23 December 2021
This page outlines the key privacy obligations relating to the disclosure of insights based on a consumer’s CDR data (‘CDR insights’). CDR insights can be shared with any third party, including those that are not accredited under the Consumer Data Right (CDR) system.
CDR insights are intended to allow accredited data recipients to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.
Disclosure of a CDR insight is not permitted under the CDR Rules until the earlier of:
- 1 February 2022, or
- the day the Data Standards Chair makes the data standard about the matter (see CDR Rule 7.5A(3)).
These obligations have been introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No.1) 2021). The CDR Privacy Safeguard Guidelines will be updated to reflect this content.
- CDR insights are insights based on a consumer’s CDR data. CDR insights remain ‘CDR data’.
- A consumer can only give a valid consent to disclose a CDR insight where it is for one of the purposes outlined in CDR Rule 1.10A(3)(a)(i)-(iii).
- An accredited data recipient must not disclose a CDR insight if it includes or reveals sensitive information about a consumer.
- Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient must not disclose the amount or date of any individual transaction.
- When seeking consent from a consumer (and prior to disclosure), an accredited data recipient must explain to the consumer what the CDR insight is and what it would reveal or describe about them.
- If an accredited data recipient intends to disclose an insight to someone outside the CDR system, they must explain to the consumer that the data will not be subject to the same protections under the CDR system.
- Unaccredited entities that receive CDR insights should consider whether they have any professional or other regulatory obligations (for example, under the Privacy Act 1988) in relation to their handling of a consumer’s data, and ensure they handle data transparently and confidentially.
What is a CDR insight?
CDR insights are insights based on a consumer’s CDR data.
These insights are intended to allow accredited data recipients to disclose CDR data outside the CDR system to either confirm, deny, or provide simple information to a person selected by the consumer, where this is for a limited, permitted purpose.
Under the CDR Rules, a consumer can provide consent for an accredited data recipient to disclose CDR insights outside the CDR system for these limited purposes. This is known as an ‘insight disclosure consent’.
Insight disclosure consents can be provided by a consumer for the following permitted purposes:
- to verify the consumer’s identity
- to verify the consumer’s account balance, or
- to verify the details of credits to, and debits from, the consumer’s accounts (see CDR Rule 1.10A(3)(a)(i)-(iii)).
In order to have a valid consent to disclose the consumer’s CDR data (for the purposes of CDR Rule 1.10A(3)), an accredited data recipient must ensure that disclosures of CDR data are for one of these permitted purposes.
Disclosing CDR data for a purpose that is not permitted under the CDR Rules will breach Privacy Safeguard 6 and be a breach of the CDR Rules, in particular CDR Rules 7.6(1) and 7.5(1)(ca), and may result in civil penalties.
Some examples of use cases for insights that will likely comply with these permitted purposes are provided below:
- confirming the consumer’s account balance at a specific point in time (as this is for the purpose of verifying the consumer’s account balance – CDR Rule 1.10A(3)(a)(ii))
- confirming whether a consumer’s account balance is over a certain amount (as this is for the purpose of verifying the consumer’s account balance – CDR Rule 1.10A(3)(a)(ii))
- confirming whether a consumer has received a transfer of funds from a specific counterparty (as this is for the purpose of verifying the details of credits from a consumer’s account – CDR Rule 1.10A(3)(a)(iii))
- disclosing the consumer’s average income over a specific period of time (as this is for the purpose of verifying the details of credits from a consumer’s account – CDR Rule 1.10A(3)(a)(iii))
While the examples above will likely fall within the permitted purposes for disclosing a CDR insight, in other instances, it might be less clear. In such cases, to ensure compliance with the CDR Rules, an accredited data recipient should ensure they are able to justify why the disclosure was for a permitted purpose.
Some further examples are outlined below.
Disclosing a CDR insight
CDR insights can be disclosed to any person, provided the consumer has given valid consent (that is, consent in accordance with CDR Rule 1.10A(3), and any other relevant CDR Rules requirements).
This means that, unless the insight is disclosed to an accredited person, the CDR data will no longer be subject to the protections and safeguards of the CDR system. An accredited data recipient must explain this to the consumer at the time of disclosure in accordance with the relevant CX standard (see CDR Rule 8.11(1A)(b)).
Seeking consent to disclose
As noted above, before an accredited data recipient is permitted to disclose a CDR insight, the consumer needs to provide a valid consent known as an ‘insight disclosure consent’ (see CDR Rule 1.10A(3)).
An accredited data recipient must ask for an insight disclosure consent in accordance with Division 4.3 of the CDR Rules. This Division seeks to ensure that consent is voluntary, express, informed, specific as to purpose, time limited, and easily withdrawn (see CDR Rule 4.9).
The CDR Rules also include a requirement for the accredited data recipient to give an explanation of the CDR insight to be disclosed, including what this would reveal or describe about the consumer (see CDR Rule 4.11(3)(ca)).
An accredited data recipient’s process for seeking consent from a consumer must also be consistent with the consumer experience data standards. Data standards must be made about the processes for disclosing CDR insights and obtaining consumer consent (see CDR Rule 8.11(c)(v)). Accredited data recipients must comply with these CX standards when they are made.
Prohibition on disclosing sensitive information
Sensitive information includes information or an opinion (that is also personal information) about an individual’s:
- racial or ethnic origin
- political opinions or membership of a political association
- religious beliefs or affiliations
- philosophical beliefs
- membership of a professional or trade association, or trade union
- sexual orientation or practices, or
- criminal record.
It also includes:
- health information
- genetic information
- biometric information used for automated biometric verification or identification, or
- biometric templates (see s 6 of the Privacy Act 1988).
‘Health information’ includes information or an opinion, that is also personal information, about:
- the health, including an illness, disability or injury of an individual
- an individual's expressed wishes about the future provision of health services, or
- a health service provided to an individual (see s 6FA of the Privacy Act 1988).
It can also include information collected to provide a health service, information about donating body parts, organs or substances, or genetic information that could predict an individual’s health or the health of a genetic relative.
Examples of CDR data or insights that may include or reveal sensitive information include details of transactions regarding:
- payments to a doctor, psychologist or other health service provider
- payments/reimbursements made to an individual’s bank account from Medicare, or
- payments to a political party, union or professional association.
Prohibition on disclosing details of more than one transaction
Where a CDR insight relates to more than one transaction from a consumer’s account, the accredited data recipient must not disclose the amount or date of any individual transaction (see CDR Rule 1.10A(3)(b)).
In other words, while an insight may be derived from multiple transactions, the insight itself that is disclosed to the recipient must not detail the amounts or dates of any individual transactions.
This means that an accredited data recipient cannot disclose, for example, a full transaction list or a detailed business ledger from a consumer’s account in the form of a CDR insight.
Consumer dashboards
An accredited data recipient must provide a consumer dashboard for each consumer who has provided a consent in relation to their CDR data (see CDR Rule 1.14(1)).
Where an insight disclosure consent is provided, the consumer’s dashboard must include a description of the CDR insight and to whom it was disclosed (see CDR Rule 1.14(3)(ea)).
In accordance with Privacy Safeguard 10, when an accredited data recipient discloses a CDR insight they must also update each consumer dashboard as soon as practicable to indicate:
- what CDR data was disclosed
- when it was disclosed, and
- the person they disclosed it to (see CDR Rule 7.9(4)).
An accredited data recipient must also include certain information in the consumer’s dashboard, stating that they can request copies of these records and how to request a copy (see CDR Rule 1.14(3A)).
Record keeping and reporting
An accredited data recipient must keep and maintain records when it discloses a CDR insight. This includes:
- a copy of each CDR insight it discloses (that is, a copy of the actual insight itself)
- a record of who it disclosed the insight to, and
- a record of when the insight was disclosed (see CDR Rule 9.3(2)(ed)).
The accredited data recipient must include this information in their regular reports to the Australian Competition and Consumer Commission (ACCC).
The report must also state how many insight disclosure consents it received from consumers during the reporting period (see CDR Rule 9.4(2)(f)(viii)).