CDR outsourcing arrangements – Privacy obligations for outsourced service providers
23 December 2021
In the CDR system, an outsourced service provider (OSP) is a person engaged by an accredited person (the ‘principal’) under a CDR outsourcing arrangement to do one or both of the following:
- collect CDR data from a CDR participant on behalf of the principal
- provide goods or services to the principal using CDR data that the OSP collected on the principal’s behalf or that was disclosed to the OSP by the that principal.
This page outlines the privacy obligations for OSPs. The main privacy obligation for an OSP is to comply with the terms of its written contract with the principal that engaged them. This page explains what the written contract is, and outlines its key terms, which fall under the following topics:
- Use and disclosure
- Information security
- Further outsourcing
Many of these obligations have been in place since June 2020. This page outlines those obligations as well as provisions introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021). The Version 3 CDR Rules removed the requirement for an OSP to be accredited in order to collect CDR data on behalf of a principal. This means that, since 19 October 2021, there is no requirement for an OSP to be accredited, regardless of what service they are providing.
For information on the privacy obligations for principals, see CDR outsourcing arrangements: Privacy obligations for principals.
- An outsourced service provider (OSP) is a person who does one or both of the following:
- collects CDR data from a CDR participant on behalf of an accredited person in accordance with the CDR Rules
- provides goods or services to the accredited person using CDR data that it collected on behalf of the accredited person or that has been disclosed to them by the accredited person.
- An OSP must have a ‘CDR outsourcing arrangement’ with an accredited person that meets the requirements set out in CDR Rule 1.10(2).
- An accredited person who engages an OSP under a CDR outsourcing arrangement is known as the ‘principal’.
- An OSP must comply with the terms of the CDR outsourcing arrangement.
- An OSP is not required to be accredited.
An OSP must have a ‘CDR outsourcing arrangement’ with an accredited person that meets the requirements set out in CDR Rule 1.10(2).
A CDR outsourcing arrangement is a written contract between the OSP and an accredited person (known as the ‘principal’) under which the OSP will do one or both of the following:
- collect CDR data from a CDR participant on behalf of the principal in accordance with the CDR Rules
- provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal.
The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data that is:
- collected by the OSP under the arrangement; or
- disclosed from the principal to the OSP for the purposes of the arrangement; or
- directly or indirectly derives from the above.
The OSP’s obligations under the arrangement are outlined in the following sections.
Where an OSP has been engaged to collect CDR data on a principal’s behalf, the OSP must collect CDR data in accordance with the CDR Rules. For example, this means an OSP can only collect CDR data if the principal has obtained the relevant consent from the consumer.
Use and disclosure
An OSP must not use or disclose the service data other than in accordance with their CDR outsourcing arrangement.
An OSP must take the steps in Schedule 2 of the CDR Rules to protect the service data as if they were an accredited person. This includes the implementation of minimum information security controls outlined in Part 2 of Schedule 2, such as data segregation (to segregate data held by an entity in their capacity as an OSP from data held by that entity in their other capacities).
For guidance on the steps in Schedule 2, see Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).
An OSP must, when directed by their principal:
- delete any service data that it holds in accordance with the CDR data deletion process
- provide the principal with records of any deletion required to be made under the CDR data deletion process, and
- direct any other person to which it has disclosed CDR data to take corresponding steps (noting the limits on on-disclosure discussed in ‘Further outsourcing’ below).
For information on the CDR deletion process please see CDR Rule 1.18 and Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).
An OSP must, when directed by their principal:
- provide the principal with access to any service data held, and
- return CDR data disclosed to it by the principal.
An OSP may further outsource its functions under the CDR outsourcing arrangement to another person where they have a CDR outsourcing arrangement in place with that person. In this situation, the OSP would fulfil the role of the ‘principal’.
Where an OSP discloses CDR data under a further CDR outsourcing arrangement, their original CDR outsourcing arrangement with their principal will require them to ensure that the other person complies with the requirements of the further CDR outsourcing arrangement (CDR Rule 1.10(2)(b)(vi)).
While there is no requirement for an OSP to be accredited under the CDR system, some accredited persons may choose to enter a CDR outsourcing arrangement in a provider capacity.
Where an OSP is an accredited person and, in their capacity as an OSP, collects CDR data on behalf of a principal, certain obligations are adjusted under the CDR Rules to ensure that there is no duplication. These are:
- Privacy Safeguard 5 and CDR Rule 7.4 – only the principal needs to notify the consumer of the collection of the CDR data.
- Privacy Safeguard 10 and CDR Rule 7.9 – only the principal needs to notify the consumer of the disclosure of CDR data.
- Privacy Safeguard 11 and CDR Rule 7.10(1)(a) – only the principal needs to be identified as the accredited data recipient to whom the incorrect CDR data was disclosed.
For further information see CDR Rule 1.16(2).