer who gave a consent for an accredited person to collect and use CDR data may elect that the CDR data, and any data derived from it, be deleted when it becomes redundant CDR data: CDR Rules, rule 4.16. See Chapter C (Consent) and Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information.

^[73] Where an accredited data recipient advised the consumer of a general policy of deletion, the accredited data recipient must delete the redundant CDR data, even if its general policy has since changed. See Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information.

^[74]CDR Rules, subrule 1.17(4). See Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information about de-identification of CDR data and the ‘required extent’.

^[75] CDR Rules, paragraph 7.2(4)(k)(ii).

^[76] CDR Rules, paragraph 7.2(4)(m). A consumer’s right to elect for their redundant CDR data to be deleted is contained in CDR Rules, rule 4.16. See Chapter C (Consent) and Chapter 12 (Security of CDR data and destruction of de-identification of redundant CDR data) of the CDR Privacy Safeguard Guidelines for further information about this right.

^[77]CDR Rules, subrule 4.16(3).

^[78]CDR Rules, paragraph 7.4(k)(iii).

^[79] This could include whether redundant CDR data is irretrievably destroyed, reference to any applicable standards, how the accredited person manages hard copy information, how it confirms third party deletion and whether back-ups are secured. Part B of the OAIC’s Guide to securing personal information outlines questions entities should consider when destroying personal information. Also see Chapter 12 of the CDR Privacy Safeguard Guidelines for information on the CDR deletion process.

^[80] Competition and Consumer Act, paragraph 56ED(5)(i). A consumer may provide consent for an accredited data recipient to de-identify their CDR data for the purpose of disclosure (including selling) and/or for use in general research (see CDR Rules, paragraphs 1.10A(1)(e) and 7.5(1)(aa).  Where the accredited data recipient seeks or intends to seek a de-identification consent, it must provide certain information about de-identification in its CDR policy as outlined in CDR Rules, paragraph 7.2(4)(j).

^[81] These requirements are contained in CDR Rules, paragraph 7.2(4)(j) and subrule 7.2(5). Examples where this would be applicable include where the accredited data recipient intends to use de-identified CDR data for general research, and/or disclose (including by selling) the de-identified data in accordance with a de-identification consent. See CDR Rules, paragraphs 1.10A(1)(e) and 7.5(1)(aa).

^[82]CDR Rules, paragraph 7.2(4)(j)(i).

^[83]CDR Rules, paragraph 7.2(5)(a). The aim of this requirement is to give consumers greater transparency. This should therefore include a general description of how redundant CDR data is de-identified, with the aim being to assist consumers to understand how the entity gives effect to this de-identification obligation, in a way that is helpful and meaningful to them.

^[84]In the context of the CDR policy, ‘classes of persons’ means the types of entities or persons an accredited data recipient usually discloses de-identified data to (‘classes of persons’ is not defined in the CDR system. Accordingly, it has its ordinary meaning). Entities or persons do not need to be listed individually in the CDR policy, but should be described with enough specificity so that the consumer can understand the nature of those parties who will hold or have access to de-identified data.

^[85] CDR Rules, paragraph 7.2(5)(b)(i)-(iii).

^[86]These requirements are contained in CDR Rules, paragraph 7.2(4)(l) and subrule 7.2(5).

^[87] CDR Rules, paragraph 7.2(5)(a). The aim of this requirement is to give consumers greater transparency. Therefore this should include a general description of how redundant CDR data is de-identified, with the aim being to assist consumers to understand how the entity gives effect to this de-identification obligation, in a way that is helpful and meaningful to them.

^[88] In the context of the CDR policy, ‘classes of persons’ means the types of entities or persons an accredited data recipient usually discloses de-identified data to (‘classes of persons’ is not defined in the CDR system. Accordingly, it has its ordinary meaning). Entities or persons do not need to be listed individually in the CDR policy, but should be described with enough specificity so that the consumer can understand the nature of those parties who will hold or have access to de-identified data.

^[89] CDR Rules, paragraph 7.2(5)(b).

^[90] CDR Rules, paragraphs 7.2(4)(b) - (c).

^[91] CDR Rules, paragraphs 7.2(4)(d) and (e).

^[92] CDR Rules, paragraph 7.2(4)(f).

^[93] CDR Rules, paragraph 7.2(4)(g)(i).

^[94] CDR Rules, paragraph 7.2(4)(g)(ii). The ‘classes of CDR data’ are set out in the designation instrument for the relevant sector. In the banking sector, the designation instrument sets out three classes of information: customer information, product use information and information about a product. In the energy sector, the designation instrument sets out four classes of information: customer or associate information, information about the sale or supply of electricity, information about retail arrangements, and information about retail arrangements (natural gas).

Version changes