Publication date: 23 December 2021

This page outlines the key privacy obligations relating to disclosures to ‘trusted advisers’ under the Consumer Data Right (CDR) system.

These changes have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and allow consumers to use the CDR to share their data with members of specified professions (‘trusted advisers’) to receive advice or a service.

The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

The disclosure of CDR data to a trusted adviser is not permitted under the CDR Rules until the earlier of:

  • 1 February 2022, or
  • the day the Data Standards Chair makes a consumer experience data standard for the disclosure of CDR data to trusted advisers (see CDR Rule 7.5A(2)).

Key points

  • Consumers can nominate certain people as their ‘trusted adviser’ and provide consent for an accredited data recipient to share data with that adviser, so the consumer can receive advice or a service.
  • Trusted advisers are people listed in CDR Rule 1.10C(2) and include people such as lawyers, accountants, financial advisers, tax agents and mortgage brokers.
  • A person is taken to be a member of a trusted adviser class for the purposes of CDR Rule 1.10C if the accredited data recipient has taken reasonable steps to confirm that the person was, and remains, a member of the class (CDR Rule 1.10C(3)).
  • Reasonable steps will differ in each case but may include checking a public register, such as the tax agents register for the relevant individual, asking them to provide proof of membership, or requesting a contractual warranty, attestation or representation.
  • An accredited data recipient must have the consumer’s consent before disclosing a consumer’s CDR data to their nominated trusted adviser.
  • An accredited data recipient must not make a consumer nominate a particular trusted adviser, or consent to data being disclosed to a trusted adviser, before agreeing to provide them with goods or services.
  • Trusted advisers should be aware of the professional obligations that they have that relate to their handling of a consumer’s data.

Who are trusted advisers?

A consumer can nominate certain people to be their trusted adviser. With the consumer’s consent, known as a ‘TA disclosure consent’, an accredited data recipient can disclose the consumer’s CDR data to the nominated trusted adviser.

Trusted advisers are not CDR participants and are therefore not subject to the privacy safeguards or other obligations that apply under the CDR system.

Trusted advisers must belong to one of the specified professions listed in CDR Rule 1.10C(2). These are:

Reasonable steps to confirm trusted adviser status

An accredited data recipient may, with a consumer’s consent, disclose the consumer’s CDR data to a member of a trusted adviser class. A person is taken to be a member of a class for the purposes of CDR Rule 1.10C if the accredited data recipient has taken reasonable steps to confirm that the person was, and remains, a member of the class (CDR Rule 1.10C(3)).

Where an accredited data recipient discloses CDR data to a person who does not belong to a trusted adviser class, and did not take reasonable steps to confirm the person belonged to the class, the disclosure would contravene CDR Rule 7.6.

The ‘reasonable steps’ test is an objective one and an entity must be able to justify that reasonable steps were taken. As noted under ‘Record keeping’ below, the accredited data recipient should keep records of any steps it takes to confirm that the adviser is a member of a specified class.

An example of a reasonable step that may be taken to confirm that a trusted adviser is a member of a specified class is to search a public register to confirm the individual is currently included as a member. Examples of such registers include the tax agents register, or the various state-based registers of current practising lawyers.

Other examples that may constitute reasonable steps in the circumstances include asking the nominated individual to provide proof that they are a registered member of the profession, or requesting a contractual warranty, attestation, representation or statutory declaration from the trusted adviser that they belong to the relevant class.

What is reasonable will vary depending on the circumstances. Factors that may be relevant include:

  • the nature of the CDR data to be disclosed (with more rigorous steps required as the amount and/or sensitivity of CDR data to be disclosed increases)
  • the nature of the relationship between the consumer and the nominated trusted adviser (for example, whether the trusted adviser is known to the consumer already and the length of their pre-existing relationship), and
  • the possible adverse consequences for the consumer if the data is disclosed to someone who is not a trusted adviser (and therefore not subject to the professional obligations that apply to trusted adviser classes).

In some circumstances, it may be reasonable for an accredited data recipient to take no steps to confirm a trusted adviser is a member of a particular class. For example, this may be the case where the accredited data recipient has only recently taken reasonable steps to verify the status of that particular trusted adviser.

However, it would be good practice to verify the trusted adviser’s status at regular intervals, for example once every 12 months, in order to ensure they are still a member of the relevant class. Further, if the accredited data recipient becomes aware that the trusted adviser may no longer be a member of a listed class, it would be prudent at that time to take steps to verify their status before any further disclosures of CDR data are made.

Seeking consent to disclose

An accredited data recipient must have the consumer’s consent before disclosing a consumer’s CDR data to their nominated trusted adviser. This is known as ‘TA disclosure consent’ (see CDR Rule 1.10A(c)(iii)).

An accredited data recipient must ask for a TA disclosure consent in accordance with Division 4.3 of the CDR Rules. This Division seeks to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn.

As part of this, an accredited data recipient’s processes for asking a consumer for a TA disclosure consent must be consistent with the consumer experience data standards for the disclosure of CDR data to trusted advisers (see CDR Rule 8.11(c)(iv)).

Dashboard

An accredited data recipient must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data (see CDR Rule 1.14(1)).

In accordance with Privacy Safeguard 10, when an accredited data recipient discloses CDR data to a trusted adviser, they must also update each consumer dashboard as soon as practicable to indicate:

  • what CDR data was disclosed
  • when it was disclosed, and
  • who the trusted adviser was (see CDR Rule 7.9(3)).

An accredited data recipient must also include certain information in the consumer’s dashboard, stating that they can request copies of these records and how to request a copy (see CDR Rule 1.14(3A)).

No condition on supply of goods or services

An accredited data recipient must not make the nomination of a trusted adviser, the nomination of a particular person as a trusted adviser, or the giving of consent to disclose data to a trusted adviser, a condition for the supply of the goods or services (see CDR Rule 1.10C(4)).

This means that the accredited data recipient cannot tell the consumer that they will only provide goods or services if the consumer consents to a trusted adviser receiving their CDR data, or if they nominate a trusted adviser or a particular trusted adviser.

Professional obligations for trusted advisers

Trusted advisers do not have the same regulatory obligations that apply to an accredited data recipient under the CDR regime.

However, as members of a specified professional class, trusted advisers are subject to existing professional or regulatory oversight. Existing obligations may include the duty to act in the best interests of their client.

Privacy Tip: While trusted advisers are not subject to CDR-specific obligations, they should still consider their professional obligations in relation to their handling of a consumer’s data.

As a matter of best practice, trusted advisers who receive CDR data should ensure that they handle that data transparently and in a way that the consumer would expect.

Record keeping and reporting

An accredited data recipient must keep and maintain records when it discloses CDR data to a trusted adviser. This includes records that record and explain:

  • disclosures of CDR data to the trusted adviser
  • who the trusted adviser is, and
  • any steps it took to confirm that the adviser is a member of a class of professions listed as a trusted adviser (i.e. lawyer, accountant) (see CDR Rule 9.3(2)(eb)-(ec)).

In their regular reports to the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC), the accredited data recipient must include information about:

  • the number of consents received from CDR consumers to disclose CDR data to trusted advisers (CDR Rule 9.4(2)(f)(vi))
  • the number of trusted advisers in each class to whom they disclosed CDR data (CDR Rule 9.4(2)(f)(vii)).