CDR outsourcing arrangements Privacy obligations for outsourced service providers

23 December 2021

In the CDR system, an outsourced service provider (OSP) is a person engaged by an accredited person (the ‘principal’) under a CDR outsourcing arrangement to do one or both of the following:

  • collect CDR data from a CDR participant on behalf of the principal
  • provide goods or services to the principal using CDR data that the OSP collected on the principal’s behalf or that was disclosed to the OSP by the that principal.

This page outlines the privacy obligations for OSPs. The main privacy obligation for an OSP is to comply with the terms of its written contract with the principal that engaged them. This page explains what the written contract is, and outlines its key terms, which fall under the following topics:

  • Collection
  • Use and disclosure
  • Information security
  • Deletion
  • Access
  • Further outsourcing

Many of these obligations have been in place since June 2020. This page outlines those obligations as well as provisions introduced by Version 3 of the CDR Rules (being the Competition and Consumer (Consumer Data Right) Amendment Rules (No. 1) 2021). The Version 3 CDR Rules removed the requirement for an OSP to be accredited in order to collect CDR data on behalf of a principal. This means that, since 19 October 2021, there is no requirement for an OSP to be accredited, regardless of what service they are providing.

The CDR Privacy Safeguard Guidelines will be updated to reflect the changes introduced by the Version 3 CDR Rules.

For information on the privacy obligations for principals, see CDR outsourcing arrangements: Privacy obligations for principals.

Key Points

  • An outsourced service provider (OSP) is a person who does one or both of the following:
    • collects CDR data from a CDR participant on behalf of an accredited person in accordance with the CDR Rules
    • provides goods or services to the accredited person using CDR data that it collected on behalf of the accredited person or that has been disclosed to them by the accredited person.
  • An OSP must have a ‘CDR outsourcing arrangement’ with an accredited person that meets the requirements set out in CDR Rule 1.10(2).
  • An accredited person who engages an OSP under a CDR outsourcing arrangement is known as the ‘principal’.
  • An OSP must comply with the terms of the CDR outsourcing arrangement.
  • An OSP is not required to be accredited.

Written contract

An OSP must have a ‘CDR outsourcing arrangement’ with an accredited person that meets the requirements set out in CDR Rule 1.10(2).

A CDR outsourcing arrangement is a written contract between the OSP and an accredited person (known as the ‘principal’) under which the OSP will do one or both of the following:

  • collect CDR data from a CDR participant on behalf of the principal in accordance with the CDR Rules
  • provide goods or services to the principal using CDR data that it has collected on behalf of the principal or that has been disclosed to it by the principal.

The purpose of the CDR outsourcing arrangement is to govern the OSP’s handling of ‘service data’, being CDR data that is:

  • collected by the OSP under the arrangement; or
  • disclosed from the principal to the OSP for the purposes of the arrangement; or
  • directly or indirectly derives from the above.

The OSP’s obligations under the arrangement are outlined in the following sections.

Collection

Where an OSP has been engaged to collect CDR data on a principal’s behalf, the OSP must collect CDR data in accordance with the CDR Rules. For example, this means an OSP can only collect CDR data if the principal has obtained the relevant consent from the consumer.

Use and disclosure

An OSP must not use or disclose the service data other than in accordance with their CDR outsourcing arrangement.

Information security

An OSP must take the steps in Schedule 2 of the CDR Rules to protect the service data as if they were an accredited person. This includes the implementation of minimum information security controls outlined in Part 2 of Schedule 2, such as data segregation (to segregate data held by an entity in their capacity as an OSP from data held by that entity in their other capacities).

For guidance on the steps in Schedule 2, see Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).

Deletion

An OSP must, when directed by their principal:

  • delete any service data that it holds in accordance with the CDR data deletion process
  • provide the principal with records of any deletion required to be made under the CDR data deletion process, and
  • direct any other person to which it has disclosed CDR data to take corresponding steps (noting the limits on on-disclosure discussed in ‘Further outsourcing’ below).

For information on the CDR deletion process please see CDR Rule 1.18 and Chapter 12 of the Privacy Safeguard Guidelines (Privacy Safeguard 12).

Access

An OSP must, when directed by their principal:

  • provide the principal with access to any service data held, and
  • return CDR data disclosed to it by the principal.

Further outsourcing

An OSP may further outsource its functions under the CDR outsourcing arrangement to another person where they have a CDR outsourcing arrangement in place with that person. In this situation, the OSP would fulfil the role of the ‘principal’.

Where an OSP discloses CDR data under a further CDR outsourcing arrangement, their original CDR outsourcing arrangement with their principal will require them to ensure that the other person complies with the requirements of the further CDR outsourcing arrangement (CDR Rule 1.10(2)(b)(vi)).

Privacy tip: As part of discharging their obligation to ensure their subcontractor complies with the further CDR outsourcing arrangement, the OSP could consider:

  • undertaking review and assurance activities at least annually
  • requiring the subcontractor to provide regular reports against its compliance with the CDR outsourcing arrangement, and/or
  • providing the subcontractor with any appropriate assistance or training in technical and compliance matters.

Prior to entering the further CDR outsourcing arrangement, the OSP could undertake due diligence on the proposed subcontractor, with a focus on their personal information handling capabilities, procedures and practices.

Accredited OSPs

While there is no requirement for an OSP to be accredited under the CDR system, some accredited persons may choose to enter a CDR outsourcing arrangement in a provider capacity.

Where an OSP is an accredited person and, in their capacity as an OSP, collects CDR data on behalf of a principal, certain obligations are adjusted under the CDR Rules to ensure that there is no duplication. These are:

  • Privacy Safeguard 5 and CDR Rule 7.4 – only the principal needs to notify the consumer of the collection of the CDR data.
  • Privacy Safeguard 10 and CDR Rule 7.9 – only the principal needs to notify the consumer of the disclosure of CDR data.
  • Privacy Safeguard 11 and CDR Rule 7.10(1)(a) – only the principal needs to be identified as the accredited data recipient to whom the incorrect CDR data was disclosed.

For further information see CDR Rule 1.16(2).