What is Consumer Data Right data?
The definition of Consumer Data Right (CDR) data is set out in the designation instrument for each sector.
The designation instrument for the banking sector specifies the following classes of information as ‘CDR data’:
- information about the consumer or their associate (for example, contact details)
- information about the use of a product by a consumer or their associate (for example, transaction data)
- information about a product (for example, terms and conditions).
The definition of CDR data is broad. It includes data that has been ‘wholly or partly derived’ from data set out in the designation instrument, and data derived from any previously derived data.
Materially enhanced information
For the banking sector, ‘materially enhanced information’ refers to data about the use of a product that has become significantly more useful, usable or commercially valuable as a result of analysis or insight.
Materially enhanced information is CDR data. This is because CDR data includes information that has been subsequently derived from the data set out in a designation instrument.
Examples of ‘materially enhanced information’ in the banking sector include the findings of an income or expense assessment, and a categorisation of transactions as being related to groceries or rent. More examples of materially enhanced information can be found in the designation instrument for the banking sector.
What is not CDR data?
For the banking sector, certain types of credit information (as defined in the Privacy Act) are not considered to be CDR data.
The specific exclusions are set out in section 9 of the designation instrument for the banking sector and include:
- a statement that an information request has been made for an individual by a credit provider, mortgage insurer or trade insurer
- new arrangement information about serious credit infringements
- court proceedings information about an individual
- personal insolvency information about an individual
- the opinion of a credit provider that an individual has committed a serious credit infringement.
When is CDR data subject to the privacy safeguards?
The privacy safeguards set out the privacy rights and obligations for participants in the CDR system. The safeguards apply only to CDR data for which there are one or more CDR consumers.
A CDR consumer can be an individual, a company or a business enterprise.
There are a number of factors that determine whether CDR data has a ‘CDR consumer’. These are set out in chapter B of our CDR Privacy Safeguard Guidelines. For CDR data to have a CDR consumer, at least one person needs to be identifiable or reasonably identifiable from the CDR data or other information held by that participant. This means that if there is no person that is identifiable or reasonably identifiable from the CDR data, the privacy safeguards do not apply – for example, because it is product data for which there is no consumer, or it has been successfully de-identified in accordance with the CDR Rules.
Where a participant is not sure whether the information is ‘CDR data for which there is a consumer’, they should err on the side of caution and handle the CDR data in accordance with the privacy safeguards.
Note: CDR data protected by the privacy safeguards will also be ‘personal information’ under the Privacy Act. For more information on how the Privacy Act interacts with the CDR, see chapter A of our CDR Privacy Safeguard Guidelines.
De-identifying CDR data
For CDR data to be considered ‘de-identified’, accredited data recipients must follow the process set out in the CDR Rules. This process has been designed to ensure that no consumers will remain reasonably identifiable, either from the data itself, or when combined with other information held by any person.
Accredited data recipients may want to de-identify CDR data to:
- meet obligations under Privacy Safeguard 12, when the data is no longer needed (as an alternative to deleting the information)
- use the de-identified data for general research, where the consumer has expressly provided their consent
- disclose the de-identified data to a third party (including by selling it), where the consumer has expressly provided their consent.
For more information see chapter 12 of the CDR Privacy Safeguard Guidelines. Chapter C also provides information on seeking consent to de-identify CDR data for the purpose of disclosing it.
How CDR data is shared
The consumer initiates the sharing of their data by giving consent to an accredited data recipient to request a transfer of their data from one or more data holders. The consumer then authorises each data holder to transfer their data to the accredited data recipient.
- specify the type of data they want transferred
- specify the use of that data
- stop the data transfer if they change their mind
- request the recipient delete their data when the data is no longer required.
There are consumer data standards for participants to use that allow consumers to share this data via application programming interfaces (APIs) with trusted, accredited third parties.
The CDR Privacy Safeguard Guidelines and the Guide to Privacy for data holders provide detailed guidance to help participants comply with their privacy obligations under the CDR system.
Long text description
This chart illustrates the flow of information between data holders, consumers and accredited persons.
There are 6 steps involved:
- The consumer consents to an accredited person obtaining their data in order to provide a requested good or service.
- The accredited person contacts the data holder, seeking to access the consumer’s data.
- The data holder asks the consumer to authorise the disclosure of their data to the accredited person.
- The consumer authorises the disclosure of their data by the data holder.
- The data holder shares the consumer’s data with the accredited person. The accredited person becomes an accredited data recipient for the consumer’s CDR data.
- The accredited data recipient uses the consumer’s CDR data to provide the requested good or service to the consumer.