CDR representative model – Privacy obligations of CDR principals

23 December 2021

The CDR representative model is intended to facilitate the participation of a broader array of business models in the CDR system.

It allows an unaccredited person (known as a ‘CDR representative’) to provide CDR goods or services directly to a consumer, where they have a written contract in place with an unrestricted accredited person (known as a ‘CDR principal’).

Under this arrangement, the CDR principal is liable for the actions of the CDR representative. This page outlines the key privacy obligations for CDR principals, which fall under the following topics:

  • Consent
  • Collection and disclosure
  • Requirements of the written contract
  • Liability
  • Dashboard
  • Notifications
  • CDR policy
  • Record keeping, reporting and access
  • Dispute resolution

These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021) and have been binding since 19 October 2021. The CDR Privacy Safeguard Guidelines will be updated to reflect this content.

These obligations apply in addition to a CDR principal’s privacy obligations as an accredited person and accredited data recipient (for example, to comply with the privacy safeguards).

For information regarding a CDR principal’s accreditation obligations, see the ACCC’s Accreditation Guidelines.

For information on the privacy obligations for CDR representatives, see CDR representative model – Privacy obligations of CDR representatives.

Key points

  • A CDR principal is a person who has received accreditation at the unrestricted level and has engaged a CDR representative under a written contract that meets the requirements in the CDR Rules.
  • A CDR principal collects CDR data on behalf of their CDR representative so that the representative may provide goods or services directly to the consumer using that data.
  • While the CDR representative has the consumer-facing relationship, the CDR principal retains obligations in relation to the consumer for a range of matters, including providing the dashboard and notifications. Some of these obligations may be delegated to the CDR representative.
  • The written contract is known as a ‘CDR representative arrangement’ in the CDR Rules and must contain the minimum requirements set out in CDR Rule 1.10AA.
  • The CDR principal is liable for the actions of their CDR representative, including breaches of the privacy safeguards.
  • A CDR principal may have more than one CDR representative.
  • For examples of situations in which a CDR principal could engage a CDR representative, see page 17 of the explanatory statement to the amending instrument for the Version 3 CDR Rules.

Collection and disclosure

A CDR principal collects CDR data on behalf of their CDR representative, and discloses that data to the CDR representative so they may provide goods or services to consumers using that data.

A CDR representative is permitted under the CDR Rules to collect CDR data only from their CDR principal. They are not permitted under the CDR Rules to collect CDR data directly from data holders or accredited data recipients (other than their CDR principal).

This section outlines the three key steps that a CDR principal must go through to collect data, and the requirements that apply at each step. The key steps are:

  • Receiving a valid request
  • Making a consumer data request
  • Disclosing data

Valid request

A CDR principal may only collect CDR data on behalf of their CDR representative in response to a ‘valid request’ from the consumer (CDR Rule 4.3A).

A ‘valid request’ is made where the CDR representative has obtained the following consents from a consumer in accordance with Division 4.3 of the CDR Rules (as modified by CDR Rule 4.3C(1)):

  • a collection consent for the CDR principal to collect CDR data from a CDR participant
  • a use consent
    • for the CDR principal to disclose that data (once collected) to the CDR representative, and
    • for the CDR representative to provide the requested goods or services to the consumer.

A request is no longer a ‘valid request’ if the consumer withdraws their collection consent. If this occurs, the CDR principal must not collect any CDR data.

If a CDR principal seeks to collect CDR data without a ‘valid request’, they may be in breach of Privacy Safeguard 3.

Consumer data request

Upon receiving a valid request from the consumer, a CDR principal collects CDR data by making a consumer data request to the relevant CDR participant. The requirements for making a consumer data request are outlined in:

  • CDR Rule 4.4 (where the data is to be collected from a data holder)
  • CDR Rule 4.7A (where the data is to be collected from an accredited data recipient)

The CDR principal must comply with the data minimisation principle when making a consumer data request.

Disclosing data

A CDR principal may disclose CDR data collected on behalf of its CDR representative to that CDR representative for the following purposes, being to:

  • use the CDR data to provide goods or services (in accordance with a use consent, and the data minimisation principle)
  • de-identify data to use for general research or to disclose (including by sale) (in accordance with a use consent)
  • transform, analyse or otherwise derive CDR data in order to use the CDR data for the two purposes outlined above
  • disclose to the CDR consumer any of their own CDR data, to provide the consumer with the requested goods or services
  • otherwise disclose the consumer’s CDR data in accordance with a current disclosure consent
  • send the CDR consumer information about the following matters (in accordance with a direct marketing consent):
    • upgraded or alternative goods or services
    • offers to renew existing goods or services
    • information about the benefits of existing goods or services, or
    • information about other goods or services provided by another accredited person, or
  • use the CDR data (including by analysing it) in order to send the consumer the above information (in accordance with a direct marketing consent).

See CDR Rules 7.5(1)(h) and 7.5(3)(d) for further information.

A CDR principal will be in breach of Privacy Safeguard 6 and Privacy Safeguard 7 if it discloses CDR data for other purposes, unless an exception applies.

Consent

While the CDR principal’s role in the CDR representative model is to collect the CDR data, it is the CDR representative that seeks the relevant consents from the consumer, including the consent for the principal to collect the consumer’s CDR data.

A CDR principal must ensure that their CDR representative seeks a consumer’s consents in accordance with Division 4.3 of the CDR Rules, as modified by CDR Rule 4.3C(1). The CDR principal is liable for any breach of Division 4.3 by its CDR representative (CDR Rule 4.3C(2)).

Division 4.3 sets out the requirements for seeking consent, including the processes for asking for consent and restrictions when doing so. As the Division 4.3 requirements are drafted to apply to accredited persons, CDR Rule 4.3C(1) sets out how these are to be modified to apply to an unaccredited CDR representative.

For example, while Division 4.3 usually requires an accredited person to provide the consumer with their accreditation number, CDR Rule 4.3C(1) modifies Division 4.3 to require the CDR representative to provide their CDR principal’s accreditation number (as the representative does not have one).

Liability

A CDR principal is liable for its CDR representative’s handling of CDR data. This includes the CDR representative’s collection, use, disclosure and correction of CDR data (see generally Part 7 of the CDR Rules). A CDR principal is also liable for its CDR representative’s actions when seeking consent from consumers (CDR Rule 4.3C(2)).

For example, where a CDR representative uses or discloses CDR data in breach of Privacy Safeguard 6 (s 56EI of the Competition and Consumer Act), the CDR principal will be in breach of that privacy safeguard. This will be the case whether or not the use or disclosure was made in accordance with the written contract between the parties (CDR Rule 7.6(4)). The written contract is explained in the following section.

The CDR Rules that establish a CDR principal’s liability for their CDR representative are CDR Rules 4.3C(2), 7.3(2), 7.3A, 7.6(4), 7.8A, 7.9(5), 7.10A, 7.11(2), 7.12(3) and 7.16.

Requirements of the written contract

A CDR principal must have a written contract with its CDR representative that meets the minimum requirements listed in CDR Rule 1.10AA(2). This written contract is known in the CDR Rules as a ‘CDR representative arrangement’.

The purpose of the written contract is to govern the CDR representative’s handling of CDR data disclosed to it by the CDR principal.

The minimum terms that must be contained in this contract include a requirement for the CDR representative to comply with a number of privacy safeguards (CDR Rule 1.10AA(2)(d)).

Ensuring compliance

A CDR principal must ensure that the CDR representative complies with the requirements of the written contract (CDR Rule 1.16A).

The CDR principal will breach CDR Rule 1.16A if the CDR representative breaches any of the requirements listed in CDR Rule 1.10AA(2).

Privacy tip: A CDR principal is required by CDR Rule 1.16A to ensure that their CDR representative complies with the requirements of the written contract. As part of discharging this obligation, a CDR principal could consider:

  • undertaking review and assurance activities at least annually
  • requiring the CDR representative to provide regular reports against its compliance with the written contract, and/or
  • providing the CDR representative with any appropriate assistance or training in technical and compliance matters.

Prior to entering the written contract, the CDR principal could undertake due diligence on the proposed CDR representative, with a focus on their personal information handling capabilities, procedures and practices.

Taking these steps may assist the CDR principal in avoiding a breach of CDR Rule 1.16A, and in doing so, may also assist the CDR principal in avoiding a breach of other privacy-related CDR Rules (given the CDR principal is liable for the actions of the CDR representative).

Additional terms in the written contract

Privacy tip – Avoiding breaches of the CDR Rules

The CDR principal is liable for the actions of its CDR representative. To minimise the risk of a CDR representative breaching key privacy obligations, and to support the CDR principal’s compliance with its own privacy obligations, a CDR principal should consider including the following terms in its written contract with its CDR representative (in addition to the minimum requirements in CDR Rule 1.10AA(2) that must be included):

  • A term requiring the CDR representative to provide the CDR principal with evidence that it has obtained the consents required for a ‘valid request’ under CDR Rule 4.3A. This will ensure that a CDR principal does not collect CDR data in breach of Privacy Safeguard 3.
  • If applicable (e.g. where the CDR principal chooses for their CDR representative to provide the dashboard), a term requiring the CDR representative to notify the CDR principal as soon as possible upon becoming aware that a consumer has withdrawn their collection consent or that the collection consent has otherwise expired. This will ensure that a CDR principal does not collect CDR data in breach of the CDR Rules.

Privacy tip – Best practice options

A CDR principal may also wish to include the following terms in the written contract, by way of privacy best practice:

  • A term requiring the CDR representative to take such steps as are reasonable in the circumstances to implement practices, procedures and systems that will ensure the CDR representative complies with the terms of the written contract. This will assist in minimising the risk of the CDR representative breaching a privacy obligation by encouraging a ‘privacy-by-design’ approach.
  • For the avoidance of doubt, a term prohibiting the CDR representative from collecting CDR data from any person other than the CDR principal itself.
  • A term requiring the CDR representative to comply with the use and disclosure restrictions in Privacy Safeguards 6 and 7. This is because any use or disclosure of CDR data by the CDR representative is taken to be by the CDR principal.
  • A term requiring the CDR representative to notify a consumer in accordance with CDR Rule 7.10, where it becomes aware that it disclosed incorrect CDR data.
  • A term requiring the CDR representative to notify the CDR principal of a possible eligible data breach for the purposes of the notifiable data breaches (NDB) scheme, where the CDR representative is otherwise bound by the Privacy Act. (While CDR representatives are not covered by the NDB scheme by virtue of their CDR representative status, this is best privacy practice and will also help the CDR principal to be aware of any potential ramifications of a possible data breach for their obligations under Privacy Safeguard 12).

Dashboard

A CDR principal must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data.

For consumers that provide their consent to a CDR representative, a CDR principal may choose for the relevant CDR representative to provide the dashboard on their behalf (CDR Rules 1.14(1) and 1.14(5)).

Privacy tip: To enhance consumer understanding and reduce the risk of confusion, it may be preferable for the CDR representative, rather than the CDR principal, to provide the consumer dashboard. This is because it is the CDR representative, rather than the CDR principal, that has the consumer-facing relationship.

Where this option is chosen, the CDR principal should include an obligation for the CDR representative to provide the dashboard as an additional requirement in the written contract. The CDR principal should further monitor compliance with these obligations as part of ensuring the CDR representative complies with the minimum requirements of that written contract.

Notifications

The CDR principal must notify the consumer of the following matters:

  • Where a CDR principal collects a consumer’s CDR data on behalf of a CDR representative, they must notify the consumer of that collection under Privacy Safeguard 5.
  • Where a CDR representative discloses a consumer’s CDR data, the CDR principal must notify that consumer of the disclosure under Privacy Safeguard 10.
  • A CDR principal must also notify the consumer of other matters as set out in subdivision 4.3.5 of the CDR Rules. See Chapter C (Consent) for further information (‘Notification requirements’).

Under CDR Rule 1.14(5), a CDR principal may arrange for the CDR representative to provide the consumer dashboard on its behalf.

Privacy tip – Providing collection notifications: Consumers will likely be unaware of the existence of a CDR representative arrangement, and the CDR principal’s role in their relationship with the CDR representative (as it is the CDR representative that has the consumer-facing relationship, including responsibility for seeking the relevant consents and providing the goods or services directly to the consumer).

As such, in addition to the minimum notification requirements prescribed by Privacy Safeguard 5, and to ensure transparency, the CDR principal could inform the consumer that the CDR data was collected by the CDR principal on behalf of the CDR representative.

Privacy tip – All other notifications: To enhance consumer understanding and reduce the risk of confusion, it may be preferable for the CDR representative, rather than the CDR principal, to provide the notifications required by Privacy Safeguard 10 and subdivision 4.3.5. This is because it is the CDR representative, rather than the CDR principal, that has the consumer-facing relationship.

Where this option is chosen, the CDR principal should include an obligation for the CDR representative to provide the notifications as an additional requirement in the written contract. The CDR principal should further monitor compliance with these obligations, as part of ensuring the CDR representative complies with the minimum requirements of that arrangement.

Where a CDR principal decides it is preferable to provide the notifications themselves, they could consider explaining their relationship to the CDR representative the first time a notification is provided to the consumer.

The above tips will help to aid the consumer’s informed understanding of these important notifications (as the consumer might otherwise be confused as to why they are being contacted by an entity other than the CDR representative, in relation to the relevant goods or services).

CDR policy

A CDR principal must ensure their CDR policy includes:

  • a list of their CDR representatives, and
  • for each CDR representative, information about the nature of the goods and services provided by that CDR representative using CDR data (CDR Rule 7.2(4)).

Record keeping, reporting and access

A CDR principal must keep and maintain records in relation to each of their CDR representatives. The required records are set out in CDR Rule 9.3(2A).

A CDR principal must prepare and submit a report to the Office of the Australian Information Commissioner and the Australian Competition and Consumer Commission on a bi-annual basis. This report must contain the information set out in CDR Rule 9.4(2A) about each of their CDR representatives. See CDR Rule 9.4 for further information.

Upon request from a consumer, a CDR principal must provide a copy of records relating to certain information in CDR Rule 9.3(2A) that relates to the consumer. See CDR Rule 9.5 for further information.

Dispute resolution

A CDR principal is responsible for dispute resolution in relation to its CDR representatives. Consumers may, however, complain directly to the CDR representative about that CDR representative’s provision of goods or services. Such complaints will trigger the CDR principal’s internal dispute resolution obligations in CDR Rule 5.12(1)(b).